As I mentioned previously, I've been spending time on HackTheBox.  I've gone through about 12 machines in both the Active and Inactive areas.  A lot of what I'm finding so far is more along the lines of situations you wouldn't find in the real world.  That said, it's a great way to add technical chops and acquire more critical thinking skills.  Which is another way of saying I do a lot of head banging and Googling.  

The other day, I stumbled across Cronos, which is a retired box, and there are several reasons why I decided to write about it.  Rather than spoil it, I will mention those reasons when I get to them, but let me summarize by saying that it's a bit more real world than what you typically see.

Read more: HackTheBox Cronos Walkthrough

Lately, I've been playing around on HackTheBox to expand my game.  I find the platform to be challenging because the Capture the Flag style of hacking is another world to me.  I frequently see people writing "this is easy" when referring to a specific box or challenge, but I think it's only easy if you know how to do "something".  For example, I know next to nothing about steganography, and when I came across an image with a hidden message, I had no idea what tool to use for the problem.  But then you discover a tool like steghide and all of a sudden, it IS "easy" -- as they say.  Moving on...

I've been working my way through some of the easier boxes in both the Active and Retired sections, and my recent project is tenten, which is where I came across the WordPress Job-Manager vulnerability.  As I've said previously, I'm a Python n00b, but I learn from doing.  This seemed like a great opportunity because I needed to parse through a bunch of pages -- grabbing the title from each page.  Essentially, at this point in the process of working my way through this box, I'm trying to find my uploaded shell.

Read more: WordPress Job-Manager CVE-2015-6668

We deal with small to medium-sized businesses, which means we might not have a budget for a thousand-plus-dollar Active Directory auditing tool.  But maybe we only want a subset of what those tools do, and we can script that subset in PowerShell.  For example, assuming you have a lockout policy set up in Active Directory (you should!), the point is to stop someone from guessing passwords on your accounts.  Wouldn't you like to know if someone is attempting to guess passwords on your accounts?

This script can be added to the Task Scheduler, and I would set up its frequency based on your lockout duration.

A few things to note about this script --

Read more: PowerShell: Account Lockout Email Notification

As soon as I scanned this box, I knew my entry point.  What's the first rule of Fight Club?  You don't talk about Fight Club.  So I won't say where I got my first experience with a similar box but James and I are quite familiar with each other.  

In the description, it's mentioned that it was formerly on HackTheBox.  I've played on HackTheBox, pulled my hair out working on HTB boxes, and this seems like an easy box for HTB.  Or maybe it's hard and the entry was known to me.  I digress.

Read more: Vulnhub SolidState 1 Walkthrough

I started playing with the HackTheBox October machine, and during my enumeration process, I discovered something and ended up in a Python rabbit hole.  Before I continue, let me say that I'm jumping straight to a spoiler -- so if you're looking for some subtle hints on entry, I'm past that point with respect to the direction of this post.  Assuming you've ended up here for some other reason, I'm going straight to the ovrflw file, which is vulnerable to a buffer overflow.  If you execute the binary, you see the following:

root@c2:~/hackthebox/October# ./ovrflw
Syntax: ./ovrflw <input string>

If we input a few characters, we get no response.  We assume that we can exceed a certain number of characters to get it to crash.  With buffer overflows, we want to get the exact byte count of the crash so that we can insert our shell code just after that point.  There are any number of ways to get the byte count for this buffer overflow; we could do something like:

root@c2:~/hackthebox/October# ./ovrflw `python -c 'print "A"*112'`
Segmentation fault

Read more: HackTheBox October Ovrflw

The description:  "Raven 2 is an intermediate level boot2root VM. There are four flags to capture. After multiple breaches, Raven Security has taken extra steps to harden their web server to prevent hackers from getting in. Can you still breach Raven?"  

I wasn't hunting flags but I found three of the four -- maybe I found one more but I don't remember because I wasn't looking.  

This was a fun machine.  Admittedly, I got hung up on the initial shell for longer than I should have, but I knew it was my entry and I just had to get the syntax correct.  Before I get ahead of myself too much, we start off with our scan:

Read more: Vulnhub Raven 2 Walkthrough