During a penetration test conducted at a company, I discovered a vulnerability in the TSplus Remote Access software. The application stored the administrator’s PIN hash in the Windows registry using SHA-256, without employing any security mechanisms such as salt or pepper. The location of this entry was easy to identify thanks to an analysis of the unobfuscated .NET library used by the application. The obtained PIN hash, stored in the registry, was found in a public hash database, allowing immediate recovery of the original value without any cracking effort. As a result, I gained access to the administrator panel, as well as the ability to view and hijack sessions of other users on the same host.
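The storage weakness described above, shown beside a hardened alternative, as an added example that is not TSplus code and not code from the original write-up. The function names, the sample PIN, the pepper handling and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SAMPLE_PIN = "4821"            # constructed sample value, not from the page
PBKDF2_ITERATIONS = 600_000    # assumed work factor; tune for the host


def weak_record(pin: str) -> str:
    """Scheme described on the page: bare SHA-256, no salt, no pepper.
    The digest depends only on the PIN, so every installation that uses
    the same PIN stores the same value, which lookup tables rely on."""
    return hashlib.sha256(pin.encode()).hexdigest()


def _derive(pin: str, salt: bytes, pepper: bytes) -> bytes:
    # Pepper: a secret kept outside the stored record (assumed to come
    # from a protected store). Salt: random and unique per record.
    keyed = hmac.new(pepper, pin.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ITERATIONS)


def hardened_record(pin: str, pepper: bytes) -> dict:
    """Salted, peppered, deliberately slow derivation of the stored value."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _derive(pin, salt, pepper).hex()}


def verify(pin: str, record: dict, pepper: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = _derive(pin, bytes.fromhex(record["salt"]), pepper)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pepper = os.urandom(32)  # constructed for the demo
    print("unsalted, host A:", weak_record(SAMPLE_PIN))
    print("unsalted, host B:", weak_record(SAMPLE_PIN))  # identical
    a, b = hardened_record(SAMPLE_PIN, pepper), hardened_record(SAMPLE_PIN, pepper)
    print("hardened, host A:", a["hash"])
    print("hardened, host B:", b["hash"])                # differs
    print("verify correct PIN:", verify(SAMPLE_PIN, a, pepper))
    print("verify wrong PIN:  ", verify("0000", a, pepper))
```

A short PIN still has a small keyspace, so salting and a slow derivation raise the cost of recovery but should be paired with attempt limiting and restrictive access control on the stored record.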