Continuing through the list of must do boot2root machines, I came upon Kevgir.  I love this box for so many reasons.  It's not particularly hard but it's easy to follow one of the many rabbit holes.  I followed exactly one rabbit hole but not for too long -- I started chasing Jenkins.  I just finished a recently published book and the author talked about Jenkins being a go to avenue.  I don't have a lot of experience with Jenkins but I took his word for it and I pushed on Jenkins for about 15 minutes, stepped back, and said -- let's stick with what we know.

Read more: Vulnhub Kevgir: 1 Walkthrough

I've been reading books on Red Teaming and one of the differences that stands out from Pentesting is the need to be stealthy.  Pentesting tools are very noisy and in a mature, or maybe even not so mature, environment, running stock Kali tools might set off an alert and trigger a ban of some sort.

So I was thinking -- if I wanted to get the WordPress version from a site in a stealthy manner, how would I go about doing that?  Let's paint that picture a bit more -- I'm on a network with my Kali laptop, I don't have access to the Internet, and I found a web server running WordPress.  I want to make as little noise as possible.  As it turns out, I know that I can get the WordPress version from wp-links-opml.php and I'll do it with Python because using a browser is lame.  :)

Read more: Simple Python Scripts: CMS Version Retrieval

I found a list of recommended Vulnhub servers that someone suggested for good practice.  When I started looking at the age of these boot2root boxes, I could already tell my first 'go to' exploit would be DirtyCow, at least for some of them. 

I saw a comment on this exploit somewhere and they talked about its instability.  It is very unstable unless you know how to stabilize it -- which is easy.  

When you first launch the exploit, it hangs while finishing.  If you do nothing and wait for it to finish, not long after it finishes, it's going to crash the server.  If you've read some of my other posts where I use this exploit, I have the fix lined up.  Here's what you need to do --

Read more: Vulnhub SickOs: 1.1 Walkthrough

I came across a web site running a current version of WordPress with the Simple Fields plugin installed.  Searching Exploit-DB, I found:

WordPress Plugin Simple Fields 0.2 - 0.3.5 - Local/Remote File Inclusion / Remote Code Execution

“ This can even lead to remote code execution, for example by injecting php code into the apache logs or if allow_url_include is turned on in php.ini. ”

Read more: The Reality of Log Contamination

As administrators, developers, and various other technology roles, we make mistakes and I wanted to find a server that I could use as an example of how mistakes are made in the real world. LazySysAdmin is just that box.

Don't get me wrong, I love the esoteric CTF type boxes with port knocking, hidden exif data messages, etc., but as far as I can tell, those don't exist in the real world. This box is real world -- where simple mistakes that someone can make in everyday administration can turn into full-on compromise.

Read more: Vulnhub LazySysAdmin: 1 Walkthrough

The first time you find a page with a Local File Inclusion (LFI) vulnerability, it's like magic.  You feed your string in the browser:

... it spits back the contents of /etc/passwd, you're excited, and you continue enumerating the system. 

Read more: Python: Automating Local File Inclusion (LFI)