Be sure to scroll down and view the whole post as there is both audio and video coverage of today's episode!

Intro

A few weeks ago I was asked to do a pentest with some odd restrictions. The target was a popular commercial Webapp called MOVEit Central, and I would only have RDP access to a terminal server with access to the app. To make things more challenging, I wasn't allowed to have a Kali VM with my usual toolset on the same subnet, nor was I even allowed an account to log into MOVEit with.

So, the challenge was to do a pentest on a Webapp with pretty much no information or tools. I had a big fat sad face when I started the test, but that frown soon got turned into a psychotic grin that even Nic Cage would've been proud of (see today's video to see it in action)!

Important links

  • Background info about the MOVEit app.

  • Details on the MOVEit scripting engine commands - the most fun of which is MiRunCommand :-)

  • Once you've got local admin, check out my write-up on what I've learned so far about Empire to get your initial shell and start looking for additional interesting info like password hashes, enumerating other machines, etc.

  • Check out the "quick wins" section of my BPATTY privesc page for additional things you might want to look for on a compromised host (LLMNR/WPAD/etc.)

Video:

Here's the complementary video content for today's audio podcast: