https://www.justintasset.com/red-team daily 0.75 2022-03-16 https://www.justintasset.com/red-team/oscp-journal-part-14-windows-privilege-escalation monthly 0.5 2022-02-27 https://www.justintasset.com/red-team/oscp-journal-part-13-htbsense monthly 0.5 2022-02-27 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626213979298-GE69YZZHMBT6SY0Q2O53/running+exploit.png CTF - Hack The Box: Sense - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626213886483-66731OVZZYW88TXG1T5S/netcat.png CTF - Hack The Box: Sense - Make it stand out Using the exploit and the credentials we found I opened a netcat listener to catch the reverse shell the exploit will send and just like that we are in. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626267232175-99RL3VILN1O1ISUK568Y/gobuster.png CTF - Hack The Box: Sense - Make it stand out The system-user.txt looks interesting. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626214075517-ZEAXP765MNCYFGP27HLV/creds.png CTF - Hack The Box: Sense - Make it stand out Looks like we have a user! https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626218639228-RUCPEC4KC0SU8K29KAIW/login.png CTF - Hack The Box: Sense - Make it stand out Simply plug in the username rohit and the password pfsense into the login prompt. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626213862720-YB7S4GEH0TPZXEO1QLE3/searchsploit.png CTF - Hack The Box: Sense - Make it stand out Based on the version information I did a searchsploit for an exploit and got one that looks like it will work. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626213633302-ANICTLBHWAP2FKGOS4IB/Capture.PNG CTF - Hack The Box: Sense - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626214089507-82SQL8EZFOGE7XW87ESK/login+as+rohit.png CTF - Hack The Box: Sense - Make it stand out Got another key piece of information here. This pfsense instance is running version 2.1.3. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626213756361-JIMF650TO602MBFEP9FK/port+80.png CTF - Hack The Box: Sense - Make it stand out Its a pfsense firewall. I immediately try the user admin and the password pfsense since I have worked with these firewalls alot. No luck though. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626218533598-0FUWW2JEERLZ62UGUGC2/user+flag.png CTF - Hack The Box: Sense - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626218544722-MRIAEJSPTF1HGQBCFBYG/root+flag.png CTF - Hack The Box: Sense - Make it stand out As root the user and root flags were there for the taking. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626213805911-ZCL0Z5K31YYTWCWT7LOU/Screenshot_2021-07-12_17-36-03.png CTF - Hack The Box: Sense - Make it stand out We can see 80 and 443 are open. Lets check it out since that is all we have to work with. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626214117670-90MJCV2348NPTT035KCD/default+creds.png CTF - Hack The Box: Sense - Make it stand out A quick google confirms what I knew to be true already. The default password is pfsense. https://www.justintasset.com/red-team/oscp-journal-part-11-htbsunday monthly 0.5 2022-02-27 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626008673885-UYHHPIIMGCRURW1ZA8KB/Capture.PNG CTF - Hack The Box: Sunday - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626009202832-YD70D36CMNOW5ODAD1PL/sudo+-l+sammy.png CTF - Hack The Box: Sunday - Make it stand out Checking what a given user has the ability to run as root is always the first thing I check. In this case its wget. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626009139714-SOW781ABUTGGS3KKML5F/password+hashes.png CTF - Hack The Box: Sunday - Make it stand out After poking around I found a backup if ./etc/shadow in the / directory. The next logical step is to grab them and put them through john. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626009174709-YFBZEWXZ0LKKNLP6ASFN/root+flag.png CTF - Hack The Box: Sunday - Make it stand out I found using wget to be the most straight forward way to read the flag. We don’t necessarily need to be root to get the root flag when we can read the file as sammy. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626009078924-YVQYM7GZIAZUWTI3M7E2/hydra.png CTF - Hack The Box: Sunday - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626009102151-38F9OJPCSNO7UYKNTKU2/hydra+ssh+bruteforce.png CTF - Hack The Box: Sunday - Make it stand out Running hydra is always worth a shot when you have a username and on the 1329th try it looks like we got in. Ive been using the 10,000 most common passwords list instead of rockyou lately because rock you takes forever due to its size and is filled with a lot of garbage. The list can be found here. