B2R: Wallaby Walkthrough

December 30, 2016

Executive Summary: This machine had an unlisted but open webapp path that allowed for remote command execution. After establishing a reverse shell as the limited user www-data, privilege checks showed the user was allowed to modify firewall rules. There was also an IRC server that contained a bot that allowed command execution through the use of the .run command. The command would only obey the user waldo, so modification of the firewall allows an attacker to kick and assume the waldo identity. ...

B2R: Stapler

December 24, 2016

Adding the IP address of the VM to the hosts file allows one to cut down on some typing. Executive Summary: This machine had several services running, some of which revealed employee names and accounts that could later be leveraged to compromise the system. A WordPress plug-in vulnerability was found and used to extract database credentials, which then led to a non-privileged shell. Once scanned, it was discovered that a script ran every 20 minutes as the root user and that the script was writable by our non-privileged user. ...

B2R: SickOSv1.2

December 20, 2016

Executive Summary: This machine had an unprotected folder which allowed uploading of malicious PHP code which could then be executed remotely. An attacker could then create an unprivileged shell on the victim machine and begin to explore the system for additional vulnerabilities which could lead to a full compromise. During the exploration, an outdated version of chkrootkit was found. By exploiting a known vulnerability in the way chkrootkit parses arguments, an attacker could create a malicious file that would later be run by chkrootkit as a fully privileged user. ...

B2R: IMF Walkthrough

November 1, 2016

After mapping the network and finding our IP address at, we can add it to our /etc/hosts temporarily to make things a little easier for us. echo " imf" >> /etc/hosts Let’s see what kind of machine we’re dealing with. Ok, so web only. Great. nikto didn’t reveal any low-hanging fruit so let’s dive into the source. Check that out! Our first flag was hidden in http://imf/contact.php. This looks like base64. ...

B2R: Tr0ll Walkthrough

October 20, 2016

A couple of weeks ago, work sent me to a security class for an upcoming product. While there, I learned about vulnhub, a repository of intentionally vulnerable virtual machines for anyone to compromise. Since coming back, vulnhub has become my new obsession. Here’s a walkthrough of my attempt. Note: I struggled a bit more than this writeup lets on. The struggle is omitted for clarity and brevity. After finding the VM with an nmap scan, we see a couple of open ports. ...