CherryTree – Notes for Anything

One of the most important aspects of any job is your ability to stay organized and keep good notes. This is especially true during penetration tests. During a typical testing engagement, you will compile an enormous amount of data concerning what you did, when you did it, what systems you were doing to, and what the results were. You then need to be able take that information and convey it in a manner that the client will understand and be able to take action on. These may be folk on the business side of the house, who may not be receptive to overly technical presentations, they could be the business IT staff who prefer overly technical presentations that tell them how to reproduce and/or fix the issue, or possibly both.

Continue reading “CherryTree – Notes for Anything”

Bastion Writeup

Starting of with an nmap scan, we find a number of ports open including SSH, SMB, some HTTP server on 5985 and 47001 which are Windows Remote Manager ports, 47001 is the listener, msrpc ports on 49664,49665,49666,49668,49669,49670 and an open 49667 which is unknown but given the proximity of the surrounding RPC ports I suspect it is related.

Continue reading “Bastion Writeup”

Poison Writeup

Note: Looking back at my notes, I never actually formally wrote this up rather I just have a bulleted list of what I did. I will come back and do this properly at a future date.

  • Navigating to the site shows that it returns file data based on input. There is a short list of files that are intended to be examined by this process. One of which is listfiles.php so we start with that.
Continue reading “Poison Writeup”

Celestial Writeup

Enumeration

nmap -A 10.10.10.85 shows a node.js server running on TCP 3000. Navigating to this server in the web browser and inspecting the headers reveals that is further using the Express framework and we are using a single .profile cookie that appears to be the only point of sending input to the server, maybe there is trust in that data that we can abuse. A quick Google search shows that there is a deserialization bug that can lead to remote code execution. This sounds promising as we can execute a reverse shell to connect back to a netcat listener on my Kali box. Details on the exploit that I found useful can be found at https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/.

Continue reading “Celestial Writeup”

Valentine Writeup

Enumeration

Port Scan: nmap -A 10.10.10.79 shows ports 22, 80, and 443 open. http-enum.nse shows /dev/ /index/ directories on both 80 and 443. Checking these directories reveals 2 interesting files. A hex encoded RSA private key which after initial attempt to log in with, appears to be passphrase encrypted and notes.txt file which mentions an encoder/decoder somewhere on the site.  Navigating to the https site in the browser and examining the headers and security information found under developer tools shows that the website is using TLSv1.2, which is vulnerable to the Heartbleed exploit.

Continue reading “Valentine Writeup”