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626008986216-47GXM4IWYOWMUQG3ZYLR/get+fingerenum.png CTF - Hack The Box: Sunday - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626009639976-PL51QPA3TWFSVWHS0M5C/sammy+password.png CTF - Hack The Box: Sunday - Make it stand out Got credentials for sammy now. Lets log in. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626008644215-E7T3MTZTDQ06MHHHD272/nmap.png CTF - Hack The Box: Sunday - Make it stand out Im not sure if its due to Sun OS but I had a hard time getting an accurate idea of what ports were open. It hammers home you should never take your tools output as gospel. It never hurts to run them again or with different switches. In this case finger (port 79) and ssh (port 22022) are of interest. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626009041489-SE6AQTWY7EO2RPRFJFVM/sunday.png CTF - Hack The Box: Sunday - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626010773896-6LHJE3S1FLO6KHK6VKJS/sddsf+ds.png CTF - Hack The Box: Sunday - Make it stand out Some googling tells us that “the Name/Finger protocol and the Finger user information protocol are simple network protocols for the exchange of human-oriented status and user information” and a the tool finger-userenum can be used to enumerate users so lets give that a shot. LINK https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626013437576-TFKWFP2WEV3W2NZ2S3QW/finder+enum.png CTF - Hack The Box: Sunday - Make it stand out finger-user-enum is a standalone perl script so once we have it downloaded it was relatively straightforward to run. We find a bunch of different users we can potentially start attacking. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1626009544375-SOUTY6CABS44FNAIUAK7/user+flag.png CTF - Hack The Box: Sunday - Make it stand out I had to do some googling and use find to locate user.txt. Sun OS is unique in its own right so it wasn’t in the usual place. https://www.justintasset.com/red-team/oscp-journal-part-11-htbshocker monthly 0.5 2022-02-27 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1625738641894-EVTUFQEL6X1TJAPW7PJI/gobuster.png CTF - Hack The Box: Shocker - Make it stand out Enumerating further with gobuster and a wordlist we locate a bunch of different scripts. “user.sh” is of particular interest especially since its the only one can get to. Some research points us to this machine possibly being vulnerable to shellshock! https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1625739739914-K6REYJEB9HE9P3P3QHKY/R7%5D.PNG CTF - Hack The Box: Shocker - Make it stand out Alittle more research confirms that this should work! https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1625738592730-SUEP9GGBSHRYMHLXOWKB/port80.png CTF - Hack The Box: Shocker - Make it stand out Port 80 doesn’t show anything of significant interest. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1625738703769-H77X8WZB5AMTFL92GT4B/dirb.png CTF - Hack The Box: Shocker - Make it stand out Next step is to enumerate pages in the site. cgi-bin is of interest because it “is a folder used to house scripts that will interact with a Web browser”. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1625738953218-IKVZVKSV7YJUMIOYJLHH/IAMROOT.png CTF - Hack The Box: Shocker - Make it stand out boom https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1625738452987-UEX6HBOW3D4IWLUOO53H/Nmao.png CTF - Hack The Box: Shocker - Make it stand out Nmap to see what we have to work with. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1625738909493-MY8ZX29Z2O38IYISBZPP/priv+esc+strategy+.png CTF - Hack The Box: Shocker - Make it stand out sudo -l is always one of the first things I look for when trying to escalate privileges. Happily shelly can run perl with impunity. Lets use that to create a root shell. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1625738722850-3GR3L11P2G0EISZZO4H2/shell%21.png CTF - Hack The Box: Shocker - Make it stand out Set up msf with all of the appropriate information and we are in! https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1625738582058-K1QVJM6BSO8H2C7OWKIH/Capture.PNG CTF - Hack The Box: Shocker - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1625738781797-AYUPFRR16TMWHZXKIY2W/cgi-bin+on+port+80.png CTF - Hack The Box: Shocker - Make it stand out Not sure why I bothered to check seeing as dirb told me it was 403. