So I found this new CTF hacking site, TryHackMe.  At first glance, it seems like a tamer version of HackTheBox.  I took a quick look around, hacked the first box, and now I'm paying the $10/month for my subscription because it was a good experience and I want to encourage them to grow this with my piddly $10.  The first box on the list is Tomghost so you sort of know where this is headed based on the Ghostcat logo.  If not, I don't go into detail because I just wrote about Ghostcat so you can get my full thoughts from that post.

    The description states:  "Identify recent vulnerabilities to try exploit the system or read files that you should not have access to."  So it's generic but we'll just do our normal routine.  Kicking off with Nmap:


    Before I jump into the post, let's get a definition:  "Terraform is an open-source infrastructure as code software tool created by HashiCorp. It enables users to define and provision a datacenter infrastructure using a high-level configuration language known as Hashicorp Configuration Language, or optionally JSON."

We use AWS mostly and a little bit of Digital Ocean.  The majority of the instances are created from the GUI, but I've been working on a project that requires the spin-up and shutdown of similar servers, and that's where Infrastructure as Code comes in handy.


    I've written a few things about Empire in the past but sometime around July of last year (I think), they stopped maintaining the project.  Then BC Security picked it up and moved the ball forward again.  I liked Empire because it's simple, no nonsense, and it worked.  That said, it wasn't as stealthy as some other C2 frameworks and it was unreliable when it came to evading antivirus.  When the new project came to light, I wanted to take a look but at the same time, I questioned whether or not I'd run into the same issues.  By necessity, I needed to test Empire for something I'm working on so I fired up the new project.


    It's hard to describe this in the subject line but how many times have you been on a Windows system and typed a *nix command?  Or on a *nix system and typed a Windows command?  One could assume that an attacker might do something similar and we could take advantage of that mistake.  First, we'll need to alias some commands like ifconfig and ls with doskey.  Our macro file looks like this:


If you found yourself reading this article you probably know what a dropbox is already, but to summarize, it's a piece of hardware that is either overtly or covertly planted on the network.  This particular model that I've constructed is using a Raspberry Pi Zero running Raspbian Lite.  In the diagram below, my dropbox is sitting on the customer network.  It uses OpenVPN and calls home to our C2 server.  Logging into our C2 server, we can then SSH back into our dropbox, bypassing all of the security measures.  What we do next depends on the engagement; this post is about the setup of the dropbox.


    From the description:  "Chisel is a fast TCP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server."

    What I like about this tool is that it's a single binary that supports both client and server while also being multi-platform.  What I don't like is that it seems to be very particular about the syntax ordering.  That being said, this is a tool in my toolbox for that very special need.  For example, we know there's a web server at the following address but when we perform an Nmap scan, we don't see it:


    Page 7 of 59

    © 2020 sevenlayers.com