The description of this box states:

    "DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.  It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn."

    I think this definitely falls into the beginner category.  The entry is fairly obvious; hone that down to a specific vulnerability and you have your way in.  From there, enumerate carefully.  Find the nugget and then figure out how to use it to your advantage.

    That's all I'm saying for now...


    The description for this box states:  "HackinOS is a beginner level CTF style vulnerable machine."  If this is "beginner", I'd hate to see intermediate.  That being said, this was a fun box because it was much more complex when compared to other boxes you'll find on Vulnhub.  There's also a little bit of everything with the different avenues of exploration and exploitation.  It's sprinkled with a few rabbit holes as well and I'll admit, I followed a couple.  To top it off, this box also gives us the opportunity to write a little bit of code, which I initially tried to do in Bash but couldn't get to work for whatever reason (I ended up using PHP).  I don't want to dig too much into that now but I'll go over it later when we arrive at that point in the enumeration process.

    Kicking off with an Nmap scan:


    Better late than never, I guess.  I wanted to write this up a while back but I got distracted and by the time I returned to my notes, I felt like I'd lost the flow.  I had the screenshots but when I looked at them, I could remember that I wanted to discuss a few points but I couldn't remember exactly what.  Rather than just upload the images with some text, I decided to go back through it once more.  But then I had an issue with the server where it was living and I ended up rebuilding the image.  So it's been a while.  Moving on...

    According to Wiki:  "GlassFish is an open-source application server project started by Sun Microsystems for the Java EE platform and now sponsored by Oracle Corporation. The supported version is called Oracle GlassFish Server."

    When I began poking around, the avenues of attack for GlassFish felt similar to Tomcat.  When I searched for the difference, I came up with:  "Tomcat is simply an HTTP server and a Java servlet container. Glassfish is a complete Java EE application server."  So not exactly the same but perhaps they were built with a similar style.


    Funny story -- I have a number of virtual machines set up for various types of exploitation, such as the machine I used below for this RID Hijacking post.  When I'm done with the exploitation, I revert them back to their previous state to keep things clean and to have a fresh slate for my next "project".

    After finishing up this post, I reverted the machine to a point further back than I thought and I was unable to log in to the machine with the known password.  Thinking quickly, I was confident the box was vulnerable to MS17-010 but I was incorrect.  :\

    This particular machine is hosted on a Xenserver hypervisor, which allows you to detach the disk and reattach it elsewhere -- which is what I did.  Upon accessing the drive from another virtual machine, I replaced the utilman.exe executable with a meterpreter executable.  I then reattached it to the original host.  If you're not familiar with this hack:  


    This is not a comprehensive guide on installing Tinyproxy.  This is just a quick write-up on something I found that is very easy to set up for proxying.

    I had a need for a small, simple proxy, and when I went hunting around, I found Tinyproxy.  This could be installed on a Raspberry Pi, and I may end up doing exactly that at some point, but for now, I installed it on the Debian "Small CDs or USB sticks" installation, which took less than 10 minutes.  I probably spent another two minutes looking at the configuration file.  After that, I was in business -- proxying traffic.


    SP: eric is one of the newer releases from Vulnhub and when I first started enumerating it, I spotted the .git directory.  Right off the bat, I figured that wasn't there by accident and I started Googling to find more information.  After a minute or so, I discovered a post titled:  "Don't publicly expose .git or how we downloaded your website's sourcecode" which led me to a collection of tools written to pull data from sites where .git is exposed.

    While I was working through this box, I was reminded of a Defcon talk, "Hacking Git", which I believe is along the same lines.  A quick search found some tools related to that talk but I wasn't as successful at extracting data as I was with the tools above, so as far as I can tell, this is the quickest path to get where you need to go.

    Anyway, I kick off with an Nmap scan:


    © 2020 sevenlayers.com