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1625738746968-CWI9RAQQXYBHS9758J2S/msfconsole.png CTF - Hack The Box: Shocker - Make it stand out This exploit seem to fit our needs https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1625738889455-H2DG0AB1FRNXZ6DJUZCP/user+flag.png CTF - Hack The Box: Shocker - Make it stand out The user flag is there for the taking without any privilege escalation. The same cant be said for the root flag however. https://www.justintasset.com/red-team/oscp-journal-part-10-htblegacy monthly 0.5 2022-02-27 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1622730598810-4O23JULT6IWZTRS2OZLI/shell.png CTF - Hack The Box: Legacy - Make it stand out got a shell! https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1622730577476-HZ6QUW9XBNZLS3LCW33P/exploit.png CTF - Hack The Box: Legacy - Make it stand out Some googling turned up this Metasploit module. Full disclosure I tried the msf’s eternal blue exploit first but it didn’t seem to like XP. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1623508847810-KR4ALR0KUKO8XHYKUJ3Z/root+flag.png CTF - Hack The Box: Legacy - Make it stand out Grabbed the user and root flags. Not sure if its XP being so old or if it was the shell I had but things like whoami wouldn’t work and made getting around a bit harder. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1622730567310-5I5XVCLBTDHR0ES7Z2IX/nmap.png CTF - Hack The Box: Legacy - Make it stand out Our nmap scan reveals two open ports (139, 445) which is SMB. Also of interest is that this is a Windows XP machine which means finding an exploit wont be difficult. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1623508820207-7JJNYRXZPTNA3J82X2J9/user+flag.png CTF - Hack The Box: Legacy - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1622730640830-NSMLNS9EM25Q10J8LVDZ/Capture.PNG CTF - Hack The Box: Legacy - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.justintasset.com/red-team/oscp-journal-part-9-htbtraverxec monthly 0.5 2022-02-27 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1615390821728-CMYYLJY8W35M6MV48MO2/Nmap.PNG CTF - Hack The Box: Traverxec Port 80 jumps off the page with an odd webserver https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1616847311558-LID251LPTM1KZ4RY14L4/searchsploit.PNG CTF - Hack The Box: Traverxec searchsploit tells us there is a metasploit module for this version of Nostromo https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1615391107761-UG3S9I8UPDQQI39QNLQY/Got+the+SSH+Keys.PNG CTF - Hack The Box: Traverxec Lets move it back to kali to work with it. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1616846946604-J3TFEXL4X5AC8PS2SKJA/got+a+shell.PNG CTF - Hack The Box: Traverxec got a shell but with next to no privileges. boo https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1615391179101-2JHURZ2F2PXMKLPJAJBD/id_rsa.PNG CTF - Hack The Box: Traverxec unpack the file and view the key https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1615390971701-09LMFXSW0R94HCWM15LE/user.PNG CTF - Hack The Box: Traverxec Using the information above we can now ssh as David and grab the user flag. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1615391061033-USYYRL82WNENH4C4GYCM/SSH%21.PNG CTF - Hack The Box: Traverxec https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1615390992515-MLYWMY76O3VJB6DGVQRH/escape+from+journalctl.PNG CTF - Hack The Box: Traverxec gtfobins is a great cheat sheet for this. If I hadn’t just taken the Ti3beriu’s linux privilege escalation class I would have been very lost. My cheat sheet can be found here. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1615391243481-J5L5YUCCWSLOK5L2REO5/cracked+hash.PNG CTF - Hack The Box: Traverxec Use john to hash the rsa key and run it through the rockyou wordlist to find out what david’s password is. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1615391660284-MGK7H34IUSLGKFI8GS3F/dsf.PNG CTF - Hack The Box: Traverxec This is the tough bit we can view the script and use a shell escape sequence to elevate our privileges. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1615390980202-33F6PF96TBUYHO6O1NRC/system.PNG CTF - Hack The Box: Traverxec Got root and grabbed the root flag. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1615390845399-4SKRSUXSGP6VBT6R620L/port+80.PNG CTF - Hack The Box: Traverxec https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1615391044747-9FUYUOGJGCRQU9S2H4HZ/SSH+Keys.PNG CTF - Hack The Box: Traverxec David leaves valuable files lying around with passive aggressive notes. https://www.justintasset.com/red-team/6sjv3zm5tnhnfyfwqzvvzb3yex49i5 monthly 0.5 2022-02-27 https://www.justintasset.com/red-team/oscp-journal-part-7-htbdevel monthly 0.5 2022-02-27 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613699853101-A0YPW7S0MC3Z1RRWAI4Q/rshell.PNG CTF - Hack The Box: Devel While I knew the theory of reverse shells I had never actually created one. It took some research but I was able to learn how this is achieved. The above command was run on my machine to generate a the shell script. It was at this point I leaned on ippsec for help. