Full Company Building Takeover
Hello everybody, Most of the time you read about account takeover or Infrastructure takeover but did you heard before about Company building takeover, Today I will share with you an interesting vulnerability that I found while hunting on one of the programs on Hackerone, so let’s refer to our target as Target-IP.com
So i started by taking a look at shodan
ssl:<Company ssl name>
I found in the result some IPs that contain some login panels after spending some time on other IPs but I didn’t find anything that deserved to be reported until I found our Desired IP where our story Begins
After accessing the IP i found eMerge login panel
After some information gathering, I found it’s a product that is commonly used between Company to manage Company building
I started to see if there is any public exploits
So let’s start by taking a look on searchsploit
┌──(omar㉿kali)-[~]
└─$ searchsploit “emerge”
Nice there some juicy exploits here
But unfortunately none of them worked
So I completed my search on other websites for any public exploits on Google, packetstorm, GitHub, etc…
Found some other exploits but it looks like the product is patched
While analyzing headers i found that header
PHP version is PHP/5 and we have login panel so what do you think is the best attack scenario for this version ?
it’s PHP Type Juggling
So let’s move to login request
The parameters are sent in POST request as a string and to be able to test PHP Type Juggling we need to test it with content type that saves parameter data type if it is string or integer e.g. JSON
So i changed the content type and parameters to send the request in JSON
But it seems that the back-end doesn’t accept JSON as it can’t recognize the login_id parameter which means our Type Juggling attacks failed before starting
After that, i started to test it for some attacks like SQLI on the login panel but it’s not vulnerable
Tried to get access to the registration endpoint maybe I can register a new user as an admin or less privileged user (e.g register,signup,sign-up,create-new-user)
┌──(omar㉿kali)-[~]
└─$ ffuf -w common-register-endpoints -u https://<Target-IP>/FUZZ
But i got nothing
So i started to doing some heavy fuzzing
┌──(omar㉿kali)-[~]
└─$ python3 dirsearch.py -w my-wordlist -u https://<Target-IP>/ -o dirsearch-output.txt
Left dirsearch working on background
Then started to do an analysis for the JS files hope to find some endpoints that will allow any type of broken access control vulnerabilities, Forced Browsing, exposed tokens, or hard-coded credentials, I tried to get DOM-Based-XSS by finding some sources following them to the sinks or finding any type of hidden parameters while doing all of this I found that dirsearch has finished her job
At first glance, I expected that the “test.txt” file contains nothing except some popular messages that were echoed by the developers like “Hello World!”, “Hi” etc… but let’s check it
Try to enter the credentials on the login panel
The first thing I found in the dashboard were the logs containing the admin’s IP address and the time the employees accessed the building
Okay now i think there is no need to complete my JS analyses anymore 😁
After accessing the login panel as Admin Let’s see what we can do
I found that I can watch live cameras of the Company Building
I found that i can control the building elevators, doors
I can collect employees data and adding new employees with authorization to access the Company building
Final Impact:
Take control of the entire building
Hope you guys enjoyed the write-up
Don’t forget to follow on Twitter
Twitter: @OmarHashem666
