In 2015, Alexey Tyurin from ERPScan presented at the Hack-In-The-Box Amsterdam conference  multiple attack vectors to defeat the widely used Oracle PeopleSoft (or PS) system. Many companies in various market verticals are relying on this massive and complex software to host confidential information about their employees, their students or even about the financial results of the company. Furthermore, many corporations are exposing this platform on the Internet, especially when relying on PS for career portals or student portals. A year later, I am still amazed to see publicly accessible systems or internal PeopleSoft deployments during our intrusion testing practice that are vulnerable to these common attack vectors. These deployments fail to deliver a useful result, putting the entire company workforce identity at risk. The following post will explain how to attack the PS_TOKEN, as well as describe our contributions to John the Ripper and oclHashcat in order to speed up the cracking process.
As a penetration testers, we rarely have to find ‘zero day’ vulnerabilities or perform ‘bug hunting’ in order to compromise Windows Active Directory Domains. However, in one of these rare cases while performing an internal penetration test for a client, we had to do so. Lansweeper is an inventory software that scans your network in order to gather system information such as patch level, network interfaces, resources status, etc. We were fairly surprised during this test when we were able to access Lansweeper 5's dashboard with a regular user account. Our customer was actually shocked and swore that he had configured only Domain Admin access on this Web interface. According to him, a recent update must have reset the login permission on the dashboard. At first, we were doubtful that explanation would hold up to scrutiny. Our curiosity increased when we realized that Domain Admin accounts, SSH keys, Linux root passwords and all the “juicy stuff” one normally finds in a password vault is stored on a Lansweeper server. The result of our experimentation: Three vulnerabilities were identified that led to the full compromise of our customer’s network infrastructure. Later that week, our client sent us a copy of an email exchange with Lansweeper (formerly Hemoco) confirming the issues reported and that everything should be fixed by version 6.