Show more

Day84: Poked at a box on another platform. Looks like BlueKeep is the way in, but metasploit module is for x64 and the target is x86. Found a PoC for x86, but I'm fighting python module dependencies. I need to get better at venv, I guess. Then the clock ran out, so I can't pick at it until tomorrow.

Day83.1 Update: Finished 2nd box. Reset box and switched to meterpreter shell instead of trying to use command shell. Worked great.

Day83: Hands on keyboard today! Worked on a pair of TryHackMe boxes. One down pretty quickly. Some progress on the second. Using msfconsole and msfvenom on that one. Issue w/getting handler and payload to match. Don't use it a whole lot, so more googling than I like.

Day81: Started Practical Web Application Security and Testing class from mttaggart

Day80: Read ch 3 of _Web Application Hacker’s Handbook_. (fixed unfortunate typo)

Day 79: Didn’t make time to get hands on keyboard today. Started _Web Application Hacker's Handbook_ and got through first two chapters. While it’s 11 years old, still seems pretty relevant.

Day78: Went along with the Alh4zr3d stream on a PG Play box. Rated as hard. Got a bead on the foothold. Slowing down to make some notes. Make brain wrinkles and have something to come back to in the future--tags, MF!

Day77: I finished last night's target on Offsec PG Practice. Started in on a new one today. Bluekeep is a spooky vuln. Should be done w/that one soon.

Day76: Listened in on a couple of twitch streams by Alh4zr3d and mmtaggart. Poked at a Winderz box on offsec proving grounds.

Day75: Got my CTF prize, a month-long access to Offsec Proving Grounds Practice, so started on that. Hitting the first easy box. Basic enumeration in-flight. SSH, DNS, and two web services and and two mqueue listeners.

Day74: Found a user w/low priv on the HtB box--based on the hostname, I took a flyer at a username I thought would match. Was able to use it to enumerate some additional users. Now brute-forcing for passwords. No school like the old school. Really wish folks would use fasttrack.txt for password brute forcing. Fairly long list of users, so this will take a while.

Day73: Took a crack at today's release on HtB. Bunch of enumeration. Still poking around to find entry point. Not a webserver and I'm out of practice on anything but web servers, so this is good. Slow. But good.

Day72.1: Update. I eventually figured the pivot—“pcap, or it didn’t happen!” Learned a bit more about Docker and worked on Wireshark skill. Ended up w/in top 10 and got a cyberrange voucher from the prize pool. I reckon there were between 50 and 100 people taking a crack at it.

Day72: Continued banging on ctf. Limited rce was sneaky rabbit hole. Found correct path to get shell. New one on me, so that was fun. Working on pivot point. This one's a little tougher.

Day71: almost forgot to log it. Watched a stream. Hacked on a ctf. Figured out limited rce, but stumped on turning it into something really useful. It’ll be on tomorrow, so maybe a fresh look after sleep and coffee.

Day70: More work on HtB Academy & ffuf. Made some progress and then stalled. Looks like word list choice is finicky. Read this article and found it pretty interesting: blog.includesecurity.com/2022/. Signed up for the beta of git CodeSearch.

Day69: More work on HtB Academy & ffuf. One more exercise to complete. Also kibbutzed on Al4zr3d stream while he walked through a couple of TryHackMe boxes.

Day68: More work on Hack the Box Academy and on the ffuf module. Not making it through it as fast as I would like. Practice make perfect!

Show more

ath0

CounterSocial is the first Social Network Platform to take a zero-tolerance stance to hostile nations, bot accounts and trolls who are weaponizing OUR social media platforms and freedoms to engage in influence operations against us. And we're here to counter it.