The following tasks are available in STC01 to perform the frontend setup:
- SAP_FIORI_LAUNCHPAD_INIT_SETUP - To activate launchpad OData and HTTP services on an SAP Gateway system (frontend).
- SAP_SAP2GATEWAY_TRUSTED_CONFIG - To create a trusted connection from an SAP system to SAP Gateway.
- SAP_GATEWAY_ADD_SYSTEM - To connect an SAP system (backend) to an SAP Gateway system (frontend).
- SAP_GATEWAY_ADD_SYSTEM_ALIAS - To create a system alias for an existing remote function call destination (to backend).
- SAP_GATEWAY_ACTIVATE_ODATA_SERV - To activate multiple OData services. OData services are required to initially set up the SAP Fiori Launchpad and the SAP Fiori Launchpad designer.
- SAP_BASIS_ACTIVATE_ICF_NODES - To activate multiple HTTP Services (ICF). The SAP Fiori Launchpad uses the User interface add-on for SAP …

The topic here is this: post-exploitation for SAP systems - not at application level, but at OS level.
Imagine a red-teamer has gained access to a <sid>adm user ID, with SSH or RDP access. What's next?
Well, there's a lot he/she can do. <sid>adm has the rights to query the DB directly. <sid>adm can access userkeystore. <sid>adm typically has the rights to read PSE files and keytabs. <sid>adm typically can access /sapmnt/trans of other SIDs within the landscape. <sid>adm can also access profiles, DEFAULT.PFL, etc., and insert a command line backdoor that will restart each time the application starts.
Watch this space. Am developing that script. :)
SECTION 1: The Possible Probe Points
- Get the SID via /etc/passwd or net users or service query or current user
- Identify possible PSE file location
- Identify any possible cert dumps to get p12 format
- Identify DB and kernel version
- Identify connectivity and userstore - R3trans or sqlplus or hdbsql or sqlcmd etc. …
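
On the defensive side of the profile point above, one check is to compare the command-running entries of an instance profile against a reviewed baseline. This is an added example, not code from the original post; it assumes the sapstart profile keys Execute_NN, Start_Program_NN, Restart_Program_NN and Stop_Program_NN are the ones to watch, and the sample profile, SID and baseline are constructed.

```python
import re

# sapstart runs the value of these profile keys as OS commands at instance start/stop.
COMMAND_KEY = re.compile(r"^(Execute|Start_Program|Restart_Program|Stop_Program)_\d+$")

def command_entries(profile_text):
    """Return a list of (key, command) for every command-running profile line."""
    entries = []
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if COMMAND_KEY.match(key):
            entries.append((key, " ".join(value.split())))
    return entries

def audit_profile(profile_text, baseline):
    """Compare command entries with an approved baseline dict; return findings."""
    findings, seen = [], {}
    for key, cmd in command_entries(profile_text):
        if key in seen:
            findings.append(("DUPLICATE", key, cmd))
        elif key not in baseline:
            findings.append(("ADDED", key, cmd))
        elif baseline[key] != cmd:
            findings.append(("CHANGED", key, cmd))
        seen[key] = cmd
    for key in sorted(set(baseline) - set(seen)):
        findings.append(("REMOVED", key, baseline[key]))
    return findings

# Constructed sample profile (SID "ABC" and all paths are made up).
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = ABC
INSTANCE_NAME = D00
_DW = dw.sap$(SAPSYSTEMNAME)_$(INSTANCE_NAME)
Execute_00 = local rm -f $(_DW)
Start_Program_00 = local $(_DW) pf=$(_PF)
Start_Program_01 = local /usr/local/bin/not_in_baseline
"""

# Constructed baseline, as it would be recorded from a reviewed profile.
BASELINE = {
    "Execute_00": "local rm -f $(_DW)",
    "Start_Program_00": "local $(_DW) pf=$(_PF)",
}

if __name__ == "__main__":
    for status, key, cmd in audit_profile(SAMPLE_PROFILE, BASELINE):
        print(f"{status:9} {key} = {cmd}")
```

Run against DEFAULT.PFL and each instance profile on a schedule, and store the baseline where <sid>adm cannot write to it.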