I'm working on a project which involves creating a WordPress plugin and it got me to thinking about how easy it would be to create a plugin whose sole purpose is a reverse shell.  To get a shell from a WordPress UI, I've used plugins that allow for inclusion of PHP and I've also edited embedded PHP such as the footer.php file.  But until now, it didn't occur to me to write a plugin to perform the task.

I started tinkering around and I initially used Pentest Monkey's reverse shell and even though it tossed back a shell, it also killed the WordPress site.  I literally had to go into the /wp-content/plugins directory to manually remove the plugin before the site would function correctly again.  Not ideal for a number of reasons.

Read more: WordPress Plugin : Reverse Shell

I went hunting for vulnerable PHP code to use as an example and my first acquisition was a collection of scripts that wouldn't function correctly.  It had several different pieces, all supposedly vulnerable, but only one of the pieces actually worked.  In my second attempt at finding vulnerable code, I came across WackoPicko.  According to the description:

"WackoPicko is a website that contains known vulnerabilities. It was first used for the paper Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners"

In the end, I didn't get exactly what I wanted and my frustration with "free" code not performing up to my level of expectation led me down a path which is equally amusing.

Read more: Injections Gone Wild

There are a number of methods which use macros in Office documents to deploy malware.  I came across one the other day that leverages a vulnerability in various versions of the .NET Framework.  

CVE-2017-8759 -- Microsoft .NET Framework versions allow an attacker to execute code remotely via a malicious document or application, aka ".NET Framework Remote Code Execution Vulnerability."

There are three pieces to this exploit -- the Word document, a text file which will get downloaded when the macros are enabled, and an .hta file with a payload.  With a patched machine and current antivirus, I attempted to get this working but I could never get proper execution for whatever reason.

Read more: Empire Macro Fun

Heartbleed came out not long after the time I began my journey into the security side of the house.  I recall a box that I believe was vulnerable to the Heartbleed attack but I wasn't seasoned enough to know what to do with it.

When I saw the name Valentine on this box, I knew it was a clue -- most of the names ARE clues but I didn't home in on it until I saw the main page for the website.

Read more: HackTheBox - Valentine

My original intention was to provide an example of automating Local File Inclusion (LFI) which I'd done previously somewhere on this site using Python.  But the point of that post was LFI with Python, not to answer a question someone posed to me in a discussion.  Now that I think about it, I wonder if the problems I encountered with this exercise would have also been encountered with a Python script.  Hold that thought, I'll work that out in a moment.

Before I digress too much, this post is about automating LFI with Bash but then things got sideways and I thought I'd write about it.  

If there's one big takeaway from hacking, I'd say it's this -- what we do is not the intended method for interacting with the application (or interacting with whatever) and we should expect inconsistent results.  That was my mistake here.

Read more: LFI Reality

The description of this box states:

"DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.  It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn."

I think this definitely falls into the beginner category.  The entry is fairly obvious, hone that down to a specific vulnerability and you have your in.  From there, enumerate carefully.  Find the nugget and then figure out how to use it to your advantage.

That's all I'm saying for now...

Read more: Vulnhub DC-1: 1 Walkthrough