Month: June 2020

THM – Mr Robot

NOTE: This is not a tutorial on the Mr Robot machine hosted by TryHackMe. It is simply an overview of the strategy used to defeat the box, and a reference for that strategy.

The target machine was a simple server hosting a webpage. Other than the web ports and SSH, there was nothing else to exploit. I ran across the WordPress install right after I ran a DirBuster scan on the box. As soon as I saw ‘wp-content’ in the list, I felt pretty comfortable about the organization of the folders. Knowing the WordPress structure through years of experience allowed me to notice if anything of importance stood out. It also allowed me to play with a tool with which I don’t have much experience… WPScan.

It’s not uncommon to run multiple scans at once and look at results in real time as they present themselves. I mentioned the DirBuster results, but I also ran WPScan as soon as WordPress was discovered. I didn’t get many results from that tool other than some suggestions for referenced attacks using Meterpreter (I wasn’t interested in that here) and some information about versions.

WPScan Header Screenshot

Strategy from Here

My TCM course is just about complete. I have about an hour left of the more than twenty-four hours that were offered. Every second of that course has been awesome, and I’m looking forward to more content from Heath Adams. That said, I wanted to mention my technique when it comes to the end of courses. I’ve used this my entire life, and it really helps to solidify the things that you’ve learned.

This week, I plan to grab all of my notes (around 69 pages’ worth) and apply them to this website. You have probably noticed that there are two parts to this webpage… the Blog and the Quick Reference materials. I want to start building a more logical flow for the information that I’ve encapsulated. I am constantly referencing it to find syntax and explanations; I can only do this because I write everything on the site. I don’t feel that any wayfarers would find it organized enough to quickly find what they need. Therefore, I plan to truly separate sections into the different stages of hacking. I certainly don’t mind the techniques being listed at the end of the quick reference, but anything before that needs to be in the order in which you would pen test.

With this goal in mind, I will go through all of those notes that I mentioned and place the material appropriately. I have no doubt that I’ll be adding a ton of content as well. When I’m done with the week, or maybe two depending on how many rabbit holes I go down, I think that my understanding of the material will be cemented. It’s been so much fun on the first round of the material… I guarantee that the second round will be even more exciting. Can’t wait!

Web Application Hacking

The last part of my course is the Web Application Hacking modules. Given that I have been creating web servers for most of my adult life, I was very interested in this next portion. I’ve read several books that mentioned cross-site scripting and the rest, but I have never delved into actually doing it. Needless to say, this was a very exciting part of the course for me.

I think that first and foremost, it would be good to mention the Juice Shop! It’s a Docker container that starts up a web server with challenges covering each web hack that’s out there. It’s nice when you can load up a lab and just start playing, thanks to the hackers before me who had enough insight to create such things. It also has quite the reference library! Just about every hack possible is explained, and that’s such a great thing when you’re just learning about them.


Busy Week for Hacking

As the title implies, it’s been quite the week of learning. I was furiously attempting to finish the course I’m taking so that I can move on to another one. The current one has a little bit of everything when it comes to hacking. The next one will focus directly on privilege escalation for Windows, and I’m looking forward to that!

Most of this week has been dedicated to hacking Windows and playing around with PowerShell to manipulate a computer. There were also some awesome enumeration tools that I was introduced to. Those included PowerView, BloodHound, smbenumgpp, and winPEAS.

Following the enumeration, I learned about some attacks that were pretty awesome. It was impressive how easy it was to take advantage of the convenience of an Active Directory system. Kerberoasting was fun; it uses the Ticket Granting Service to make Windows hand you hashes. From there, it was simply a matter of obtaining the passwords with hashcat. Those passwords were then used to gain access to the domain controller. Although not all pen testing environments will offer the same playground, it was important to understand how the system worked in order to open my eyes to the challenges of a client’s Windows network. It also showed me just how important it is to make sure that a network and all of its users employ very strong passwords of over 14 characters. In addition, the environment in which I was playing gave domain admin to local user accounts on workstations. That made it rather easy to hack as well.


Hashcat on Windows

I think I may have mentioned in another post that my eyes were opened pretty wide when I found out that hashcat could be run on Windows. I took it to a new level this week.

For the past couple of years of DEF CON, I’ve been collecting all of the password files that I could find. In all, I have around 12 TB of them in several forms. Some are for GSM, and others are simple text files used by hashcat. My original hacking network had a Parrot OS computer with the hard drives containing the data in it. I would use this separate computer to play around with hashcat, while using another one on Kali Linux to play with hacking and forensics. I never had a Windows computer until I built the rig that I use today, which has several virtual machines running through VMware Workstation.


Good in the World

I’ve been thinking about some of the contributions that I’ve made to people’s lives, and I wanted to share them here. My hope is that anyone reading this would think about the motives behind why I did these things, and perhaps incorporate the good intentions into their lives.

Last week, a cousin contacted me by text. The message was simple: “I don’t know anything about computers, and you do.” He has a 13-year-old son who was looking into getting a gaming PC, but the budget was only five hundred dollars. He asked for a twenty-minute call with his son to talk about options within the confines of his budget. Needless to say, this was going to be a very difficult task.


Weekly Blog Now

Due to the increased workload of my full-time job, and the city opening back up from the COVID crisis, I’m setting a new goal for myself: ‘at least’ one post per week.

I plan to incorporate all of the hacking and research that I’ve done throughout the week, but it may make for some longer posts.

Train Your Admins

In my full-time job, this week has brought a plethora of lessons learned. The story I tell here applies to anyone who is in charge of networks… or, more importantly, the admins on that network.

Earlier this week, I received a disturbing email letting me know that certain services were down on our network. Specifically, some vital web pages were not working, and troubleshooting was taking place. The web pages in question were owned by a particular shop of mine that was in the middle of development on a project about six months in the works.

Normally, this would not be an issue because I have several network and system admins in charge of troubleshooting situations just like this. The problem was that the development server was configured a bit differently from the other normal servers. In this case, both IIS (Windows Web Server) and XAMPP (Linux Web Server) were installed on the same machine to test which platform was the most useful for this developer. That team decided to go ahead with XAMPP; however, IIS was still installed and on by default.


Token Impersonation

Today was all about token impersonation. The concept is pretty easy to understand if you’ve been around the internet long enough. It’s basically a cookie.

A cookie from a webpage grants you continued access to resources through a small file that is placed on your computer temporarily. A token is the same idea, except that it grants access to network resources, including Remote Desktop and network drives.


Services Takeover

Today was a lot of fun. After almost a week of not being able to do much hacking, I was able to get down and dirty with some Windows manipulation. Luckily, today involved both Meterpreter and the old-fashioned way of executing a script.

Since I’m still learning the intricate ins and outs of Meterpreter, it was good to go through some of the same routines for capturing a Windows machine. The capture today was due to a flaw in an HTTP file server. It was a known flaw that had an assigned Exploit Database number. This meant that I could simply Google the version number of the server and have the code for the script pop up.

To play around with Meterpreter, I decided to download the script and have it ready, but I also did a Meterpreter search for the particular software. Needless to say, it turned up pretty quickly… but this wasn’t my real goal; I wanted to play around with PowerShell after I pwned the box and see if I could get privilege escalation.
