I'm working on another box but I can't root it.  The initial foothold is unique and even though I was tempted to write up just that part, I really want to do a full write-up so I'm holding off.  After banging my head for far too long and spending more time than I allot for these diversions, I decided to step back from it for a day or two.  In my "cooling off" period, I fired up another newly released box from Vulnhub titled "RootThis".  

Before I get started with the walk-through, let me point to a post I'd recently written:  Drupal to Reverse Shell

The timing of these articles couldn't be better.  Spending the time working with Drupal and then coming across this box made my life so much easier.

Let's not get too far ahead --

Read more: Vulnhub RootThis: 1

I spent the weekend at a red teaming class -- when I returned, I jumped up on Vulnhub and I found a new batch of boxes waiting to be exploited.  Needless to say, it's like winning twice in the same week. 

I'm so appreciative of people who are willing to spend the time building these boxes because it allows others in the community to work on their skills -- for free.  Needless to say, I've downloaded a number of boxes from this recent batch and while perusing the list, I randomly picked Web Developer as my first to attack.  

If this box is any indication of how the rest will go, I will be very pleased because the author tossed in a couple of new avenues that I've yet to see.  While not particularly hard, even if you have some knowledge of these avenues, this box still makes you think and jump through some hoops.  

Bottom line, this one was clever and a lot of fun!

Read more: Vulnhub Web Developer: 1

There are a variety of methods for generating payloads and depending on the avenue of attack, one method might prove to be a better route than another.  For example, in my opinion, any sort of .bat file email attachment or web download comes off as a bit more suspicious to me than, say, an emailed Excel or Word document.  That's not to say that you couldn't get someone to launch a .bat file, but it's a lot more likely that someone would open a Word or Excel document from a trusted friend or colleague -- if you were able to spoof email from that trusted friend or colleague.  

It's also been my experience that the protection mechanisms on modern operating systems are getting better.  That is to say that Windows 8 & 10 are better than, say, Windows 7, and some antivirus products are proving to be a bit more challenging to get around than in years past.  Again, I'm leaning more toward the Office document rather than something that comes off as suspicious to these protections.

Read more: Payloads and Antivirus

Microsoft has given us the ability to report messages as Junk or Phishing to help improve their accuracy.  I would love to customize what they've given us to send messages elsewhere but Microsoft didn't provide us with that option.  

The problem is that not all messages are black & white obvious and users might not be able to determine the legitimacy of a message.  I would love a single click button that would forward suspicious email to our team where we can give it a hard look.  Now thinking about that scenario for a second -- if a user forwards spam, it could get flagged on our end as spam.  

Spoiler alert:  We're going to create such a button.  In the design, we're going to forward the message to a specific address that we can whitelist to prevent the forwarded message from getting trapped on our end.  In addition, we're going to change the subject to one that allows for easy identification.  

Read more: Custom Outlook Report Email Button

Updated:  Drupal 8 Post

The three biggest content management systems (CMS) are:

  • WordPress which controls over 50% of the market share.
  • Joomla which controls a little over 6% of the market share.
  • Drupal which controls a little under 5% of the market share.

Personally, we've been hosting, developing, and managing WordPress sites for over 5 years.  Joomla was the first CMS we used, and we've been hosting, developing, and managing it for over 10 years.  But when it comes to Drupal, we have very little experience other than exploiting it, and almost exclusively with Drupalgeddon in the last few years.  Aside from that, we haven't seen a need to learn yet another content management system for the purpose of using it for its intended design.  

Read more: Drupal to Reverse Shell

I'm a big fan of people who take time out of their day to help others in the community, especially with something as time consuming as building a vulnerable server.  So when I state that I don't really like the capture the flag style boxes, it's nothing against the maker; it's just a personal preference.  I'm sure it's enhancing my critical thinking skills and I should be happy with that, but sometimes these challenges frustrate me. 

FristiLeaks is one of those boxes that tested my patience.  My frustration came out at the end when I saw how I was supposed to conquer this box and instead I went for the kernel exploit.  Granted, the kernel exploit is the fastest way to root, so there's that, but the author had intended for it to be more of a game.  

Anyway, in protest:

Read more: FristiLeaks 1.3