Funny story -- I have a number of virtual machines set up for various types of exploitation, such as the machine I used below for this RID Hijacking post.  When I'm done with the exploitation, I revert them back to their previous state to keep things clean and in order to have a fresh slate for my next "project".

After finishing up this post, I reverted the machine to a point further back than I thought and I was unable to log in to the machine with the known password.  Thinking quickly, I was confident the box was vulnerable to MS17-010, but I was incorrect.  :\

This particular machine is hosted on a XenServer hypervisor, which allows you to detach the disk and reattach it elsewhere -- which is what I did.  Upon accessing the drive from another virtual machine, I replaced the utilman.exe executable with a Meterpreter executable.  I then reattached it to the original host.  If you're not familiar with this hack:  

Read more: RID Hijacking and Detection
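If you want to check a host for the accessibility-binary swap described above, the script below is an added example (not from the original post): it verifies the Authenticode status and signer of utilman.exe and its siblings under System32. A binary replaced on disk with a Meterpreter payload will show up as NotSigned or with a non-Microsoft signer. The list of binaries and the "signer must mention Microsoft" rule are my assumptions; one caveat is that on Windows 7 many system files are catalog-signed and Get-AuthenticodeSignature reports them as NotSigned, so there you should compare the SHA256 column against a known-good copy of the file instead.

```powershell
# Added example: check the Windows accessibility binaries (utilman.exe among them)
# for the on-disk replacement trick. Assumption: a legitimate copy is Microsoft-signed.
$system32 = Join-Path $env:SystemRoot 'System32'
$targets  = 'utilman.exe','sethc.exe','osk.exe','narrator.exe',
            'magnify.exe','displayswitch.exe','atbroker.exe'

$results = foreach ($name in $targets) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) { continue }

    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $hash   = (Get-FileHash -Path $path -Algorithm SHA256).Hash

    # A swapped binary is typically unsigned, or signed by someone other than Microsoft.
    # On Windows 7, catalog-signed files also show NotSigned: use the hash there.
    $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')

    [pscustomobject]@{
        File       = $name
        Status     = $sig.Status
        Signer     = $signer
        SHA256     = $hash
        Suspicious = $suspicious
    }
}

$results | Format-Table -AutoSize

# Optional, needs an elevated prompt: let Windows Resource Protection verify System32 itself.
# sfc /verifyonly
```

Run it from an elevated prompt on the host you suspect; anything flagged Suspicious is worth pulling the file for a closer look, and a revert to a known-good snapshot is the clean fix.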

I stumbled upon a vulnerable version of Oop CMS Blog which according to Exploit-DB is vulnerable to SQL Injection.  In order to better understand what I was dealing with, I downloaded the software and I installed it on the same operating system as the target server.  Looking at the comments on Exploit-DB, the injection points seemed relatively easy and I thought this was going to be a quick kill.  Due to a variety of different circumstances, I could never get from point A to point B in a single shot.  In the end, I wound up combining a few different pieces in order to get that initial shell.

From a web browser, we take a look at the site:

Read more: Combining Crumbs

SP: eric is one of the newer releases from Vulnhub, and when I first started enumerating it, I spotted the .git directory.  Right off the bat, I figured that wasn't there by accident and I started Googling to find more information.  After a minute or so, I discovered a post titled "Don't publicly expose .git or how we downloaded your website's sourcecode", which led me to a collection of tools that facilitate pulling data from sites where .git is exposed.

While I was working through this box, I was reminded of a Defcon talk, "Hacking Git", which I believe is along the same lines.  A quick search found some tools related to that talk, but I wasn't as successful at extracting data as I was with the tools above, so as far as I can tell, this is the quickest path to get where you need.

Anyway, I kick off with an Nmap scan:

Read more: Vulnhub SP: eric Walkthrough

I'm working on another box but I can't root it.  The initial foothold is very unique and even though I was tempted to write up just that part, I really want to do a full write-up, so I'm holding off.  After banging my head for far too long and spending more time than I allot for these diversions, I decided to step back from it for a day or two.  In my "cooling off" period, I fired up another newly released box from Vulnhub titled "RootThis".  

Before I get started with the walk-through, let me point to a post I'd recently written:  Drupal to Reverse Shell

The timing of these articles couldn't be better.  Spending the time working with Drupal and then coming across this box made my life so much easier.

Let's not get too far ahead --

Read more: Vulnhub RootThis: 1

I was tasked with searching for data within Word and Excel files, similar to something I'd written a while back but an expansion of that original request.  Instead of searching for a specific term within the filename, we are now searching inside the files for a specific phrase.  When I was finished, I had gained some additional knowledge -- some good and some not so good.  I started out with a myopic mindset but realized the gravity of the situation once I moved from my test environment to the live system.

That's not to say that it doesn't work, so let's walk through the test situation and then I can elaborate on the issues.

We start off with our test folder, which contains a dozen or so Excel files.  Within a couple of those Excel files, I've inserted a username and password.  In one of the folders, I've created a subfolder to ensure the -Recurse function was working.  

Read more: PowerShell Password Hunter
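As an added example of the kind of search the excerpt above describes (this is my own script, not the one from the original post), the function below walks a folder recursively and looks for a phrase inside Open XML Office files. Those .docx/.xlsx/.pptx files are zip archives, so the text can be read straight out of the XML entries (word/document.xml, xl/sharedStrings.xml, and so on) without automating Word or Excel, which needs Office installed and is much slower against a live file share. The folder path, the phrase and the entry list are assumptions for illustration; legacy binary .doc/.xls files and password-protected documents are not covered and are reported as skipped.

```powershell
# Added example: search inside Open XML Office files, recursively, for a phrase.
# Not the original post's script; paths and phrase below are assumptions.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-PhraseInOfficeFiles {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string]   $Phrase,
        [string[]] $Extensions = @('.docx','.xlsx','.pptx','.docm','.xlsm')
    )

    # Escape the phrase so punctuation in it is matched literally.
    $pattern = [regex]::Escape($Phrase)

    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file = $_
            try {
                $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
                try {
                    # Only the entries that carry document text, not styles, relationships or media.
                    $entries = $zip.Entries | Where-Object {
                        $_.FullName -match '^(word/document\.xml|xl/sharedStrings\.xml|xl/worksheets/sheet\d+\.xml|ppt/slides/slide\d+\.xml)$'
                    }
                    foreach ($entry in $entries) {
                        $reader = New-Object System.IO.StreamReader($entry.Open())
                        try { $xml = $reader.ReadToEnd() } finally { $reader.Dispose() }

                        # Strip the XML tags so a phrase split across runs (<w:t> elements) still matches.
                        $text = $xml -replace '<[^>]+>', ''
                        if ($text -match $pattern) {        # -match is case-insensitive by default
                            $snippet = [regex]::Match($text, ".{0,40}$($pattern).{0,40}", 'IgnoreCase').Value
                            [pscustomobject]@{
                                File    = $file.FullName
                                Entry   = $entry.FullName
                                Context = $snippet
                            }
                        }
                    }
                } finally { $zip.Dispose() }
            } catch {
                # Encrypted, corrupt or locked files land here; report and keep going.
                Write-Warning "Skipping $($file.FullName): $($_.Exception.Message)"
            }
        }
}

# Example usage (folder and phrase are assumptions):
Find-PhraseInOfficeFiles -Path 'C:\Test\Docs' -Phrase 'password' | Format-Table -AutoSize
```

Because this reads every candidate file in full, running it against a large share means pulling all of those files across the network; scoping -Path and -Extensions tightly, or running it locally on the file server, makes a big difference on a live system.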

There are a variety of methods for generating payloads and, depending on the avenue of attack, one method might prove to be a better route than another.  For example, in my opinion, any sort of .bat file email attachment or web download comes off as a bit more suspicious than, say, an emailed Excel or Word document.  That's not to say that you couldn't get someone to launch a .bat file, but it's a lot more likely that someone would open a Word or Excel document from a trusted friend or colleague -- if you were able to spoof email from that trusted friend or colleague.  

It's also been my experience that the protection mechanisms on modern operating systems are getting better.  That is to say, Windows 8 & 10 are better than, say, Windows 7, and some antivirus products are proving to be a bit more challenging to get around than in years past.  Again, I'm leaning more toward the Office document rather than something that comes off as suspicious to these protections.

Read more: Payloads and Antivirus