Memories of My First CVEs
It’s 2023 and I see that Erik Wynter landed a Metasploit module for one of my first CVE from 2016! Well, technically it was my 2nd CVE, but I submitted both CVE-2016-10107 and CVE-2016-10108 at the same time.
Technical Director (penetration testing), Security Researcher
I was helping teammate Robert Bronstein on an internal network pentest. One of my tasks was screenshotting and reviewing HTTP/S services for default credentials and exploitable versions. That’s when I stumbled upon a Remote Code Execution (RCE) vulnerability in Symmetricom SyncServer. This post outlines the challenges we faced when developing the exploit proof of concept (PoC) and Metasploit code.
The (known) affected software version is 9.0.146 of both the KACE Systems Deployment and Remote Site appliances.
On your internal pentest you managed to find a Windows VM while searching network shares as a low-privileged user. If you can extract the SAM hashes from the virtual machine, you may be able to pass the hash and gain local admin access to some systems.
From BloodHound: “GenericWrite to a computer object can be used to perform a resource based constrained delegation attack. Abusing this primitive is currently only possible through the Rubeus project. First, if an attacker does not control an account with an SPN set, Kevin Robertson’s Powermad project can be used to add a new attacker-controlled computer account”
Here I will be showing the easiest and most useful pivot techniques I use on penetration testing engagements as well as HackTheBox Pro Lab networks. We will not be discussing other types of pivots, including the myriad ways to bend SSH to your will as those topics are already well documented.
While reviewing the security of a product marketed as a “Ransomware Protection and Recovery” solution, I discovered multiple stored Cross-Site Scripting (XSS) vulnerabilities in NAKIVO Backup & Replication version 10.4.1 (build 59587 from 21 Oct 2021). These vulnerabilities could allow malicious JavaScript to be executed by anyone who authenticates to the web application. The attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user.
I recently had the pleasure of attending Steve Borosh’s “Enterprise Attack Initial Access” course offered through Antisyphon. This is my review.
NCC Group published an article titled “RIFT: Analysing a Lazarus Shellcode Execution Method”.[1] This shellcode execution method bypasses some of the usual Sysmon/ETW detections on VirtualAlloc, WriteProcessMemory or CreateThread by encoding the shellcode in UUIDs before creating space on the heap and using some relatively benign WinAPI calls to execute the shellcode. At the moment I’m not sure how many EDRs this will evade, but I do know that this method will evade detection by most if not all antivirus products. The only detection I’ve found after using Sysmon with a common public domain ruleset is a crash found in the Application log after the shellcode has already executed, which the user never sees.
I’ve been learning Nim programming and love how easy and productive Nim development is compared to C/C++, while also giving you low-level control and a fantastic Windows FFI. There are already some great examples out there on Offensive Nim, including Byt3bl33d3r’s OffensiveNim GitHub repository. I recently found that there didn’t seem to be any examples of how to use Nim to inject a DLL from disk into a process. After spending more than a day debugging my code, I stumbled on waldo-irc’s NimMusings example. This post is a simple explanation of the Windows API call differences between injecting shellcode and DLLs into a process using Nim.
Jeeves is a HackTheBox (binary) Pwn challenge, and is now retired. It’s an easy challenge:
This post discusses how a compiled C program (Elf) on Linux resolves the location in memory for shared libraries and includes a walkthrough of the Procedure Linkage Table (PLT) and Global Offset Table (GOT).
This article doesn’t cover HOW to build a pentest appliance virtual machine, although it does link to another article that I followed. What I do cover here is, after you’ve built a pentest appliance virtual machine in VMware, how to reduce the file size so that when you export it to OVA and give it to your customer it will be as small as possible. I started out with a 20 GB OVA file even though the disk usage was only 9 GB, and through the following steps I reduced it down to 4 GB.
This is my walkthrough of HackTheBox Doctor, 10.10.10.209.
Kali Linux recently switched from the Bash shell to Zsh. I log the output of every command run during a pentest to a logfile, in addition to saving screenshots. Pentesters are frequently asked by the client or Blue Team for information to correlate with SIEM alerts, so it’s a good idea to update your Zsh prompt to include the date, time, and IP address.
In the past I’d use a Mac when I needed to test iOS apps on a jailbroken device due to getting an error in Linux about needing to mount an Apple Developer Disk image when trying to use Frida and Objection on Ubuntu or Kali to test an iOS device:
Kickoff call: During the kickoff call, ask if any user input in the thick client app can be viewed by backend web interfaces, or if there is a web client that complements the thick client. If yes, ask if they want to add it to be tested. This should be scoped to another assessment, as we don’t want to give away free work. Additionally, there is a possible attack vector if user input in the thick client is not sanitized and can trigger attacks such as XSS in the web client.
