From time to time companies go through audits for various reasons.  In some cases, we’re the party performing the audit.  In other cases, a third party is performing the audit and we’re a participant from the technical team.  It’s a mixed bag because audits aren’t fun.  And no matter when you schedule them, it’s an inconvenience.  Rarely do I see both parties genuinely interested in the process or the outcome.  And let’s be honest, someone is questioning someone else’s ability to do their job.

That said, having been on the frontline of a disaster recovery or two has taught me to take audits seriously.  Particularly when it comes to backups because a company can survive many obstacles but data loss typically isn’t one of them. 

Read more: A Restore Solution

This has less to do with WordPress and more to do with a Python exploit which failed to work because of a self-signed SSL certificate.  To keep the solution simple, I decided to rewrite the existing WordPress script and test out the fix.  Essentially when a server is using a self-signed SSL certificate and you run the exploit, you're going to see the following error:

urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)>

If you look at the original version of this script, you'll notice I've added five lines which solves this issue:

#!/usr/bin/python
import urllib2
import os
import ssl
if (not os.environ.get('PYTHONHTTPSVERIFY', '') and
    getattr(ssl, '_create_unverified_context', None)):
    ssl._create_default_https_context = ssl._create_unverified_context
print "[*] Target URL format = http://www.mydomain.com"
host = raw_input("[*] Enter target URL: ")
path = '/wp-links-opml.php'
combined = host + path
url = urllib2.urlopen(combined)
print
print ("fetching... ") + combined
html = url.readlines()
for line in html:
    if 'generator' in line:
        print
        print line

In the realm of vulnerable boxes, I prefer the more realistic situations rather than the style that leans toward capture the flag.  I get it.  When a person creates a vulnerable machine, it takes time and creativity and for that, I tip my hat to you.  Thank you for creating boxes!  All of you!  This one, however, leans toward the CTF style -- fortunately, it's not difficult and I rooted it quickly.  It was clever, I got to play around with a new application, and when I'm done with this post, I'm going back for a manual exploit on the same vuln.  

Read more: Vulnhub Dina: 1.0.1 Walkthrough

The second of two, SickOs: 1.2 promises to be, and is, different than it's predecessor.  If anything, I learned that I'm becoming frustrated with my setup.  If you've noticed, a lot of the time, I'm pushing my shells across port 53.  That's partly by design and partly out of necessity.  First, if you think about it, port 53 is DNS and there should be a lot of DNS traffic floating around on your network.  While a reverse shell doesn't LOOK like a DNS query upon close inspection, perhaps it goes unnoticed among the noise.  Second, I like to use port 443 for basically the same reason, it gets lost in the noise.  But I had to enable SSL on my C2 server because there were exploits I needed to pass across HTTPS.  Enabling and disabling Apache was becoming annoying which is why I switched over to 53 and you'll see why that's a problem in a moment.

Read more: Vulnhub SickOs: 1.2 Walkthrough

Now this is a box to test your ability to stay focused.  There are a few things going on that can distract you which could cause you to overlook the smaller, more important, details.  I can't say this with all of the boxes but I stayed on the right path from start to finish.  

According to the notes, there are two ways to get a low privilege shell and three ways to root.  I found two ways to a low privilege shell and suspect there's actually a third.  I know of two ways to get root and I'll have to read a walkthrough to see the third avenue.  

There's so much going on with this box for post exploitation and I want to play around a bit more but I have to move on.  

If I were just starting out and I fumbled around on this box, I would go back to this box again in three to six months when I'd forgotten as much as I could and give it another go.  

Read more: Vulnhub Stapler: 1 Walkthrough

While I sort through some issues with my hypervisor and some older boxes which won't run on it, I'm working on the newer releases on vulnhub.  I spotted billu: box 2 and I think I recall doing the first box by this author sometime ago.  I don't remember the original nor do I have any notes so I can't give you any information as to whether it's similar, harder, or if there's any relationship at all.  

I spent some time trying to work out a manual way of getting my low priv shell but eventually went with Metasploit.  But I'm getting ahead of myself --

Read more: Vulnhub billu: b0x 2 Walkthrough