I think I've mentioned that I dislike the puzzle style boxes.  Seems like the last couple of Vulnhub downloads required me to solve problems that had little to do with real world scenarios.  I hate to quit midstream but my personal goal is to hone my craft, learn new techniques, and improve my documentation skills.  Hunting for the hidden page, behind the hidden page, behind the hidden page, using a wordlist I scraped from some video game fan page is not exactly what I had in mind. #truestory

Searching through Vulnhub, I spotted the SP series and I remember it being fresh, challenging, and at least semi real world.  Jerome's description:  "Jerome has created some awesome recipes. Can you find them?"

I'm glad I found my way back to this series because while Jerome was never hard, it was challenging and it kept me on my toes.  

Read more: Vulnhub SP: jerome (v1.0.1)

After playing with Ted, I was excited to move to the next box from the same author.  DomDom is described as:  "How well do you understand PHP programs? How familiar are you with Linux misconfigurations? This image will cover advanced Web attacks, out of the box thinking and the latest security vulnerabilities."

Let me start off by saying that I think Ted was harder but it's really a matter of what you know versus what you don't know. This seemed pretty straightforward and it didn't take long to get on the box.  From there, root was quick.  I only went one route for root this time because it's Saturday morning and I have things to do. ;)  Given the nature of Ted, I think there's a more clever way to root but I take these boxes to be more about the entry than the privilege escalation.  Perhaps I'll take a second glance later.  I also thought about scripting up a portion of the process in Python.  For now....

Read more: Vulnhub DomDom: 1 Walkthrough

This is one of those things that is pretty benign but just makes people crazy.  In the Burp Suite history, we repeatedly see entries for http://detectportal.firefox.com and the frequency is ridiculous.  I have this disabled in my c2 image but I hopped on a client's Kali install and there it was... tormenting me:

Read more: Burp Suite: detectportal.firefox.com
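As an added example (not code from the original post or the linked article): the Firefox preferences that stop those probes, written into a profile's user.js by a small POSIX shell function. The three preference names are real Firefox settings; the profile directory path is an assumption supplied by the caller, and the function is idempotent so it can be re-run on a profile that was already patched.

```sh
#!/bin/sh
# Added example, not from the original post. Silence Firefox's captive-portal and
# connectivity probes so the Burp proxy history is not flooded with requests to
# detectportal.firefox.com. The caller passes the Firefox profile directory
# (assumed; e.g. ~/.mozilla/firefox/<id>.default). Firefox reads user.js on
# startup and copies its user_pref() lines into prefs.js, so a restart is needed.

# Append a user_pref line to user.js unless a line for that pref already exists.
append_pref() {
    userjs="$1"
    pref_name="$2"
    pref_line="$3"
    grep -q "$pref_name" "$userjs" 2>/dev/null || printf '%s\n' "$pref_line" >> "$userjs"
}

disable_captive_portal() {
    profile_dir="$1"
    [ -d "$profile_dir" ] || { echo "no such profile dir: $profile_dir" >&2; return 1; }
    userjs="$profile_dir/user.js"

    # Captive-portal detection (the canonical.html probe)
    append_pref "$userjs" 'network.captive-portal-service.enabled' \
        'user_pref("network.captive-portal-service.enabled", false);'
    # Newer connectivity checker, which also targets detectportal.firefox.com
    append_pref "$userjs" 'network.connectivity-service.enabled' \
        'user_pref("network.connectivity-service.enabled", false);'
    # Clear the probe URL as well so nothing is left pointing at the host
    append_pref "$userjs" 'captivedetect.canonicalURL' \
        'user_pref("captivedetect.canonicalURL", "");'
    return 0
}

# Usage: disable_captive_portal ~/.mozilla/firefox/xxxxxxxx.default
```

On a shared client box, the same three preferences can be set by hand in about:config; the script is just the repeatable form for a prepared image. Keep Burp's own scope filter as a second line of defence, since other telemetry hosts will still show up in history.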

This is definitely not a beginner style box.  The description for Ted states:  "How well do you understand PHP programs? How familiar are you with Linux misconfigurations? This image will cover advanced Web attacks, out of the box thinking and the latest security vulnerabilities."  

The biggest barrier for Ted is the entry.  Once you get on the box, standard enumeration will lead you to root in any number of ways.  There are no less than three kernel exploits and a misconfigured something.  It's Friday night, I've got nothing better to do than hack, and once I got on the box, I just kept popping it until I got bored.  That said, I did NOT get bored with the entry.  This box is hard, this box is fun, and this box is worth doing even if you're following this walkthrough because there are lessons to be learned.

Read more: Vulnhub Ted: 1 Walkthrough

I think this is from the same author that has produced a couple (?) of the advanced web application machines.  The description for this box states:  "The library is a sophisticated web application which has a few advanced vulnerabilities. You will have to think out of the box to be able to compromise this machine successfully. If you can't, you can just enjoy countries' history ;)"

This one was tough.  The injection is tedious and tricky but if you take your generic queries into SQL and you look at the responses, it will become obvious as to what will and will not work.  I'm trying not to spoil too much and perhaps that hint is enough by itself.

Read more: Vulnhub The Library: 1 Walkthrough

I recently performed a pentest for a client who wanted a sanity check on their environment because there have been numerous new devices installed and those installations were done in haste.  While I do have prior knowledge of this network, I treated it like a black box test.  Initially, I thought I would drop into the network through a VPN and then attack from there but as luck would have it, I gained entry through a vulnerable device which made this all the more fun.

When I began scanning the network, I uncovered numerous devices that could have potentially been used to drive further into the network, but I put those aside when I fired up Responder.  In the past, Responder would poison a request and we'd get a hash for cracking, but with a modern domain controller, odds are pretty good that password complexity rules will thwart your hash cracking attempts.  That said, we won't need to crack hashes when we can relay them.

Read more: Domain Takeover with Responder, RunFinger, and MultiRelay