Hello everybody! Most of the time you read about account takeover or infrastructure takeover, but have you ever heard of a company building takeover? Today I will share an interesting vulnerability that I found while hunting on one of the programs on HackerOne. Let's refer to our target as Target-IP.com.
I started by taking a look at Shodan with the query:
ssl:<Company ssl name>
In the results I found some IPs hosting login panels. After spending some time on the other IPs without finding anything that deserved to be reported, I came across the IP where our story begins.
After accessing the IP, I found an eMerge login panel.
After some information gathering, I found that it's a product commonly used by companies to manage their buildings.
I started to check whether there were any public exploits.
Let's start by taking a look at searchsploit:
┌──(omar㉿kali)-[~]
└─$ searchsploit "emerge"
Nice, there are some juicy exploits here.
But unfortunately none of them worked.
So I continued my search for public exploits on Google, Packet Storm, GitHub, etc.
I found some other exploits, but it looks like the product is patched against them.
While analyzing the response headers, I found this header:
The PHP version is PHP/5, and we have a login panel, so what do you think is the best attack scenario for this version?
It's PHP type juggling.
So let's move to the login request.
The parameters are sent in the POST body as strings. To test PHP type juggling we need a content type that preserves each parameter's data type (whether it is a string or an integer), e.g. JSON.
So I changed the content type and the parameters to send the request as JSON.
But it seems the back-end doesn't accept JSON, as it can't recognize the login_id parameter, which means our type juggling attack failed before it even started.
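To show why the JSON body matters, here is an added illustration in PHP; it is my own code, not the eMerge product's. It assumes a handler that compares the submitted password against a stored value with a loose comparison, beside the strict version that closes the hole; the stored value and JSON bodies are constructed for the demo.

```php
<?php
// Added illustration (not the eMerge product's code). The stored password and
// the JSON bodies are constructed; a real handler would compare password hashes.
$stored = 'correct-horse';

// Loose comparison, the pattern PHP 5 type juggling targets: == converts
// both operands to a common type before comparing them.
function login_loose($submitted, $stored) {
    return $submitted == $stored;
}

// Hardened form: reject anything that is not a string, then compare with
// hash_equals() (PHP >= 5.6), which is both strict and constant-time.
function login_strict($submitted, $stored) {
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// A form-encoded POST body can only carry strings, so "true" arrives as a
// plain non-matching string and both checks reject it.
var_dump(login_loose('true', $stored));
var_dump(login_strict('true', $stored));

// A JSON body keeps the boolean type. PHP casts the stored string to bool for
// the loose comparison, and any non-empty string is true, so login_loose()
// accepts the request while login_strict() still rejects it.
$json = json_decode('{"login_id":"admin","password":true}', true);
var_dump(login_loose($json['password'], $stored));
var_dump(login_strict($json['password'], $stored));

// The same juggling hits hash comparisons: two different "0e<digits>" strings
// are both numeric strings equal to zero under ==, but differ under hash_equals().
var_dump('0e1234' == '0e5678');
var_dump(hash_equals('0e1234', '0e5678'));
```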
After that, I tested the login panel for some attacks like SQLi, but it's not vulnerable.
I tried to reach a registration endpoint, hoping I could register a new user as an admin or a less privileged user (e.g. register, signup, sign-up, create-new-user):
┌──(omar㉿kali)-[~]
└─$ ffuf -w common-register-endpoints -u https://<Target-IP>/FUZZ
But I got nothing.
So I started doing some heavy fuzzing:
┌──(omar㉿kali)-[~]
└─$ python3 dirsearch.py -w my-wordlist -u https://<Target-IP>/ -o dirsearch-output.txt
I left dirsearch working in the background.
Then I started analyzing the JS files, hoping to find endpoints that would allow any kind of broken access control, forced browsing, exposed tokens, or hard-coded credentials. I also tried to find DOM-based XSS by identifying sources and following them to sinks, and looked for hidden parameters. While doing all of this, I noticed that dirsearch had finished its job.
At first glance, I expected the "test.txt" file to contain nothing but the usual messages echoed by developers, like "Hello World!", "Hi", etc. But let's check it.
Let's try entering the credentials on the login panel.
The first thing I found in the dashboard were the logs containing the admin's IP address and the times employees accessed the building.
Okay, now I think there is no need to complete my JS analysis anymore 😁
After logging in to the panel as admin, let's see what we can do.
I found that I can watch the live cameras of the company building.
I found that I can control the building's elevators and doors.
I can collect employee data and add new employees with authorization to access the company building.
Take control of the entire building.
Hope you guys enjoyed the write-up.
Don't forget to follow me on Twitter.
Twitter: @OmarHashem666