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613699721470-ISC2MAL37IJ2AU1T6069/denied.PNG CTF - Hack The Box: Devel Bummer I became a user with no privileges. Another opportunity to practice privilege escalation. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613699434450-KI8LTTWV5EIF47POZ1YF/rce.PNG CTF - Hack The Box: Devel Based on what was listed in the anonymous FTP I pulled up file file “welcome.png” over http. At this point I knew remote code execution was going to be the way in. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613699382829-YQUACEF11GCW9TLRA7CQ/Capture.PNG CTF - Hack The Box: Devel I like this box a lot because it had me demonstrate/learn a lot of different skills. In particular I learned how to create reverse shells. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613699691650-5Q5LAI312X8JR0QIDDS4/make+RS.PNG CTF - Hack The Box: Devel In this case I needed the filetype to aspx. So I adjusted the commands appropriately. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613956403157-AESJ9ZRPVH6FTWIM33SY/handler.PNG CTF - Hack The Box: Devel I went ahead and started a listener to listen on the appropriate port. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613956928910-C860FMETQEWZDM8YOPTN/nmap.png CTF - Hack The Box: Devel Nmap to find out what we have to work with. I noted anonymous ftp and the IIS server immediately. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613699457637-E5XJZ3T6SFDRWUVDVXAT/port+80.PNG CTF - Hack The Box: Devel Checking out what is on port 80 confirms this is a Windows IIS server. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613699650534-9MUFZJ60UPZYWPKSX8XL/SYSTEM.PNG CTF - Hack The Box: Devel https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613699542296-KU55JFGUC9XVTRPV6IEZ/post+2.PNG CTF - Hack The Box: Devel https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613699704938-OFK02CJNI1TWNGX2WHZD/place+shell.PNG CTF - Hack The Box: Devel I then went over and uploaded the reverse shell I created via anonymous ftp. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613699514664-3DFGWEG062ZD0YM26SHR/post+selection.PNG CTF - Hack The Box: Devel I dropped out of the shell and back into metasploit to find a way to elevate my privileges. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613699561666-KMDC4LD5MR1X619TW9TQ/system%21.PNG CTF - Hack The Box: Devel BAM. Im system. Now its just a matter of grabbing the flags. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613699621498-C26PAL8Z6FZOVLEM84BX/User.PNG CTF - Hack The Box: Devel https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613699871208-NODWQ66GDST267IB3TQ2/execute.PNG CTF - Hack The Box: Devel I executed it by trying to open it in the web browser. https://www.justintasset.com/red-team/oscp-journal-part-6-htboptimum monthly 0.5 2022-02-27 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613679475007-VRFEM7U9XKUOWN4WNW4Q/User.PNG CTF - Hack The Box: Optimum https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613679490383-JQMDT75865PSVF6DGRUF/admin+denied.PNG CTF - Hack The Box: Optimum Happily I was able to grab the user flag right away but wasn’t able to grab the system flag. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613745364951-2QDVBJFSOW5AJJVRJGXF/Capture.PNG CTF - Hack The Box: Optimum A quick “google” of the http headers informed me that it is a Rejetto file server. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613679246951-26X0R6RMX3BCPNEVMLGI/port+80.png CTF - Hack The Box: Optimum https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613679231062-5S8WEW0X0YK6LARE1FW8/pwnd.PNG CTF - Hack The Box: Optimum I enjoyed this box and learning how to use post exploitation modules to achieve privilege escalation in metasploit was great fun and will be a useful skill. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613679215126-2ZPN34MPL2EP2L7G39AF/nmap.png CTF - Hack The Box: Optimum I ran my normal nmap script and noted the web server on port 80. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613679454107-HW0GDW4E6QGV6ZBWETO9/escalation.PNG CTF - Hack The Box: Optimum Until this point I was able to do everything without any help but I have never done privilege escalation and needed to lean on ippsec to load the post exploitation module in metasploit and run it to achieve system. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613679526681-70814J9ZJ2D37VPH05W5/root+flag.PNG CTF - Hack The Box: Optimum https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613679276817-BA6YNRT5AQGN7LIP7ACP/Rapid7.png CTF - Hack The Box: Optimum I was then able to pivot with that information and find a metasploit module to exploit that version of Rejetto. