Every so often, I come across a challenge that has a password-encrypted zip file.  And every so often I realize I've switched my working laptop and I no longer have Jumbo John installed.  Recently I encountered that exact scenario and when I attempted to install Jumbo John, something went sideways.  Rather than digging through it, and knowing that I'm about to switch my working laptop in the very near future, I decided to use a script instead.

Honestly, after going this route, I'm not exactly sure why this isn't a better approach.  Perhaps if I weren't using a wordlist?  Multithreading?  Dunno.  Anyway, I think I can count exactly one time I've come across a zip file with a password in my work.  Given that this situation only arises during CTF situations, the script works and I don't have to install anything.

Read more: Cracking Password Protected Zip Files

I almost titled this blog something that would give away the exploit but then I realized someone might be passing by to get a hint.  Without giving away the privilege escalation -- the first time I used this exploit, I felt like a l33t h4xor.  I'm not.  I just felt like one because it's more than just compile, execute, root.  I've only used it a few times but I like it.  There's a quicker way to root this box but it's worth doing the longer way especially because it didn't go as planned and there's a slight modification that makes it work anyway.  

Continuing on with the Kioptrix Series, this is Kioptrix 1.3 (#4), the fourth from this author (group?).  This is a big jump up from the first three in terms of difficulty, IMO.

Read more: When Life Hands You Lemons

I'm surprised I didn't find this one sooner.  I was working my way through the Kioptrix series but alas, the final box is from a different hypervisor and while I was able to import it, I could not get networking to function.  One day I will set up another machine to work on these other systems but for now, I continue finding lists of must-do boxes.  Vulnix has been around for a while but I've never crossed paths with it.

This is a fun box.  It is probably more real world than the CTF style boxes because its vulnerability stems from a misconfiguration which is more likely than you might think.  

Read more: Vulnhub Vulnix Walkthrough

Next up in the Kioptrix series is Kioptrix 1.2 (#3), the third in the group which gets even more confusing with #4 and #5 being referenced as 4 in their downloads but I digress.  I think something is wrong with the image because I was expecting LFI from the vulnerabilities I found but LFI didn't work.  I ended up going a different route than what I think was the point of this lesson.  I just wanted to pop the box, be done with it, and move on to the next one -- hoping that it was just a one-off problem.

After I rooted the box, I found some creds, a setuid binary, and I think that was my route after getting in through LFI but I'd already popped the box, seemed like things were messed up, and there are more to conquer.  

Read more: Dirtycow Gone Awry

First, let me say that while I've used this password manager on occasion for various reasons, this is not what I use personally.  If we're making a recommendation, we like 1Password.  But if we're looking for a completely free password manager that doesn't require logging into a website, KeePass is a solid option.  It's a no frills password manager that does exactly what you'd expect it to do -- store passwords.  

As far as I can tell, KeePass doesn't have native browser integration although there are Chrome and Firefox extensions available.  I can't speak to their reliability or their security.  Assuming we're just trying to get off of Excel as our password manager and we just want to move to something a little more secure and robust, without further ado -- KeePass...

Read more: KeePass Password Manager Install Guide

After learning of the Kioptrix series, I've become curious as to what makes up the other boxes.  The next in the series, Kioptrix:  Level 1.1 (#2), is a CentOS server with an injection point.  There are two things I like about this box:

1.  With the typical path I'd normally take with sqlmap, I was unable to get anything of use from this box and I was forced to use manual knowledge of blind SQL injection.

2.  This box is older and what ultimately got me to root was an exploit I haven't used which is something new to me that I will stuff away for possible later use.

Read more: Simple SQL Injection