Category Hacking

If you follow me on Twitter @xxByte you must have seen the tweets about scaning a large scope of IPs and how did I approach that.

The goal: To scan all TCP ports (0-65536) of ~800 IPs spread across Europe and detect any low hanging fruits using automated tools or manual assessment in the most efficient way with the least resources needed.

The approach:

Let’s first do some math. Scanning 65536 TCP ports on 800 IPs means:
65536 x 800 = 52428800. That’s 52428800 SYN packet out and waiting for a SYN ACK reply packets in total.

To have the rest of the project requirements we need to scan each open port with deeper script scan and version detection scan, which means even more packets.

At such scale we cannot afford to script scan blindly all TCP ports...

This year I was at bruCon in Ghent, BE. I usually either go to interesting talks or spend the conferences in challenges just like I did in Defcon back in 2017.

So during bruCON I stumbled upon this challenge with QR-code that says “first one to scan this gets 100€”; in my head I thought pff this is easy and I will probably not be the first one to scan this. So I popped my phone and scanned. Nothing happened. Then I was like oh wait .. a huge piece of this qr-code is missing.

So the first thing I thought of is to mark the squares randomly because I thought it must be redundant or error correction squars. Remember at this point I know nothing about qr-codes...

If you work in security and don’t encrypt your drives, maybe you should consider something else 😉

I recently was trying to make peace with Windows 10 co-living with Kali 2019 and it was really painful process. Each time I got one side working the other side was complaining.

Eventually it boils down to this:

1- Install Windows 10 fully (including setting up a user, and password, etc.) Failign to do so will corupt the encrypted partition of kali

2- Install Kali until you reach the step to partition the disk. Choose “Manual”

3- now create 3 partitions:
– one is for /boot (~256mb)
– one for swap area (8-10gb)
– the rest is for the root mount /

4- now go to “Encrypt partition” and click “Yes” for writing the current partitions

5- now choose wherever you have swap and root...

the reason why I’m writing this post is due to the lack of reviews I found online about AWE course offered by offensive security. If you look up for OSCP or OSCE they are plenty but not so much for OSEE/AWE. If there is something I learned from hacking cons is that you can contribute to the infosec world by creating any kind of helpful material for other people (refer to the hacker manifesto); hence I decided to contribute to the infosec world in my own way too.

a little background:
To be honest it took me quite some energy and time to even get into this course due to its high demand and lack of availability. Fast forward I was sitting with almost other 30 students in Blackhat 2018 fronted by the offsec staff to teach us some exploitation black magic; and oh boy was it black magic…

the 4...

If you missed this one; please head to this link, and try it yourself before going to the solution.

Wait; did I say BackTrack? Yes Backtrack is still a cool (outdated) distro for hacking!
If for some odd reasons you still need to use BackTrack in 2017 (hello? have you heard of Kali), I won’t judge you.
Maybe you’re doing your OSCE and need an image that is still in the course / labs

This post is meant to save you some time if you haven’t used BackTrack for a while and need to get some things done with it.

1. We want to change the root password

Recently I was working on one of the vulnhub vulnerable boxes and once I finally got a reverse shell it was a restricted one. What a bummer!
In this post I want to document how did I breakout of it in a simple way.

There many ways to break out of the restricted shell (aka /bin/rbash). One simple way for example is to use perl or python to call /bin/sh:

Perl/Python aren’t the only ways. You can STILL breakout if vim, vi, awk, gdb, more, less, etc. are allowed!

• check out this slide for full list and explanation.
• This SANS article is also detailed and full of examples

What I want to add here is a special case of a restricted bash, that’s when the rbash is called with an output redirection.
So might be able to use the earlier tricks to breakout but it’s no good as all the output is being r...