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613679297891-FSMDBFECQM1UWRIK9CQH/session.PNG CTF - Hack The Box: Optimum At this point im comfortable with metasploit but my kali instance just wasnt working so I moved over to perrot OS to run the exploit and get a shell. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613679383988-XH7K8F379JGEA2SGG9TA/system+info.PNG CTF - Hack The Box: Optimum https://www.justintasset.com/red-team/oscp-journal-part-5-htbjerrya monthly 0.5 2022-02-27 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613526378317-6BR94OQQVCLH6TWIDCVI/nmap.png CTF - Hack The Box: Jerry Nmap the host to identify what we have to work with. In this case we have a tomcat server running on port 8080. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613572721663-WALI92SKA0XBQ7ZK8NJN/default%2Bcreds.jpg CTF - Hack The Box: Jerry Poking around the default tomcat page I found a default set of credentials that worked so I didn’t even need to go find a list. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613526353120-IU2ACDNMMBCXG66CD177/shell+2.png CTF - Hack The Box: Jerry 2 for the price of 1 on this box! I thought I was going to have do some privilege escalation but no such luck. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613526437569-3ACQ8742WNM4Z6OSU0M3/port+80808.png CTF - Hack The Box: Jerry https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613526281610-8WEA66BU0H8NW16GVHWM/shell.png CTF - Hack The Box: Jerry https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613526293941-GAF4HVAKXHT7HUCEFJW8/shell+1.png CTF - Hack The Box: Jerry https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613526691886-8XLKMZKGBLXLP9Z2LDAB/rapid7.png CTF - Hack The Box: Jerry Since tomcat 7.0.88 is nowhere near the current version I figured there would be a vulnerability I could take advantage of. Some trial and error lead me to a Metasploit module that yielded a shell. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613526742394-MWHSRMM6GK3FJRVQE06U/Capture.PNG CTF - Hack The Box: Jerry All in all I think Jerry was a relatively straight forward box. I did it with little or no help from the guide which is encouraging. https://www.justintasset.com/red-team/oscp-journal-part-4-htbnetmon monthly 0.5 2022-02-27 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612835545651-3Q8RA6KDD2996W0GLYIH/anon+ftp+and+user+flag.png CTF - Hack The Box: Netmon I had to explore anonymous ftp first and was surprised to find the root of C available. I explored users and found that I couldn’t access the Administrators folder but I could get into Public and located the flag. Now time to look for the system flag. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612835630077-1DL0USRNESJBBAR16OHP/system+flag.png CTF - Hack The Box: Netmon https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612835692154-BYK7WIV16ZDUBMRDKP78/default+creds.png CTF - Hack The Box: Netmon Some google presented some default credentials but no unfortunately the pesky system administrators changed them. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612835679635-STN7Z3F7DMHUY505JB4I/port+80.png CTF - Hack The Box: Netmon Port 80 presented me with a login. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612835573511-R35OOJ9QLEQODC46443H/Capture.PNG CTF - Hack The Box: Netmon I had more fun with this one than any of the previous machines. They all have been fun and a great learning experience. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612835739075-CSQKT3X618DXVAXYQHSK/Backupconfig.png CTF - Hack The Box: Netmon Back to the anonymous ftp where an old backup was located. I had to lean on the walk through for this. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612835471881-90TLRBQVOQOAGLHQYRTD/nmap.png CTF - Hack The Box: Netmon Same nmap scan as always. I noted port 80 and 21 immediately. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612835653195-9FKQVAR4KRKYT7FMX2WD/rce4.png CTF - Hack The Box: Netmon Again I leaned on the walk-through to inform me of the remote code execution vulnerability. I chose to differ from the official HTB walkthrough on how I used the RCE though. It wanted to create a new user with elevated privileges but I liked this guide better because it simply moved the flag to a directory we could access with anonymous ftp (seemed stealthier to me). https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612835640496-YFIVVX26MID8QIAY56M8/rce3.png CTF - Hack The Box: Netmon https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612835785079-7MGXV9TVW1AZPM2UW599/creds.png CTF - Hack The Box: Netmon A review of the old backup reveals credentials. Since this was an old backup the password had to be adjusted to “PrTg@dmin2019“. I suspect if I looked at the system clock it would say it was 2019. https://www.justintasset.com/red-team/oscp-journey-part3-htblame monthly 0.5 2022-02-27 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612219850367-0ELH1NPPXFCW2KSEH5BC/Capture.PNG CTF - Hack The Box: Lame All and all Lame was a good learning experience that has made me more comfortable with how Metasploit works. