Disclosure date:  08/17/19

CVE-2019-15228

FuelCMS 1.4.4 and possibly before are affected by a Cross Site Scripting vulnerability in the Create Blocks section of the Admin console.  This could lead to cookie stealing and other malicious
actions.  This vulnerability can be exploited with an authenticated account but can also impact unauthenticated visitors.

Read more: FuelCMS 1.4.4 XSS

Not to be the guy who says this is easy because everyone is somewhere on the ladder but this one is a pretty big softball. 

The description states:  "This boot2root is a linux based virtual machine and has been tested using VMware workstation 14."  Works fine on VirtualBox which is what I used.

This is part of a new batch of servers that were dumped overnight and I had a few minutes to spare.

Kicking off with Nmap:

Read more: Vulnhub dpwwn: 1 Walkthrough

Disclosure date:  08/16/19

CVE-2019-15227

Flightpath 4.8.3 and possibly before are affected by numerous Cross Site Script vulnerabilities in the "Content", "Edit urgent message", and "Users" section of the Admin Console.  This could lead to cookie stealing and other malicious actions.  This vulnerability can be exploited with an authenticated account but can also impact unauthenticated visitors.

Read more: Flightpath 4.8.3 XSS

While perusing the Vulnub back catalog for boxes that I can suggest to a relatively new penetration tester, I came across the "hackfest" series which sounded familiar.  Searching this site, I realized I'd written up the Quaorar box.  This one, Sedna, is the next in the series which promises to be "medium" in difficulty while the Quaorar box is "very easy".  Quickly glancing at the previous write up and just finishing this one, I'd say they are both "easy" but that's just an opinion.  This one is definitely a good beginner box, in my opinion.

We kick off with Nmap:

Read more: Vulnhub hackfest2016: Sedna Walkthrough

The description states:  "Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers."

I wanted to like this and perhaps there's much to like but when I'm looking at these types of frameworks, I'm interested in how it can help me.  There's definitely a red team / blue team component to this and maybe that's where this excels but that's of little interest to me.  

This is the first time I've run a dot net application on Linux so that was kind of cool  And in general, it's a cool tool but I don't see how it will aid me.  

Read more: Covenant C2

In this domain, the password complexity rules are set to force a password change every 90 days.  When logging into the Domain Controller, I saw the notification and scheduled the password change with the client.  Upon changing the password, I was immediately locked out of the domain.  Needless to say, that was not how I envisioned the start of my day.  Fortunately, that is not the only privileged account.  Looking through my documentation for this client, the AD admin account should not be tied to ANY resources and yet it must be.  In order to determine the root cause, we look at the Event Viewer.  FYI, I'm fairly confident that Auditing must be enabled in Group Policy for these events to be recorded.  

Read more: Identify AD Lockout Source