Two RCEs are better than one: write-up of an interesting lateral movement

In this article, I will talk about how I managed to get two different Remote Code Executions during past work on a desktop application.

As this was a Penetration Test for a company and I was testing a custom application designed for them, I will not share any private information or original images.

What I can do is tell you the story of this interesting lateral movement. I can’t disclose any original information, but I’ve learned a lot about new vulnerabilities and I wanted to document it. I’ll do my best to make everything as clear as possible :)

The scope is composed of: the server hosting a custom desktop application for the employees through Citrix Gateway, the custom desktop application, and the database server.

Context: At the time of this Penetration Test, I didn’t have much experience testing Thick Client Applications and it was also a Black Box test. Nevertheless, I didn’t let my inexperience stop me and managed to hit some serious vulnerabilities, as you’ll see.

What is Citrix Gateway?

Citrix Gateway unifies remote access infrastructure to offer single sign-on for all applications, regardless of whether they are hosted in a data center, the cloud, or are offered as SaaS apps. Through a single URL, anyone may access any app on any device.

It can be really useful for companies as it does not require all employees to install the same program and saves time setting up the work environment.

However, this can introduce many serious vulnerabilities if the environment is not set up correctly, as you will discover later.

A strange dialog box

File upload functionality is always interesting to test. If not set up correctly, it can lead to medium to critical vulnerabilities.

If you are not new to hacking, you have probably seen PHP shell uploads, ImageTragick, XXE, and stuff like that.

For this reason, you want to check it every time you encounter it during your activities and make sure it’s all safe.

In this case, there was a button on the custom desktop application to read some files. So, I jumped in to test it.

I saw the dialog box and thought: “Alright, let’s upload some stuff.” But, something strange happened. I wasn’t seeing any of the files present on my computer. Why?

Because the dialog box wasn’t from my computer; it was from the server hosting the application. So, I decided to try to open cmd and PowerShell by inserting the path in the dialog box, but no luck.

What I could do was right-click and perform many operations, like creating new files and copying and pasting stuff. This way, I could upload files by copying and pasting them from my machine to the remote one.

Can’t open a local shell? Upload it!

The ingredients are these: right-click without any restriction and the possibility to upload any file. Now, what else can we do?

Here, you can do an interesting trick: upload a .zip containing a portable PowerShell and unzip it. Now, double-click on the PowerShell .exe, and boom! Here is a shell with the highest privileges.

At this point, I had complete control over the machine. I could create, modify, or delete any file. I could read anything, even the registry. Now, what to do?

Pwned, what’s next?

RCE is known as the holy grail of vulnerabilities, the final achievement. So, game over, right? Wrong! There is still something to do. I haven’t yet pwned the server that hosts the database.

So, following the same process as before, it was time to upload Process Hacker.

This tool is helpful to dump the memory of an executable. In it, you might find some information that shouldn’t be there, like credentials.

I dumped the memory, and that’s what I found: the username and password of a user with access to the database.

Great! Time to test them.

Second RCE! With SQL Server Management Studio

By logging in, I found that this user apparently had low privileges, but this is no time to be discouraged.

I immediately tried the query “EXEC xp_cmdshell 'whoami'” but got nothing: xp_cmdshell is disabled. So, I remembered a query to activate it. Note: this shouldn’t be possible for a non-admin user.

The query is the following:

This is how it’s possible to activate and execute xp_cmdshell

I tried and the query was successful! Now, I had gotten a second Remote Code Execution.
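From the defender's side, the check that explains this finding is whether the application's database login can change server configuration. The T-SQL below is an added example, not a query from the original engagement; it uses only standard catalog views and built-in functions, and assumes it is run by a DBA who can view server metadata.

```sql
-- Added audit example (not from the original write-up).
-- 1. Current state of the options involved in turning on xp_cmdshell.
SELECT name,
       CAST(value AS int)        AS configured_value,
       CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'show advanced options');

-- 2. What the login running this batch can do. Run it while connected as the
--    application account: any 1 below means the account is not low-privileged.
SELECT SUSER_SNAME()                                    AS login_name,
       IS_SRVROLEMEMBER('sysadmin')                     AS is_sysadmin,
       IS_SRVROLEMEMBER('serveradmin')                  AS is_serveradmin,
       HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SETTINGS')  AS can_alter_settings,
       HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER')  AS has_control_server;

-- 3. Logins in the fixed server roles that implicitly hold ALTER SETTINGS
--    (the permission needed to change options and RECONFIGURE).
SELECT m.name AS login_name, m.type_desc, r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'serveradmin')
ORDER BY r.name, m.name;

-- 4. Principals granted the same capability explicitly.
SELECT p.name AS grantee, p.type_desc, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name IN (N'ALTER SETTINGS', N'CONTROL SERVER')
  AND sp.state IN ('G', 'W')   -- GRANT or GRANT WITH GRANT OPTION
ORDER BY p.name;
```

An application account that appears in the results of query 3 or 4 should be moved to a login with only the database-level permissions the application needs.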

To recap

  1. Via an arbitrary file upload, you can perform a remote code execution via Citrix escape by loading a portable PowerShell;
  2. At this point, through a memory analysis of the custom desktop application from the compromised machine, valid database server credentials can be found;
  3. By logging into the database server, it is possible to perform a privilege escalation, reconfigure the activation of xp_cmdshell, and thus obtain a second remote code execution.
