A friend who already rooted this box recommended it to me and now understand why. It wasn't hard but it makes you put pieces together and that makes it fun. I'll bring this up in a minute when we get to a specific point but somewhere in the middle, something kept breaking and I had to tear out the VM and import a new one. I don't know if that was just me or if this is everyone but it'll be obvious if it happens to you and I'll make sure to point it out.
Anyway, kicking off with Nmap:
In a not so distant past, I was a highly competitive endurance sports athlete. I'm still very involved in endurance sports but not at that level because eventually you have to grow up and go back to work. But during that time, I was highly obsessed with every aspect of endurance sports. That is my nature though. I become passionate and I obsess to become the absolute best I can be.
I've been into technology since I was a kid and it is the single constant in my life. Obsessions come and go but tech has always been there. Maybe not to the level of that first contact -- it ebbs and flows. When I discovered information security, that stoked the fire once more and my obsession rages on. With the exception of endurance sports which play a large role in my life, the only free space in my life is consumed by infosec.
A quick primer prior to hitting the substance of this post.
With respect to the Internet, people like names and machines like numbers. When we enter: www.google.com into our web browsers, domain name service (DNS), is what takes the name: www.google.com and converts it to the IP address: 172.217.5.196
DNS encompasses more than that but the basic point is that this type of resolution exists in the background and it's all happening unencrypted. So why do we care? We could talk about Man in the Middle attacks and how this traffic can be intercepted, poisoned, and how you could be sent somewhere else. But odds are pretty good that's not happening to you. Let me paint a more realistic example that is happening to you.
Don't hide passwords in Excel. If you hide passwords in Excel, they can be found. If you password protect Excel documents, they can be cracked. Now that I've given my public service announcement, if you have to hide passwords in Excel or you have data that you don't necessarily want visible at all times, I have a quick fix for you. I was sort of hoping for something a little more elegant but when I came across this solution, it solved my immediate problem and I'm not really all that interested in spending more time for a slightly better solution.
Below, we have a typical Excel document with a column for the username and another column for the password:
There are a few new releases on Vulnhub and the one I'm writing about today claims there are 12 avenues for privilege escalation. Honestly, I'm not interested in finding 12 different privilege escalations. I have the patience and the time for one. I figured with that many avenues, this would be over quickly. I appreciate the effort but I'm one and done on this box.
If you're on the hunt for all 12, I've got a few hints in the screenshots. I would also look at cron because I seem to recall seeing something there as well when I was hunting around post root.
Anyway, kicking off with Nmap:
I've been asked to give a talk on basic OpSec and I started compiling a small list of the essentials. Some of the items on my list have already been written and exist somewhere on this site while others are yet to be written. One of the questions that came up during the request for the OpSec talk involved public WiFi, the dangers, and how to protect yourself.
First, we have to understand how WiFi connections work at a basic level. The real danger comes from WiFi connections that are not secure, like those we find in an airport, a cafe, etc. When you turn on your device, the device will go through it's list of saved connections and it will toss out a request. Starbucks, you here? Oakland Airport, are you here?