This is not a comprehensive guide on installing Tinyproxy.  This is just a quick write-up on something I found that is very easy to setup for proxying.

I had a need for a small, simple, proxy, and when I went hunting around, I found Tinyproxy.  This could be installed on a Raspberry Pi, and I may end up doing exactly that at some point but for now, I installed it on the Debian "Small CDs or USB sticks" installation which took less than 10 minutes to install.  I probably spent another two minutes looking at the configuration file.  After that, I was in business -- proxying traffic.

Read more: Tinyproxy

SP: eric is one of the newer releases from Vulnhub and when I first started enumerating it, I spotted the .git directory.  Right off the bat, I figured that wasn't there by accident and I started Googling to find more information.  After a minute or so, I discovered a post titled:  "Don't publicly expose .git or how we downloaded your website's sourcecode" which lead me to a collection of tools written that facilitate data from sites where .git is exposed.

While I was working through this box, I was reminded of a Defcon talk, "Hacking Git", which I believe is along the same lines.  A quick search found some tools related from that talk but I wasn't as successful at extracting data as I was with the tools above so as far as I can tell, this is the quickest path to get where you need.

Anyway, I kick off with an Nmap scan:

Read more: Vulnhub SP: eric Walkthrough

The description for this box states:  "HackinOS is a beginner level CTF style vulnerable machine."  If this is "beginner", I'd hate to see intermediate.  That being said, this was a fun box because it was much more complex when compared to other boxes you'll find on Vulnhub.  There's also a little bit of everything with the different avenues of exploration and exploitation.  It's sprinkled with a few rabbit holes as well and I'll admit, I followed a couple.  To top it off, this box also gives us the opportunity to write a little bit of code which I initially tried to do in Bash (I ended up using PHP) but I couldn't get it to work for whatever reason.  I don't want to dig too much into that now but I'll go over it later when we arrive at that point in the enumeration process.

Kicking off with an Nmap scan:

Read more: Vulnhub HackInOS: 1 Walkthrough

I was tasked with searching for data within Word and Excel files similar to something I'd written a while back but an expansion of that original request.  Instead of searching for a specific term within the filename, we are now searching inside of the files looking for a specific phrase.  When I was finished, I gained some additional knowledge -- some good and some not so good.  I started out with a myopic mindset but realized the gravity of the situation once I moved from my test environment to the live system.

That's not to say that it doesn't work so let's walk through the test situation and then I can elaborate on the issues.

We start off with our test folder which contains a dozen or so Excel files.  Within a couple of those Excel files, I've inserted a username and password.  In one of the folders, I've created a subfolder to ensure the -Recurse function was working.  

Read more: PowerShell Password Hunter

Funny story -- I have a number of virtual machines setup for various types of exploitation such as the machine I used below for this RID Hijacking post.  When I'm done with the exploitation, I will revert them back to their previous state to keep things clean and in order to have a fresh slate for my next "project".

After finishing up this post, I reverted the machine to a point further back than I thought and I was unable to login to the machine with the known password.  Quickly thinking, i was confident the box was vulnerable to MS17-010 but I was incorrect.  :\

This particular machine is hosted on a Xenserver hypervisor which allows you to detach the disk and reattach it elsewhere -- which is what I did.  Upon accessing the drive from another virtual machine, I changed the utilman.exe executable with a meterpreter executable.  I then reattached it to the original host.  If you're not familiar with this hack:  

Read more: RID Hijacking and Detection

I stumbled upon a vulnerable version of Oop CMS Blog which according to Exploit-DB is vulnerable to SQL Injection.  In order to better understand what I was dealing with, I downloaded the software and I installed it on the same operating system as the target server.  Looking at the comments on Exploit-DB, the injection points seemed relatively easy and I thought this was going to be a quick kill.  Due to a variety of different circumstances, I could never get from point A to point B in a single shot.  In the end, I wound up combining a few different pieces in order to get that initial shell.

From a web browser, we take a look at the site:

Read more: Combining Crumbs