We manage and monitor backups for our clients and as part of our process, we perform audits to ensure backups can be restored.  Going on a tangent for a moment, the purpose of a backup is not to capture the data, the purpose is to restore data when there's data loss.  You would be surprised when the backup software reports a successful run and yet you're unable, or you have difficulty, restoring that data.  Not to get into the weeds too far, point being, it's important to test the restore function to see if your expectations and reality align.  

Back on topic.  In the process of testing the restore capability, we occasionally come across files with "password" in the title or some other title that leads us to believe a document contains passwords.  In a few previous posts, I've discussed various methods for hunting for sensitive data and cracking of various file protections.  In this post, I'm putting a couple of those together.

Read more: Password Hunting

I worked with a guy who went onsite to install a router with information he was given from the local Internet Service Provider (ISP).  When he arrived onsite and he attempted to install the router, he was unable to connect to the Internet.  He and I went back and forth about the possible issues and after a few minutes, I asked him to text me the information he was given by the ISP.  When I looked at the message, it became immediately clear as to what was causing the problem. 

Not using the actual IP information, this will suffice:

IP Address:  255.255.255.0
Subnet:  192.168.168.10
Gateway:  192.168.168.1

You could look at this information and the problem might be completely obvious to you – or perhaps not.  The point being that to call this post a primer on pentesting would be to ignore the entire foundation where the majority of this work exists – the network. 

Read more: Pentesting 101: Nmap

Sometimes you're the windshield and sometimes your the bug.  This week, I'm feeling like the bug with respect to educational development.  I'm a little beat down from trying to understand an exploitation technique that I'm having a hard time grasping.  In need of a break, I went in search for something on the easier side to build my confidence.  Looking through some of the older machines on Vulnhub, I found Quaoar which claims to be easy.  I went beyond what was necessary to achieve victory but I think given its level of difficulty, I could take this further, explore it beyond root, and see what else I could uncover.

Kicking off with Nmap:

Read more: Vulnhub hackfest2016: Quaoar Walkthrough

In my last post, I wrote about creating a basic WordPress Plugin that executes a reverse shell.  Neither particularly impressive about the plugin or the method I used for executing the shell but creating a plugin was new to me and I was working on something completely different when that idea just popped into my head.  After wrapping that up, another idea popped into my head -- what would it take to create a port scanner using PHP?  I did some hunting around and I found a few different ideas and then I started to cobble those ideas together.  

I iterated through different versions until I came up with the following:

Read more: WordPress Plugin : PHP Port Scanner

The other day, I received an email from someone who asked me to write up a walk-through on SP: leopold which is part of a new series of boxes on Vulnhub.  Sometimes I really appreciate the Internet for what it truly is -- a remarkable instrument for communication.  It allows someone, from somewhere, to reach out and collaborate with another stranger with a common interest.  I was flattered actually and it made my day.

When I replied to my new found friend, I said that I would take a look at it over the weekend and I offered my quick thoughts.  I received a reply not long after with a bit more information which included a solid hint.  Prior to receiving that hint, I did what I normally do --

Read more: Vulnhub SP: leopold Walkthrough

I'm working on project which involves creating a WordPress plugin and it got me to thinking about how easy it would be to create a plugin that's sole purpose is a reverse shell.  To get a shell from a WordPress UI, I've used plugins that allow for inclusion of PHP and I've also edited embedded PHP such as the footer.php file.  But until now, I didn't occur to me to write a plugin to perform the task.  

I started tinkering around and I initially used Pentest Monkey's reverse shell and even though it tossed back a shell, it also killed the WordPress site.  I literally had to go into the /wp-content/plugins directory to manually remove the plugin before the site would function correctly again.  Not ideal for a number of reasons.

Read more: WordPress Plugin : Reverse Shell