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612215942890-07M9FBIB62QRAG9XQCC6/image-asset.png CTF - Hack The Box: Lame A search in metasploit confirms its able to be used and I select it with the “use” command. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612215683923-RJ530503GHH73T1MXFJ4/1.png CTF - Hack The Box: Lame Started off with my usual nmap script. It is slow but very thorough. I noticed ftp was open but decided to take a shot at Samba first. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612220322453-0F9ZMEHGKCV8P1QQH5C0/5.png CTF - Hack The Box: Lame I set RHOST and LHOST and run the exploit creating a session. This is where I ran into some issues though. When I used my private IP I got very mixed results (very slow, non-responsive, no shell, …..). Undoubtedly there is networking I don’t fully understand. Using the tunnel seemed to do the trick though. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612221070684-YKVWZ0QTV40UXHOFHNR3/Capture.PNG CTF - Hack The Box: Lame “searchsploit” is my new best friend. Its a very easy way to search if a service is vulnerable. Luckily there is a metasploit module which will make this easy. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612220404493-N8GROB0M2JO3C2E7S3KL/3.png CTF - Hack The Box: Lame https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1612215851516-56ZF6JD2ULX9D3VOX3EE/6.png CTF - Hack The Box: Lame Once I got a shell getting the flags wasn’t an issue but manipulating an exploited shell proved to be a bit different and a little harder than I anticipated. https://www.justintasset.com/red-team/oscp-journey-part-2-htbblue monthly 0.5 2022-02-27 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1611081105349-6HQU7LFNB4VK4EASX81B/Nmap CTF - Hack The Box: Blue I started off with an nmap scan per usual and if the name of the box didnt give it away the fact that it was Windows 7 should be telling. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1611081292550-JFI2R5HS2F3446455DCR/msf CTF - Hack The Box: Blue WIN! That felt nice https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1611081635278-9DY3GOSGOPQH9TTKHD38/2.PNG CTF - Hack The Box: Blue https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1611081206575-CVCZV4G36PSWAU7TMDVX/Screenshot_2021-01-17_10-10-46.png CTF - Hack The Box: Blue After I got a shell and became authority the system was mine. All in all a good box for beginners. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1611081128706-S6XNYLZRNKP0JVM9LYEJ/Screenshot_2021-01-17_09-49-24.png CTF - Hack The Box: Blue https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1611081147337-3U3GJIW8E63CE6W58FH4/MS17-010 CTF - Hack The Box: Blue There are a few exploits for ms17-101. I ended up using /windows/smb/ms17_010_eteralblue. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1611081173116-KKEH410JU6YQ64VO4LKQ/Screenshot_2021-01-17_10-07-45.png CTF - Hack The Box: Blue https://www.justintasset.com/red-team/oscp-journey-part-1 monthly 0.5 2022-02-27 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1607523875983-ATBB3XRZ8C6U5FU85UVH/dirb+2.png CTF - Hack The Box: Blocky I ran dirb against the web page to see what pages existed. http://10.10.10.37/plugins was of particular interest. I used second dirb to enumerate further locating the /files directory. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1607522375756-T3ONY56ZUBAE7KC4Q3AF/image-asset.png CTF - Hack The Box: Blocky I downloaded and decompiled these files I was able to locate the root password in the BlockyCore.jar file! https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1607526671429-ZAVGFR7EL043RDLGF8TS/root+passwd.png CTF - Hack The Box: Blocky From here I was able to elevate to root as notch is in the sudoers group and go and grab the user and root flags. