I'm playing around the other day and I find what looks to be a server which is vulnerable to Local File Inclusion (LFI).  I used to work for a company a long time ago and when something would break, I would declare:  "Bad code".  LFI is bad coding or perhaps I should say that it's a short sighted developer who doesn't anticipate the harm that can be caused by calling a file directly with something like:  http://example.com/index.php?file=SOMEFILENAME

Seems harmless enough until someone comes along and decides to change the url to:  http://example.com/index.php?file=/etc/passwd 

Now all of the sudden -- it doesn't seem all that harmless.  So that pretty much gets you up to speed and I assume that if you were searching for WAF Bypass, you already know this and probably more.  So as I said, I'm playing around and I discover:

Read more: WAF Bypass

I've been doing this job for far too long and something like a power outage creates a certain level of panic at first discovery.  While we take numerous steps to protect from disasters the one true test is pulling the plug to see what happens.  That is essentially what a power outage does -- it brings a certain sense of randomness with it. 

When disaster strikes, we reach for the documentation which includes pictures of the entire server to guide those on site through the rack.  "Two down from the Cisco switch, that's the firewall.  Check to see if it's on."  Etc.

Once we were able to see the network, back to the documentation to retrieve the IP addresses for the hypervisors. 

Read more: Bad request timestamp () [40105]

You’ve run your Nmap scan and you found the open web port. From the open web port, you’ve worked your way into the system and you have a low privilege shell. Now what?

The enumeration process starts all over again.

There are more than a few privilege escalation scripts as well as written documents that will aid in this process but only if you’re familiar with the operating system. If you’re hunting for that needle in the haystack but you don’t know what a needle looks like, how will you find it?  Recognizing that needle will come with time and I’m not trying to say you shouldn’t use those scripts.  Do use them but realize it could be overwhelming until you’re a bit more seasoned.

Read more: Pentesting 101: The Weakest Link

The first time I popped MS08-067 with Metasploit, I thought that was hacking.  And then I modified some exploit code I found on Exploit-db, popped a box, and I thought that was hacking.  In my current frame of reference, when I perform a buffer overflow, I get that feeling like I'm really hacking.  

So what is a buffer overflow?  Imagine you have a machine that dispenses soda into a can.  The can moves under the nozzle, the machine dispenses the right amount of soda to fit into the can, and the next can moves underneath the nozzle.  Now imagine that someone comes along with a hose and fills the can prior to it arriving underneath the nozzle.  When the machine dispenses the soda, the can overflows.  We have a design flaw.  The maker of the machine didn't anticipate that someone would come along and add liquid to the can prior to it arriving underneath the nozzle. 

Read more: Windows x86 Buffer Overflow

The stock Kali Linux distribution contains a number of password and word lists.  The most notable password list, RockYou, is from a breach that occurred in 2009.  The biggest revelation to come from this breach was the frequency of the most basic passwords.  The top five most used passwords in RockYou are:


In total, there were 32 million passwords in the RockYou breach but in the Kali version of this list, there are only 14 million passwords.

Read more: Pentesting 101: Passwords and Wordlists

I'm not critiquing the author because they are awesome!  However, I would say that dc-3 seems easier than dc-2 and if someone were to do these in order, this one would be later, not sooner.  That being said, I believe dc-6 was also easier and dc-5 is on my weekend list because it is different than the others.  Or perhaps at first glance, I missed something obvious with dc-5.  Time will tell.  

This machine was cool and it would definitely make a beginner think outside of the box.  It incorporates tools and technologies that you might not see every day.  I'm obviously trying not to spoil -- if someone is here just looking for a hint.  

Read more: Vulnhub DC: 2 Walkthrough