August 22, 2017

I’ve been running into more and more Linux boxes that don’t have python 2 installed. It’s been a little frustrating since I like to use a slightly modified version of the famous that almost all OSCP students know and love. I’m lazy and hate manual enumeration; makes my fingers go numb. I decided to spend an evening translating it to python 3, but quickly realized, “This python is just invoking shell commands, why am I doing this? ... Read more

Creating a VPN Access Point

August 18, 2017

By now, there shouldn’t be any doubt that not only are you being watched online, but your browsing habits, particularly your political ones, are of interest to the current administration. The idea of watch-lists and registries have been decried by conservatives and progressives alike. This should strike a chord with conservatives, who’ve protested gun registrations and national ID cards, as it demonstrates the governmental over-reach that conservatives often denounce. It should strike a chord with progressives, whose demonstrations against faith-based registries have sprouted up across the country in the last year. ... Read more

Chrome Extension Steals Cloudflare Api Tokens

August 3, 2017

Upon receiving news that the popular Chrome Extension, Web Developer, had been compromised, I quickly began to wonder about the what and how. Several stories exist about how the extension came to be compromised and they touched a bit on what it did. This post is meant to expand upon, what I believe to be, the more nefarious behavior of the extension. Since the extension calls out to an attacker-controlled URL, the payload hosted at that URL could be changed to anything at any time. ... Read more

Creating BashBunny Payloads

April 1, 2017

What is it? The BashBunny is an attack platform that allows attackers to create payloads in Bash. The device can be scripted to enumerate as a HID (keyboard), mass storage, serial, and Ethernet. This enables a multitude of attacks including thing like exfiltrating documents over a network interface or stealing account hashes from locked computers. Creating a Payload We want to create a payload that allows for easy exfiltration from macOS. ... Read more

Finding Your Way Out From Behind Firewalls with Strict Outbound Rules

February 7, 2017

You’ve achieved code execution on a machine, but for some reason your reverse shell isn’t pinging you back. Or that wget/tftp command isn’t downloading your recon/post-exploitation tools. There’s a chance you’re dealing with an egress problem. Typical ports that need outboud access are blocked. You try the main ones you can think of (21, 22, 53, 80, 8080, 443), but none of them seem to be connecting. Do you start at 1 and manually test? ... Read more

Configuring SSH for Pivoting

February 2, 2017

You’re on a pentesting engagement and you’ve discovered a dual homed machine that allows you access to a subnet you can’t access directly from your attack machine. Assuming you’ve compromised at least one machine on the initial network, you can use it as a proxy to other machines on the “hidden” subnet. The ssh client has an often-overlooked configuration file that resides in your ~/.ssh folder. You can configure things in here that are specific to certain hosts or you can set default configurations for every host. ... Read more

B2R: Wallaby Walkthrough

December 30, 2016

Executive Summary This machine had an unlisted but open webapp path that allowed for remote command execution. After establishing a reverse shell as the limited user www-data, privilege checks showed the user was allowed to modify firewall rules. There was also an IRC server that contained a bot that allowed command execution through the use of the .run command. The command would only obey the user waldo so modification of the firewall allows an attacker to kick and assume the waldo identity. ... Read more

B2R: Stapler

December 24, 2016

Adding the IP address of the VM to the hosts file allows one to cut down on some typing. Executive Summary This machine had several services running, some of which revealed employee names and accounts that could later be leveraged to compromise the system. A Wordpress plug-in vulnerability was found and used to extract database credentials, which then led to a non-privileged shell. Once scanned, it was discovered that a script ran every 20 minutes as the root user and that the script was writable to our non-privileged user. ... Read more

B2R: SickOSv1.2

December 20, 2016

Executive Summary This machine had an unprotected folder which allowed uploading of malicious PHP code which could then be executed remotely. An attacker could then create an unprivileged shell on the victim machine and begin to explore the system for additional vulnerabilities which could lead to a full compromise. During the exploration, an outdated version of chkrootkit was found. By exploiting a known vulnerability in the way chkrootkit parses arguments, an attacker could create a malicious file that would later be run by chkrootkit as a fully privileged user. ... Read more

B2R: IMF Walkthrough

November 1, 2016

After mapping the network and finding our IP address at, we can add it to our /etc/hosts temporarily to make things a little easier for us. echo " imf" >> /etc/hosts Lets see what kind of machine we’re dealing with. Ok, so web only. Great. nikto didn’t reveal any low-hanging fruit so let’s dive into the source. Check that out! Our first flag was hidden in http://imf/contact.php. This looks like base64. ... Read more