I've been asked to give a talk on basic OpSec and I started compiling a small list of the essentials.  Some of the items on my list have already been written and exist somewhere on this site while others are yet to be written.  One of the questions that came up during the request for the OpSec talk involved public WiFi, the dangers, and how to protect yourself.  

First, we have to understand how WiFi connections work at a basic level. The real danger comes from WiFi connections that are not secure, like those we find in an airport, a cafe, etc. When you turn on your device, the device will go through its list of saved connections and it will toss out a request. Starbucks, are you here? Oakland Airport, are you here?


Let's say we have a user authenticated into an application such as the LayerBB forum package pictured below. If the software is vulnerable to Cross Site Request Forgery (CSRF), we could trick the user into clicking a link that would perform some function in that application. For example -- if the authenticated user is an administrator to LayerBB, we could direct the user to our page which would create a new user within that application.

Prior to tricking our victim into clicking the link, we first need some information. If we create a user within LayerBB:


Here's the situation -- you're on a network and you find a Network Attached Storage device with a share protected using a weak password. You brute force the password and once you log in, you find a WindowsImageBackup directory which houses the data from a Windows Server Backup. When we view the contents, we're interested in the files with the VHD or VHDX extension. VHDX is essentially the same as VHD but the size limit on VHDX was increased to 2TB. That's neither here nor there, what we really want is inside the file.

We could copy the file over to our machine but depending on the location of the file with respect to your attacking system, that could be a problem. What we really want to do is to mount that file in its current location and access what's inside.

My Kali box is already set up so in this example, I'm using Ubuntu 18 but the steps are the same regardless of whether it's Kali or not.


I'm sure I've gone over various forms of Cross Site Scripting (XSS) in previous posts but sometimes I gloss over XSS because it's a vulnerability I discover along the way to a root. But make no mistake, while XSS could seem benign, it is not. The Browser Exploitation Framework (BeEF), while partially functional at this point, is still plenty dangerous and proof of that. For this post though, I won't use BeEF because I've already done so in another post around here somewhere. Today I will take a more manual approach -- exploiting an XSS vulnerability in LayerBB version 1.1.2.

With a regular user account, we log in to the forum:


I needed a quick and simple distraction for something more complicated that I've been working on. A Google search for "Vulnhub Easy" turned up Simple, which according to the description "focuses on the basics of web based hacking". This was exactly what I had in mind and it probably took longer to write up than it did to root. I did find something interesting about the entry point which I learned after I rooted the box but I will get to that at the end of this post.

First we kick off with an Nmap scan:


I can't remember when I first heard about this new Sandbox feature but when I did, I got excited. There are a number of times when we all get a suspicious attachment and we're not quite sure if we want to open it or delete it. If we all had a safe place to take a look, we would. On the surface, the Sandbox feature sounded like that's what we would be getting with the 1903 update.

I'll be honest, after seeing it, it should be called the "litter box" feature and you can use your imagination for my reasoning.

1903 was released and I wasn't really paying attention because my computer updates frequently, reboots frequently, and I just assumed it was already present. It wasn't but if you need to download it manually, here's the link:


© 2020 sevenlayers.com