Powershell Downgrade Attack using Unicorn

Dave Kennedy released a tool called Unicorn that is awesome. It is a tool that uses a powershell downgrade attack and injects shellcode straight into memory. It's based on Matthew Graeber's powershell attacks and the powershell bypass techniques presented by Dave Kennedy and Josh Kelly back at Defcon 18. It supports Metasploit, cobalt strike and your own shellcode. Again, it's awesome.

So, let's check out a simple PowerShell example that is a reverse shell back to a multi/handler using windows/shell/reverse_tcp:

Post Exploitation: SILENTTRINITY

Not too long ago, byt3bl33d3r released a tool called SILENTTRINITY. Essentially, it's an asynchronous post-exploitation agent powered by Python, IronPython, C# and .NET's DLR. Think of it as another PowerShell Empire or Meterpreter. It's awesome.

Below I'll go through a quick example of installing it and running the most basic agent. I will update this as I mess with ST more. But for now, let's just go over the most basics. Let's begin.

Reverse Shell in memory utilizing Powershell

These are just my notes on a simple reverse shell utilizing PowerShell. It will also be ran in memory so it won't ever touch disk. Additionally, using metasploit multi/handler for shell management.

DIY - Networking a house with Cat5e

One thing I've always wanted to do was run network cable in my home. When my wife and I finally bought our first house, I was finally given the opportunity! My vision is to run network cable throughout the entire house including the home office and bedrooms. In it's current state, I only have runs going into the home office, but when the need for physical connections is required, I will start pulling more runs through. Here's some of pictures of my project.


In order to perform this project, I needed some equipment. Below is a list of items that I used in order to accomplish my task:
  • Network Cable (Cat5, Cat5e or Cat6, whatever you prefer)
  • Crimper
  • Push/Pull rods
  • RJ-45 and Keystone Jack
  • Cat5e wall plate
  • Patch Panel
  • Network Switch
  • Network Cable Tester

A few parts needed when networking a home

Privilege Escalation: Exploiting write access to /etc/shadow

Recently, I was working on a Capture The Flag (CTF) lab scenario where as an attacker, I had the rare ability to have write access to the /etc/shadow file. I wanted to quickly write up on a technique I did to gain root access to the system.

To begin, let's first quickly understand the differences of /etc/passwd and /etc/shadow and what the contents of each look like and represent.

A typical "/etc/passwd" file would look something like this:


Each field is separated by a colon (":") and are as follows:
  • "test" = Username
  • "x" = Password field. An "x" means the users password is stored in the /etc/shadow file
  • "1002" = Numeric user id. This is assigned by the adduser command. This identifies the user
  • "1002" = Numeric group id. This represents the group id of the user. Usually this will match the user id too.
  • "test,,," = Full name of user
  • "/test" = The users home directory. Usually will be something like /home/test. 
  • "/bin/bash" = The users "shell account". Usually set to /bin/bash or /bin/sh

DIY - Laying Hardwood Flooring

During the summer, I tasked myself with laying hardwood floors in our upstairs hallway and master bedroom. I've installed hardwood floors in the past, but I usually had help from my father-in-law. This time, I borrowed his tools and tackled the project myself. I did however have some help from my pregnant wife and mother-in-law (organized hardwood, vacuum, etc.) but all in all, I'd like to think that I successfully installed the flooring myself!

Master Bedroom complete

SecKC Speaker Badge - Name Badge Hack

Over the past year, I have gained a fascination towards hardware hacking, soldering and building. For anyone that doesn't know, I am an active member of SecKC, the world's largest monthly information security meetup in Kansas City. Every month attendees get together in a relaxed environment and learn about security via networking and presentations. Recently, a SecKC participant started making Speaker badges. I was lucky enough to receive one during a Red vs Blue panel discussion back in 2018. With this speaker badge in hand and my eagerness to learn more about hardware hacking, I decided to put the pedal to the metal and make myself a custom name badge! Below are things I learned along the journey of creating this badge.