Docker has some very good use cases for pentesters. I cover what Docker is, how to install it, basic usage, and some interesting use cases for penetration testers. This video covers using Docker to run pentesting tools, not how to exploit Docker containers.
The following Golang code demonstrates how to take a network address string in CIDR format and return a slice of strings containing host addresses. Note that I found this code on the Golang Playground (I don’t know specifically who to attribute it to) and edited it slightly and added my own comments so that I was sure to understand what the code was doing before posting it here for my notes.
Nessus-Exploitable is a simple Ruby script to parse Nessus .nessus files and output all exploitable vulnerabilities in tab separated values format for import into Excel.
I was working for a very large corporation that has many subsidiaries and was buying up smaller companies. We needed to send out a dropbox (Raspberry Pi or Intel NUC) that a remote office could plug into the network for internal pentesting, and it would establish an SSH tunnel to our server regardless of network restrictions in the remote office.
Android Testing Cheatsheet - Configuring tools and a mobile device for Android app testing and finding vulnerabilities. Updated on 4/20/2020
How to use the Objection framework with Frida to reverse engineer an Android app to bypass root detection.
This is my listing of iOS and Android assessment tools for my personal bookmarks.
Ruby-Nessus is a ruby interface for the popular Nessus vulnerability scanner. Ruby-Nessus aims to deliver an easy yet powerful interface for interacting and manipulating Nessus scan results and configurations. Ruby-Nessus currently supports both version 1.0 and 2.0 of the .nessus file format.
Update: CrackMapExec now includes the ‘lsassy’ module which automates the following steps. While the article below still works, if you need to dump lsass across multiple hosts, I’d use CrackMapExec as the steps below take a lot more time.
While testing web applications, I monitor the application using Wireshark to see if the app is using a protocol that lacks support in Burp Suite, like HTTP2. This post shows how to decrypt TLS traffic in Wireshark on Kali Linux.
One of the prerequisites for using jackit with a CrazyRadio PA USB dongle is first flashing it using mousejack. This has always been problematic when using VMware. I was getting the error “The connection for the USB device ‘Nordic ASA nRF24LU1P-F32 BOOT LDR’ was unsuccessful.” which looked like a VMware dialog, not a dialog generated by the virtual machine (Kali Linux).
Update: This post is outdated. The Kali repos are fixed and now the best way to install PowerShell on Kali is to run this command: apt update && apt -y install powershell
Sure there are already some pretty good security tools that can pull off ARP spoofing: Ettercap, Bettercap, etc. This post details what I learned when I wanted to do it myself using Scapy, in the hopes that I can help someone else who’s also trying to learn how to use Scapy. After a while you get tired of using other people’s tools and want to learn how to do it yourself, even if you’re just creating yet another tool to do ‘X’, at least you’re learning something new.
Sometimes you may want to manually establish TCP 3-way handshakes when you’re using Python Scapy, but wouldn’t it be nice to use sockets to maintain the TCP handshake and pass the data to/from Scapy? If you don’t really care about the TCP handshake and want that taken care of while you fuzz the data, here’s an easy way using a StreamSocket with Scapy:
I frequently use the Intruder tab in Burp Suite Pro to password spray websites which use Active Directory authentication. One of the problems of using Burp Suite is that there doesn’t seem to be a way to avoid lockout when using a long password list. Frequently I don’t get a hit on a valid password on the first try with Season/Year stuff like “Winter2018!” and need to run through a list of 51 common AD passwords that I have in a file. Sure, I can paste in a list of three or four passwords (depending on my client’s lockout policy), but then I have to wait X minutes and then replace those passwords with three or four more, track the time between password spray runs, etc. That’s a manual process, and I’d prefer something that I can set up and just let run to completion.
ScanCannon - Runs Masscan, followed up by Nmap for service version info. This should finish scans much faster than Nmap alone while providing service version info that Masscan doesn’t provide.
The one thing that changed my life was when I read about interest vs commitment. Too often I hear people wish that things were different, or they want things they will never have or accomplish. They don’t know what it means to be committed to something, so they wander through life like a leaf on a stream, never knowing they’re holding themselves back and maybe they blame others or circumstance.
I got tired of maintaining my own WordPress blog, and issues with WordPress on Digital Ocean resulted in my database going down repeatedly. Now I’m hosting on github.io and don’t have to worry about site security, databases, etc., just write and publish!