.NET Insecure Deserialization

Task 1. Perform reconnaissance and find a SOAP-based web service. Interact with all services on the web server to find the one you can talk to via SOAP messages.

Note: The binary used is based on NCC Group's vulnerable remoting service: https://github.com/nccgroup/VulnerableDotNetHTTPRemoting

Task 2. Execute code on the remote machine. Use ysoserial.net to generate a payload in SoapFormatter format. Note that you might need to remove the <SOAP:Body> tags from the resulting payload before testing, and make sure you respect the format of SOAP messages (envelope, headers, content type).

Task 3. Get command output using an out-of-band channel. Turn blind code execution into non-blind code execution: prove this is possible by executing a command and retrieving its output through an out-of-band channel (a host you control that the target can reach).

The web application.

Viewing the source code reveals the .NET remoting endpoint.

Checking if the application reacts to a SOAP message.

Generate a payload using ysoserial.net.

The generated payload is below. Because the SoapFormatter output is plain XML with no length prefix on strings (unlike a BinaryFormatter payload), you can edit [command] in place without regenerating the payload.

In Burp:

  • Remove the SOAP Body tags (keep their contents and the surrounding envelope)

  • Set the Content-Type header to text/xml

  • To have a valid SOAP message, a dummy SOAPAction header is required. This is a requirement of SOAP itself and not specific to this lab.

  • If you receive an error stating "Requested service was not found", you may also need to remove some whitespace and newlines from the message

Create a file named payload.txt with these contents:

And then replace [command] with this:

Observe the results of the whoami command.
