As you walk down the street, you approach a home with an ADT sign and you notice a pair of surveillance cameras.  As you pass the home, you also notice the doors, windows, and garage door are all closed, and a sign posted on the gate to the side yard reads:  "Beware of Dog". 

    A few doors down, you pass another home without any visible signs for an alarm company and as far as you can tell, no surveillance cameras.  As you complete your pass of this second home, you notice the gate and garage door are both wide open.  In the garage, you can see three bicycles, a set of golf clubs, and a BMW with the driver side window rolled down. 


    I banged my head a bit on this one.  The low-privilege shell was quick, but the privilege escalation had me twisting for a while.  This box is definitely a mixture of standard exploitation with a CTF twist.  CTF is not really my thing, but I enjoyed this box.  It was clever, and some components of it are truer to life than the boxes that don't seem to have a purpose other than being a target.


    This will sound like a walk-through for Kioptrix1 but it didn't start off that way.  While scanning a server, I saw the following:

    + mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.

    When you search for:  mod_ssl exploit

    The first result is 764.c on Exploit-DB.  Out of the box, when you compile it, it throws a bunch of compiler errors.  Sometimes that means nothing, but in this case the exploit didn't work.  I assumed this was due to the age of the exploit, and when I went searching, I found a few articles on how to repair it so it works on a modern system.


    If you don't already use the web site "have i been pwned?", you should.  It's a solid resource for checking your accounts for possible compromise.  Basically, you enter your email address, it searches its database, and if your address shows up in its list, it spits out the compromised sites and the details of each breach.

    Another feature of the site is the ability to check a password against their list of compromised passwords.  There are about 580 million passwords in their database, and while you may think "l33thacker" is solid, their database says it's been found 55 times.


    With most things in technology, if you don't use it, you lose it.  I was once an MSSQL DBA, but after taking and passing the certification, I never used it -- and then lost it.  I can hack my way around SQL, but I wouldn't call myself a database administrator.  If you don't want to lose it, keep honing your skills, keep learning new things, and with pentesting, keep popping boxes.  Step away from it for just a short period of time and you're rusty.

    This is a skill I do not want to lose and that's why I find spare time to get after these boxes appearing on Vulnhub.  Practice, practice, practice!  


    #!/usr/bin/env python3
    import hashlib
    import requests

    print()
    password = input("[*] Enter password to check: ")
    print()

    # Hash the password locally. Only the first five hex characters of the
    # SHA-1 are ever sent to the API (its k-anonymity "range" search); the
    # remaining 35 characters are compared on this machine.
    hashed = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    first_five = hashed[:5]
    remaining = hashed[5:40]

    print("Checking against Pwned Passwords...")
    print()
    url = "https://api.pwnedpasswords.com/range/" + first_five
    headers = {'User-Agent': 'Mozilla/5.0'}
    response = requests.get(url, headers=headers)
    response.raise_for_status()

    # Each line of the response is "<remaining 35 hex chars>:<times seen>",
    # so compare the suffix field exactly instead of a substring search.
    found = False
    for line in response.text.splitlines():
        suffix, _, count = line.partition(":")
        if suffix.strip() == remaining:
            found = True
            break
    if found:
        print("Bad Password!")
    else:
        print("Good Password!")
    print()
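As an added example (not the script above and not Have I Been Pwned's own code), here is a Python 3 version of the same range lookup that goes a little further: it parses every `SUFFIX:COUNT` line into a dictionary, returns how many times the password was seen rather than a plain yes/no, and tolerates the zero-count padding entries the API returns when the `Add-Padding: true` request header is sent. The sample range body is constructed for illustration (the suffixes and counts are made up, except that the prefix 5BAA6 and the matching suffix really are the SHA-1 of "password"); `lookup_url`, `parse_range` and `pwned_count` run offline, while `fetch_range` and `check_password_live` go to the real API.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for the 5BAA6 prefix (the SHA-1 prefix of
# "password"). The first suffix and all counts are made up for this example;
# the ":0" line imitates a padding entry returned when Add-Padding is set.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
    "1E2DBF7A4A5BC1D4F2E1F5C7E5A2B3C4D5E:0",
])


def sha1_hex_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the API's format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hexdigest: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that never leaves this machine."""
    return hexdigest[:5], hexdigest[5:]


def lookup_url(password: str) -> str:
    """The URL that would be requested: it exposes only the 5-char prefix."""
    prefix, _ = split_hash(sha1_hex_upper(password))
    return API_RANGE_URL + prefix


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Padding entries carry count 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # skip a malformed line rather than crash the check
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_body: str) -> int:
    """Times the password appears in the breach corpus, given the range
    response for its own prefix. 0 means not found (padding lines also
    resolve to 0, so they never produce a false positive)."""
    _, suffix = split_hash(sha1_hex_upper(password))
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Add-Padding asks the API to pad the response
    so its size does not reveal how many real suffixes the range holds."""
    req = urllib.request.Request(
        API_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password: str) -> int:
    """Full flow against the real API: hash locally, send prefix, match locally."""
    prefix, _ = split_hash(sha1_hex_upper(password))
    return pwned_count(password, fetch_range(prefix))


if __name__ == "__main__":
    import getpass

    pw = getpass.getpass("[*] Enter password to check: ")
    seen = check_password_live(pw)
    if seen:
        print("Bad Password! Seen %d times in breach data." % seen)
    else:
        print("Not found in Pwned Passwords.")
```

Reading the password with `getpass` keeps it out of the terminal scrollback, and keeping the parsing in pure functions means the matching logic can be unit-tested against a saved response without touching the network.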




    © 2020 sevenlayers.com