hack an airline to fly for free

The fifth part, in which pentesters gain the all-seeing eye

And now to IDOR. Access to some objects in the customer's infrastructure was implemented via direct links containing “unique” identifiers, but the system never checked whether the identifier actually belonged to the requesting user. I put “unique” in quotes because these IDs had about as much entropy as the password “qwerty123”. And the icing on the cake: the vulnerability worked both inside and outside the VPN. All we needed was an account in the airline's domain.

Yes, through /api_export/index.php we gained access to the personal data of every passenger simply by supplying an order number. Full names, email addresses, telephone and ticket numbers, routes and departure/arrival dates were all available to us. In some cases a partial bank card number and the order cost were visible as well.

Picturing the media headlines (“Data of millions of passengers found in the public domain”), we promptly rated this vulnerability as critical and issued recommendations:

  • check whether the user has access rights to the requested objects;

  • generate the identifiers used in IDOR-prone parameters from a random source with enough entropy that they cannot be brute-forced in any foreseeable time;

  • implement limits on the number of requests from one IP address;

  • carefully check each API endpoint for unauthorized access.
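The four recommendations above, as an added example that is not part of the original write-up or the airline's code. It uses a constructed in-memory order store and treats the export handler as a plain Python function; the function and variable names (`handle_export`, `PublicIdMap`, `RateLimiter`) are assumptions for the sake of illustration. It shows the vulnerable lookup beside the fixed one, opaque 128-bit public references in place of sequential order numbers, and a sliding-window per-IP limit.

```python
import secrets
import time
from collections import defaultdict, deque

# Constructed sample order store standing in for the airline's database.
# Keys are the sequential, guessable order numbers the original endpoint accepted.
ORDERS = {
    "1001": {"owner": "alice", "passenger": "Alice A.", "route": "SVO-LED"},
    "1002": {"owner": "bob", "passenger": "Bob B.", "route": "LED-SVO"},
}


def get_order_vulnerable(order_id, user):
    """The IDOR pattern: whoever knows (or guesses) the order number gets the record."""
    return ORDERS.get(order_id)


def get_order_fixed(order_id, user):
    """Ownership check. 'Missing' and 'not yours' look identical to the caller,
    so the endpoint does not become an oracle for which order numbers exist."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return None
    return order


class PublicIdMap:
    """Map internal sequential ids to opaque public references.

    secrets.token_urlsafe(16) yields 128 random bits (22 characters), which is
    not enumerable the way '1001, 1002, ...' is. The ownership check above is
    still required: unguessable ids reduce exposure but do not replace authz."""

    def __init__(self):
        self._by_public = {}
        self._by_internal = {}

    def public_id_for(self, internal_id):
        if internal_id not in self._by_internal:
            ref = secrets.token_urlsafe(16)
            self._by_internal[internal_id] = ref
            self._by_public[ref] = internal_id
        return self._by_internal[internal_id]

    def internal_id_for(self, public_id):
        return self._by_public.get(public_id)


class RateLimiter:
    """Sliding-window limit on requests per client address."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def allow(self, client_ip, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[client_ip]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_export(public_ref, user, client_ip, ids, limiter, now=None):
    """Hardened stand-in for the export handler: returns (http_status, order_or_None)."""
    if not limiter.allow(client_ip, now):
        return 429, None
    internal = ids.internal_id_for(public_ref)
    order = get_order_fixed(internal, user) if internal is not None else None
    if order is None:
        return 404, None
    return 200, order


if __name__ == "__main__":
    ids, limiter = PublicIdMap(), RateLimiter(limit=5, window_s=60)
    alice_ref = ids.public_id_for("1001")
    print("vulnerable, alice asks for 1002:", get_order_vulnerable("1002", "alice"))
    print("fixed, alice asks for 1002:", get_order_fixed("1002", "alice"))
    print("fixed, alice asks for own order:", handle_export(alice_ref, "alice", "10.0.0.5", ids, limiter))
```

The point of `get_order_fixed` returning the same `None` for an unknown id and for someone else's id is that the response must not reveal which order numbers exist; the rate limiter then makes even a blind sweep slow.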

The sixth part, in which pentesters can make themselves known to the whole world

After we gained access to passengers' personal data, we came across another useful API handler, /rest/index.php, which allowed sending SMS on behalf of the company.

POST https://сайт_авиакомпании/rest/index.php?handler=bus_send_sms HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

phone=79999999999&text=Бастиону привет!&type=mobileapp promotion

Using this “feature” it would have been easy to launch a large-scale phishing campaign (“Your flight has been cancelled. To get a refund, follow the link…”) or simply to make mischief by draining the SMS gateway's balance.

Send SMS to any number

A similar problem existed with email, except that here it was possible to send messages on behalf of any user in the corporate domain.

POST https://сайт_авиакомпании/rest/index.php?handler=mail_send HTTP/1.1
Content-type: application/x-www-form-urlencoded

params={"from":"admin@сайт_авиакомпании","to":"почтовый@домен.com","subject":"321","body":"123"}&headers=
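What a hardened version of the two messaging handlers looks like, as an added example that is not part of the original write-up or the airline's code. It assumes a constructed session table and contact list, and the names `send_sms_fixed`, `send_mail_fixed` and `Outbox` are illustrative. The recipient is derived from the authenticated account rather than the request, the SMS text comes from server-side templates rather than free text, the mail sender is fixed by the server, and the `headers` parameter of the original endpoint simply does not exist.

```python
import re

# Constructed sample data: who is logged in, and which contact details each
# account has on file. The recipient of a message is derived from the account,
# never taken from the request as the original bus_send_sms handler did.
SESSIONS = {"tok-alice": "alice"}
USER_CONTACTS = {"alice": {"phone": "79990000001", "email": "alice@example.com"}}

# The client picks a template and fills named fields; it never supplies free text,
# so the endpoint cannot be turned into a phishing SMS gateway.
SMS_TEMPLATES = {
    "booking_confirmed": "Your booking {order} is confirmed.",
    "gate_changed": "Gate for flight {flight} changed to {gate}.",
}
FIELD_RE = re.compile(r"^[A-Za-z0-9 -]{1,32}$")  # no URLs, no control characters

# Server-owned sender. The client-supplied "from" of the original mail_send
# handler is ignored entirely.
FIXED_SENDER = "noreply@airline.example"


class Outbox:
    """Stand-in for the SMS gateway / MTA; records what would have been sent."""

    def __init__(self):
        self.sent = []


def send_sms_vulnerable(outbox, params):
    """Mirror of the original behaviour: no session, any phone, any text."""
    outbox.sent.append(("sms", params["phone"], params["text"]))
    return 200


def send_sms_fixed(outbox, session_token, template, fields):
    """Returns an HTTP-style status code; sends only on 200."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401
    tpl = SMS_TEMPLATES.get(template)
    if tpl is None:
        return 400
    if not all(isinstance(v, str) and FIELD_RE.match(v) for v in fields.values()):
        return 400
    try:
        text = tpl.format(**fields)
    except KeyError:  # a template placeholder was not supplied
        return 400
    phone = USER_CONTACTS[user]["phone"]  # from the account, not the request
    outbox.sent.append(("sms", phone, text))
    return 200


def send_mail_fixed(outbox, session_token, subject, body):
    """Sender is fixed, recipient is the account's own address. CR/LF in the
    subject is rejected so no extra headers can be smuggled into the message."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401
    if not subject or "\r" in subject or "\n" in subject or len(subject) > 200:
        return 400
    outbox.sent.append(("mail", FIXED_SENDER, USER_CONTACTS[user]["email"], subject, body))
    return 200


if __name__ == "__main__":
    ob = Outbox()
    print(send_sms_fixed(ob, "tok-alice", "gate_changed", {"flight": "SU100", "gate": "B12"}), ob.sent[-1])
    print(send_sms_fixed(ob, "tok-alice", "gate_changed", {"flight": "http://evil.example", "gate": "B12"}))
```

The template whitelist is the part that actually removes the phishing risk: even an authenticated caller can only cause one of a few pre-approved sentences to be sent, and only to their own number.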

The seventh part, in which the Bastion team receives all the keys

So, we had already made our way into the domain from the open Internet, but we wanted more. We decided to go all-in and take a swing at the holy of holies: domain admin rights and the company's key systems:

  • infrastructure components (including Active Directory domain);

  • information security systems;

  • database management systems;

  • administrators' workstations and data storage systems;

  • electronic document management systems;

  • financial systems (including 1C).

First of all, we connected to the server via RDP and obtained local administrator rights on it. To continue the pentest we needed to download certain tools, but the antivirus was watching the host. So we created a new ClusterStorage directory in the root of the C: drive, a path included in the antivirus's default exclusions. Thanks to this, we were able to download the necessary software and continue working.

Next we used the psexec.exe utility, which gave us SYSTEM rights. This allowed us to find a domain admin token; with it we launched a command prompt and created a new account with domain administrator rights.

Step-by-step adding a user to the Domain Administrators group

So, as a result, we obtained:

  • access to backups (domain administrator rights let us connect to the backup server via RDP);

  • control over antivirus;

  • control over the 1C-Bitrix system;

  • the ability to manage different databases and password storage systems.

For example, we gained access to 1C Enterprise because we found a certain scheduled task called “Start Robot SBIS”.

Script to run on schedule

Every day it obediently launched a script, which in turn launched 1C. This script contained the credentials for connecting to 1C Enterprise.

Access to 1C Enterprise

To avoid this, read access to the script the task runs should have been restricted, and perhaps the task and the file hidden from everyone except SYSTEM or individual administrators.

The part where we draw conclusions

So, as if in a Hollywood blockbuster, we went from a modest SSRF to full control over the domain, collecting an impressive haul of “trophies” along the way, from promo codes to administrator keys.

General pentest scheme

What's the bottom line? The perimeter is like a sieve, passwords are stored as if it were 2007, and there is no network segmentation at all. And the icing on the cake: access to critical systems is available almost at the first click.

The growing complexity of systems, a lack of resources, the human factor: the reasons are clear, but what should you do in such a situation? First, fix the basics:

  1. Clean up the perimeter. Putting a WAF in front won't hurt.

  2. Switch to proper password storage. Argon2, or at least bcrypt, will help.

  3. Segment your network as if you were designing a doomsday bunker.

  4. Two-factor authentication for everything that moves and everything that doesn't.

  5. Schedule regular security audits.

But the main thing is not to rest on your laurels. There is no finish line in our business, only an endless arms race. Today you are King of the Hill, and tomorrow you are already on the list of leaks on some unsavoury forum.

What do you think about this? Share your stories and life hacks in the comments. I'm sure we have a lot to learn from each other!
