Running commands in a specific user context in PowerShell

If you find yourself in a limited cmd shell but have obtained credentials for another user, you can leverage PowerShell’s Invoke-Command cmdlet to execute a script block in the security context of that specific user. This can be helpful in a penetration test setting or CTF. One thing to be aware of is that you cannot just pass a user and password string to the -Credential parameter of Invoke-Command, but need to create a valid PSCredential object first. ...

December 8, 2019 · David Hamann

Hack the Box Write-up #2: Networked

In today’s write-up we’re looking at “Networked”, another Hack the Box machine rated as easy. We’ll start by finding relevant files via a directory brute-forcer, go on to read some PHP code and then exploiting a file upload feature. Command injection through a file name gives us a proper user shell, and in a second step, through network-scripts, a root shell. Enjoy! Recon We start with an nmap scan, just like in the last write-up, and see just two ports open: ...

December 4, 2019 · David Hamann

Hack the Box Write-up #1: Jerry

A while back I signed up for hackthebox.eu, but then somehow left the account sitting idle for quite some time as I was busy with work and doing my eCPPT. Having finished the PTP course and some free time available, I started to do some of the active machines and yesterday – after getting VIP access – also some of the “retired” boxes. As posting write-ups for retired machines is “fair game”, I thought I’d start a blog series of walk-throughs. ...

December 3, 2019 · David Hamann

Reading sniffed SSL/TLS traffic from curl with Wireshark

If you want to debug/inspect/analyze SSL/TLS traffic made by curl, you can easily do so by setting the environment variable SSLKEYLOGFILE to a file path of your choice (for storing the secrets), and then point Wireshark to use this file. Let’s see how: In Wireshark, go to Edit -> Preferences -> Protocols -> SSL -> (Pre)-Master-Secret log filename, and set the path: Then start the Wireshark capture. In your shell, you can now set the environment variable and make a request: ...

August 6, 2019 · David Hamann

Running ESXi on Intel NUC8i7HVK (with 64 GB of RAM)

I recently bought an Intel NUC8i7HVK to work as an ESXi host. In this post I walk you through the process of installation and initial setup. Hardware The NUC8i7HVK is the top-of-the-line model of the NUC kits and comes with an i7-8809G processor. It ships with neither memory nor storage, so picked up the following additional components: 2 x Samsung 32 GB DDR4-2666, SO-DIMM (M471A4G43MB1-CTD) 1 x Intel SSD 660p Series 1.0 TB, M.2 80 mm (SSDPEKNW010T8x 1) 1 x SanDisk Ultra Fit 16 GB (SDCZ430-016G-G46) An interesting fact to note: in the official specs, Intel mentions 32 GB as the maximum memory size. However, with 32 GB sticks now readily available and 64 GB being listed as the maximum memory size for the i7-8809G, I gave it a shot and installed 2 x 32 GB of RAM. It worked without issues. ...

August 6, 2019 · David Hamann