ms16-032 one-liners

I was playing around with box in my lab earlier testing out ms16-032, which is a privilege escalation exploit that got patched earlier this year that affected windows versions vista,2k8,7,8.1,2k12, and 10. It was a bug in the Secondary Logon service that allows you to leak a handle opened in a privileged process into a lower privileged process. @FuzzySec made a powershell script to exploit this that works really well, but I wanted to make it into as easy 1-liner to paste into a cmd prompt. Continue reading

Pivoting through Tomcat

On a recent pen-test engagement we had come across a Tomcat server with default creds. Trying to old tried and true methods with Metasploit did not work to get a shell on the box , which was running proprietary IBM_AIX. The exploit would be successful but no connect-back. Because of the limited time instead of trying to test for egress (and later finding out theres no payloads for metasploit), we tried another method of uploading a JSP .war file to the box that once deployed, enabled us to browse and run commands. Continue reading

SSH Tunneling RDP Using Putty

Recently I was trying RDP from a Windows10 laptop through SSH on a Debian web-server to an internal Windows7 box that was on a different VLAN. I had only a Windows10 laptop with Putty to do it. So Basically Win10laptop>debianwebserver>win7through a secure ssh session and get to the internal Win7 without port forwarding on the router.

I had access to SSH account on the Debian web-server, so I was able to use this as a pivot point to get into the internal network. Luckily even though the Debian web-server and Win7 box were on different VLANs, the VLANs were able to talk to each other. The Debian web-server was on , it could still ping Win7 on

Just in case your head is spinning trying to read this, below is a diagram how I achieved this using Putty. Im posting it here so next time I need to do this I dont need to try to figure it out again.


MiniPwner – Evil Network Dropbox

The MiniPwner is a penetration testing “drop box”, it is a small, cheap, and simple but powerful device that can be inconspicuously plugged into a network and provide the penetration tester remote access to that network. I purchased this device for a project here @ NESIT and thought it packed quite a punch for only $23, compared to the pwnie express plugs which run upwards of $500. And at that price you could afford to lose one or two on a pentesting job and not be hurting :p Continue reading