The other day, I received an email from someone who asked me to write up a walk-through on SP: leopold, which is part of a new series of boxes on Vulnhub.  Sometimes I really appreciate the Internet for what it truly is -- a remarkable instrument for communication.  It allows someone, from somewhere, to reach out and collaborate with another stranger with a common interest.  I was flattered actually and it made my day.

When I replied to my newfound friend, I said that I would take a look at it over the weekend and I offered my quick thoughts.  I received a reply not long after with a bit more information which included a solid hint.  Prior to receiving that hint, I did what I normally do --

Read more: Vulnhub SP: leopold Walkthrough

I'm working on a project which involves creating a WordPress plugin and it got me to thinking about how easy it would be to create a plugin whose sole purpose is a reverse shell.  To get a shell from a WordPress UI, I've used plugins that allow for inclusion of PHP and I've also edited embedded PHP such as the footer.php file.  But until now, it didn't occur to me to write a plugin to perform the task.

I started tinkering around and I initially used Pentest Monkey's reverse shell and even though it tossed back a shell, it also killed the WordPress site.  I literally had to go into the /wp-content/plugins directory to manually remove the plugin before the site would function correctly again.  Not ideal for a number of reasons.

Read more: WordPress Plugin : Reverse Shell

I worked with a guy who went onsite to install a router with information he was given from the local Internet Service Provider (ISP).  When he arrived onsite and he attempted to install the router, he was unable to connect to the Internet.  He and I went back and forth about the possible issues and after a few minutes, I asked him to text me the information he was given by the ISP.  When I looked at the message, it became immediately clear what was causing the problem.

Not using the actual IP information, this will suffice:

IP Address:  255.255.255.0
Subnet:  192.168.168.10
Gateway:  192.168.168.1

You could look at this information and the problem might be completely obvious to you – or perhaps not.  The point being that to call this post a primer on pentesting would be to ignore the entire foundation where the majority of this work exists – the network. 

Read more: Pentesting 101: Nmap

There are a number of methods which use macros in Office documents to deploy malware.  I came across one the other day that leverages a vulnerability in various versions of the .NET Framework.  

CVE-2017-8759 -- Microsoft .NET Framework versions allow an attacker to execute code remotely via a malicious document or application, aka ".NET Framework Remote Code Execution Vulnerability."

There are three pieces to this exploit -- the Word document, a text file which will get downloaded when the macros are enabled, and an .hta file with a payload.  With a patched machine and current antivirus, I attempted to get this working but I could never get proper execution for whatever reason.

Read more: Empire Macro Fun

In my last post, I wrote about creating a basic WordPress Plugin that executes a reverse shell.  Nothing was particularly impressive about the plugin or the method I used for executing the shell, but creating a plugin was new to me and I was working on something completely different when that idea just popped into my head.  After wrapping that up, another idea popped into my head -- what would it take to create a port scanner using PHP?  I did some hunting around and I found a few different ideas and then I started to cobble those ideas together.

I iterated through different versions until I came up with the following:

Read more: WordPress Plugin : PHP Port Scanner

My original intention was to provide an example of automating Local File Inclusion (LFI) which I'd done previously somewhere on this site using Python.  But the point of that post was LFI with Python, not to answer a question someone posed to me in a discussion.  Now that I think about it, I wonder if the problems I encountered with this exercise would have also been encountered with a Python script.  Hold that thought, I'll work that out in a moment.

Before I digress too much, this post is about automating LFI with Bash but then things got sideways and I thought I'd write about it.  

If there's one big takeaway from hacking, I'd say it's this -- what we do is not the intended method for interacting with the application (or interacting with whatever) and we should expect inconsistent results.  That was my mistake here.

Read more: LFI Reality