About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Unauthorized RCE in VMware vCenter- 401

Mikhail Klyuchnikov - PtsecurityPosted 5 Years Ago
  • Using Burp Suite, the author was looking for authorization issues within the application. They noticed that a particular plugin did not require a session cookie or API key to be used.
  • One of the functionalities of this plugin was a file upload. Using this, an arbitrary tar file could be uploaded to the server, which was then un-archieved in process. In a non-shocking turn of events, the tar library did NOT filter out directory traversal attempts!
  • With the directory traversal and lack of authorization together, an arbitrary file could be loaded to an arbitrary location! Using this, it is possible to get RCE on both Windows and Linux by overriding either a .jar file or by adding an ssh key.

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed