I recently performed a pentest for a client who wanted a sanity check on their environment because numerous new devices had been installed and those installations were done in haste.  While I do have prior knowledge of this network, I treated it like a black box test.  Initially, I thought I would drop into the network through a VPN and then attack from there, but as luck would have it, I gained entry through a vulnerable device, which made this all the more fun.

    When I began scanning the network, I uncovered numerous devices that could potentially have been used to drive further into the network, but I put those aside when I fired up Responder.  In the past, Responder would poison a request and we'd get a hash for cracking, but with a modern domain controller, odds are pretty good that password complexity rules will thwart your hash cracking attempts.  That said, we don't need to crack hashes when we can relay them, provided the hosts we relay to don't require SMB signing.
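    The check a practitioner runs before relaying, as an added example that is not part of the original post or the author's tooling: NTLM relay only succeeds against services that do not enforce signing, so this script reads the normal output of Nmap's smb2-security-mode script and turns it into the target list for ntlmrelayx.  The Nmap output embedded below is constructed for the example and the 10.10.10.x addresses are made up.

```python
"""Pick NTLM relay targets from Nmap output (added example, not the author's code).

Relayed NTLM authentication is only accepted by SMB servers that do not require
message signing, so before running Responder + ntlmrelayx check which hosts will
take a relayed session.  This parses the normal (-oN) output of

    nmap -p445 --script smb2-security-mode <range>

and emits the hosts ntlmrelayx could relay to, one per line, as -tf expects.
"""
import re

# Constructed sample of Nmap normal output (addresses are made up).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.5
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Nmap scan report for 10.10.10.6
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Nmap scan report for 10.10.10.7
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   2.1: 
|_    Message signing disabled (dangerous, but default)

Nmap scan report for 10.10.10.8
Host is up (0.0015s latency).

PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SIGNING_RE = re.compile(r"Message signing (.+)$")


def parse_signing(nmap_text):
    """Return {host: status}, status being the text after 'Message signing'.

    Hosts with no smb2-security-mode result (port closed, script did not run)
    map to None so they are never mistaken for relayable targets.
    """
    results = {}
    current = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = None
            continue
        m = SIGNING_RE.search(line)
        if m and current is not None:
            results[current] = m.group(1).strip()
    return results


def relay_targets(nmap_text):
    """Hosts where signing is not enforced: a relayed NTLM session will be accepted."""
    targets = []
    for host, status in parse_signing(nmap_text).items():
        if status is None:
            continue
        if "not required" in status or status.startswith("disabled"):
            targets.append(host)
    return targets


def targets_file(nmap_text):
    """Contents of the file to hand to ntlmrelayx with -tf (one host per line)."""
    return "\n".join(relay_targets(nmap_text)) + "\n"


if __name__ == "__main__":
    print(targets_file(SAMPLE_NMAP_OUTPUT), end="")
```

    Write that output to a file and point ntlmrelayx at it (`ntlmrelayx.py -tf targets.txt -smb2support`).  Responder and the relay tool both want ports 445 and 80, so turn the SMB and HTTP servers off in Responder.conf before starting Responder, otherwise Responder answers the connection itself and nothing gets relayed.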

    There are a few new releases on Vulnhub and the one I'm writing about today claims there are 12 avenues for privilege escalation.  Honestly, I'm not interested in finding 12 different privilege escalations.  I have the patience and the time for one.  I figured with that many avenues, this would be over quickly.  I appreciate the effort but I'm one and done on this box.

    If you're on the hunt for all 12, I've got a few hints in the screenshots.  I would also look at cron because I seem to recall seeing something there as well when I was hunting around post root.  

    Anyway, kicking off with Nmap:

    A friend who already rooted this box recommended it to me and now I understand why.  It wasn't hard, but it makes you put pieces together and that makes it fun.  I'll bring this up in a minute when we get to a specific point, but somewhere in the middle, something kept breaking and I had to tear out the VM and import a new one.  I don't know if that was just me or if it happens to everyone, but it'll be obvious if it happens to you and I'll make sure to point it out.


    In a not so distant past, I was a highly competitive endurance sports athlete.  I'm still very involved in endurance sports but not at that level because eventually you have to grow up and go back to work.  But during that time, I was highly obsessed with every aspect of endurance sports.  That is my nature though.  I become passionate and I obsess to become the absolute best I can be.  

    I've been into technology since I was a kid and it is the single constant in my life.  Obsessions come and go but tech has always been there.  Maybe not to the level of that first contact -- it ebbs and flows.  When I discovered information security, that stoked the fire once more and my obsession rages on.  With the exception of endurance sports which play a large role in my life, the only free space in my life is consumed by infosec.  

    A quick primer prior to hitting the substance of this post. 

    With respect to the Internet, people like names and machines like numbers.  When we type www.google.com into a web browser, the Domain Name System (DNS) is what takes the name www.google.com and converts it to the IP address:

    DNS encompasses more than that, but the basic point is that this type of resolution happens in the background and it's all happening unencrypted: a classic DNS lookup goes out over UDP port 53 in the clear, so anyone on the path can read which names you look up (DNS over TLS or HTTPS exists, but it isn't what most networks use by default).  So why do we care?  We could talk about man-in-the-middle attacks, how this traffic can be intercepted and poisoned, and how you could be sent somewhere else.  But odds are pretty good that's not happening to you.  Let me paint a more realistic example that is happening to you.

    Don't hide passwords in Excel.  If you hide passwords in Excel, they can be found: a hidden column or sheet is just a flag in the workbook's XML, and sheet protection is another flag next to it.  If you password protect Excel documents, they can be cracked.  Now that I've given my public service announcement, if you have to hide passwords in Excel or you have data that you don't necessarily want visible at all times, I have a quick fix for you.   I was sort of hoping for something a little more elegant, but when I came across this solution, it solved my immediate problem and I'm not really all that interested in spending more time on a slightly better solution.

    Below, we have a typical Excel document with a column for the username and another column for the password:
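    Why the hidden column doesn't help, as an added example that is not the author's fix and not code from the original post: an .xlsx is a zip of XML parts, so a reader that walks the XML directly sees every cell whether or not Excel would display it.  The workbook below is constructed in memory with only the parts this reader needs (Excel itself would not open it), and the usernames and passwords in it are made up.

```python
"""Pull every cell out of an .xlsx, hidden or not (added example; not the author's fix).

"Hide" a column or a sheet and Excel writes hidden="1" or state="hidden" into
the XML; "protect" the sheet and it adds a <sheetProtection> element.  None of
that hides the cell values.  build_sample_xlsx constructs a minimal workbook
(made-up credentials, only the parts this reader needs) and dump_cells reads
it back ignoring every one of those flags.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
MAIN, REL = "{%s}" % NS_MAIN, "{%s}" % NS_REL


def build_sample_xlsx():
    """Constructed workbook: a visible sheet with a hidden, protected column, and a hidden sheet."""
    parts = {
        "xl/workbook.xml":
            '<workbook xmlns="%s" xmlns:r="%s"><sheets>'
            '<sheet name="Accounts" sheetId="1" r:id="rId1"/>'
            '<sheet name="Secrets" sheetId="2" state="hidden" r:id="rId2"/>'
            '</sheets></workbook>' % (NS_MAIN, NS_REL),
        "xl/_rels/workbook.xml.rels":
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%s/worksheet" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Type="%s/worksheet" Target="worksheets/sheet2.xml"/>'
            '</Relationships>' % (NS_PKG, NS_REL, NS_REL),
        "xl/sharedStrings.xml":
            '<sst xmlns="%s"><si><t>username</t></si><si><t>password</t></si>'
            '<si><t>svc_backup</t></si><si><t>Winter2020!</t></si></sst>' % NS_MAIN,
        "xl/worksheets/sheet1.xml":  # column B (the passwords) is hidden, sheet is protected
            '<worksheet xmlns="%s"><cols><col min="2" max="2" width="0" hidden="1"/></cols>'
            '<sheetData><row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c></row>'
            '<row r="2"><c r="A2" t="s"><v>2</v></c><c r="B2" t="s"><v>3</v></c></row></sheetData>'
            '<sheetProtection sheet="1" objects="1" scenarios="1"/></worksheet>' % NS_MAIN,
        "xl/worksheets/sheet2.xml":  # whole sheet hidden; inline string plus a number
            '<worksheet xmlns="%s"><sheetData><row r="1">'
            '<c r="A1" t="inlineStr"><is><t>root:Sup3rS3cret</t></is></c>'
            '<c r="B1"><v>22</v></c></row></sheetData></worksheet>' % NS_MAIN,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


def col_index(ref):
    """'B2' -> 2, 'AA10' -> 27 (1-based column number from a cell reference)."""
    n = 0
    for ch in ref:
        if not ch.isalpha():
            break
        n = n * 26 + (ord(ch.upper()) - 64)
    return n


def dump_cells(xlsx_bytes):
    """Every cell in every sheet, tagged with the flags Excel honours and this reader ignores."""
    z = zipfile.ZipFile(io.BytesIO(xlsx_bytes))
    rels = {r.get("Id"): r.get("Target")
            for r in ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))}
    shared = []
    if "xl/sharedStrings.xml" in z.namelist():
        for si in ET.fromstring(z.read("xl/sharedStrings.xml")):
            shared.append("".join(t.text or "" for t in si.iter(MAIN + "t")))  # handles rich text runs
    cells = []
    for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter(MAIN + "sheet"):
        sheet_hidden = sheet.get("state") in ("hidden", "veryHidden")
        ws = ET.fromstring(z.read("xl/" + rels[sheet.get(REL + "id")]))
        hidden_cols = set()
        for col in ws.iter(MAIN + "col"):
            if col.get("hidden") == "1":
                hidden_cols.update(range(int(col.get("min")), int(col.get("max")) + 1))
        protected = ws.find(MAIN + "sheetProtection") is not None
        for c in ws.iter(MAIN + "c"):
            t = c.get("t")
            if t == "s":  # index into the shared string table
                value = shared[int(c.findtext(MAIN + "v"))]
            elif t == "inlineStr":
                value = c.findtext(MAIN + "is/" + MAIN + "t", "")
            else:  # number, boolean, formula result
                value = c.findtext(MAIN + "v", "")
            cells.append({"sheet": sheet.get("name"), "ref": c.get("r"), "value": value,
                          "sheet_hidden": sheet_hidden,
                          "col_hidden": col_index(c.get("r")) in hidden_cols,
                          "protected": protected})
    return cells


def find_hidden_values(xlsx_bytes):
    """Only the values a user of the spreadsheet would not normally see."""
    return [c["value"] for c in dump_cells(xlsx_bytes) if c["sheet_hidden"] or c["col_hidden"]]


if __name__ == "__main__":
    for row in dump_cells(build_sample_xlsx()):
        print(row)
```

    A workbook encrypted with a file-open password is the other half of the warning: there the zip itself is encrypted and the password has to be guessed, which is only as hard as the password the user picked.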

    © 2020 sevenlayers.com