I sort of stumbled across Heist because I accidentally landed on a Reddit page that mentioned it.  Prior to that, I'd not heard of this box.  Granted, there are a lot of HTB boxes and I don't live on the platform.  It's not that I couldn't, I could.  It's very gamified and I'm drawn to that sort of thing but I also see it as a great time suck.  That being said, this box was mentioned in the same context with a box that I had rooted and I was curious about the parallel.  Spoiler, there wasn't any.  I think it was just a non sequitur but here I am and I'm not disappointed I ended up here.

    We kick off with Nmap:


    "Gophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing."

    Depending on where you look, and what they are trying to sell you, the percentage of attacks from phishing range from 30% - 90%.  The Verizon Data Breach Investigations Report shows the percentage dropped in 2019 from 2018 by about 40%.  Regardless, phishing is still an easy and viable attack vector.  I can send phishing emails over and over again and the recipient only needs to make a mistake once.  It's simple and it's effective.

    For phishing awareness training, there are pay services, there are services that offer phishing as a secondary feature -- like Duo, and there are free products like GoPhish.  Not only can you use phishing awareness tools test phishing, you can also use them as a tripwire of sorts -- more on that at the end of this post. 


    It's been a while since I've played on Vulnhub and there are a ton of new machines.  In fact, I just saw a stat that showed this is the first year where there have been over 100 submissions.  I guess I've got a lot of catching up to do -- or not.  Anyway, it's the holiday weekend and I have some time to kill so I went to see what was new and hackNos is one of the first few.

    This box is fairly straightforward as long as you don't get bogged down on any particular avenue.  It's also possible to get the root flag without actually becoming root but I couldn't let that stand so I rooted it as well.  More on that in a moment. 

    First, we kick off with Nmap:


    I gave a talk at a local hacker meetup this past weekend.  My talk was a combination of LLMNR and NetBIOS Poisoning, Responder, and the Responder Monitor decoy in Mazerunner.  A lot of what is in the presentation is already posted here but I think it would be helpful to have an aggregate, in the form of a presentation, to put it all together.  The key points are:  What is Responder?  How the attack works.  Possible defensive measures.  Reality.  And finally, How Mazerunner can help identify the attacker.


    While performing a penetration test recently, I managed to pivot from a workstation to a VoIP server.  One of the main reasons this occurred is due to the fact that the network was not segmented.  So what is network segmentation?  It's breaking up the network into logical parts while isolating some devices from other devices.

    I think most WiFi networks these days have a "guest network" which is essentially the same concept.  We're isolating the guests from the rest of our network but we're still allowing them access to the Internet.  With our network, we're able to do this with several different technologies but it can be done for as little as $20-$30. 

    In the picture below, I've created a basic network:


    While performing registry queries for something not exactly related, I saw an application on my personal machine with an unquoted service path.  Since this is a commonly used application, I've contacted the developer and I've submitted the CVE to secure an ID -- that whole "responsible disclosure" thing.  Seriously though, this isn't an obscure application and I would go so far as to say it's heavily used.  The mitigation technique would be to quote the path but that's something the average user wouldn't be capable of doing.  So while we wait, I'll explain the problem in detail.


    Page 6 of 47

    © 2020 sevenlayers.com