Posts

Blue Team Labs Online - Wargames

SCENARIO: A privileged USER working as local admin on a "REALLY SECURE System" opened a HOWTO for the "TIC TAC TOE" Strategy Game. Unfortunately he downloaded the HOWTO from a repository controlled by an adversary named TRUDY. We suspect exploitation was performed on the system and that persistence has been achieved. After the user noticed his system was acting strange he disconnected it from the network and the local IR unit was able to acquire a memory dump using the "dumpit" tool. You have at your disposal an updated version of the VOLATILITY 3 FRAMEWORK and a Linux CLI to perform your analysis.

To view the available Windows plugins for Volatility 3, the following command may be used: python3 vol.py -f ../DUMP-20210321-211411.dmp windows

What was the System Time at time of Image Acquisition? (5 points)

python3 vol.py -f ../DUMP-20210321-211411.dmp windows.info.Info

The output shows the system time of image acquisition to be 2021-03-21 21:14:13.

What's the Virtual Memory A

Detecting CVE-2018-16983 (NoScript Bypass)

MORE INFO: https://nvd.nist.gov/vuln/detail/CVE-2018-16983

The following post concerns information which is obviously quite old. As a long time NoScript user, I was quite alarmed to see a tweet put out by Zerodium detailing an extremely simple exploit that tricks NoScript into allowing JavaScript to be executed. I consider NoScript necessary for a safe browsing experience. However, the real concern is for those whose physical safety relies on the security and privacy provided by the Tor Browser, which is by extension affected by this critical flaw.

Unfortunately, I was unable to locate a version of NoScript (prior to version 5.1.8.7) that is vulnerable. In any case, I am releasing the following Snort rule in hopes that someone may benefit from it.

alert tcp any any -> any any (msg:"EXTERNAL_NET CVE-2018-16983 NoScript Content-Type Bypass"; content:"text/html\;/json"; sid:1; rev:1;)

Fortunately, we may still test the efficacy of this rule using netcat. A stri
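
The Snort rule above is a plain substring match on the TCP payload. The following Python is an added example, not code from the original post: it emulates what the rule's content: option fires on, and next to it parses the Content-Type header the way a correct media-type parser would, so you can see why a text/html response carrying the parameter string "/json" looks like JSON to a naive check while still being HTML. The three HTTP responses are constructed for the illustration, not captured traffic.

```python
"""
Added example (not from the original post): emulate the Snort rule's
content match and compare it with a correct Content-Type parse.
The HTTP responses below are constructed for this illustration.
"""
import re
from typing import Dict, Optional, Tuple

# The byte sequence the rule's content: option searches for. In a Snort rule
# ';' must be escaped as '\\;', so content:"text/html\\;/json" means the
# literal bytes b"text/html;/json".
RULE_CONTENT = b"text/html;/json"


def rule_matches(payload: bytes) -> bool:
    """Emulate the rule: a case-sensitive substring search over the whole
    payload, exactly as written (no flow:, no http_header modifier)."""
    return RULE_CONTENT in payload


def parse_content_type(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Content-Type value into (media_type, params) the way RFC 7231
    intends: the media type ends at the first ';', everything after it is
    parameters. A parameter without '=' is kept with an empty value."""
    parts = [p.strip() for p in header_value.split(";")]
    media_type = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if not p:
            continue
        name, _, value = p.partition("=")
        params[name.strip().lower()] = value.strip().strip('"')
    return media_type, params


def content_type_of(response: bytes) -> Optional[str]:
    """Pull the Content-Type header value out of a raw HTTP response."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    m = re.search(r"^Content-Type:\s*(.+)$", head, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else None


def inspect(response: bytes) -> dict:
    """Report both views of one response: whether the signature fires, and
    what a correct media-type parser says the response actually is."""
    ctype = content_type_of(response) or ""
    media_type, params = parse_content_type(ctype)
    return {
        "snort_alert": rule_matches(response),
        "media_type": media_type,
        "params": params,
        # The suspicious shape: a text/html body whose parameter string was
        # crafted so that a naive "does it mention json?" check says yes.
        "html_disguised_as_json": media_type == "text/html" and "json" in ctype.lower(),
    }


# Constructed sample responses (not captured traffic).
BYPASS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html;/json\r\n\r\n"
    b"<script>alert(1)</script>"
)
BENIGN_HTML = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html></html>"
)
BENIGN_JSON = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"ok": true}'
)

if __name__ == "__main__":
    for name, resp in [("bypass", BYPASS_RESPONSE), ("html", BENIGN_HTML), ("json", BENIGN_JSON)]:
        print(name, inspect(resp))
```

Two caveats when deploying the rule itself: the match is exact-case and byte-for-byte, so a header written "Text/HTML;/json" or with extra whitespace around the ';' will not trigger it; and sid:1 falls in the range Snort reserves, so a local rule should carry a sid of 1000000 or higher.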

Hack the Box - Sauna

Sauna is a Windows machine at 10.10.10.175. Using nmap to scan for open ports shows that Sauna's domain is EGOTISTICALBANK.LOCAL. Sauna is running an IIS web server on port 80; the web root links to /about.html, and this page reveals employee names. We can now create a wordlist based on common enterprise naming conventions and these names. This list can then be used with kerbrute to enumerate valid domain users; the only user found was 'fsmith'.

As described at https://www.tarlogic.com/en/blog/how-to-attack-kerberos/, GetNPUsers.py is used to request AS-REP responses for accounts that do not require Kerberos pre-authentication (AS-REP roasting). Part of each response is encrypted with a key derived from the user's password, so it can be cracked offline. We now have fsmith's hash in Kerberos 5 AS-REP format. John the Ripper can be used to crack this hash with the rockyou.txt wordlist; it determined fsmith's password to be 'Thestrokes23'.

evil-winrm is a tool which takes advantage of the Windows Remote Management service; we can use it to start a ses
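
The step that turns the names on /about.html into something kerbrute can test is worth spelling out. The following Python is an added example, not part of the original write-up: it expands each "First Last" name into the usual Active Directory username conventions (first.last, flast, f.last, firstl, and so on) and de-duplicates the result. The employee names used are constructed placeholders, not the ones on Sauna's page; the first-initial-plus-surname convention is the one that produces 'fsmith'.

```python
"""
Added example (not from the original write-up): generate the username
candidate list fed to kerbrute from a list of employee names.
The names below are constructed placeholders.
"""
from typing import Iterable, List


def username_candidates(full_name: str) -> List[str]:
    """Expand one 'First Last' (or 'First Middle Last') name into common
    Active Directory naming conventions. Output is lower-case and
    de-duplicated, with order preserved."""
    parts = [p for p in full_name.lower().split() if p]
    if len(parts) < 2:
        return parts
    first, last = parts[0], parts[-1]
    fi, li = first[0], last[0]
    candidates = [
        first,                 # fred
        last,                  # smith
        first + last,          # fredsmith
        first + "." + last,    # fred.smith
        first + "_" + last,    # fred_smith
        first + "-" + last,    # fred-smith
        fi + last,             # fsmith  <- the convention that matched on Sauna
        fi + "." + last,       # f.smith
        fi + "_" + last,       # f_smith
        first + li,            # freds
        first + "." + li,      # fred.s
        last + first,          # smithfred
        last + "." + first,    # smith.fred
        last + fi,             # smithf
        last + "." + fi,       # smith.f
        fi + li,               # fs
    ]
    seen, out = set(), []
    for c in candidates:
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


def build_wordlist(names: Iterable[str]) -> List[str]:
    """Flatten the candidates for every name into one list, keeping the first
    occurrence of each username so kerbrute does not test duplicates."""
    seen, out = set(), []
    for name in names:
        for c in username_candidates(name):
            if c not in seen:
                seen.add(c)
                out.append(c)
    return out


# Constructed sample names (placeholders for the names scraped from /about.html).
EMPLOYEES = ["Fred Smith", "Hugo Bear", "Sophie Driver"]

if __name__ == "__main__":
    with open("users.txt", "w") as fh:
        fh.write("\n".join(build_wordlist(EMPLOYEES)) + "\n")
```

The resulting users.txt is what the write-up hands to kerbrute (kerbrute userenum -d EGOTISTICALBANK.LOCAL --dc 10.10.10.175 users.txt) and, for the accounts kerbrute confirms, to GetNPUsers.py (GetNPUsers.py EGOTISTICALBANK.LOCAL/ -usersfile users.txt -no-pass -dc-ip 10.10.10.175 -format john). Keep the list short: every candidate is a Kerberos request against the DC, and an AS-REQ storm is easy to spot in the DC's event log.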

Vulnhub Matrix: 1 Walkthrough

Starting with a ping scan we find Matrix at 192.168.19.192. A service scan reveals 3 open ports. A base64 encoded string can be found in the source of the web root on port 31337; decoding this string reveals a command that redirects a quote to a file named 'Cypher.matrix'. The server's response to http://matrix:31337/Cypher.matrix is a brainfuck sample. I then used https://copy.sh/brainfuck to interpret the code. This reveals a set of credentials, where the last 2 characters of the password are unknown.

I then used crunch to create a list of suffixes to use in combination with 'k1ll0r', and awk was then used to prepend 'k1ll0r' to the wordlist. The list is now ready to be used in a dictionary attack against ssh using ncrack. ncrack found the credentials to be 'guest:k1ll0r7n'. We are now able to login to ssh using these credentials! Attempts to execute commands reveal that we are stuck in a restricted s
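
Both of the offline steps in this walkthrough, interpreting the brainfuck sample and building the 'k1ll0r??' wordlist, are small enough to do without the web interpreter and without crunch and awk. The following Python is an added example, not code from the original walkthrough: a minimal Brainfuck interpreter (8-bit wrapping cells, bracket matching pre-computed, unbalanced brackets rejected rather than hanging) and a generator that prepends the known prefix to every two-character suffix from a chosen charset. The Brainfuck program inside is constructed for the illustration and prints "k1"; it is not the Cypher.matrix sample served by the box.

```python
"""
Added example (not from the original walkthrough): a Brainfuck interpreter
standing in for the copy.sh step, plus the crunch + awk wordlist step.
SAMPLE_BF is a constructed program, not the box's Cypher.matrix.
"""
from itertools import product
from typing import Iterable, List


def bf_run(program: str, stdin: bytes = b"") -> str:
    """Execute Brainfuck `program` on a 30000-cell tape of 8-bit wrapping
    cells (the classic defaults) and return everything it prints.
    Unbalanced brackets raise ValueError instead of silently looping."""
    # Pre-compute matching bracket positions so each jump is O(1).
    jumps, stack = {}, []
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = bytearray(30000)
    ptr = pc = 0
    inp = list(stdin)
    out = bytearray()
    while pc < len(program):
        ch = program[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = inp.pop(0) if inp else 0   # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]                         # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]                         # back to the matching '['
        pc += 1                                    # any other byte is a comment
    return out.decode("latin-1")


def suffixed_wordlist(prefix: str, length: int, charset: Iterable[str]) -> List[str]:
    """Equivalent of `crunch <length> <length> <charset>` piped through awk to
    prepend `prefix`: every string of `length` characters drawn from
    `charset`, glued onto the known part of the password."""
    return [prefix + "".join(s) for s in product(charset, repeat=length)]


# Constructed Brainfuck sample that prints "k1" (bytes 107 and 49) with the
# usual "counter cell drives a multiply loop" idiom. Built with string
# multiplication so the '+' counts are exact.
SAMPLE_BF = (
    "+" * 10 + "[>" + "+" * 11 + "<-]>---."       # 10*11 - 3 = 107 -> 'k'
    + "[-]<" + "+" * 7 + "[>" + "+" * 7 + "<-]>."  # clear, 7*7 = 49 -> '1'
)

if __name__ == "__main__":
    print(bf_run(SAMPLE_BF))
    words = suffixed_wordlist("k1ll0r", 2, "abcdefghijklmnopqrstuvwxyz0123456789")
    with open("passwords.txt", "w") as fh:   # password file for ncrack -P
        fh.write("\n".join(words) + "\n")
```

With lowercase letters and digits the two-character suffix gives 1296 candidates, which includes the 'k1ll0r7n' that ncrack found; widening the charset to include uppercase and symbols grows that quadratically, so pick the charset from whatever the brainfuck output tells you about the missing characters before spraying it at sshd.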