AWAE Course Syllabus

  1. 0.
  2. 0.1 About the AWAE Course
  3. 0.2 Our Approach
  4. 0.3 Obtaining Support
  5. 0.4 Legal
  6. 0.5 Offensive Security Labs
  7. 0.6 Backups
  8. 1.
  9. 1.1 Web Traffic Inspection
  10. 1.2 Interacting with Web Listeners with Python
  11. 1.3 Source Code Recovery
  12. 2.
  13. 2.1 Overview
  14. 2.2 Getting Started
  15. 2.3 Atmail Vulnerability Discovery
  16. 2.4 Session Hijacking
  17. 2.5 Session Riding
  18. 2.6 Gaining Remote Code Execution
  19. 2.7 Summary
  20. 3.
  21. 3.1 Overview
  22. 3.2 GetStarted
  23. 3.3 Initial Vulnerability Discovery
  24. 3.4 Brief Review of Blind SQL Injections
  25. 3.5 Digging Deeper
  26. 3.6 Data Exfiltration
  27. 3.7 Subverting the ATutor Authentication
  28. 3.8 Authentication Gone Bad
  29. 3.9 Bypassing File Upload Restrictions
  30. 3.10 Gaining Remote Code Execution
  31. 3.11 Summary
  32. 4.
  33. 4.1 Overview
  34. 4.2 Getting Started
  35. 4.3 PHP Loose and Strict Comparisons
  36. 4.4 PHPString Conversion to Numbers
  37. 4.5 Vulnerability Discovery
  38. 4.6 Attacking the Loose Comparison
  39. 4.7 Summary
  40. 5.
  41. 5.1 Overview
  42. 5.2 Getting Started
  43. 5.3 Vulnerability Discovery
  44. 5.4 Bypassing Character Restrictions
  45. 5.5 Blind Bats
  46. 5.6 Accessing the File System
  47. 5.7 PostgreSQL Extensions
  48. 5.8 UDF Reverse Shell
  49. 5.9 More Shells!!!
  50. 5.10 Summary
  51. 6.
  52. 6.1 Overview
  53. 6.2 Getting Started
  54. 6.3 The Bassmaster Plugin
  55. 6.4 Vulnerability Discovery
  56. 6.5 Triggering the Vulnerability
  57. 6.6 Obtaining a Reverse Shell
  58. 6.7 Summary
  59. 7.
  60. 7.1 Overview
  61. 7.2 Getting Started
  62. 7.3 Introduction
  63. 7.4 Serialization Basics
  64. 7.5 DotNetNuke Vulnerability Analysis
  65. 7.6 Payload Options
  66. 7.7 Putting It All Together
  67. 7.8 ysoserial.net
  68. 7.9 Summary

2. Atmail Mail Server Appliance:
from XSS to RCE

2.1 Overview

In this module, we will cover the in-depth analysis and exploitation of a stored cross-site scripting (XSS) vulnerability identified in Atmail that can be used to gain access to an authenticated session. After gaining administrative user privileges in the Atmail web interface using the XSS vulnerability, we will then escalate the attack by leveraging the ability to manipulate global configuration settings with the goal of lowering the default security posture of the Atmail web application. This will ultimately allow us to upload arbitrary files, resulting in remote code execution on the target system. Versions Affected: 6.4 and below

In order to access the rest of this course content, you must enroll in Offensive Security's Advanced Web Attacks and Exploitation online course.

  • Explore unique challenges and vulnerabilities related to web applications
  • Gain access to OffSec's innovative virtual labs for a unique, hands-on learning experience
  • Earn the highly sought-after Offensive Security Web Expert (OSWE) certification
  • 2.2 Getting Started

    Make sure to revert the Atmail virtual machine from your student control panel before starting this module.

    The Atmail Webmail System has two different (but similar) web interfaces: one for webmail and the other for the mail server administration. Please refer to the student control panel for the credentials of both web interfaces.

    In the examples that follow, the IP address of the Atmail server is mapped to the hostname

    2.3 Atmail Vulnerability Discovery

    As described by its vendor,the Atmail Mail Server appliance is built as a complete messaging platform for any industry type. Atmail contains web interfaces for reading email and server administration, providing a rich web environment and most interestingly, a large attack surface.

    In this part of the module, we will start by attempting to detect XSS vulnerabilities with the help of a fuzzing tool.

    2.4 Session Hijacking

    Depending on any session protection mechanisms that may be present in the Atmail server, we now may have the ability to steal cookies and session information. This would allow us to impersonate our victim and access their webmail from a different location while bypassing any authentication. This is known as a session hijacking attack and is a well known vector while attacking web applications. To implement this attack vector, we can choose one of two options.

    Recall that these two choices are based on the results of our fuzzing efforts from the previous section.

    2.5 Session Riding

    Since we are targeting an administrative Atmail user, we could have unrestricted access to the application. However, while we have successfully hijacked the admin’s Atmail session, we will only be able to impersonate the target user as long as the session is alive. In other words, should the admin user log out, the session cookie will be invalidated and prevent us from accessing the admin’s Atmail interface and finishing whatever attack we planned.

    2.6 Gaining Remote Code Execution

    • 2.6.1 Overview

      As attackers, we want to find a way to gain full control of our target, and that means compromising the entire underlying operating system. Of course, one vulnerability alone is not always sufficient. Often, we have to use more than one in the audited application, or even target a different software running on the system.

    2.7 Summary

    In this module, we first discovered and then later exploited an XSS vulnerability in the Atmail Server.

    We showed how this vulnerability is triggered when a user views their inbox.

    We then combined it with a post-authenticated payload that will send an email on behalf of the administrator to any user, essentially spoofing the administrator.

    Finally, we walked through a file upload vulnerability so that you can build an end-to-end exploit combining all the vulnerabilities that will result in remote code execution and compromise the underlying server.

Menu
X Close

 

Certified Pentesting
Professional

OSCP
course starting at
$800 USD

Take Penetration Testing with Kali Linux to gain invaluable penetration testing skills and earn your OSCP.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSCP

Certified Pentesting
Expert

OSCE
course starting at
$1200 USD

Take Cracking the Perimeter to take your penetration testing skills to expert levels and earn your OSCE.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSCE

 

Certified Pentesting
Web Expert

OSWE
course starting at
$1400 USD

Take Advanced Web Attacks and Exploitation, to deep dive into web apps to earn your OSWE.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSWE

Certified Pentesting
Wireless Professional

OSWP
course starting at
$450 USD

Take Offensive Security Wireless Attacks to acquire knowledge about Wi-Fi attacks and earn your OSWP.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSWP

Certified Exploitation
Expert

OSEE
course starting at
See
Live Schedule

Take Advanced Windows Exploitation to develop exploits for Windows systems and earn your OSEE.

  • Live training course
  • Includes certification exam fee
  • Maximum instructor interaction
  • Highly challenging
  • Become an OSEE