I started this thing at work – we call it BugWeek – where, a few times a year, the senior staff lock ourselves in my office and go to town on the corporate network. It’s a great way to find exposures that traditional vulnerability scanners don’t pick up, and it helps keep the blue team’s ‘red’ skills fresh.
During the latest BugWeek, one of the team found a new web application called LanSweeper that was in the process of being deployed – she was able to gain administrative access to the web application interface by using default credentials.
We ended up taking a closer look, and found a tidy little 0-day in the form of an arbitrary file upload. Creating a new KB article gave us the ability to upload a file of choice that was subsequently written to the filesystem in a location that was directly accessible via web browser, albeit with a modified (but easily identifiable) filename. Since the app was written in ASP, we were able to upload an ASP reverse shell and obtain NT AUTHORITY\SYSTEM access to the underlying server.
Fully updated endpoint AV did not catch the shell.
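As an added defender-side example (not code from the original post, and not LanSweeper's), here is a Python check for both halves of this finding: an IIS W3C log query that flags served requests to server-side script files under an assumed web-reachable upload directory, and the extension allowlist the upload handler should have applied before writing the file. All paths, directory names and log lines are constructed placeholders.

```python
# Constructed IIS W3C log lines (placeholders, not from the original post or LanSweeper).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2013-05-01 10:00:01 10.0.0.5 POST /kb/addarticle.aspx - 81 admin 10.0.0.77 302
2013-05-01 10:00:02 10.0.0.5 GET /uploads/kb/f3a1_notes.docx - 81 admin 10.0.0.77 200
2013-05-01 10:00:09 10.0.0.5 GET /uploads/kb/b7c2_shell.asp - 81 - 10.0.0.77 200
2013-05-01 10:00:10 10.0.0.5 POST /uploads/kb/b7c2_shell.asp;.jpg cmd=x 81 - 10.0.0.77 200
"""

UPLOAD_PREFIX = "/uploads/"  # assumed web-reachable attachment directory (placeholder)
# Extensions IIS maps to a script handler (classic ASP and ASP.NET); extend per server config.
SERVER_SIDE_EXTS = {".asp", ".asa", ".cer", ".cdx", ".aspx", ".ashx", ".asmx", ".svc"}
ALLOWED_EXTS = {".png", ".jpg", ".gif", ".pdf", ".docx", ".txt"}  # what a KB attachment may be


def is_executable_upload(uri_stem: str) -> bool:
    """True if the path is under the upload dir and *any* dotted segment of the
    file name is a server-side extension, so shell.asp;.jpg and shell.asp.txt match."""
    stem = uri_stem.lower()
    if not stem.startswith(UPLOAD_PREFIX):
        return False
    name = stem.rsplit("/", 1)[-1].replace(";", ".")
    return any("." + seg in SERVER_SIDE_EXTS for seg in name.split(".")[1:])


def parse_w3c(text: str):
    """Yield one dict per record, taking column names from the #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_webshell_requests(text: str):
    """Return (client ip, path, status) for every served (200) request to an
    executable file under the upload directory; each is a candidate uploaded web shell."""
    return [(r["c-ip"], r["cs-uri-stem"], r["sc-status"]) for r in parse_w3c(text)
            if r["sc-status"] == "200" and is_executable_upload(r["cs-uri-stem"])]


def is_safe_attachment_name(filename: str) -> bool:
    """Allowlist check to run before writing an attachment: base name only, exactly
    one extension, taken from ALLOWED_EXTS, and no ';' handler-delimiter tricks."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if ";" in name or name.count(".") != 1 or name.startswith("."):
        return False
    return "." + name.split(".", 1)[1] in ALLOWED_EXTS
```

Run `find_webshell_requests` over a real IIS log directory to hunt for this class of upload; pair it with a file-system sweep of the same directory for the same extensions, since a shell that was uploaded but not yet requested leaves no log hit.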
Here’s what it looks like: