Carbon Black Cloud Workload Appliance is the first target and VMware vRealize Operations Manager is the second target.
While reviewing the application, they found an API called getServiceToken, which is marked as fully accessible in Spring. It is an internal authentication route that sends back a valid JWT for making further requests. Can we hit it directly? No, we cannot.
In front of it sit routing and proxy servers that do a fair amount of route rewriting. The rule had two main points: requests for /acs/api/v1/service-token are redirected to /no_cloud, and everything else under /acs/ is forwarded to the backend. When using a denylist, the frontend and backend servers must agree exactly on how a route is interpreted.
From there, they did the best thing possible: they read the documentation. The Envoy docs point out that path normalization is disabled by default. This means a URL-encoded form of the denylisted path does not match the rule and is forwarded as normal, and the Tomcat server behind the proxy later normalizes it itself. The result is a token with superuser privileges for everything.
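The mismatch described above is a general one: a proxy that compares the raw request path against a denylist, in front of a backend that percent-decodes and removes dot-segments before routing, will disagree with that backend on which requests the rule covers. The following added example (mine, not code from the talk or from VMware) models both views of a path and shows the hardened check, which normalizes the path exactly as the backend will before applying the rule. The denylisted prefix mirrors the route named in the post; the request paths are constructed, and the dot-segment case goes beyond the percent-encoding case the post mentions.

```python
# Added example (not code from the talk or from VMware): how a proxy denylist that
# matches the raw request path disagrees with a backend that normalizes the path
# first, and how matching on the normalized form closes the gap.
from urllib.parse import unquote
import posixpath

# Constructed to mirror the rule described above: this one route must never reach the backend.
DENYLISTED_PREFIXES = ("/acs/api/v1/service-token",)


def proxy_denies_raw(raw_path: str) -> bool:
    """Denylist check as a proxy with path normalization disabled performs it: on the raw string."""
    return raw_path.startswith(DENYLISTED_PREFIXES)


def backend_view(raw_path: str) -> str:
    """Approximates what a servlet container sees: percent-decoding, then dot-segment removal."""
    decoded = unquote(raw_path)
    normalized = posixpath.normpath(decoded)
    # normpath strips a trailing slash; keep it so "/acs/" stays distinguishable from "/acs".
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def proxy_denies_normalized(raw_path: str) -> bool:
    """Hardened check: normalize the same way the backend will, then apply the denylist."""
    return backend_view(raw_path).startswith(DENYLISTED_PREFIXES)


def audit(raw_path: str) -> dict:
    """Report where the two checks disagree; a True 'mismatch' means the raw-path rule is bypassed."""
    raw = proxy_denies_raw(raw_path)
    hardened = proxy_denies_normalized(raw_path)
    return {
        "raw_path": raw_path,
        "backend_sees": backend_view(raw_path),
        "raw_denylist_blocks": raw,
        "normalized_denylist_blocks": hardened,
        "mismatch": hardened and not raw,
    }


if __name__ == "__main__":
    # Constructed request paths: the literal route, a percent-encoded variant, a dot-segment variant.
    for path in ("/acs/api/v1/service-token",
                 "/acs/api/v1/%73ervice-token",
                 "/acs/api/v1/../v1/service-token"):
        print(audit(path))
```

Two practical notes. In Envoy the relevant switch is `normalize_path` on the HTTP connection manager; turning it on makes the proxy match on the normalized form, which is what `proxy_denies_normalized` simulates. Even then, the safer design is an allowlist of routes that are meant to be reachable, so that an unanticipated spelling of a path falls through to "deny" rather than to "forward".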
Moving to Operations Manager, they found several unauthenticated endpoints. One of them, /casa/nodes/thumbprints, takes an IP address as a parameter. Since the server appends its own path after that value, putting a question mark (?) at the end of our input lets us supply the complete path ourselves.
Using this SSRF, they could call authenticated endpoints with a GET request to steal the passwords exchanged between nodes, among other things. This was great since it gave access to endpoints that are normally out of reach. Even better, the auth token itself can be captured by pointing the request at a host we control.
Once we have these credentials, it is possible to reset the admin password. Since that is noisy and not much fun, they looked for something else and found a fairly classic directory traversal that could be used to write a JSP shell into the web directory. That endpoint can then be requested directly to execute arbitrary commands on the device.
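The root cause of this SSRF is that an address parameter is concatenated into a URL as text, so a `?` in the value demotes the server's own appended route to a query string. The following added example (mine, not code from the talk or from VMware) contrasts that pattern with a builder that parses the parameter as an IP address and checks it against a known-peer set before any URL is built. The appended route `NODE_ROUTE` and the peer set are hypothetical; the real route is not on the page.

```python
# Added example (not code from the talk or from VMware): an endpoint that takes an IP
# address and appends its own path to it must treat the value as an address, not as a
# string fragment, or the caller ends up choosing the path.
import ipaddress
from urllib.parse import urlsplit

# Hypothetical internal route the node endpoint appends; the real one is not on the page.
NODE_ROUTE = "/casa/node/thumbprint"

# Constructed set of peers this node is allowed to talk to.
KNOWN_PEERS = {"10.0.0.5", "10.0.0.6"}


def build_node_url_unsafe(node: str) -> str:
    """String concatenation as described above: whatever arrives in `node` becomes part of the URL."""
    return f"https://{node}{NODE_ROUTE}"


def route_controlled_by_caller(url: str) -> bool:
    """True when the appended route no longer forms the path: it was demoted to query or fragment."""
    parts = urlsplit(url)
    return not parts.path.endswith(NODE_ROUTE) or bool(parts.query) or bool(parts.fragment)


def validate_node(node: str) -> bool:
    """Accept only a literal IP address that is a known peer; anything else, including a
    trailing '?' or an extra path segment, is rejected before URL construction."""
    try:
        addr = ipaddress.ip_address(node)
    except ValueError:
        return False
    return str(addr) in KNOWN_PEERS


def build_node_url_safe(node: str) -> str:
    """Hardened builder: validate first, bracket IPv6 literals, then construct the URL."""
    if not validate_node(node):
        raise ValueError(f"rejected node parameter: {node!r}")
    addr = ipaddress.ip_address(node)
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"https://{host}{NODE_ROUTE}"


if __name__ == "__main__":
    # Constructed parameter values: a plain peer address and one carrying its own path and '?'.
    for candidate in ("10.0.0.5", "10.0.0.5/status?"):
        unsafe = build_node_url_unsafe(candidate)
        print(candidate, "->", unsafe,
              "| caller controls route:", route_controlled_by_caller(unsafe),
              "| validate_node:", validate_node(candidate))
```

On the detection side, `route_controlled_by_caller` is the check worth running over the URLs such a service actually requests: any outbound node-to-node request whose path is not the expected route, or that carries a query or fragment, is a sign the parameter was not validated.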
Overall, some great bugs! In particular, I enjoyed the non-traditional SSRF exploit and the URL encoding for the auth bypass. As we see here, denylists never seem to work.