7MS #236: From "Derp!" to Domain Admin with MOVEit Central
Be sure to scroll down and view the whole post as there is both audio and video coverage of today's episode!
A few weeks ago I was asked to do a pentest with some odd restrictions. The target was a popular commercial Webapp called MOVEit Central, and I would only have RDP access to a terminal server with access to the app. To make things more challenging, I wasn't allowed to have a Kali VM with my usual toolset on the same subnet, nor was I even allowed an account to log into MOVEit with.
So, the challenge was to do a pentest on a Webapp with pretty much no information or tools. I had a big fat sad face when I started the test, but that frown soon got turned into a psychotic grin that even Nic Cage would've been proud of (see today's video to see it in action)!
Background info about the MOVEit app.
Details on the MOVEit scripting engine commands - the most fun of which is MiRunCommand :-)
Once you've got local admin, check out my write-up on what I've learned so far about Empire to get your initial shell and start looking for additional interesting info like password hashes, enumerating other machines, etc.
Check out the "quick wins" section of my BPATTY privesc page for additional things you might want to look for on a compromised host (LLMNR/WPAD/etc.)
Here's the complementary video content for today's audio podcast: