Author: <span>n00py</span>

VulnHub Walkthrough: Donkey Docker

August 23, 2017
ExploitWalkthrough
0 Comment

I’m always on the lookout for VulnHub VMs that teach real pentesting skills, and are not just puzzles.  I like them to be practical, and force you to learn techniques that you would use in the real world.  I feel Donkey Docker is one of these challenges.  As always we can begin with an nmap…

Read More

Exploiting Server Side Include Injection

August 15, 2017
ExploitPentestingVulnerability
0 Comment

Recently I was performing a penetration test and came across a Server Side Include injection bug (SSI).  If you are familiar with cross-site scripting (XSS) this type of vulnerability will sound familiar.  This is caused by an application taking input form the user, and supplying it in the response from the server.  The mitigations are…

Read More

Exploiting an unsecured Dell Foglight server

June 20, 2017
ExploitPentestingPost Exploitation
0 Comment

  Dell Foglight for Virtualization is an infrastructure performance monitoring tool that can also be used to manage systems as well.  It comes configured with a default username and password of “foglight”. It is possible to execute code on the host itself through an integrated scripting console. By browsing to Homes -> Administration And then…

Read More

Securing a default installation of MacOS

June 19, 2017
DefenseOSX
0 Comment

  This was originally written as the basis for a GIAC Gold paper.  Ultimately, it was not unique enough to warrant a research paper, but will provide an overview of the security features of MacOS.   As of mid 2016, MacOS captures nearly 10% of the global market for desktop PC software.  While Apple computers…

Read More

Phishing with Maldocs

April 23, 2017
ExploitPentestingVulnerability
0 Comment

  There are many ways to run a phishing campaign.  The most common of them all is a typical credential harvesting attack, where the attacker sends an email to the target enticing them to click a link to a spoofed website.  Running these campaigns are fairly straight forward, and a couple of tools make this…

Read More

Squeezing the juice out of a compromised WordPress server

March 29, 2017
PentestingPost ExploitationVulnerability
0 Comment

During the course of a penetration test, you may stumble upon a web server running WordPress.  WordPress is a highly popular CMS.  It runs on PHP, and is typically ran on top of a LAMP stack.  While most WordPress servers on the web are configured with strong passwords and security plugins, rarely is this the…

Read More

VulnHub Walkthrough: hackfest2016: Sedna

March 19, 2017
ExploitWalkthrough
0 Comment

Sedna is the second vulnerable VM released by hackfest.ca this month.  Much of the first steps of enumeration will be similar to that of my write up for the first VM in the series. The first thing I start with is an Nmap scan.  The output is below, shortened for brevity. root@kali:~# nmap 10.0.1.22 -p-…

Read More

VulnHub Walkthrough: hackfest2016: Quaoar

March 17, 2017
ExploitWalkthrough
0 Comment

A relatively new set of VulnHub CTFs came online in March 2017.  This post is about the first and easiest one, named “Quaoar“. This post will be a walk-through of my exploitation of this system. The first thing I like to start off with on any box is a full TCP port scan.  When you…

Read More

Compromising Synergy clients with a rogue Synergy server

March 3, 2017
ExploitPentestingResearchVulnerability
0 Comment

  Synergy is a type of mouse an keyboard sharing software. When configured, moving your mouse off the screen will allow you to control another system that is also set up with Synergy. Below is a YouTube video from Synergy on how it works: The way this works is one host acts as the Synergy…

Read More

From OSINT to Internal – Gaining Access from outside the perimeter

March 1, 2017
ExploitPentestingVulnerability
0 Comment

                  During an external penetration test, you may be tasked with gaining access from the internet with no knowledge of the a target environment.  After hitting all known servers and web applications with various scanning tools, you have nothing. Searching open source information such as database breaches…

Read More

Removing Backdoors – Powershell Empire Edition

January 30, 2017
DefenseIncident Responsepersistence
0 Comment

                  I’m a big fan of Powershell Empire for penetration testing.   If you haven’t heard of it, it is a post-exploitation framework which uses powershell agents to run post-exploitation scripts on a target system.  This blog post is meant to address a small subset of the…

Read More

Compromising Jenkins and extracting credentials

January 21, 2017
PentestingPost Exploitation
0 Comment

      Jenkins is an open-source continuous integration software tool written in the Java programming language.  While useful to developers, it can also be useful to attackers.  Often times developers will leave Jenkins consoles in an insecure state, especially within development environments.  Jenkins has a scripting console available which can be used to run…

Read More

Control your Mac with an iPhone app – An analysis of HippoRemote

January 4, 2017
ExploitOSXResearchVulnerability
0 Comment

              Applications that are in use on Macs often times are under less scrutiny for security compared to their Windows alternatives.  When researching popular apps in use on OS X I found an app on the iPhone called HippoRemote.  It appears to be quite popular, with a combined 7,558…

Read More

Using email for persistence on OS X

October 28, 2016
OSXpersistencePost ExploitationResearch
0 Comment

In this post we will cover how we can use Mail.app on OS X to persist.  I was inspired by similar tools which are designed to work with Microsoft Outlook.  I first stumbled upon this article from MWR InfoSecurity, and then this blog post from Silent Break Security.  While rules in Mail.app will not replicate…

Read More

Privilege escalation on OS X – without exploits

October 16, 2016
OSXPost Exploitation
0 Comment

This blog post is about ways to escalate privilege on OS X without the usage of exploits.  While exploits are always nice to have, there are other ways in which you can gain root privileges on your target.  By using misconfigurations with a little bit of social engineering you can get your victim to escalate…

Read More