HTB Oopsie

Continuing the Intro boxes with my local infosec group the second box on the list is Oopsie. It’s listed as an Easy box, but for some people starting out that aren’t familiar with webapps they could get lost, especially figuring out the initial login foothold. It’s IP is and you need the login pack for OpenVPN to reach it, you cant reach it with your normal one.

Continue reading

HTB Archetype

So I’m going to probably post my HackTheBox solutions here so I have somewhere I can look at them in case I’m not home etc.. I sometimes refer back to my notes when I am with clients so I don’t have to reinvent the wheel to solve the same problem, so it would be nice to have them accessible anywhere.

I am going to start off with Archetype, which is an intro box for beginners that I did with my local tech group to help walk them through learning the concepts behind penetration testing.

Continue reading

Telephreak Tactical Lunchbox

One of the cooler swag I received @ Defcon this year was a lunchbox for the Telephreak party, filled with candy, gadgets, and toys from telephreakbadge. I do some ‘red teaming’ occasionally and always had my stuff all janky in my backpack with no way to really keep it all pretty and was a pain in the ass to go through everything to find what tools I needed. Plus stuffing them all in a box tends to get shit broken eventually. I was thinking I needed something like a pelican box but I didnt feel like spending a huge amount on something simple. So I was thinking one day that this lunchbox sitting on my desk would do the trick. I ended up getting a few pieces of Polyethylene off ebay for $9, They arrived pretty quick and i spent about an hour or so arranging some of my most used tools onto each layer and cutting out the foam to fit them all in. I used a small knife (the ones that have a knife/scissor/toothpick) and a razor blade to cut out the foam. Here’s all 3 layers that fit inside with descriptions of each tool’s usage.

Continue reading

Exploiting with EternalRomance using Metasploit installed inside Win10 WSL

This post will have a few sections. We will get some general information of the ETERNALROMANCE exploit, learn how to install WSL on Win10 Creators Update, along with Metasploit. As a bonus I will show how to do this on Kali, and show a few different additional tricks to download payloads to the target machine. Continue reading


In July, CVE-2017-9805, was reserved for the Apache Struts RCE vulnerability in the REST plugin. Apache Struts 2.5 through 2.5.12 that are using REST plugin are vulnerable to this attack. It had an initial disclosure on 7/17/2017, and a patch was released recently on 9/5/2017, with Apache updating Struts to version 2.5.13 was released. The flaw exists in using the Struts REST plugin with XStream handler to handle XML payloads. If exploited correctly, it allows a remote unauthenticated attacker to run malicious code on the application server to either take over the machine or launch further attacks from it. The problem occurs in XStreamHandler’s toObject () method, which does not impose any restrictions on the incoming value when using XStream deserialization into an object. lgtm has in in depth article along with a press release from Apache Foundation. The company Lgtm, who discovered the CVE-2017-9805 vulnerability, had warned that at least 65 percent of Fortune 100 companies use Struts, and they could all be exposed to remote attacks due to this vulnerability. Continue reading

CVE-2017-0213 – Windows COM EoP

Wrote another blog post for Milton Security about details of a vulnerability that James Forshaw of Google Project Zero found in January, that exploits a bug in Windows COM Aggregate Marshaler. An attacker can use this bug to elevate privileges on Windows machines.

Microsoft had 90 days to patch, which they have with last month’s security updates. The post includes a proof of concept code for 32 and 64 bit versions of Windows from Win7-10 and Server 2k8-2k16.

EternalRed – CVE-2017-7494

I wrote another post for the Milton Security blog on the CVE-2017-7494 Samba exploit, which affects Linux machines running Samba 3.5.0 – 4.5.4/4.5.10/4.4.14. This also includes NAS devices that many people do not patch regularly. In the blog post i talked about what Samba is and how it has been vulnerable for the last 7 years due to this bug. I also go over on how to test/ exploit your machine to see if you’re vulnerable. I also cover some mitigations, the maintainers of the Samba project have provided a patch so I would advise you install it as soon as possible, some NAS firmware upgrades have been available from Netgear and Synology already. Continue reading

M17-010 EternalBlue

A few weeks ago ShadowBrokers released a dump of NSA/EquationGroup tools used to exploit various machines that they previously tried to auction off unsuccessfully. One of the exploits was for Windows SMB RCE which allowed an unauthenticated attacker to gain System-level privileges on target machines remotely by sending a specially crafted packet to a targeted SMB server. Microsoft quietly patched this as MS17-010 a month before, in March, before the dump was even made public. Although the dump was supposedly stolen around 2013, this affected Windows machines from Win2k up to Win2k16. Most reliable targets were Win7 and Win2k8 R2.

One exploit was codenamed EternalBlue. Everyone quickly jumped on the tools and found that along with ExternalBlue there was another tool called DoublePulsar that allowed you to inject shellcode or DLLs into the victim target after they were exploited with EternalBlue, it sets up the APC call with some user mode shellcode that would perform the DLL load avoiding use of the standard LoadLibrary call. DOUBLEPULSAR implements a loader that can load almost any DLL. A few people had writeups [1] & [2] on how to successfully install the tools in Windows and on Wine on Linux using older versions of Python. It was also discovered you could replace the DoublePulsar .dll with something like Meterpreter or Empire to have more control over your target with the need to use the NSA-provided GUI tool called FuzzBunch. Continue reading

Kali 2017.1 Released – Troubleshooting hardware during install

I have a cracking box that was currently Running Win7 pro that I used with hashcat. I wanted to switch to Kali so it’s easier to manage wordlists etc.. and wanted to use a web frontend to manage the cracking. Trying out the new rolling 2017.1 I ran into an issue with usb keyboard/mouse not working when using the Kali graphical installer, on a Gigabyte GA-970A-D3P (rev. 2.x) motherboard with an AMD FX-8320, so I found if I enable iommu in the BIOS settings they work again , but then I had another issue with AMD-VI and other issues during install.

I got to the part where its looking for the CD drive (even though im installing from USB) I saw fixes online where it says to get to shell prompt and type something like:
mount -t vfat /dev/dsb1 /cdrom
or it said to remove the USB and reinsert and try to look for CD but neither worked for me. Continue reading

Powershell to exe using iexpress

Saw something on twitter today about using the old standby program, iexpress.exe, which is still available in Win10, you can package your powershell scripts inside an executable. You can use it to run malicious powershell scripts etc…
SO I was thinking of some fun things to do with it, getting reverse shells, dumping passwords with mimikatz, compiling .cs files etc to evade AV and whitelisting. It’s fairly simple to do ,here’s an example of a powershell reverse shell: Continue reading