
Keys flagged but don't seem to work

Open random-robbie opened this issue 11 months ago • 9 comments

Hey,

During a test I got these back...

 __ )              |                                |
 __ \    _` |   _` |   __|   _ \   __|   __|   _ \  __|   __|
 |   |  (   |  (   | \__ \   __/  (     |      __/  |   \__ \
____/  \__,_| \__,_| ____/ \___| \___| _|    \___| \__| ____/

v0.6.21

Known Secret Found!

Detecting Module: ASPNET_Viewstate

Product Type: ASP.NET Viewstate
Product: Viewstate: 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 Generator: 27842C6F
Secret Type: ASP.NET MachineKey
Location: body
Secret: validationKey: 87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC validationAlgo: SHA1 encryptionKey: E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7 encryptionAlgo: AES
Severity: CRITICAL
Details: Mode [DOTNET45]

Tried to exploit the site for the client but wasn't able to.

Threw the keys into blacklist3r (ASP version) to confirm it can decode them and got this. Which makes me think this is a false positive, as the original blacklist3r should be able to decode the viewstate if the keys are correct.

type test.txt
87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC,E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7
E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7,87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC

bigfix@BIGFIX C:\Users\bigfix\Downloads\AspDotNetWrapper>AspDotNetWrapper.exe --keypath test.txt --encrypteddata "y4QaoBx2GBiLVt/52Pt9Q993e/NiVmdexFdnFxyEL6X0QJRfWTKHMYiAY4bXNVWSHsvkCenKDATanKElOiq26BVrXJzhnJpAwjF35xNo9paMv5BprUY61fz8JWb1XFzVEDhv/GyDJqSndGiGKJzC+EGx/ot5o4Ig04ZSUq34ZWla2u4/CAlNxlrotQDHEVVDMmjDNUiLSY8ojc5JJJBypbje4DMJ0hfPK8ZEq5YNKmpyUcPGVqcXwSMMGgAcVI50q8+03eyhmT9TGQcFvuaESzVIsYQ5HjON0jXRpXiZ6LKuPZTV1dTZjaxWcUX757AJcaPOEN3cmjTB+x9l9QXm2vC5Etv9fad8GBoeR9DqajgAbgvbEDNxkgkc9zvIEVIy3BOPG4sQgPMoB+tSzhYw7QePlKffYAAaXocrjh6BbZdJMV7sDlhEGwlYyFSdUThvDwIP9WsWtPRSi+omZwt8+7J2HEDLij0g3F2UKDi5MLqN+OutWTiYo5i1P+ctWWiRlqd/BoHbDauRYjupQUwbvILM+rZGaPxhy/C0IZsfZALK2Gd0x4iPV44rhu1N4gIgqpKarqfwHCOX6XlJfGCihjId37tRE8MJBH0xF667CYrDIDD+8v5tTBYlihqsfUr1fyX9VnjBw6wtPB1l5DbcOSofy1nSakjuUhuuIbHaiKJFShBLu55uy4I5+ma0dSfwIpCUag== " --decrypt --purpose=viewstate --modifier=27842C6F --macdecode


Decode process start!!

Pocessing machinekeys TripleDES,HMACSHA512: 2/2..............

Keys not found!!

random-robbie, Dec 18 '24 16:12

Are you getting the same result every time, or did it only happen once?

liquidsec, Dec 18 '24 19:12

I wouldn't necessarily assume BlackList3r is going to get it; there were definitely a few edge cases I got working that they didn't account for.

liquidsec, Dec 18 '24 19:12

Same results every time.

Weirdly, it seems that when badsecrets flags but blacklist3r does not, it means the way to exploit it is different:

badsecrets-only is TextFormattingRunProperties and blacklist3r is TypeConfuseDelegate when using ysoserial.

random-robbie, Dec 19 '24 09:12

Does your last comment imply that you got it to work?

Is the viewstate you posted unmodified? I can't seem to get a detection working just from that.

Also, were you using it in URL mode or manually supplying the viewstate and generator?

In general, I'd say exploitation can be tricky sometimes. I still run into situations where some tiny little detail makes things not work. However, so far, I have never seen a single true false positive from badsecrets. I am sure there have been a few false negatives.

liquidsec, Dec 19 '24 16:12

I was using URL mode, and I'll try to get a list of sites it's flagged on but blacklist3r has not, to see if there is a common output I'm missing that should make it obvious why blacklist3r isn't seeing them but badsecrets is.

random-robbie, Dec 21 '24 14:12

badsecrets -u "https://xxxxx/"

 __ )              |                                |         
 __ \    _` |   _` |   __|   _ \   __|   __|   _ \  __|   __| 
 |   |  (   |  (   | \__ \   __/  (     |      __/  |   \__ \ 
____/  \__,_| \__,_| ____/ \___| \___| _|    \___| \__| ____/ 

Version - 0.9.29

Known Secret Found!

Detecting Module: ASPNET_Viewstate

Product Type: ASP.NET Viewstate
Product: Viewstate: 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 Generator: CA0B0334
Secret Type: ASP.NET MachineKey
Location: body
Secret: validationKey: A1B2C3D4E5F6F6E5D4C3B2A1A1B2C3D4E5F6F6E5D4C3B2A1A1B2C3D4E5F6F6E5D4C3B2A1A1B2C3D4E5F6F6E5D4C3B2A1A1B2C3D4E5F6F6E5D4C3B2A1B2C3D4E5 validationAlgo: SHA1 encryptionKey: A1B2C3D4E5F6F6E5D4C3B2A1A1B2C3D4E5F6F6E5D4C3B2A1 encryptionAlgo: AES
Severity: CRITICAL
Details: Mode [DOTNET40]

I had the same problem.

ssrsec, Mar 14 '25 18:03

@ssrsec My assumption at this point would be that it's a true positive and there is some nuance stopping execution. The tiniest detail can stop it. I have exploited dozens of these and I still get hung up frequently. There are a large number of things that could do so, including EDR blocking execution.

Unless you are willing to DM me the domain so I can take a look, the only thing I can think of that might help confirm would be if you happen to have verbose errors on: I'd like to compare the error message from a ysoserial payload using the keys badsecrets found, and then change a random character.

If those error messages are different (the one where you changed the random character will likely say "invalid viewstate" or something to that effect), that is 100% confirmation the keys are correct.

liquidsec, Mar 14 '25 20:03
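The differential check liquidsec describes above, as an added example that is not part of badsecrets, blacklist3r or this thread. It models the legacy ASP.NET ViewState MAC (HMACSHA1 over the serialized state followed by the 4-byte little-endian __VIEWSTATEGENERATOR modifier, as used before the .NET 4.5 "Framework45" machine-key compatibility mode; that newer mode derives a purpose-specific key and is not modelled here) so that the whole flow runs offline. `fake_server`, `make_server`, the demo payload and the second "wrong" key are constructed stand-ins; against a real target `submit` would be an HTTP POST of the `__VIEWSTATE` field instead. The validation key and generator are the values badsecrets reported at the top of the thread.

```python
# Added example (not the project's code): legacy ViewState HMACSHA1 check plus the
# "flip one character and compare the error" confirmation described in the thread.
import base64
import hashlib
import hmac
import struct
from typing import Callable, Optional, Tuple

SHA1_MAC_LEN = 20
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def generator_modifier(generator_hex: str, viewstate_user_key: Optional[str] = None) -> bytes:
    """Legacy MAC key modifier: __VIEWSTATEGENERATOR as a little-endian uint32,
    followed by the UTF-16LE ViewStateUserKey when the page sets one."""
    modifier = struct.pack("<I", int(generator_hex, 16))
    if viewstate_user_key:
        modifier += viewstate_user_key.encode("utf-16-le")
    return modifier


def sign_viewstate(payload: bytes, generator_hex: str, validation_key_hex: str) -> str:
    """Produce base64(payload || HMAC-SHA1(validationKey, payload || modifier))."""
    key = bytes.fromhex(validation_key_hex)
    mac = hmac.new(key, payload + generator_modifier(generator_hex), hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode()


def viewstate_mac_valid(viewstate_b64: str, generator_hex: str, validation_key_hex: str) -> bool:
    """Recompute the trailing 20-byte MAC and compare in constant time."""
    raw = base64.b64decode(viewstate_b64)
    if len(raw) <= SHA1_MAC_LEN:
        return False
    payload, mac = raw[:-SHA1_MAC_LEN], raw[-SHA1_MAC_LEN:]
    key = bytes.fromhex(validation_key_hex)
    expected = hmac.new(key, payload + generator_modifier(generator_hex), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def mutate_one_char(viewstate_b64: str) -> str:
    """Change one base64 character in the middle of the blob (never the padding) so the
    result still decodes but no longer carries a valid MAC."""
    body = viewstate_b64.rstrip("=")
    i = len(body) // 2
    replacement = B64_ALPHABET[(B64_ALPHABET.index(body[i]) + 1) % 64]
    return body[:i] + replacement + body[i + 1:] + viewstate_b64[len(body):]


def differential_check(submit: Callable[[str], str], candidate_b64: str) -> Tuple[bool, str, str]:
    """Send the candidate and a one-character mutant. If the two answers differ, the
    candidate passed MAC validation and the mutant did not, so the keys are confirmed."""
    r_candidate = submit(candidate_b64)
    r_mutant = submit(mutate_one_char(candidate_b64))
    return (r_candidate != r_mutant, r_candidate, r_mutant)


def make_server(validation_key_hex: str, generator_hex: str) -> Callable[[str], str]:
    """Constructed stand-in for the target: validates the MAC with its own key and answers
    with messages approximating ASP.NET's verbose errors for the two outcomes."""
    def submit(viewstate_b64: str) -> str:
        if not viewstate_mac_valid(viewstate_b64, generator_hex, validation_key_hex):
            return "HTTP 500: Validation of viewstate MAC failed."
        return "HTTP 500: The state information is invalid for this page and might be corrupted."
    return submit


# Key and generator as reported by badsecrets in the first post of the thread.
FLAGGED_KEY = ("87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55C"
               "DB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC")
FLAGGED_GENERATOR = "27842C6F"
OTHER_KEY = "0123456789ABCDEF" * 8            # constructed: a server using a different key
DEMO_PAYLOAD = b"\xff\x01constructed-state"   # constructed: stands in for a serialized page state


def run_demo() -> Tuple[bool, bool]:
    """Returns (confirmed against a server using the flagged key, confirmed against a server
    using some other key). Expected: (True, False)."""
    candidate = sign_viewstate(DEMO_PAYLOAD, FLAGGED_GENERATOR, FLAGGED_KEY)
    hit, _, _ = differential_check(make_server(FLAGGED_KEY, FLAGGED_GENERATOR), candidate)
    miss, _, _ = differential_check(make_server(OTHER_KEY, FLAGGED_GENERATOR), candidate)
    return hit, miss


if __name__ == "__main__":
    print("server with flagged key, server with other key:", run_demo())
```

The useful property is the asymmetry: when the keys are wrong, both the candidate and the mutant die at the MAC check and the responses are identical; when the keys are right, only the mutant does. That is why the comparison confirms the keys even when the gadget chain itself never executes.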

@liquidsec I am using badsecrets to conduct black-box testing on the target. The failure case I sent yesterday is on the intranet and cannot be given to you. Thankfully, I managed to find a website on the Internet that had the same results. You can leave your email address and I will send you the domain name by email.

ssrsec, Mar 15 '25 15:03

liquid3174 on discord if you want to DM me.

liquidsec, Mar 15 '25 17:03

Closed for inactivity. If there are new examples of this, please open a new issue. I have not found a confirmed case of a false positive for viewstate yet.

liquidsec, Aug 13 '25 23:08