#hack100days Day84: Poked at a box on another platform. Looks like BlueKeep is the way in, but Metasploit module is for x64 and the target is x86. Found a PoC for x86, but I'm fighting Python module dependencies. I need to get better at venv, I guess. Then the clock ran out, so I can't pick at it until tomorrow. #infosec #cososec
#hack100days Day83.1 Update: Finished 2nd box. Reset box and switched to meterpreter shell instead of trying to use command shell. Worked great. #infosec #cososec
#hack100days Day83: Hands on keyboard today! Worked on a pair of TryHackMe boxes. One down pretty quickly. Some progress on the second. Using msfconsole and msfvenom on that one. Issue w/getting handler and payload to match. Don't use it a whole lot, so more googling than I like. #infosec #cososec
#hack100days Day82: Read ch 4 of _Web Application Hacker’s Handbook_. #infosec #cososec #enumallthethings
#hack100days Day81: Started Practical Web Application Security and Testing class from mttaggart #infosec #cososec
#hack100days Day80: Read ch 3 of _Web Application Hacker’s Handbook_. #infosec #cososec (fixed unfortunate typo)
#hack100days Day 79: Didn’t make time to get hands on keyboard today. Started _Web Application Hacker's Handbook_ and got through first two chapters. While it’s 11 years old, still seems pretty relevant. #infosec #cososec #authn #authz #inputvalidation
#hack100days Day78: Went along with the Alh4zr3d stream on a PG Play box. Rated as hard. Got a bead on the foothold. Slowing down to make some notes. Make brain wrinkles and have something to come back to in the future--tags, MF! #infosec #cososec #tags #sqli #weakasspasswords
#hack100days Day77: I finished last night's target on Offsec PG Practice. Started in on a new one today. BlueKeep is a spooky vuln. Should be done w/that one soon. #infosec #cososec #patchyoshit
#hack100days Day76: Listened in on a couple of Twitch streams by Alh4zr3d and mttaggart. Poked at a Winderz box on offsec proving grounds. #infosec #cososec #alwaysbeenumerating
#hack100days Day75: Got my CTF prize, a month-long access to Offsec Proving Grounds Practice, so started on that. Hitting the first easy box. Basic enumeration in-flight. SSH, DNS, two web services, and two mqueue listeners. #infosec #cososec
#hack100days Day74: Found a user w/low priv on the HtB box--based on the hostname, I took a flyer at a username I thought would match. Was able to use it to enumerate some additional users. Now brute-forcing for passwords. No school like the old school. Really wish folks would use fasttrack.txt for password brute forcing. Fairly long list of users, so this will take a while. #infosec #cososec
#hack100days Day73: Took a crack at today's release on HtB. Bunch of enumeration. Still poking around to find entry point. Not a webserver and I'm out of practice on anything but web servers, so this is good. Slow. But good. #infosec #cososec
#hack100days Day72.1: Update. I eventually figured the pivot—“pcap, or it didn’t happen!” Learned a bit more about Docker and worked on Wireshark skill. Ended up w/in top 10 and got a cyberrange voucher from the prize pool. I reckon there were between 50 and 100 people taking a crack at it. #infosec #cososec #hackinonthepatio
#hack100days Day72: Continued banging on ctf. Limited rce was sneaky rabbit hole. Found correct path to get shell. New one on me, so that was fun. Working on pivot point. This one's a little tougher. #infosec #cososec
#hack100days Day71: Almost forgot to log it. Watched a stream. Hacked on a ctf. Figured out limited rce, but stumped on turning it into something really useful. It’ll be on tomorrow, so maybe a fresh look after sleep and coffee. #infosec #cososec #ctf
#hack100days Day70: More work on HtB Academy & ffuf. Made some progress and then stalled. Looks like word list choice is finicky. Read this article and found it pretty interesting: https://blog.includesecurity.com/2022/07/hunting-for-mass-assignment-vulnerabilities-using-github-codesearch-and-grep-app/. Signed up for the beta of git CodeSearch. #infosec #cososec
#hack100days Day69: More work on HtB Academy & ffuf. One more exercise to complete. Also kibitzed on Alh4zr3d stream while he walked through a couple of TryHackMe boxes. #infosec #cososec
#hack100days Day68: More work on Hack the Box Academy and on the ffuf module. Not making it through it as fast as I would like. Practice makes perfect! #infosec #cososec
#hack100days Day67: Hack the Box Academy, did the ffuf module. #infosec #cososec
Muddling through.