Here’s a fun rundown of a zero day vulnerability that was seen last year. It was called PrintNightmare, and it ravaged through some Windows computers. It used two CVEs that first grabbed credentials through SMB, and second allowed privilege escalation through the printer spool. I was able to play with this through a practice computer found on Hack The Box but can’t reveal its name due to it still being an active challenge (against the rules). In any case, seeing the exploit in action below should give you a good idea of the exploit’s capabilities.


Excerpt from this site:

When the user will browse the share a connection will established automatically from his system to the UNC path that is contained inside the SCF file. Windows will try to authenticate to that share with the username and the password of the user. During that authentication process a random 8 byte challenge key is sent from the server to the client and the hashed NTLM/LANMAN password is encrypted again with this challenge key. Responder will capture the NTLMv2 hash.

With basic credentials, this .scf file can be used to initiate a flow of viewable information. Before uploading, make a responder available to receive the information.

Continue Reading

HTB – Bastard – FH: Drupalgeddon2

Foot-hold: Remote Code Execution with Drupalageddon2

Nmap showed a few ports open, but it was obvious that the website was to be exploited for this box. The website shows a Drupal install.

Continue Reading

HTB – Optimum – FH: RCE

Foot-hold: Remote Code Execution, through Metasploit

This Optimum box took all of about 15 seconds after I discovered the service that was running. It’s at the bottom of the screenshot.

Continue Reading

HTB – Devel – FH: FTP

Foot-hold: ftp anonymous upload

Devel was not a tricky machine. It was pretty obvious that trying the ftp connection was the way. The NMAP showed port 21 and 80, which didn’t give too many options for an exploit. The website on port 80 only showed an IIS installation, and a link that went to the Microsoft site. Before running a directory scanner, I went ahead and tried the connection to the ftp portion of the server.

Continue Reading

HTB – Legacy & Lame – FH: Samba (SMB)

I mentioned not long ago that I am going to change my learning strategy a bit… my goal has always been to accomplish hacks and pwn machines; but right now, I think that my goal should be concentrated on the initial foot-hold of the boxes. Because of this small (temporary) change in strategy, I’ve moved from the Try Hack Me platform, to primarily the Hack The Box platform.

What HTB doesn’t give you is guidance toward what it takes to pwn a machine. THM does that every time, and it’s the primary way that the site works. Although there are a ton of writeups on HTB, they are not required to accomplish the pwn of a box. Therefore, what I am going to do is all of the initial reconnaissance and scans for each of the HTB boxes to which I am interested. At the same time, I’ll be taking a ton of notes… but not learning notes… I am not concentrated on writing reports based on the results of what I’ve found. I have a feeling this will prepare me for what I will find in the future.

Continue Reading

Busy Week for Hacking

As the title implies, it’s been quite the week of learning. I was furiously attempting to finish the course I’m taking so that I can move onto another one. The one right now has a little bit of everything when it comes to hacking. The next one will focus directly on privilege escalation for Windows, and I’m looking forward to that!

Most of this week has been dedicated to hacking Windows, and playing around with PowerShell to manipulate a computer. There were also some awesome enumeration tools that I was introduced to. Those included PowerView, Bloodhound, smbenumgpp, and winpeas.

Following the enumeration, I learned about some attacks that were pretty awesome. It was impressive how easy it was to take advantage of the convenience of an Active Directory system. Kerberoasting was fun, and used a ticket granting service to make Windows give you the hash dumps. From there, it was simply a matter of obtaining the passwords with hashcat. Those passwords were then used to gain access to the domain controller. Although all pen testing environments won’t offer the same playground, it was important to understand how the system worked in order to open my eyes up to the challenges of a client’s Windows network. It also showed me just how important it was to make sure that a network and all of its users employs very strong passwords of over 14 characters. In addition, this environment of which I was playing gave domain admin to local user accounts on workstations. That made it rather easy to hack as well.

Continue Reading

Hashcat on Windows

I think I may have mentioned in another post that my eyes were opened pretty wide when I found out that hashcat could be run on Windows. I took it to a new level this week.

For the past couple years of DEFCON, I’ve been collecting all of the password files that I could find. In all, I have around 12 TB of them in several forms. Some are for GSM, and others are simple text files used by hashcat. My original configuration of my hacking network had a ParotOS computer with the hard drives containing the data in them. I would use this separate computer to play around with hashcat, while using another one on Kali Linux to play with hacking and forensics. I never had a Windows computer until I built the rig that I use today which has several virtual machines running through VMWare Workstation.

Continue Reading

Train Your Admins

In my full-time job, this week has been a plethora of lessons learned. The story I tell here applies to anyone that is in charge of networks… or more importantly, your admins on that network.

Earlier this week, I received a disturbing email letting me know that certain services were down on our network. Specifically, some vital web pages used for specific things were not working, and troubleshooting was taking place. The webpages in question were owned by a particular shop of mine that was in the middle of development for a project that was about six months in the works.

Normally, this would not be an issue because I have several network and system admins in charge of troubleshooting situations just like this. The problem was that the development server was configured a bit different than the other normal servers. In this case, both IIS (Windows Web Server) and XAMPP (Linux Web Server) were installed on the same machine to test which platform was the most useful for this developer. The decision was made by that team to go ahead with XAMPP; however, IIS was still installed and on by default.

Continue Reading

Token Impersonation

Today was all about token impersonation. The concept is pretty easy to understand if you’ve been around the internet long enough. It’s basically a cookie.

A cookie, from a webpage, will grant you continued access to resources through a small file that is placed on your computer temporarily. A token, by contrast, is the same thing, except it allows network access to resources including Remote Desktop, and network drives.

Continue Reading
Scroll to top