While talking with a client this morning, I started to get nerdy about passwords and password managers. A few things I emphasized were that passwords should be unique across all logins, password managers should be used by everyone, and saving passwords in Chrome (and other browsers) is a risky proposition.
I've actually wanted to write this up for a while now but the conversation this morning motivated me to put the pen to the paper. So here we are....
The actual time it took to root the box was just a few minutes and the setup actually took longer. I wanted to have a Windows 10 Pro machine, fully patched, and running current antivirus.
As a side note, there's a misconception that antivirus will protect you. Antivirus is a must but it's trivial to get around as you'll see in a moment.
I sent an email to a vendor asking for a document and when the vendor replied to my email with the document attached, the document was password protected. He said as much and he also said that I could probably crack it. He is correct.
I've probably cracked a PDF once or twice. I've probably also cracked a few ZIP files, RAR files, and various other files with passwords but I think you get the point. Essentially, most of these types of files will all crack the same way -- John the Ripper.
There are a couple of John the Ripper versions but somewhere along the way, I discovered that the Jumbo John package is the one to use for cracking ZIPs and RAR files. I don't know whether PDFs fall under that some umbrella but that's where I went.
This is something I should have done a long time ago. I'm frequently hopping on a server and creating a manual backup prior to doing [something]. It's not like this task is complicated but as I was about to manually go through the steps this morning, I thought -- let's finally automate this process.
There's actually a one-liner for mysqldump but for some reason, it didn't work so I went a different route with the variables at the top which makes it a little easier when recycling this script on another server.
Hacking is doing something that wasn't meant to be done. Or perhaps a better way of putting it is to say that when the designer designed their product, they were not thinking of our method of interaction.
When the login form below was designed, the idea was that a decent person would visit this site with the intention of logging in with their credentials.
A while back, I wrote about a buffer overflow I discovered while tackling a CTF style box. It's not a complete guide to buffer overflow but if you have some basic instructions on "how to", you can fill in those gaps that I've left unwritten.
When I first learned of buffer overflows, I was sort of following along with blind faith, hoping it would all work out in the end. At a certain point though, the tools we use become more familiar through other use. For example, MSFVenom will become widely used for more than just generating shellcode for buffer overflows. You'll go from mindlessly retying the text you see to understanding what you're actually typing. And then, hopefully, wanting to test what you're doing prior to pointing it at your victim machine.
In the line below, I'm generating Linux shellcode, the architecture is 64 bit, the shellcode will spawn a reverse shell, host and port are pointing back to my box, my format is C code, and I'm excluding the bad characters which could muck up the execution. Like the buffer overflow explanation in the above referenced post, I'm not drilling down completely because a lesson on why null byte, line feed, and carriage return could / will cause problems is an entire post on its own.
I go back and forth between working on various problems and when a hard problem wears me down, I work on something easier. That's where Blocky comes into play.
It seems they move boxes in and out of the Retired section of HTB because I don't even recall its name. I do know that I was working on another box, went through the weekend without touching it, and when I went back to it that following Monday, it was inactive.
Anyway, so Blocky went from Nmap scan to root in no time purely because of a solid guess. I sometimes just poke at something for the sake of covering all of my bases but it doesn't normally bear fruit. This time it did and I was completely taken aback. More on that in a bit.
First we kickoff an Nmap scan: