Gather as much knowledge as you can in order to make educated decisions.  For example, there's this idea that if we password protect Microsoft Office documents, we are going to keep people from accessing them.  I'd say that is mostly correct and when I'm done explaining how to crack the password, you can decide if what you have stored in them is protected well enough.  

    First, let me state that there are commercial products that will crack the passwords easily.  I haven't used one of those products in a long, long time and I think a search would yield legitimate products along with questionable, possibly malware-laced, products, and it's not something I want to randomly download.  For this post, I'm going to use open source (read:  FREE) and publicly available tools along with the rockyou wordlist.


    -- UPDATED AGAIN -- MS17-010 PYTHON EXPLOIT

    -- UPDATED AT THE BOTTOM OF THE PAGE --


    Don't be confused, this is about MS17-010 and the error you'll sometimes see which states:  "Unable to find accessible named pipe!"

    Since I came across this while working, I thought I'd document the steps of how I got here and how I worked to move past it.

    I'm on a network with a Windows 2008 Server and when I perform my port scan, I see:


    I had so many different ideas for the title of this post because there are so many different ways to call attention to this problem.  "Too much point and click."  "Attention to detail."  "Understanding your environment."  All of these apply.  

    The other day, I was playing around with (I will post on this soon!) Oracle Glassfish --  "Glassfish is the world's first implementation of the Java Platform, Enterprise Edition (Java EE) 6 specification."  I managed to get credentials and with that, I am able to deploy an application which is very much like deploying an application on Tomcat.  

    I set up Metasploit:


    "Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications."  The download can be found here:  https://github.com/rapid7/hackazon

    Honestly, when I heard the name, I didn't clue in.  When I saw the interface, I realized I missed the play on words. 

    I'd seen this application mentioned somewhere and I wanted to check it out.  Let me start off by saying that if you're a beginner, this is a great application to mess with for any number of reasons.  If you're seasoned a bit, this might not be worth the effort.


    I can't say that I've encountered Jenkins much in the real world, but when I worked with large groups of developers, they worked independently of each other and Jenkins probably could have helped with that problem -- but I digress; that is no longer my world.

    I've heard Jenkins mentioned in the context of pentesting larger organizations and I have two impressions:  First, it's discovered frequently.  Second, it's a sitting duck.  I don't know either to be true but I've wanted to get familiar with it.  I've seen it a few times but not in a situation where I could get a solid foothold. 

    Quick sidebar -- I met a red teamer who said he wanted to go through every single exploit in Metasploit to see how it worked.  I understand that concept and this is basically what I'm doing here.  Attack as many things as you can find, become familiar with how they work, and add that knowledge to your toolbox.  It will aid you in pentesting and it will also aid you in securing these applications when you come across them.

    I finally found a vulnerable version of Jenkins, version 1.637, and I wanted to work through every angle -- even if some are redundant.


    I'm sitting on an airplane reading:  "How to Hack Like a LEGEND: A hacker's tale breaking into a secretive offshore company" and I'm taking notes.  As I'm reading through the book, realizing there are more real-world tools I should be exploring versus playing on HackTheBox and Vulnhub, I write myself a note stating:  "Less hack-y things, more real-world".  That lasted a day, maybe two, and then I could feel the challenges calling me back.  It's not that the CTF challenges don't hone your skills, it's that there are some recent tools that are worth exploring as well.  Perhaps some are more useful for current work projects.

    I'm starting to like the CTF challenges as I learn more of the esoteric techniques used for that particular style of box.  So as I'm perusing Vulnhub, I come across Mercy:  "MERCY is a machine dedicated to Offensive Security for the PWK course, and to a great friend of mine who was there to share my sufferance with me. :-)"

    Mercy definitely has that PWK feel except that I think the Offsec folks would have made the privilege escalation more challenging.  


    © 2020 sevenlayers.com