“How I Hacked Your Small Business… and How You Could Have Stopped Me” is the title of a talk I gave earlier this year at BSides College Station – back before Corona Virus had us all on lockdown.  The point of the talk is to give a step-by-step walkthrough of how I’d build an anonymous attack platform and set about to take over the infrastructure of a small business.  It wasn’t a blueprint but it was near close because I wanted to show small business owners and small business defenders what it would look like.  In the middle of the talk, I flip the script and I proceed to go into the steps for stopping me.  While this post isn’t that talk, there are some overlaps.  In my day to day work, I see the same issues time and time again and there are some points in my Bsides talk that are worth repeating.


    There are a ton of privilege escalation scripts that perform a wide variety of tasks but the reason why this particular tool sticks out is that it doesn't run on the target machine.  The description for Windows Exploit Suggester states:  "This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins."

    Basically, we run systeminfo, save the contents into a file on our machine, and we run Windows Exploit Suggester against that file. 


    The description states:  "Like its name, this box contains some interesting things about CMS. It has been designed in way to enhance user's skills while playing with some preveleges. Its a quite forward box but stay aware of rabbit holes."

    I think the description pretty much nails it.  It's beginner to intermediate -- I think leaning definitely towards beginner but there are some rabbit holes that you might want to hammer on that could lead to some lost time.  I don't want to get too deep into it so let's kick it off with Nmap:


    PingCastle is an auditing tool and oddly, when you view their website, they don't have an actual description of the product.  The site jumps straight into the uses, features, and benefits. 

    In a nutshell, PingCastle quickly generates a comprehensive assessment of the overall posture of the domain.  For example, is SMBv1 enabled?  Can we attack the network with LLMNR poisoning because we're allowing Netbios over TCP?  But it goes beyond the low hanging fruit, it gets into the granular settings for AD accounts and it makes suggestions on how to better configure the domain. 


    The description states:  "THIS IS A MACHINE FOR COMPLETE BEGINNER , GET THE FLAG AND SHARE IN THE TELEGRAM GROUP (GROUP LINK WILL BE IN FLAG.TXT)"

    I would say that's a fair assessment but I could also see this causing some problems for beginners.  In general, I think it's always good to remember that "beginner" is based on a person's level of knowledge, tools, etc. 

    Assuming that a beginner is reading this post for some help, let me toss out a couple of tricks and also show how I spider out with my enumeration and then come back to what's important. 

    First, we kick off with Nmap:


    When I spoke at BSides earlier this year, I met a guy who works for a company that provides SOC as a service.  Our skills are not the same and if anything, he's on the receiving end of what I've create.  I had a question about some of the obfuscation techniques I use -- specifically, I wanted to know how someone would approach the obfuscated code.  He mentioned a tool -- CyberChef.  I'd never heard of it and looking back, I don't know how I haven't heard of it.  The description from their site states:  "CyberChef - The Cyber Swiss Army Knife".


    Page 3 of 59

    © 2020 sevenlayers.com