I’m always on the lookout for VulnHub VMs that teach real pentesting skills, and are not just puzzles. I like them to be practical, and force you to learn techniques that you would use in the real world. I feel Donkey Docker is one of these challenges. As always we can begin with an nmap…
Exploiting Server Side Include Injection
Recently I was performing a penetration test and came across a Server Side Include injection bug (SSI). If you are familiar with cross-site scripting (XSS) this type of vulnerability will sound familiar. This is caused by an application taking input form the user, and supplying it in the response from the server. The mitigations are…
Exploiting an unsecured Dell Foglight server
Dell Foglight for Virtualization is an infrastructure performance monitoring tool that can also be used to manage systems as well. It comes configured with a default username and password of “foglight”. It is possible to execute code on the host itself through an integrated scripting console. By browsing to Homes -> Administration And then…
Securing a default installation of MacOS
This was originally written as the basis for a GIAC Gold paper. Ultimately, it was not unique enough to warrant a research paper, but will provide an overview of the security features of MacOS. As of mid 2016, MacOS captures nearly 10% of the global market for desktop PC software. While Apple computers…
Phishing with Maldocs
There are many ways to run a phishing campaign. The most common of them all is a typical credential harvesting attack, where the attacker sends an email to the target enticing them to click a link to a spoofed website. Running these campaigns are fairly straight forward, and a couple of tools make this…
Squeezing the juice out of a compromised WordPress server
During the course of a penetration test, you may stumble upon a web server running WordPress. WordPress is a highly popular CMS. It runs on PHP, and is typically ran on top of a LAMP stack. While most WordPress servers on the web are configured with strong passwords and security plugins, rarely is this the…
VulnHub Walkthrough: hackfest2016: Sedna
Sedna is the second vulnerable VM released by hackfest.ca this month. Much of the first steps of enumeration will be similar to that of my write up for the first VM in the series. The first thing I start with is an Nmap scan. The output is below, shortened for brevity. root@kali:~# nmap 10.0.1.22 -p-…
VulnHub Walkthrough: hackfest2016: Quaoar
A relatively new set of VulnHub CTFs came online in March 2017. This post is about the first and easiest one, named “Quaoar“. This post will be a walk-through of my exploitation of this system. The first thing I like to start off with on any box is a full TCP port scan. When you…
Compromising Synergy clients with a rogue Synergy server
Synergy is a type of mouse an keyboard sharing software. When configured, moving your mouse off the screen will allow you to control another system that is also set up with Synergy. Below is a YouTube video from Synergy on how it works: The way this works is one host acts as the Synergy…
From OSINT to Internal – Gaining Access from outside the perimeter
During an external penetration test, you may be tasked with gaining access from the internet with no knowledge of the a target environment. After hitting all known servers and web applications with various scanning tools, you have nothing. Searching open source information such as database breaches…
Removing Backdoors – Powershell Empire Edition
I’m a big fan of Powershell Empire for penetration testing. If you haven’t heard of it, it is a post-exploitation framework which uses powershell agents to run post-exploitation scripts on a target system. This blog post is meant to address a small subset of the…
Compromising Jenkins and extracting credentials
Jenkins is an open-source continuous integration software tool written in the Java programming language. While useful to developers, it can also be useful to attackers. Often times developers will leave Jenkins consoles in an insecure state, especially within development environments. Jenkins has a scripting console available which can be used to run…
Control your Mac with an iPhone app – An analysis of HippoRemote
Applications that are in use on Macs often times are under less scrutiny for security compared to their Windows alternatives. When researching popular apps in use on OS X I found an app on the iPhone called HippoRemote. It appears to be quite popular, with a combined 7,558…
Using email for persistence on OS X
In this post we will cover how we can use Mail.app on OS X to persist. I was inspired by similar tools which are designed to work with Microsoft Outlook. I first stumbled upon this article from MWR InfoSecurity, and then this blog post from Silent Break Security. While rules in Mail.app will not replicate…
Privilege escalation on OS X – without exploits
This blog post is about ways to escalate privilege on OS X without the usage of exploits. While exploits are always nice to have, there are other ways in which you can gain root privileges on your target. By using misconfigurations with a little bit of social engineering you can get your victim to escalate…
Categories
n00py Blog
- The SOCKS We Have at Home
- Bypassing Amazon Kids+ Parental Controls
- Bypassing Okta MFA Credential Provider for Windows
- CactusCon 2023: BloodHound Unleashed
- Exploiting Resource Based Constrained Delegation (RBCD) with Pure Metasploit
- Practical Attacks against NTLMv1
- Password Spraying RapidIdentity Logon Portal
- Manipulating User Passwords Without Mimikatz
- Unauthenticated Dumping of Usernames via Cisco Unified Call Manager (CUCM)
- Adding DCSync Permissions from Linux
December 2024 M T W T F S S 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Archives
- January 2024
- April 2023
- February 2023
- January 2023
- October 2022
- March 2022
- January 2022
- September 2021
- May 2021
- December 2020
- August 2020
- May 2020
- February 2020
- January 2020
- December 2019
- June 2019
- March 2019
- October 2018
- August 2018
- June 2018
- April 2018
- March 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- June 2017
- April 2017
- March 2017
- January 2017
- October 2016