
Apps connecting to Services

  • apps that connect to services often embed connection strings, which can leak credentials if they are not secured

ELF Executable Examination

  • an octopus_checker binary is found on a pentest
  • running the application locally reveals that it connects to a database instance to check the database's availability
  • if it tries to connect to a database, it might contain a string that holds credentials
  • using https://github.com/longld/peda to debug
  • using https://github.com/pwndbg/pwndbg (command reference: https://pwndbg.re/pwndbg/latest/commands/)
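    gdb ./octopus_checker
    pwndbg> set disassembly-flavor intel
    pwndbg> disas main

    # find the call to SQLDriverConnect in main and break on it
    pwndbg> b SQLDriverConnect
    pwndbg> run

    # at the breakpoint, read the registers for the value
    pwndbg> info registers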

DLL File Examination

  • a DLL file is a Dynamic Link Library: it contains code that other programs call while they are running
  • a dll file is found during a pentest
  • Get-FileMetaData .\MultimasterAPI.dll
    • the output says this is a .NET assembly
  • use dnSpy, a debugger and .NET assembly editor, to see the source code directly
  • This tool allows reading, editing, and debugging the source code of a .NET assembly (C# and Visual Basic).
  • Inspection of MultimasterAPI.Controllers -> ColleagueController reveals a database connection string containing the password.
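
A pre-release check for the leak both sections describe, added here as an example and not part of the original notes: it scans a build artifact for connection strings that carry a password, covering ASCII strings (as in the ELF case) and UTF-16LE strings (how .NET stores string literals). The function names, key lists and sample bytes are assumptions constructed for illustration.

```python
import re

# Keys that carry a secret in ODBC / ADO.NET style connection strings.
SECRET_KEY = re.compile(r"(?i)(?:^|;)\s*(pwd|password)\s*=\s*([^;]+)")
# Requiring a target key as well cuts false positives from ordinary text.
TARGET_KEY = re.compile(r"(?i)(?:^|;)\s*(server|data source|dsn|driver|host)\s*=")

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")           # native binaries
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")   # .NET string literals


def extract_strings(blob: bytes):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_connection_secrets(blob: bytes):
    """Return one finding per embedded connection string that has a password."""
    findings = []
    for offset, encoding, text in extract_strings(blob):
        secret = SECRET_KEY.search(text)
        if secret and TARGET_KEY.search(text):
            # Report key and location only; never echo the secret itself.
            findings.append({"offset": offset, "encoding": encoding,
                             "key": secret.group(1).lower(),
                             "secret_length": len(secret.group(2))})
    return findings


# Constructed sample inputs (not taken from any real binary).
SAMPLE_ELF = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 +
              b"DRIVER={ODBC Driver 17 for SQL Server};SERVER=db.example.test,1401;"
              b"UID=app_user;PWD=ExamplePassw0rd;\x00libodbc.so.2\x00")
SAMPLE_DLL = (b"MZ\x90\x00" + b"\x00" * 4 +
              "server=localhost;database=Example_DB;uid=app_user;password=ExamplePassw0rd"
              .encode("utf-16le") + b"\x00\x00")

if __name__ == "__main__":
    for name, blob in (("elf", SAMPLE_ELF), ("dll", SAMPLE_DLL)):
        print(name, find_connection_secrets(blob))
```

A non-empty result on a release artifact means the credential should move out of the binary, for example into a secrets store or an environment-provided configuration value, and be rotated.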