Don't be confused, this is about MS17-010 and the error you'll sometimes see which states: "Unable to find accessible named pipe!"

Since I came across this while working, I thought I'd document the steps of how I got here and how I worked to move past it.

I'm on a network with a Windows 2008 Server and when I perform my port scan, I see:

Read more: Unable to find accessible named pipe!

CVE-2018-9206: Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0

Alternatively known as the "eight year zero day". Lots of vulnerabilities go unnoticed, although eight years seems like a bit much.

I found this vulnerable version, set it up on a server, and decided to play around with an automated version of:

<?php $cmd=$_GET['cmd']; system($cmd);?>

Exploit-DB has an exploit already, but you can use curl -F to upload a shell with the above syntax. You could push up a reverse shell as well, but I got to thinking, what if I did a little bit of automation:

Read more: Exploiting jQuery-File-Upload 9.22.0

"Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today's rich client and mobile applications." The download can be found here: https://github.com/rapid7/hackazon

Honestly, when I heard the name, I didn't clue in. When I saw the interface, I realized I missed the play on words.

I'd seen this application mentioned somewhere and I wanted to check it out. Let me start off by saying that if you're a beginner, this is a great application to mess with for any number of reasons. If you're a bit seasoned, this might not be worth the effort.

Read more: Hackazon

While talking with a client this morning, I started to get nerdy about passwords and password managers. A few things I emphasized were that passwords should be unique across all logins, password managers should be used by everyone, and saving passwords in Chrome (and other browsers) is a risky proposition.

I've actually wanted to write this up for a while now, but the conversation this morning motivated me to put pen to paper. So here we are...

The actual time it took to root the box was just a few minutes; the setup took longer. I wanted to have a Windows 10 Pro machine, fully patched, and running current antivirus.

As a side note, there's a misconception that antivirus will protect you. Antivirus is a must, but it's trivial to get around, as you'll see in a moment.

Read more: Stealing Chrome Passwords

I'm sitting on an airplane reading "How to Hack Like a LEGEND: A hacker's tale breaking into a secretive offshore company" and I'm taking notes. As I'm reading through the book, realizing there are more real-world tools I should be exploring versus playing on HackTheBox and Vulnhub, I write myself a note stating: "Less hack-y things, more real-world". That lasted a day, maybe two, and then I could feel the challenges calling me back. It's not that the CTF challenges don't hone your skills, it's that there are some recent tools that are worth exploring as well. Perhaps some are more useful for current work projects.

I'm starting to like the CTF challenges as I learn more of the esoteric techniques used for that particular style of box. So as I'm perusing Vulnhub, I come across Mercy: "MERCY is a machine dedicated to Offensive Security for the PWK course, and to a great friend of mine who was there to share my sufferance with me. :-)"

Mercy definitely has that PWK feel, except that I think the Offsec folks would have made the privilege escalation more challenging.

Read more: Vulnhub Mercy Walkthrough

This is something I should have done a long time ago. I'm frequently hopping on a server and creating a manual backup prior to doing [something]. It's not like this task is complicated, but as I was about to manually go through the steps this morning, I thought: let's finally automate this process.

There's actually a one-liner for mysqldump, but for some reason it didn't work, so I went a different route with the variables at the top, which makes it a little easier when recycling this script on another server.

Read more: Backup Wordpress HTML and MySQL