Bsides 2015 Talk

This is my talk from Bsides Boston 2015. I feel overall the talk went well even though I did not have my presenters notes due to a projector issue.

I have removed the demo videos from the slides to save on space. But you can see them below as well as download the powerpoint file.

Tools I used:

- Decrypt.ps1 (for decrypting the Windows GPO entry)
- Karma/Mana/NetHunter
  - https://github.com/karma-runner/karma
  - https://github.com/sensepost/mana
  - http://www.nethunter.com/
- Frogger
  - https://github.com/nccgroup/vlan-hopping
- Responder
  - https://github.com/SpiderLabs/Responder

Resources:

http://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
http://en.wikipedia.org/wiki/VLAN_hopping

You can watch my talk below.

PragyanCTF (Wytshadow)

Let's download the zip and see what's up.

Let's check out that HTML.

Hmmm, let's look at the code…

I can also adjust the checkered image to see the text as well.

Changed the values from 184px to 1px.

Looks like the flag isn't here. Let's look at some other files that were in that zip.

What's aes.js?

There is a lot of stuff in there, but if you have a good eye you can spot the flag.

PragyanCTF (H1tch)

Writeup by H1tch (www.h1tch.org)

Another nice CTF. This one was pretty laid back and went for over a week's time. It seemed to have a lot of stego and crypto challenges and was pretty low on any type of reverse or forensics. Everything seems to have gone smoothly; I didn't notice any issues. Some members of Overflow Security were in and out of the challenges. Here are the write-ups for the ones that I completed.

STEGO

Put on your reading glasses (10 pts)

Run strings on the file. The flag is on the bottom.

strings Proxy.jpg
M}EU]sF
1Z5;"A
kjiFF
16bbee7466db38dad50701223d57ace8

What you see is what you get. (50 pts)

Scream VM – The Easy Way

So this one was more work to build than it was to crack… That being said, there is a harder way, so stay tuned for that 🙂

- Download the ISO
- Download Scream.exe
- Install .NET 4.0
- Run Scream.exe, point it to the ISO and give it an XP license key.
- Choose a place to save the ISO file it creates.
- Use the resulting ISO file to build a VM.

HackLab – VulnVoIP (“Harder” way in)

After finishing Vulnix I decided to take on VulnVoIP and try my hand with some phone system hacking! 🙂

The VM has some instructions on what to do other than get root:

VulnVoIP is based on a relatively old AsteriskNOW distribution and has a number of weaknesses. The aim is to locate VoIP users, crack their passwords and gain access to the Support account voicemail.

NMAP

HackLab – VulnVoIP

So yes, there is a REALLY easy way and a harder way to do VulnVoIP. This is a quick and dirty write-up on the easy way…

root@kali:~# nmap -sU -p 5060 172.16.28.160

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-14 16:28 EST
Nmap scan report for 172.16.28.160
Host is up (0.00032s latency).
PORT     STATE         SERVICE
5060/udp open|filtered sip
MAC Address: 00:0C:29:D8:2E:59 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds
root@kali:~#

After that scan as well as running svmap…

HackLab – Vulnix

So I was poking around VulnHub for a new VM to work on and I came across Vulnix…  Here is how I got root!

NMAP:

Enumerator:

Found ssh credentials.

Tried to log in as User with the password "letmein".

We get access to user.

We can also see that this system is using r-services, more specifically rlogin (we had a pretty good idea that this was the case, since our original port scan showed port 513 open).

Added the wildcard entry + + to allow anybody to log in with no password as user.

De-IceS1.140

NMAP SCAN

DIRB

---- Scanning URL: http://172.16.28.131:80/ ----
+ http://172.16.28.131:80/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: http://172.16.28.131:80/forum/
+ http://172.16.28.131:80/index (CODE:200|SIZE:1782)
+ http://172.16.28.131:80/index.html (CODE:200|SIZE:1782)
+ http://172.16.28.131:80/server-status (CODE:403|SIZE:215)

---- Scanning URL: https://172.16.28.131/ ----
+ https://172.16.28.131/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: https://172.16.28.131/forum/
+ https://172.16.28.131/index (CODE:200|SIZE:1782)
+ https://172.16.28.131/index.html (CODE:200|SIZE:1782)
==> DIRECTORY: https://172.16.28.131/phpmyadmin/
+ https://172.16.28.131/server-status (CODE:403|SIZE:215)
==> DIRECTORY: https://172.16.28.131/webmail/

The Web App

Found Sandy's (SWillard) email… She may be an admin for this app from the look of this thread… We can also deduce from this thread that email addresses are initials@lazyadmins.corp.

Sandy = sw@lazyadmins.corp

X11 Forwarding Mac

This tutorial is going to cover setting up X11 forwarding via SSH from your Kali box to your Mac. This is a great way to host your Kali machine on a server (home server or VPS) and still have access to tools like Burp that require a GUI.

The first thing you will need to do is download and install XQuartz from http://xquartz.macosforge.org/landing/

Next we need to enable the SSH server service.

Let's make sure we know the IP of our machine. This is my internal lab machine, so the IP is non-routable, but if you had this going through a firewall you would obviously need to forward SSH to your Kali box before trying to SSH to your external IP address.

OSCP Review – Eagle11

Finally I am among those who can write this review and say “I did it!”

It has been a long journey for me. With everything I had going on at home between work and a new baby, I had to extend my lab time A LOT! So I will not be commenting on how long it SHOULD take you to complete the course and certification… What I will say is that if I had had 2 weeks to do nothing but this class, I could have knocked it out in that time. My time for the class was spent mostly after work, 6-7 PM until bed, and then on weekends…

The opinions and thoughts on this blog are those of Overflow Security members, and do not reflect those of our members' employers.