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1607524428655-B8CPH46KGXB5DYIUDG4T/user.png CTF - Hack The Box: Blocky https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1607521798512-KMHM2Z70T7APY1TMQZ8R/image-asset.png CTF - Hack The Box: Blocky https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1607477374856-0785BTSRZJHC2ZMWQSYA/image-asset.png CTF - Hack The Box: Blocky https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1607522573498-G5GS86N03QTUPIIHF3PU/access.png CTF - Hack The Box: Blocky Using these credentials I tired to log in as root over SSH but it unfortunately it didn’t work. Luckily I was able to find a username by looking at the only blog post. This was a place I got stuck and needed some help from the official write up. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1607527557753-P8RYFQHLTVMY3M8S9PH2/nmap.jpg CTF - Hack The Box: Blocky Nmap was used to find what services were open on this host. In this case 21, 22, and 80 are open. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1607521670708-J3UTP36M5CCC94T5GAJ3/blocky.png CTF - Hack The Box: Blocky Blocky is a reference to minecraft so it wasn’t a surprise that I found a minecraft server. https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1607521949354-B3HC4TX0YF9JZH3VF1SR/image-asset.png CTF - Hack The Box: Blocky https://www.justintasset.com/red-team/category/OSCP monthly 0.5 https://www.justintasset.com/red-team/tag/%23RCE monthly 0.5 https://www.justintasset.com/red-team/tag/finger monthly 0.5 https://www.justintasset.com/red-team/tag/shellshock monthly 0.5 https://www.justintasset.com/red-team/tag/%23HTB monthly 0.5 https://www.justintasset.com/red-team/tag/%23dirb monthly 0.5 https://www.justintasset.com/red-team/tag/%23AlwaysChangeDefaultCredsPlease monthly 0.5 https://www.justintasset.com/red-team/tag/%23OSCP monthly 0.5 https://www.justintasset.com/red-team/tag/privesc monthly 0.5 https://www.justintasset.com/red-team/tag/wget monthly 0.5 https://www.justintasset.com/red-team/tag/%23Metasploit monthly 0.5 https://www.justintasset.com/red-team/tag/windows monthly 0.5 https://www.justintasset.com/red-team/tag/fingerenum monthly 0.5 https://www.justintasset.com/red-team/tag/%23ftp monthly 0.5 https://www.justintasset.com/red-team/tag/file+misconfiguration monthly 0.5 https://www.justintasset.com/red-team/tag/%23nmap monthly 0.5 https://www.justintasset.com/red-team/tag/web monthly 0.5 https://www.justintasset.com/red-team/tag/%23HackTheBox monthly 0.5 https://www.justintasset.com/red-team/tag/%23enum monthly 0.5 https://www.justintasset.com/red-team/tag/bash monthly 0.5 https://www.justintasset.com/red-team/tag/john monthly 0.5 https://www.justintasset.com/red-team/tag/perl monthly 0.5 https://www.justintasset.com/red-team/tag/%23tomcat monthly 0.5 https://www.justintasset.com/red-team/tag/solaris monthly 0.5 https://www.justintasset.com/home daily 1.0 2024-09-25 https://www.justintasset.com/about daily 0.75 2022-03-21 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1613749908238-HLHNXFKDK8G2DMGWHORO/1516473065182.jpg About https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1611186640603-A71T7DVFPF5AUXJ3PHIP/Capture.PNG About - About Me https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1614539555198-QC7ASHPSPK2C9CN6RELW/Roundtower.jpg About - Roundtower Technologies Cybersecurity Engineer (Aug 2018 – Jul 2019) -Drive monitoring of security events using a SIEM and other feeds, looking for significant events, and processing reports of unexpected network activity -Manage a team of 10 analysts who review, assess, and triage security events and guide the management events escalating into incidents -Write custom rules to track specific activity and security events proactively or as requested by our clients -Respond to inbound phone and electronic requests for technical assistance from customers -Work closely with our client's Incident Response Teams to analyze and resolve security incidents -Work with new clients to install the SIEM and configure syslog from all security/network devices Cybersecurity Analyst (Aug 2017 – Aug 2018) -Perform real-time proactive security monitoring, detection and response to security events and incidents within client networks. -Investigate potential cyber-attacks and intrusion attempts, and lead containment, eradication, recovery, and lessons learned analysis of actual incidents. -Analyze a variety of network and host-based security appliance logs (Firewalls, NIDS, HIDS, etc.) to determine the correct remediation actions and escalation paths for each incident. -Backup of firewalls, Alien Vault security appliances, and other security devices. -Provide information regarding intrusion events, security incidents, and other threat indications and warning information to the client. -Utilize advanced network and host forensic tools in order to triage and scope an incident. -Maintain situational awareness of latest cybersecurity threats, vulnerabilities and mitigation strategies. Cybersecurity Analyst Co-op (Apr 2017 – Aug 