LazySysAdmin: 1 – Vulnhub Writeup


Another fun looking boot2root vulnhub VM that came out in in last months large batch release!  This one is supposedly inspired by the author failing the first OSCP attempt (maybe it will offer clues so I won’t meet a similar fate later this month?).

Let’s start off with the usual scan to confirm the target’s IP assigned on the network. Continue reading “LazySysAdmin: 1 – Vulnhub Writeup”

RickdiculouslyEasy: 1 – Vulnhub Writeup


It’s been a while since I’ve done a full writeup so figured I was due for posting another one.  Mainly I’ve been working through as many HacktheBox Windows machines as possible in preparation for the OSCP exam (I think I’m finally getting somewhat decent at Windows priv-esc).

Vulnhub just posted a bunch of new VMs, though, and I couldn’t resist doing a Ricky & Morty themed challenge.  🙂  There will be a series of flags totaling 130 worth of points…so let’s see if we can get them all!

Ooooooh yeah! Cannnnnnn doooo!

Continue reading “RickdiculouslyEasy: 1 – Vulnhub Writeup”

OSCP Study Progress – October 2017

This is meant to be a personal log of study progress toward OSCP certification.

Lab Progress: 15 days of lab time goes by very quickly!  I have two days left and am feeling pretty good about the amount of practice I’ve got from the labs so far.  There was a fair amount of overlap between them and some of the Vulnhub VMs I’ve done, but as I said in some previous notes I was definitely lacking in experience in Windows machines as well as more “real world” hacking techniques.  Things like pivoting and using captured credentials to log in to other locations within the network aren’t things you’re exposed to in the VMs either.  I’d really like to hone my ability to gain persistence on machines and also get some more experience with Windows priv-esc.  More practice with buffer overflow attacks would definitely help too…

OSCP Study Progress – September 2017

This is meant to be a personal log of study progress toward OSCP certification.

Lab Progress: New machine again, this one has the following ports/services open:  21/FTP, 22/SSH, 80/HTTP, 110/POP3, 143/IMAP, 3306/MYSQL on FreeBSD.  Was able to get into the mysql admin page (a second URL-brute forced one, the first more predictable one didn’t work) with default creds.  Dumped passwords for several users and cracked their hashes, but stuck on where to use them.  Can’t use on mysql login, SSH, or FTP.  Will see if I can somehow exploit something within the logged in admin page.  Or try to explore more on where the login/pwds could be used.

Lab Progress: I was able to get shell on the previous machine.  It had a very specific “trick” to solve it which I won’t spoil here.  I am noticing going through the labs that my level of familiarity with windows machines is much less than I would like.  I think this is in large part due to the fact that machines on penteresterlab/vulnhub are almost exclusively linux-based.  I know vulnhub at least hosts tools that help create vulnerable Windows VMs, and there are more to be found…so I will definitely try and focus on remedying this during and after the lab period.

Lab Progress: Machine 2 – Win2000 server running many services: FTP, ESMTP, IIS, RPC, netbios, RPC, tightvnc.  Navigating to port 80 website I’m presented with a login prompt which is susceptible to SQL injection.  Login bypassed but successful auth just leads to “successful login” screen.  Will need to experiment more to try to use SQLi to acquire useful info.

FTP Service + TightVNC on list to research exploits for.

Lab Progress: Bad timing to get sick…took a rest day yesterday.  I tried a couple different webshells with the first box along with  using ports like 80, 443, etc. but it didn’t seem to make a difference.  Any changes within WordPress reverted after just a couple minutes, and any webshell session created would get booted off in about the same time frame so I had to be fast.  I prepared 3 separate priv-esc exploits and put them on an webserver hosted in Kali.  Had all my WGET paths ready, webshell code ready, etc.  Rushed through the webshell creation and first exploit as fast as I could and was able to root and get the flag from /root/!  This was a good learning experience for later as I should establish some good methods going forward for gaining permanence on a machine.

Continue reading “OSCP Study Progress – September 2017”

Kioptrix: Level 1.3 (#4) – Vulnhub Writeup


4th in the series now of Kioptrix (1 to go!).  I’ll be concluding the reading/video portion of OSCP studying soon and will be doing a lot of practice in the online labs so this may be my last vulnhub VM in a while.  These have been a great learning experience and I’m looking forward to doing the next one soon!

To get this started, we’ll do the usual nmap host discovery scan.

nmap -sP

Continue reading “Kioptrix: Level 1.3 (#4) – Vulnhub Writeup”