I go back and forth between working on various problems and when a hard problem wears me down, I work on something easier.  That's where Blocky comes into play. 

    It seems they move boxes in and out of the Retired section of HTB because I don't even recall its name.  I do know that I was working on another box, went through the weekend without touching it, and when I went back to it that following Monday, it was inactive.  

    Anyway, so Blocky went from Nmap scan to root in no time purely because of a solid guess.  I sometimes just poke at something for the sake of covering all of my bases but it doesn't normally bear fruit.  This time it did and I was completely taken aback.  More on that in a bit.

    First we kick off an Nmap scan:


    We deal with small to medium-sized businesses, which means we might not have a budget for a thousand-plus-dollar Active Directory auditing tool.  But maybe we only want a subset of what those tools do, and we can script some of that in PowerShell.  For example, assuming you have a lockout policy set up in Active Directory (you should!), the point of it is to stop someone from guessing passwords on your accounts.  Wouldn't you like to know if someone is attempting to guess passwords on your accounts?

    This script can be added to the Task Scheduler, and I would set up its frequency based on your lockout duration. 

    A few things to note about this script --


    I was working on a project and, while looking at the randint function, I suddenly thought about blackjack.  It makes sense -- you have a function, randint, that generates a random number.  So I open a terminal and, after a little side deviation, I'm generating a couple of cards.  I realize a few things I'm missing and I build it out a bit further.  Then even further, each time realizing that there's more to this little game project than I had anticipated.  I finally decide to stop at the version you see below.

    There are a couple of things to note here -- first, my dealer cheats.  That's intentional.  The second thing to note is that I didn't take into account that an Ace can be worth one or 11.  I could go back in and assign values to variables, but then this would grow further, and that wasn't really my point.  

    As always, my Python is pretty weak so don't critique me.  I don't use it for much other than single functions hence the very small hacky scripts you see here.  One day I'll build something... one day...


    Sort of an odd one; I'm not exactly sure why, though.  I wrote this up to exploit an LFI vulnerability in the Localize My Post plugin for WordPress.  You populate the path.txt file with your typical goodies:  /etc/passwd, /etc/hosts, etc.  Each on its own line, of course.  I also included /var/www/html/wp-config.php, but for some reason it wouldn't grab it.  I thought it was some sort of protection mechanism, but as I looked around, including in the Apache log file, it was getting 200 OK.  I move the file into /etc/ and it works, but in place or in /tmp, no luck.  Regardless, it still grabs l00t; just change the IP address.  You can just as easily use curl as well -- it's just a bit quicker if you're trying to grab multiple files at once.  


    As I mentioned previously, I've been spending time on HackTheBox.  I've gone through about 12 machines in both the Active and Inactive areas.  A lot of what I'm finding so far is more along the lines of situations you wouldn't find in the real world.  That said, it's a great way to add technical chops and acquire more critical thinking skills.  Which is another way of saying I do a lot of head banging and Googling.  

    The other day, I stumbled across Cronos, which is a retired box, and there are several reasons why I decided to write about it.  Rather than spoil it, I will mention those reasons when I get to them, but let me summarize by saying that it's a bit more real world than what you typically see.


    I started playing with the HackTheBox October machine and, during my enumeration process, I discovered something and ended up in a Python rabbit hole.  Before I continue, let me say that I'm jumping straight to a spoiler -- so if you're looking for some subtle hints on entry, I'm past that point with respect to the direction of this post.  Assuming you've ended up here for some other reason, I'm going straight to the ovrflw file, which is vulnerable to a buffer overflow.  If you execute the binary, we see the following:

    root@c2:~/hackthebox/October# ./ovrflw
    Syntax: ./ovrflw <input string>

    If we input a few characters, we get no response.  We assume that we can exceed a certain number of characters to get it to crash.  With buffer overflows, we want to get the exact byte count of the crash so that we can insert our shellcode just after that point.  There are any number of ways to get the byte count for this buffer overflow; we could do something like:

    root@c2:~/hackthebox/October# ./ovrflw `python -c 'print "A"*112'`
    Segmentation fault


    © 2020 sevenlayers.com