2018) https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1614539508181-TKVAP353KODHGXUIJW26/avista.jpg About - Avista Corporation Cyber Threat Hunter (Jul 2019 - Present) -Perform hunting exercises using threat intelligence, analysis of anomalous log data and results of historical events and data to detect and respond to threats -Correlate data from intrusion detection and prevention systems with data from other sources such as firewall, web server, vulnerability, proxy, endpoint, email and DNS logs -Create and add custom signatures to mitigate highly dynamic threats to the enterprise using the latest threat information obtained from multiple sources -Collect and deploy threat intelligence to detect, respond, and defeat advanced persistent threats -Maintain knowledge of the current security threat level by monitoring related Internet postings, Intelligence reports, and other related documents as necessary -Develop and produce reports on all activities and incidents to help maintain day to day status, develop and report on trends, and provide focus and situational awareness on all issues https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1611685443872-XX01DOXARSZ7SQYVZ4MY/School+Logo.png About University of Cincinnati, School of Information Technology Bachelor of Science in Information Technology, Major: Cybersecurity Cumulative GPA: 3.5/4.0 Relevant Coursework: Programming, Networking, System Administration, and Security College of Mount Saint Joseph, School of Business Bachelor of Science in Business Administration, Major: Business Administration Cumulative GPA: 3.0/4.0 Relevant Coursework: Accounting, Economics, Marketing, and Finance https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1614010579932-3IVZCO4U9G6K09FI4RYS/external-content.duckduckgo.com.jpg About https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1611180386096-M4IPP87PQOX7HAGKDQJ5/oscp-certs.png About https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1611180357608-7KRO8W2MT7CKR12ZAVCR/CEH.png About https://www.justintasset.com/404 daily 0.75 2022-03-04 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/442f15c2-2c91-49f2-a507-bb6859d77901/external-content.duckduckgo.com.jpg 418 https://www.justintasset.com/readinglist daily 0.75 2022-02-24 https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/b6cf76c6-c459-453e-b6f2-f025a84d46cf/51ePZIsgqlL._SX327_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/f81154e4-0634-4bec-a100-a826c4878726/51ukTf13RPL._SX320_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/040efab4-5fb1-4d0b-a55e-17186c711917/51jwMaP%2BOzL._SY344_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/0bac783c-b75d-435f-bb44-c170e4778957/51rsftpeCZL._SX327_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/c3c876fc-46b9-4ab1-af7a-34f511d86558/51uMpgGt%2BcL._SY344_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/e07fd313-c84f-4be3-b2ac-d7a32e1c50a1/31TP3e%2B0CRL._BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/7cc06031-2cf4-4fb8-a935-a43c73227f92/41vw%2BRmEi4L._SY344_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/2927d51c-b990-4e01-8bc4-f1ff60e70b48/31t93iSxN0L._SX248_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/a8ed7ccb-adc4-433b-9814-0ef98ec02213/51NJOD0ItCL._SX314_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/600c070d-f1e6-49d5-a87f-79068da2906a/41vACymv5JL._SX321_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/0f80e4fb-d6ac-48b3-8c7b-e9a9a96573cf/1520126247.01._SCLZZZZZZZ_SX500_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/09473349-9c5c-4198-987e-39998a27e7cc/51qWblR2GXL._SX320_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/83ce0e95-2ed5-42ec-98fe-78b0d28a4352/51AWMwHe9rL._SX329_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1efd1e36-4510-4287-b618-d65a70187933/51sefpkmWnL._SX343_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/4d0d7387-6629-497c-9738-c04011492f89/41yAdpcoZkL._SX331_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/1d441258-9cce-4c94-ba54-7f1ccf8a4dd1/613VM4hOVNL._SX329_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/a4b79a81-3634-40ac-8887-8ace0f7de775/030788743X.01._SCLZZZZZZZ_SX500_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/8bade4fa-462e-4488-b722-31cdaf0ed9cd/51E2unWGyRL._SY346_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/40b01453-23b2-46df-8f23-b6e7b5176097/51lp0z%2BJsoL._SY346_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/e55601bc-bc7c-43bc-a01c-bf1a1547482b/41bnNZhRN2L._SX325_BO1%2C204%2C203%2C200_.jpg Reading List https://images.squarespace-cdn.com/content/v1/5fb544f3e0b11f38021b7731/a236284c-6bc0-4998-830f-2d9957baa20c/0804137250.01._SCLZZZZZZZ_SX500_.jpg Reading List