HTB Oopsie

Continuing the Intro boxes with my local infosec group the second box on the list is Oopsie. It’s listed as an Easy box, but for some people starting out that aren’t familiar with webapps they could get lost, especially figuring out the initial login foothold. It’s IP is and you need the login pack for OpenVPN to reach it, you cant reach it with your normal one.

Continue reading

HTB Archetype

So I’m going to probably post my HackTheBox solutions here so I have somewhere I can look at them in case I’m not home etc.. I sometimes refer back to my notes when I am with clients so I don’t have to reinvent the wheel to solve the same problem, so it would be nice to have them accessible anywhere.

I am going to start off with Archetype, which is an intro box for beginners that I did with my local tech group to help walk them through learning the concepts behind penetration testing.

Continue reading

Cracking Zynga

Working on a personal project collecting breach DBs, I had come across the Zynga dump. On September 12th, 2019, Zynga publicly acknowledged the data breach had happened. The company developed games including Farmville, Zynga Poker, Words With Friends, Mafia Wars, Café World, and Empires & Allies etc… The breach contains 206,267,210 records including duplicates and 150,363,954 records without duplicates.
The following information was leaked:

Continue reading

Cracking WiFi – phone number wordlist

I used to see alot of networks setup and either the tech or the end user choosing the person/business’s phone number as the password. So I usually try to test these first when trying to crack a WiFi password.

I was looking into more efficient ways to crack the password if you were working in a virtual machine and didn’t have access to a GPU cracking rig to utilize hashcat.

Continue reading


Kon-Boot password tool

Kon-Boot is an awesome tool that I’ve used extensively with tech jobs that I’ve had in the past (it’s been around since 2009), for clients that couldn’t remember their password :/ or a employee that was fired etc… Most recently Red-Team pentest engagements when I’ve had physical access to a box and needed quick and stealth access. It allows accessing a target computer (Windows/Mac OSX) without knowing the user’s password.

Kon-Boot does not need to remove or modify the user’s password and all changes are reverted back to previous state after system restart unlike other tools that just remove/modify the password and is currently the only solution that I know of that can bypass Windows 10 online passwords.

Continue reading

ESXI 6.7 Password recovery / reset

Recently I had done some training where we setup ESXI 6.7 on a Intel NUC. It’s been over a month since I’ve touched it. Apparently during the training my coworker had set a root password for the install, which was supposedly written down, but was either typed wrong in the notes or fat-fingered while setting it. Unfortunately, you can no longer boot into single user mode or Service Console to reset the password and VMware suggest you reinstall ESXI to reset the password. I didn’t want to risk trying that method because I wasnt sure if it would affect the currently installed VMs and I didn’t have a copy of ESXI with me to do so. Instead I used a bootable Kali USB to mount the ESXI drive and reset the root password to a blank password by editing the shadow file.

Continue reading

Telephreak Tactical Lunchbox

One of the cooler swag I received @ Defcon this year was a lunchbox for the Telephreak party, filled with candy, gadgets, and toys from telephreakbadge. I do some ‘red teaming’ occasionally and always had my stuff all janky in my backpack with no way to really keep it all pretty and was a pain in the ass to go through everything to find what tools I needed. Plus stuffing them all in a box tends to get shit broken eventually. I was thinking I needed something like a pelican box but I didnt feel like spending a huge amount on something simple. So I was thinking one day that this lunchbox sitting on my desk would do the trick. I ended up getting a few pieces of Polyethylene off ebay for $9, They arrived pretty quick and i spent about an hour or so arranging some of my most used tools onto each layer and cutting out the foam to fit them all in. I used a small knife (the ones that have a knife/scissor/toothpick) and a razor blade to cut out the foam. Here’s all 3 layers that fit inside with descriptions of each tool’s usage.

Continue reading


My new open source python OSINT framework, skiptracer was released @ HushCon East on June 1st. Initial attack vectors for recon usually involve utilizing pay-for-data/API (Recon-NG), or paying to utilize transforms (Maltego) to get data mining results. Using some basic python webscraping of PII paywall sites to compile passive information on a target. The modules will allow queries for phone/email/screen names/real names/addresses/IP/Hostname/breach credentials etc.. It will help you collect relevant information about a target to help expand your attack surface.`Everyone should be encourage to submit new ideas/modules. You can get the code here: feel free to submit new modules or code fixes.

Office DDEAUTO attacks

Sensepost posted 10 days ago about a vulnerability which can trigger command execution, without use of macros, when someone opens a specially crafted Office document. Although a little bit of social-engineering needs to come in play for the victim to click ‘yes’ to the first 2 of 3 message boxes, most end-users are easily tricked. They found that by abusing the parameters of the DDEAUTO function that they could use powershell to download malicious payloads remotely. DDE is a legacy Inter-Process Communication (IPC) mechanism dating back to 1987, which establishes a dynamic data exchange (DDE) link with a document created in another Microsoft Windows-based program, (new information becomes available in a linked document, a DDE field inserts new information when you update the field). SensePost discovered that instead of specifying an application like Excel, an attacker can specify arbitrary parameters of another application as the first parameter, and quoted arguments as the second parameter (which cannot exceed 255 bytes). Continue reading