According to the Interwebs, fuzzing involves sending random data to software until something happens or something reveals itself.  Fuzzing a web server is not much different really other than I wouldn't call it random data.  We're essentially taking lists of words, throwing them at the web server in different ways, and we're looking at the response.

    In my opinion, fuzzing is an art form because it's a matter of using the right tool, with the right list, in the right way, to get the right response.

    The other day, I received an email from someone who asked me to write up a walk-through on SP: leopold which is part of a new series of boxes on Vulnhub.  Sometimes I really appreciate the Internet for what it truly is -- a remarkable instrument for communication.  It allows someone, from somewhere, to reach out and collaborate with another stranger with a common interest.  I was flattered actually and it made my day.

    When I replied to my new found friend, I said that I would take a look at it over the weekend and I offered my quick thoughts.  I received a reply not long after with a bit more information which included a solid hint.  Prior to receiving that hint, I did what I normally do --

    We manage and monitor backups for our clients and as part of our process, we perform audits to ensure backups can be restored.  Going on a tangent for a moment, the purpose of a backup is not to capture the data, the purpose is to restore data when there's data loss.  You would be surprised when the backup software reports a successful run and yet you're unable, or you have difficulty, restoring that data.  Not to get into the weeds too far, point being, it's important to test the restore function to see if your expectations and reality align.  

    Back on topic.  In the process of testing the restore capability, we occasionally come across files with "password" in the title or some other title that leads us to believe a document contains passwords.  In a few previous posts, I've discussed various methods for hunting for sensitive data and cracking of various file protections.  In this post, I'm putting a couple of those together.

    I worked with a guy who went onsite to install a router with information he was given from the local Internet Service Provider (ISP).  When he arrived onsite and he attempted to install the router, he was unable to connect to the Internet.  He and I went back and forth about the possible issues and after a few minutes, I asked him to text me the information he was given by the ISP.  When I looked at the message, it became immediately clear as to what was causing the problem. 

    Not using the actual IP information, this will suffice:

    IP Address:

    You could look at this information and the problem might be completely obvious to you – or perhaps not.  The point being that to call this post a primer on pentesting would be to ignore the entire foundation where the majority of this work exists – the network. 

    Sometimes you're the windshield and sometimes your the bug.  This week, I'm feeling like the bug with respect to educational development.  I'm a little beat down from trying to understand an exploitation technique that I'm having a hard time grasping.  In need of a break, I went in search for something on the easier side to build my confidence.  Looking through some of the older machines on Vulnhub, I found Quaoar which claims to be easy.  I went beyond what was necessary to achieve victory but I think given its level of difficulty, I could take this further, explore it beyond root, and see what else I could uncover.

    Kicking off with Nmap:

    In my last post, I wrote about creating a basic WordPress Plugin that executes a reverse shell.  Neither particularly impressive about the plugin or the method I used for executing the shell but creating a plugin was new to me and I was working on something completely different when that idea just popped into my head.  After wrapping that up, another idea popped into my head -- what would it take to create a port scanner using PHP?  I did some hunting around and I found a few different ideas and then I started to cobble those ideas together.  

    I iterated through different versions until I came up with the following:

    © 2020