OSINT stands for Open Source Intelligence: the practice of gathering publicly available information from the internet and other open sources. Each piece, examined on its own, may seem relatively innocuous, but once you collect enough individual pieces and consider them together you can often build an eerily clear picture of a person or an organization. Continue reading “OSINT With Buscador”
I’ve always struggled with anything relating to video drivers in Linux to begin with, but one of the things that has always bothered me most about it was never being able to get GPU support for hash cracking. Today, after far too long spent failing, I finally got it working, so I figured it would make a good post in case there are other driver-challenged folks out there. Continue reading “CUDA Support for Hashcat on Parrot OS”
One of the most important aspects of any job is your ability to stay organized and keep good notes. This is especially true during penetration tests. During a typical testing engagement, you will compile an enormous amount of data about what you did, when you did it, which systems you did it to, and what the results were. You then need to be able to take that information and convey it in a manner that the client can understand and act on. The audience may be folks on the business side of the house, who may not be receptive to an overly technical presentation; it may be the IT staff, who prefer a highly technical presentation that tells them how to reproduce and fix the issue; or it may be both. Continue reading “CherryTree – Notes for Anything”
This script is a simple ping sweeper for identifying hosts reachable from a system. The intent is something quick and dirty that can be typed out by hand in the event I can’t use the normal tools and scripts. Obviously something like nmap would be much better here, but sometimes those tools won’t be available on the box and you won’t be able to transfer them over. Continue reading “Simple Ping Sweeper for Linux”
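A sweep of this kind in POSIX sh, added here as an example rather than the script from the post. It assumes the iputils-style ping flags found on most Linux systems (-c for probe count, -W for a per-probe timeout in seconds); the PING variable is an added hook so the loop can be driven by a stand-in command when there is no network to probe.

```sh
#!/bin/sh
# Minimal ping sweep: prints each address in a /24 that answers a single ICMP echo.
# PING is overridable so the loop can be exercised with a stub instead of real ping.
PING="${PING:-ping}"

# sweep PREFIX [FIRST] [LAST]   e.g. sweep 10.10.10 1 254
sweep() {
    prefix="$1"
    first="${2:-1}"
    last="${3:-254}"
    i="$first"
    while [ "$i" -le "$last" ]; do
        host="$prefix.$i"
        # -c 1: one probe; -W 1: give up after a second so dead hosts do not stall the loop
        if "$PING" -c 1 -W 1 "$host" >/dev/null 2>&1; then
            echo "$host"
        fi
        i=$((i + 1))
    done
}

# Same sweep with every probe backgrounded: a /24 finishes in about a second,
# but responders are printed in whatever order they reply.
sweep_parallel() {
    prefix="$1"
    i=1
    while [ "$i" -le 254 ]; do
        ( "$PING" -c 1 -W 1 "$prefix.$i" >/dev/null 2>&1 && echo "$prefix.$i" ) &
        i=$((i + 1))
    done
    wait
}

# When run as a script: ./sweep.sh 10.10.10 [first last]
if [ "$#" -gt 0 ]; then
    sweep "$@"
fi
```

A single -W 1 per address means a sequential /24 takes up to four minutes against a quiet network, which is why the parallel variant is there; note that ICMP echo can be filtered, so a silent host is "not answering pings", not "down".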
Note: Looking back at my notes, I never actually wrote this up formally; I just have a bulleted list of what I did. I will come back and do this properly at a future date.
- Navigating to the site shows that it returns file contents based on user input. There is a short list of files that are intended to be viewed this way, one of which is listfiles.php, so we start with that.
nmap -A 10.10.10.85 shows a Node.js server running on TCP 3000. Navigating to this server in the web browser and inspecting the headers reveals that it is using the Express framework and sets a single profile cookie, which appears to be the only way input reaches the server; perhaps there is trust in that data we can abuse. A quick Google search turns up a Node.js deserialization bug that can lead to remote code execution. This sounds promising, as we could use it to launch a reverse shell that connects back to a netcat listener on my Kali box. Details on the exploit that I found useful can be found at https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/. Continue reading “Celestial Writeup”
Port scan: nmap -A 10.10.10.79 shows ports 22, 80, and 443 open. http-enum.nse shows /dev/ and /index/ directories on both 80 and 443. Checking these directories reveals two interesting files: a hex-encoded RSA private key, which, after an initial attempt to log in with it, appears to be passphrase-protected, and a notes.txt file that mentions an encoder/decoder somewhere on the site. Navigating to the HTTPS site in the browser and examining the headers and security information under developer tools shows that the site is served over TLSv1.2. The TLS version alone does not make it vulnerable to Heartbleed: Heartbleed (CVE-2014-0160) is a flaw in OpenSSL's implementation of the TLS heartbeat extension, not in TLSv1.2, so the server's OpenSSL build needs to be checked (for example with nmap's ssl-heartbleed script) before assuming the exploit will work. Continue reading “Valentine Writeup”
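Checks for the findings above, added as an example rather than taken from the write-up: decoding the hex-dumped key without relying on xxd being installed, checking whether the PEM is passphrase-protected, and confirming the Heartbleed claim with nmap's ssl-heartbleed script instead of inferring it from the TLS version. The file names and the SSH username are placeholders.

```sh
#!/bin/sh
# hex2bin HEXSTRING -> raw bytes on stdout. Pure POSIX sh (printf octal escapes), for
# boxes where xxd/perl/python are missing; input must be an even number of hex digits.
hex2bin() {
    hex="$1"
    while [ -n "$hex" ]; do
        pair="$(printf '%.2s' "$hex")"   # first two hex digits
        hex="${hex#??}"
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done
}

# is_encrypted_pem FILE -> 0 if the key carries an OpenSSL passphrase header
# (Proc-Type: 4,ENCRYPTED), which is why ssh -i prompts for a passphrase instead of logging in.
is_encrypted_pem() {
    grep -q 'ENCRYPTED' "$1"
}

# check_heartbleed HOST [PORT] -> runs the nmap NSE check for CVE-2014-0160.
# TLSv1.2 in the browser says nothing about this bug; it lives in OpenSSL's
# heartbeat extension, so something has to actually send a malformed heartbeat.
check_heartbleed() {
    nmap -sV -p "${2:-443}" --script ssl-heartbleed "$1"
}

# Workflow against the box (key.hex, key.pem and USER are placeholders):
#   hex2bin "$(tr -d '[:space:]' < key.hex)" > key.pem && chmod 600 key.pem
#   is_encrypted_pem key.pem && echo "key needs a passphrase; look at the site's encoder/decoder"
#   check_heartbleed 10.10.10.79
#   ssh -i key.pem USER@10.10.10.79
```

hex2bin strips nothing itself, so whitespace and newlines in the dumped file are removed with tr before decoding; a stray odd digit at the end will make the last arithmetic expansion fail, which is the signal that the dump was truncated.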