Fuzzing is a common step in the vulnerability hunting process. The idea is to send unexpected input into a process or application in an attempt to crash it or provoke an error message. This gives information about unhandled exceptions that can be triggered by user input and many times leads to some kind of exploit, such as a buffer overflow. Continue reading “Simple Python2 Fuzzer”
One of the most important aspects of any job is your ability to stay organized and keep good notes. This is especially true during penetration tests. During a typical testing engagement, you will compile an enormous amount of data concerning what you did, when you did it, what systems you were doing it to, and what the results were. You then need to be able to take that information and convey it in a manner that the client will understand and be able to act on. These may be folks on the business side of the house, who may not be receptive to overly technical presentations; they could be the business IT staff, who prefer overly technical presentations that tell them how to reproduce and/or fix the issue; or possibly both. Continue reading “CherryTree – Notes for Anything”
This is meant to be a ping sweeper utility for Windows hosts. I haven’t had the chance to test it yet, so there may be syntax issues. There will definitely be some enhancements I will do once I boot over to Windows and test it. Continue reading “Ping Sweeper for Windows”
This script is a simple ping sweeper to identify hosts reachable from a system. The intent here is something quick and dirty that can be manually recreated in the event I can’t use the normal tools and scripts. Obviously tools like nmap would be much better here, but sometimes they won’t be available and you won’t be able to transfer them over. Continue reading “Simple Ping Sweeper for Linux”
Starting off with an nmap scan, we find a number of open ports, including SSH, SMB, an HTTP server on 5985 and 47001 (these are Windows Remote Management ports; 47001 is the listener), msrpc ports on 49664, 49665, 49666, 49668, 49669 and 49670, and an open 49667 which is unknown but, given the proximity of the surrounding RPC ports, I suspect is related. Continue reading “Bastion Writeup”
Note: Looking back at my notes, I never actually formally wrote this up rather I just have a bulleted list of what I did. I will come back and do this properly at a future date.
- Navigating to the site shows that it returns file data based on input. There is a short list of files that are intended to be examined by this process. One of these is listfiles.php, so we start with that.
nmap -A 10.10.10.85 shows a node.js server running on TCP 3000. Navigating to this server in the web browser and inspecting the headers reveals that it is further using the Express framework, and that we are sent a single .profile cookie that appears to be the only point for sending input to the server; maybe there is trust in that data that we can abuse. A quick Google search shows that there is a deserialization bug that can lead to remote code execution. This sounds promising, as we can execute a reverse shell to connect back to a netcat listener on my Kali box. Details on the exploit that I found useful can be found at https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/. Continue reading “Celestial Writeup”
Port Scan: nmap -A 10.10.10.79 shows ports 22, 80, and 443 open. http-enum.nse shows /dev/ and /index/ directories on both 80 and 443. Checking these directories reveals 2 interesting files: a hex-encoded RSA private key which, after an initial attempt to log in with it, appears to be passphrase encrypted, and a notes.txt file which mentions an encoder/decoder somewhere on the site. Navigating to the https site in the browser and examining the headers and security information found under developer tools shows that the website is using TLSv1.2, which is vulnerable to the Heartbleed exploit. Continue reading “Valentine Writeup”