So on a couple of the vulnerable machines I’ve reached a point where I have no idea what to do next. I’ve ended up pulling the walkthroughs and seeing how other people approach things. While it makes sense to learn from others, and it absolutely has helped me learn multiple techniques way faster than I could have on my own, I can’t shake the feeling it’s cheating. I suppose it’s my own bullshit. But if the goal is to learn how to do something, and I can accomplish that goal, and gain the useful knowledge in a fraction of the time (and still retain that information for later) it just makes sense. I do hope to do enough of these that I can start getting root without cheat sheets. But for now, it’s still very much a learning experience for me, so I’ll keep on looking things up as needed.
All of that said, I’m already seeing a big difference. I know far more tools than I did a month ago. I can accomplish a good deal from memory/experience at this point. I’m learning things. So if that’s the goal, then cheating be damned, I’m going to do it.
Luke (@LhHillz) put together a B2R called RickdiculouslyEasy. How could I resist. Wubbalubbadubdub here we go! Will post updates as things progress.
UPDATE: Completed. Got all 130 points, took 2 1/2 hours. Learned tons of things. Even some things I probably should have already know from being a syadmin. (how to use SCP from command line!)
Learned about building password lists using crunch, and then using those lists to attack something with hydra. All in all, time well spent. Onto the next one!
Finished badstore, so it was time for something new.
So I downloaded and spun up LazySysAdmin. A friend concurrently tried the same and showed me a couple of things. (SPARTA!!!) I learned about wpscan from some googling which turned up some nice info. Found an open share which had a password hidden in it. Located the WordPress config file and got myself into a basic shell with the info I found there, then once in was able to get a root shell by launching BASH from sudo. It’s listed as an easy Boot2Root, and it was fairly straightforward. Lots of fun though. Thanks to Togie McDogie (@TogieMcdogie)!
Onto the next one…
Badstore was quick and easy. Just as expected. But I’ve pretty much exhausted all the things to find/do. Time for another box to play with.
I found a couple of nice ones by ismailonderkaya: BTRsys v1 v2.1. We’ll see where this takes me.
It’s one thing to intellectually understand that the world is constantly attacking every address on the internet. It’s another to actually be able to visualize the data and see it. For fun I have been forwarding all of my inbound traffic logs to Graylog, and have enabled the Geolocation features. I never expected Seychelles to be one of the top sources of inbound traffic, but it is. Of course the usual suspects show up. Russia, southeast Asia, etc. But there is SO MUCH traffic from that tiny little island. Just an interesting observation.
Just playing around with some basic stuff. BadStore is ludicrously old, but it’s like playing the original Mario. Still fun. There’s just to many little things to play with. MySQL, XSS, form validation failure, SQL injection. I recently set up a retropie box for similar reasons. Having fun.
Spent this morning trying to get the Inject_CA module to work properly (or at least properly as I see fit). It is successfully inserting the key in to the registry, and reports success, but the actual certificate isn’t showing up in the Certs MMC. If I don’t see it there, then I have to assume it’s no actually loading properly. Nothing useful from Google so far. Well persistence will hopefully pay off, because this one is too useful to pass up.