SwagShop HTB Walkthrough

Walkthrough of the SwagShop machine from Hack The Box. Key Findings Key findings noted from the machine SwagShop: The public-facing Magento website had not been patched against a known vulnerability. Using publicly available exploit code, administrative access to the store backend was obtained. All resources (including public-facing ones) need to be kept fully patched against known security vulnerabilities. The system user (www-data) is able to run a single command as a privileged user via sudo without further authentication.
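The sudo finding above is the kind of thing that is easy to spot by eye on one box but worth checking mechanically across many. The following Python is an added example, not code from this site or from the SwagShop box: it parses either a sudoers file or the output of `sudo -l` into per-command rules and flags every entry that needs no password, calling out service accounts (www-data and similar) and unrestricted `ALL` commands. The sample sudoers text, the `sudo -l` transcript, the hostname `swagshop` and the `/usr/bin/vi` command are all constructed for the example; the page does not say which command www-data could run.

```python
import re
from dataclasses import dataclass

# user  host=(runas[:group]) [TAG:] cmd, [TAG:] cmd ...
SUDOERS_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
SUDO_L_USER_RE = re.compile(r"^User (\S+) may run the following commands")
SUDO_L_CMD_RE = re.compile(r"^\s*\(([^)]*)\)\s*(.*)$")
TAGS = {"NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "EXEC", "NOEXEC",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}


@dataclass
class SudoRule:
    user: str
    hosts: str
    runas: str
    specs: list  # [(command, frozenset(tags)), ...]


def _split_specs(rest):
    """Split 'NOPASSWD: /a, PASSWD: /b' into commands with their sticky tags.
    In sudoers a tag stays in force for the following commands in the list
    until another tag overrides it, which is what the loop below models."""
    specs, tags = [], set()
    for spec in rest.split(","):
        spec = spec.strip()
        while True:
            head, sep, tail = spec.partition(":")
            tag = head.strip().upper()
            if not (sep and tag in TAGS):
                break
            if tag == "PASSWD":
                tags.discard("NOPASSWD")
            else:
                tags.add(tag)
            spec = tail.strip()
        if spec:
            specs.append((spec, frozenset(tags)))
    return specs


def parse_sudoers(text):
    """Parse plain user/group rules from sudoers text (aliases are ignored)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if m:
            user, hosts, runas, rest = m.groups()
            rules.append(SudoRule(user, hosts, runas or "root", _split_specs(rest)))
    return rules


def parse_sudo_l(text):
    """Parse the '(runas) [TAG:] cmd' lines that `sudo -l` prints on a box."""
    rules, user = [], None
    for line in text.splitlines():
        m = SUDO_L_USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        m = SUDO_L_CMD_RE.match(line)
        if m and user:
            rules.append(SudoRule(user, "ALL", m.group(1), _split_specs(m.group(2))))
    return rules


def risky_rules(rules, service_accounts=("www-data", "apache", "nginx", "nobody")):
    """Return (user, runas, command, reason) for every NOPASSWD entry."""
    findings = []
    for r in rules:
        for cmd, tags in r.specs:
            if "NOPASSWD" not in tags:
                continue
            if cmd == "ALL":
                reason = "any command"
            elif r.user in service_accounts:
                reason = "service account"
            else:
                reason = "no password required"
            findings.append((r.user, r.runas, cmd, reason))
    return findings


# Constructed sample data; hostname and commands are hypothetical.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/vi /var/www/html/*
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /bin/systemctl restart cron
"""
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
"""

if __name__ == "__main__":
    for f in risky_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print("sudoers :", f)
    for f in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print("sudo -l :", f)
```

Feed it `sudo -l` output captured during post-exploitation, or `/etc/sudoers` plus `/etc/sudoers.d/*` during a config review; a NOPASSWD entry for a web server account is worth a finding even when the allowed command looks harmless, because editors, pagers and anything that spawns a shell turn it into root.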


Luke HTB Walkthrough

Walkthrough of the Luke machine from Hack The Box. Key Findings Key findings noted from the machine Luke: Privileged credentials were left exposed in files available via HTTP (config.php & config.json). The credentials obtained could be used to gain additional system access. This type of data should not be publicly available. User credentials were available to an authenticated API user. Credentials should not be made available in this fashion. The Ajenti instance does not have SSL configured. This allows a malicious attacker


Bastion HTB Walkthrough

Walkthrough of the Bastion machine from Hack The Box. Key Findings Production backup data was left unencrypted and exposed to the public. This was used to derive initial system credentials and obtain initial access. Access to this type of data should not be made available to the public, and the data should be stored encrypted. Privileged credentials were stored in a non-secure manner. These could be extracted and used to obtain privileged access to the system. Appropriately


Achieving OSCP

My background isn’t in Cyber Security. I was a Project Manager for a long time who tinkered with security things in my spare time. Achieving OSCP was a goal I set myself as part of shifting careers into the Cyber Security industry. End to end OSCP took me approximately three months to attain. This was made up of 60 days of lab time with a following month spent on cleaning up documentation and final preparations. During my time I compromised


OneTwoSeven HTB Walkthrough

Walkthrough of the OneTwoSeven machine from Hack The Box. Key Findings Comments were left in production code. Details in the comments give insight into what the development teams did, when and why. Comments need to be removed prior to pushing any code into production. System data was exposed by an inappropriate chroot configuration. The way chroot was configured on the machine left significant amounts of data inside the chroot accessible to an attacker. As part of deploying to production system functionality to


Ch4inrulz Walkthrough

Walkthrough of the Ch4inrulz challenge from vulnhub. Walkthrough A netdiscover sweep finds the machine. Running a basic nmap scan (command: nmap -A -T4 192.168.139.130) against it finds a few things of interest. Key items from the scan: There is an FTP instance running that allows anonymous login. Anonymous login allows any user to access the service. There is an SSH server running. There is a web server running; banner information indicates it belongs to ‘Frank’, with nothing in the robots.txt


DC-6 Walkthrough

Walkthrough of the DC-6 challenge from vulnhub. Initial hints given from reviewing the challenge listing: The name of the host is wordy. A password list can be built with cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt Walkthrough A basic ping sweep finds the machine; throwing a default nmap scan at it finds two ports of interest – SSH (22) & HTTP (80). Of interest in the HTTP headers is the mention of the hostname wordy (in line with the initial hint). Wordy added


SANS Holiday Hack 2018 walk through

Objective 1 – Orientation Challenge First stop was Bushy Evergreen with Essential Editor Skills. Solving it was simply a :q command in vim to quit. For this challenge I couldn’t get the kiosk to load in-game. From asking in chat someone gave the direct URL – https://www.holidayhackchallenge.com/2018/challenges/osint_challenge_windows.html Finding the answers was a combination of listening to the Ed Skoudis talk, browsing through the previous year’s challenge details on https://www.holidayhackchallenge.com/ & drawing on my memories from attempting the 2016 challenge. I


Wallaby’s Worst Knightmare 1 – Walkthrough

Walkthrough of the Wallaby’s Worst Knightmare 1 vulnhub challenge https://www.vulnhub.com/entry/wallabys-nightmare-v102,176/. Walkthrough A basic ping sweep finds the machine; throwing nmap at it yields 3 ports of interest.

22/tcp   open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6e:07:fc:70:20:98:f8:46:e4:8d:2e:ca:39:22:c7:be (RSA)
|   256 99:46:05:e7:c2:ba:ce:06:c4:47:c8:4f:9f:58:4c:86 (ECDSA)
|_  256 4c:87:71:4f:af:1b:7c:35:49:ba:58:26:c1:df:b8:4f (ED25519)
80/tcp   open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Wallaby’s Server
6667/tcp filtered irc
MAC Address: 00:0C:29:10:4C:60 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE:


BlackMarket: 1 – walkthrough

Walkthrough for BlackMarket: 1 (https://www.vulnhub.com/entry/blackmarket-1,223/) Summary Flags Credentials Walkthrough A basic nmap sweep finds the machine.

root@kali:~# nmap -sP 192.168.195.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-26 06:13 AEDT
Nmap scan report for 192.168.195.211
Host is up (0.00021s latency).
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.45 seconds

Throwing an nmap scan across the box shows up ftp (vsftpd 3.0.2), ssh (OpenSSH 6.6.1p1), web (Apache httpd 2.4.7), along with pop3 & imap (Dovecot)
