VMware Hands On Labs Vulnerability

A few years ago I found an interesting vulnerability in the VMware Hands On Labs. I reported it and it got fixed but I found out at VMware Explore this year that I can disclose what I found. So 3 or 4 years later here we go.

TL;DR: outbound connections to any IP were possible from internet-enabled labs, including reverse shells.

Long version:

I was playing around trying to figure out if it was possible to import and exfiltrate data from the labs. My original idea was to use a QR code generator in PowerShell and a screen scraper to get data out, and to use base64 encoding to get things in through the clipboard function. This was when they had Windows control VMs, so PowerShell was the method of choice. After messing around with that I got bored and went spelunking. I found that the vPod Router that was used for internal lab routing and internet access was using DNS names as ACLs for outbound access. For instance, you could access http://www.vmware.com but not other URLs. When exploring how the local machine was doing name resolution, I found that the local domain controller was resolving public host names itself. So there was an outbound connection possible. The old joke "it's always DNS" got me thinking. Would it be possible to create a new zone on the domain controller to trick the router into thinking it was talking to http://www.vmware.com when in fact I was supplying the destination IP? So I set *.vmware.com to point to my IP at home. Then I set up HAProxy to accept the connection and, based on the host name, send it to a specific port on a machine running meterpreter. One host name for an HTTPS server that hosted an HTTPS reverse shell binary and one for the reverse shell listener.

I loaded up the web browser in the lab, connected to the right hostname in the vmware.com zone, and I was able to download the reverse shell binary. After that, just running the executable provided a reverse meterpreter session from the lab to my local machine, and I was able to do anything I wanted inside the lab from my local machine, including uploading and downloading anything. Of course I called up the Hands On Labs team and informed them of the issue, gave them a demo and a recording, and decided to forget about it until they told me it was patched. It took some time and was a monumental effort by the team. One time I was even talking to someone on the team and they mentioned something about a vulnerability and how much work it was to fix. I of course smiled at them and apologized while laughing to myself. Anyways. That's the long version of how I "hacked" the Hands On Labs.
