If you don't already use the web site "have i been pwned?", you should. It's a solid resource for checking your accounts for possible compromise.  Basically, you enter your email address, it will search through its database, and if your address shows up in its list, it will spit out the compromised sites and the details of the breach.  

    Another feature of the site is the ability to check a password against their list of compromised passwords.  There are about 580 million passwords in their database and while you think "l33thacker" is solid, their database says it's been found 55 times.

    In the realm of vulnerable boxes, I prefer the more realistic situations rather than the style that leans toward capture the flag.  I get it.  When a person creates a vulnerable machine, it takes time and creativity and for that, I tip my hat to you.  Thank you for creating boxes!  All of you!  This one, however, leans toward the CTF style -- fortunately, it's not difficult and I rooted it quickly.  It was clever, I got to play around with a new application, and when I'm done with this post, I'm going back for a manual exploit on the same vuln.  

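    import hashlib
    import requests

    # Python 2 script: check a password against the Pwned Passwords range API.
    password = raw_input("[*] Enter password to check: ")
    # Hash the password; the original never fed it into the SHA-1 object.
    sha_1 = hashlib.sha1()
    sha_1.update(password)
    hashed = sha_1.hexdigest()
    # Only the first five hex characters of the hash are sent to the API.
    first_five = hashed[:5]
    remaining = hashed[5:40]
    print "Checking against Pwned Passwords..."
    url = "https://api.pwnedpasswords.com/range/" + first_five
    headers = {'User-Agent': 'Mozilla/5.0'}
    html = requests.get(url, headers=headers).content
    # The response lists the hash suffixes that share this prefix, in upper case.
    if remaining.upper() in html:
        print "Bad Password!"
    else:
        print "Good Password!"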
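The range lookup used by the script above, as an added Python 3 example that is not the original post's code: instead of a substring test, it parses the `SUFFIX:COUNT` lines of the response and returns the breach count. The function names and the sample response body are constructed for illustration; the network call is passed in as `fetch_range` so the block runs offline.

```python
import hashlib

# Constructed sample of a range response for prefix 5BAA6 (counts are made up).
# Each line is "<35-char hash suffix>:<count>". A count of 0 is how the API
# marks padding entries when the request carries the Add-Padding header.
SAMPLE_RANGE_BODY = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0\r\n"
)


def split_hash(password):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix, range_body):
    """Return the count listed for this suffix, or 0 if it is not listed."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep:
            continue  # skip blank or malformed lines
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def check_password(password, fetch_range):
    """fetch_range(prefix) returns the response text for /range/<prefix>.

    Only the five-character prefix is handed to fetch_range; the password
    and the rest of its hash stay local.
    """
    prefix, suffix = split_hash(password)
    return breach_count(suffix, fetch_range(prefix))


if __name__ == "__main__":
    sent = []

    def offline_fetch(prefix):  # stands in for the HTTPS GET (assumption)
        sent.append(prefix)
        return SAMPLE_RANGE_BODY

    print(check_password("password", offline_fetch), sent)
```
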

    Now this is a box to test your ability to stay focused.  There are a few things going on that can distract you which could cause you to overlook the smaller, more important, details.  I can't say this with all of the boxes but I stayed on the right path from start to finish.  

    According to the notes, there are two ways to get a low privilege shell and three ways to root.  I found two ways to a low privilege shell and suspect there's actually a third.  I know of two ways to get root and I'll have to read a walkthrough to see the third avenue.  

    There's so much going on with this box for post exploitation and I want to play around a bit more but I have to move on.  

    If I were just starting out and I fumbled around on this box, I would go back to this box again in three to six months when I'd forgotten as much as I could and give it another go.  

    From time to time companies go through audits for various reasons.  In some cases, we’re the party performing the audit.  In other cases, a third party is performing the audit and we’re a participant from the technical team.  It’s a mixed bag because audits aren’t fun.  And no matter when you schedule them, it’s an inconvenience.  Rarely do I see both parties genuinely interested in the process or the outcome.  And let’s be honest, someone is questioning someone else’s ability to do their job.

    That said, having been on the frontline of a disaster recovery or two has taught me to take audits seriously.  Particularly when it comes to backups because a company can survive many obstacles but data loss typically isn’t one of them. 

    This has less to do with WordPress and more to do with a Python exploit which failed to work because of a self-signed SSL certificate.  To keep the solution simple, I decided to rewrite the existing WordPress script and test out the fix.  Essentially when a server is using a self-signed SSL certificate and you run the exploit, you're going to see the following error:

    urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)>

    If you look at the original version of this script, you'll notice I've added five lines which solve this issue:

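    import urllib2
    import os
    import ssl
    # Unless PYTHONHTTPSVERIFY is set, replace the default HTTPS context with an
    # unverified one. This turns off certificate checks for every HTTPS request
    # this process makes, so a self-signed certificate no longer raises URLError.
    if (not os.environ.get('PYTHONHTTPSVERIFY', '') and
        getattr(ssl, '_create_unverified_context', None)):
        ssl._create_default_https_context = ssl._create_unverified_context
    print "[*] Target URL format = http://www.mydomain.com"
    host = raw_input("[*] Enter target URL: ")
    path = '/wp-links-opml.php'
    combined = host + path
    url = urllib2.urlopen(combined)
    print "fetching... " + combined
    html = url.readlines()
    # The OPML output includes a generator comment naming the WordPress version.
    for line in html:
        if 'generator' in line:
            print line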

    © 2020 sevenlayers.com