Showing posts with label shell. Show all posts

Tuesday, April 13, 2021

RCE Using Recaf: an Awesome Java Decompiler/Recompiler

Recaf is super slick for reverse engineering and editing Java. I used it for arbitrary command injection (for RCE running as root!) last week (see the previous post about the file handle lock).

Anyway, about Recaf... I love that it auto-guesses the Java version. I used both the decompiler and the hex editor; both are excellent. Check it out:

https://www.coley.software/Recaf/

https://github.com/Col-E/Recaf

Sunday, November 29, 2020

Palo Alto Networks - WAF Bypass for Webshell

I originally found this and reported it to Palo Alto in 2018.

You can use the default Kali Linux aspx webshell to get RCE on a server protected by Palo Alto Networks... as long as you change the "m" in cmd.exe to an "M".

That's it! That's the whole hack..! It bypasses the whitelist.

So my discovery process...

While I was trying to upload my webshell, I noticed the font of the error looked different from the rest of the application. I googled the wording, trying to figure out what service was displaying it. It looked similar to an image of a Palo Alto dialog:

Mine:

Theirs:

Close enough - I assumed I was dealing with a Palo Alto firewall. The logs confirmed this was true. The bypass worked and eventually I upgraded my webshell to a Meterpreter shell. The Palo Alto WAF bypass process wasn't fancy, but it was instrumental in owning the server.
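The bypass above works because the signature is compared against the raw request without first normalizing its case. The following PowerShell snippet is an added example, not code from the post and not Palo Alto's logic; it uses constructed sample requests to contrast a case-sensitive match with one that canonicalizes the input (lower-casing and percent-decoding) before the signature is applied, which is the check a WAF or log-based detection should be doing.

```powershell
# Added example, not code from the original post. The sample requests are
# constructed for the demo: a plain cmd.exe call, the case-varied form from
# the post, and a benign request that neither matcher should flag.

$Samples = @(
    'cmd.exe /c whoami',    # plain form: both matchers flag it
    'cMd.exe /c whoami',    # case-varied form from the post
    'GET /default.aspx'     # benign request
)

# Weak matcher: -cmatch is PowerShell's case-sensitive regex operator, so the
# pattern only fires on an exact-case "cmd.exe". This mirrors a signature that
# is compared against the raw request bytes.
function Test-WeakSignature {
    param([string]$Request)
    return [bool]($Request -cmatch 'cmd\.exe')
}

# Hardened matcher: percent-decode and lower-case the request first, so the
# signature is evaluated against one canonical form regardless of how the
# token was written in the original request.
function Test-CanonicalSignature {
    param([string]$Request)
    $canonical = [uri]::UnescapeDataString($Request).ToLowerInvariant()
    return [bool]($canonical -match 'cmd\.exe')
}

foreach ($req in $Samples) {
    [pscustomobject]@{
        Request        = $req
        WeakMatch      = Test-WeakSignature -Request $req
        CanonicalMatch = Test-CanonicalSignature -Request $req
    }
}
```

Running this prints a three-row table: the weak matcher flags only the first request, while the canonical matcher flags the first two and leaves the benign one alone. The same canonicalize-then-match order is what to look for when reviewing custom WAF rules or SIEM detections for web shell activity.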

Saturday, June 1, 2019

ctrl + s to Escape Chrome Kiosk

Consider a tablet at a store kiosk where the owner wants to display one particular web page to users. They don't want the user to have access to any other programs or files on the tablet. In this case, they are running Chrome in a restricted mode, using this command:

 chrome.exe --kiosk "keepuseronthispage.com"

In theory, this restricted mode doesn't allow the right-click context menu, doesn't show the browser address bar or the taskbar, and keeps the user out of the system. So... how do we access the rest of the system? Well, if it's a Windows machine, as in this case, kiosk mode can easily be bypassed if the user presses ctrl + s.


Use the "save as" file explorer window that pops up to run cmd.exe. Now you have access to all the local resources.

NOTE: This doesn't seem to work on macOS... which is probably for the best.

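The escape relies on Chrome still being allowed to open a native file picker. The PowerShell below is an added example, not from the post, showing how a kiosk owner can close that path on Windows with the documented Chrome enterprise policy AllowFileSelectionDialogs, which is read from the HKLM\SOFTWARE\Policies\Google\Chrome registry key; the function names are my own, and the script assumes an elevated prompt.

```powershell
# Added example, not code from the original post. Sets the Chrome enterprise
# policy AllowFileSelectionDialogs to 0 so that Save As / Open file pickers
# never appear in the kiosk session. Requires an elevated PowerShell prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Write the policy value (creating the key if the machine has no Chrome
# policies yet). -Force overwrites an existing value.
function Set-KioskFileDialogPolicy {
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'AllowFileSelectionDialogs' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

# Read the value back; returns $true only when the dialogs are disabled.
function Test-KioskFileDialogPolicy {
    $value = (Get-ItemProperty -Path $PolicyKey -Name 'AllowFileSelectionDialogs' `
        -ErrorAction SilentlyContinue).AllowFileSelectionDialogs
    return ($value -eq 0)
}

Set-KioskFileDialogPolicy
if (Test-KioskFileDialogPolicy) {
    'Chrome file selection dialogs are disabled by policy'
} else {
    'Policy not applied'
}
```

After a Chrome restart the policy shows up on chrome://policy. This closes the file-dialog route only; the --kiosk flag is a display mode, not a security boundary, so a kiosk that must keep users off the desktop should also run under the operating system's own kiosk control (Assigned Access on Windows) rather than rely on browser flags alone.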
Tuesday, May 28, 2019

Running Unicorn Payload Through Web Shell

This is for escalating a low-privileged web shell to a Meterpreter shell. In this example, the PowerShell execution policy was changed (using the web shell) to RemoteSigned using PowerShell's Set-ExecutionPolicy. The normal method of storing a unicorn reverse-https payload wasn't working, since the file couldn't be written to the server (either because of permission restrictions or because it was picked up by antivirus).

Take the contents of the generated unicorn payload from the file and run it as a PowerShell command in the browser: