I've been doing this job for far too long and something like a power outage creates a certain level of panic at first discovery.  While we take numerous steps to protect from disasters the one true test is pulling the plug to see what happens.  That is essentially what a power outage does -- it brings a certain sense of randomness with it. 

When disaster strikes, we reach for the documentation which includes pictures of the entire server to guide those on site through the rack. "Two down from the Cisco switch, that's the firewall. Check to see if it's on." Etc.

Once we were able to see the network, back to the documentation to retrieve the IP addresses for the hypervisors.

I took a brief look at DC: 5 and I can read into the file system but it's definitely not obvious taking the next step. Meanwhile, I just wrapped up DC: 3 and according to part of the description:

"For those with experience doing CTF and Boot2Root challenges, this probably won't take you long at all (in fact, it could take you less than 20 minutes easily)."

It didn't take long but it did take more than 20 minutes because I decided to learn how to write a Joomla reverse shell plugin. When I wrote the WordPress Plugin: Reverse Shell, the thought occurred to me to do the same for Joomla but I didn't bother. Given the easier target, it seemed like a good time. And I learned something and that's what really matters.

The first time I popped MS08-067 with Metasploit, I thought that was hacking. And then I modified some exploit code I found on Exploit-db, popped a box, and I thought that was hacking. In my current frame of reference, when I perform a buffer overflow, I get that feeling like I'm really hacking.

So what is a buffer overflow? Imagine you have a machine that dispenses soda into a can. The can moves under the nozzle, the machine dispenses the right amount of soda to fit into the can, and the next can moves underneath the nozzle. Now imagine that someone comes along with a hose and fills the can prior to it arriving underneath the nozzle. When the machine dispenses the soda, the can overflows. We have a design flaw. The maker of the machine didn't anticipate that someone would come along and add liquid to the can prior to it arriving underneath the nozzle.

I don't do a lot of brute force attacks because other than some low-end products that allow for that kind of thing, most real world devices, services, etc., won't tolerate it. When I do end up using brute force, it's either with Hydra or Burp but with write-ups, I shy away from pay products only because these tools might not be available to everyone. Today, I used Hydra, I learned something new, and that makes this write-up worth it on more than one level.

Continuing on with the DC series of boxes, our next target is DC: 4.

Kicking off with an Nmap scan:

I'm not critiquing the author because they are awesome! However, I would say that dc-3 seems easier than dc-2 and if someone were to do these in order, this one would be later, not sooner. That being said, I believe dc-6 was also easier and dc-5 is on my weekend list because it is different than the others. Or perhaps at first glance, I missed something obvious with dc-5. Time will tell.

This machine was cool and it would definitely make a beginner think outside of the box. It incorporates tools and technologies that you might not see every day. I'm obviously trying not to spoil -- if someone is here just looking for a hint.

Up until now, we've discussed using Nmap to scan for open ports, web fuzzers that enumerate directories and files, hash cracking, and we've even taken it a little further toward the victim with brute force attacks where we were able to login to a web application. But even with the successful login to a web application, I feel like we're sort of just pecking around the perimeter. Shells take us to that next level where we're able to pierce the skin and get below the surface.

This can be a tricky subject to wrap one's mind around so rather than jumping into the idea of shells immediately, let's start off with leveraging a tool, Netcat, for two way communication.

To better help (I hope!) keep this straight, I've colored each side.

    © 2020 sevenlayers.com