7MS #236: From "Derp!" to Domain Admin with MOVEit Central
Be sure to scroll down and view the whole post as there is both audio and video coverage of today's episode!
Intro
A few weeks ago I was asked to do a pentest with some odd restrictions. The target was a popular commercial Webapp called MOVEit Central, and I would only have RDP access to a terminal server with access to the app. To make things more challenging, I wasn't allowed to have a Kali VM with my usual toolset on the same subnet, nor was I even allowed an account to log into MOVEit with.
So, the challenge was to do a pentest on a Webapp with pretty much no information or tools. I had a big fat sad face when I started the test, but that frown soon got turned into a psychotic grin that even Nic Cage would've been proud of (see today's video to see it in action)!
Important links
- Background info about the MOVEit app.
- Details on the MOVEit scripting engine commands - the most fun of which is MiRunCommand :-)
- Once you've got local admin, check out my write-up on what I've learned so far about Empire to get your initial shell and start looking for additional interesting info like password hashes, enumerating other machines, etc.
- Check out the "quick wins" section of my BPATTY privesc page for additional things you might want to look for on a compromised host (LLMNR/WPAD/etc.)
Video:
Here's the complementary video content for today's audio podcast: