With each new tool that pops up on the Internet, there's a/v signature written within the very near future of its birth to detect and remove it.  For example, PowerSploit's PowerView which is described as:  "a PowerShell tool to gain network situational awareness on Windows domains."  Technically, there's nothing malicious about this tool as far as I can tell other than its purpose is primarily used for hacking.  When downloaded to a system with endpoint protection, the PowerView script is immediately removed.

Not that I've looked under the PowerView hood but I can imagine it's making calls to existing commands and presenting the output to us.  I'm a huge proponent of living off the land because we're using the system against itself and as far as endpoint protection, we'll go unnoticed.  That's not to say that alerts aren't written for PowerShell execution but that's a separate issue. 

I belong to a few business networking groups and I’m frequently asked – “Who is your ideal customer?”  Normally, I answer that question in generic terms but I was recently at a presentation given by a local HR benefits provider and my answer to that question changed the following week. 

The description states:  "Welcome to ColddBox Easy, it is a Wordpress machine with an easy level of difficulty, highly recommended for beginners in the field, good luck!" 

I've been looking for a little mindless hacking because I'm sandwiched between a couple of red team courses that are making my brain hurt.  I've actually been refreshing the Vulnhub page for a few days now hoping they'd dump some new boxes.  I also have a new box in that list as well.  The last two were huge successes and the feedback I got was pretty amazing.  Anyway, enough about that, we kick off with Nmap:

In a previous post, I talked about using Terraform to spin up AWS instances.  Not to rehash what was already written, if you want to see the mechanics of account creation, permissions, and the basic server setup, please look to that post.  This post will expand on the basic server by executing a post install script that performs a number of tasks.  Really, this is where you can automate a ton and save time. 

This was an interesting situation where I thought I was retrieving a token using XSS, like (document.cookie), but instead the token was located in LocalStorage.  Obviously, you need to know the key name but since I had the application, I had that information.  Pushing aside the XSS part, the meat is here:

Described as an "Easy to Intermediate" boot2root, the description states:  "Really technical machine, if you are ready for certifications it will be a good tool to test yourself. You will find a very rare final exploit technique, which you have hardly seen before!" 

I've said this a ton of times, it's all a matter of perspective.  In my opinion, this challenge is easy.  Entry is quick and root is even quicker.

We kick off with Nmap: