This for escalating a low-privileged web shell to a Meterpreter shell. In this example, the Powershell execution policy was changed (using the web shell) to RemoteSigned using powershell Set-ExecutionPolicy. The normal method of storing a unicorn reverse-https payload wasn't working, since the file couldn't be written to the server (either through permissions restrictions or being picked up by antivirus).
Take the contents of the generated unicorn payload from the file, and run it as a Powershell command in the browser:
This blog is about the educational (and sometimes entertainment) value of simple hacks. For active vulnerabilities, real names are concealed.
Tuesday, May 28, 2019
Bypass Auth Lib
Recently I found a problem with an authentication library. The hyperlink the user clicks to access private content looks something like this:
https://www.authenticateme.com/auth.asp?url=http://www.privatecontent.com/1337
So normally, after the user enters their credentials on the auth.asp page, they are redirected to privatecontent.com/1337 ... or they could just go directly to that page, bypassing any security restrictions. They can then enumerate and access other content based on the formula of the URL.
Additionally, this qualifies as an open redirect, since an attacker could append their own attack server's address to "url=", then send the link to a victim, and then the attacker will receive the credentials passed through the authentication page.