Vulnhub Mercy Walkthrough

by Vince
in Blog

I'm sitting on an airplane reading "How to Hack Like a LEGEND: A hacker's tale breaking into a secretive offshore company" and taking notes.  As I read through the book and realize there are more real-world tools I should be exploring instead of playing on HackTheBox and Vulnhub, I write myself a note: "Less hack-y things, more real-world".  That lasted a day, maybe two, and then I could feel the challenges calling me back.  It's not that the CTF challenges don't hone your skills; it's that there are some recent tools worth exploring as well, perhaps some of them more useful for current work projects.  

I'm starting to like the CTF challenges as I learn more of the esoteric techniques used for that particular style of box.  So as I'm perusing Vulnhub, I come across Mercy:  "MERCY is a machine dedicated to Offensive Security for the PWK course, and to a great friend of mine who was there to share my sufferance with me. :-)"

Mercy definitely has that PWK feel except that I think the Offsec folks would have made the privilege escalation more challenging.  


Exploiting jQuery-File-Upload 9.22.0

by Vince
in Blog

CVE-2018-9206:  Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0

Alternatively known as the "eight year zero day".  Lots of vulnerabilities go unnoticed, although eight years seems like a bit much.

I found this vulnerable version, set it up on a server, and decided to play around with an automated version of:

<?php $cmd=$_GET['cmd']; system($cmd);?>

Exploit-DB already has an exploit, but you can also use curl -F to upload a shell with the above syntax.  You could push up a reverse shell as well, but I got to thinking: what if I did a little bit of automation?


Stealing Chrome Passwords

by Vince
in Blog

While talking with a client this morning, I started to get nerdy about passwords and password managers.  A few things I emphasized were that passwords should be unique across all logins, password managers should be used by everyone, and saving passwords in Chrome (and other browsers) is a risky proposition.  

I've actually wanted to write this up for a while now, but the conversation this morning motivated me to put pen to paper.  So here we are...

Rooting the box took just a few minutes; the setup actually took longer.  I wanted to have a Windows 10 Pro machine, fully patched, and running current antivirus. 

As a side note, there's a misconception that antivirus will protect you.  Antivirus is a must, but it's trivial to get around, as you'll see in a moment.  
