Windows

The problem statement Let’s say you have a (Windows or Linux) EC2 instance in a private subnet and want to access it interactively. There are several ways to do this: You could use a bastion host in your public subnet, harden it and limit access to a certain IP range, and then tunnel your SSH or RDP (or any other TCP) traffic through this host using SSH. Alternatively, you could set up a VPN server through which to connect to your instance. ...

A couple of days ago I took the exam for the CRTP (Certified Red Team Professional) certification by Pentester Academy. In this review I want to give a quick overview of the course contents, the labs and the exam. Course Contents Attacking and Defending Active Directory is the accompanying course for the CRTP certification and it covers – as the name suggests – various common attack vectors and persistence techniques in Windows AD networks. The course also gives an overview of the defensive measures you can take – from more high-level explanations of privilege separation models to deploying decoy objects in the environment for deception. ...

This is a write-up of today’s retired Hack The Box machine Buff. Buff was a fun 20 point box that included exploitation of a known vulnerability in a gym management web app and a classic buffer overflow for getting an administrator shell. In my opinion doing this machine can also serve as a good practice if you plan on doing something like the OSCP or eCPPT certification and still need practice targets for the binary exploitation / buffer overflow part. ...

I finally found some time again to write a walk-through of a Hack The Box machine. In this post we’ll hack into Fuse, a Medium machine which just got retired and included some password guessing, discovery of stored plaintext credentials and eventually a SeLoadDriverPrivilege escalation. Recon and Enumeration To get a first overview of the box, we’ll start with a nmap -sC -sV 10.10.10.193. PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Site doesn't have a title (text/html). 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-10-30 22:31:39Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped Looking at the ports and enumeration output, we can tell we’re dealing with a domain controller. ...

Recently, I needed to transfer a binary over a very limited network connection allowing only small packets to be sent. I ended up splitting the binary into pieces on my Linux box and reassembled the pieces on the target Windows host. If, for some reason, you cannot use easier means like IP fragmentation and work with a smaller maximum transfer unit (MTU), here’s how to do the splitting and re-combining. ...