Posts

Showing posts from September, 2022

Right Module then shell

Finally we have made it. Here I will check that we have the right module and then I will get my shell. Again, remember these are just notes and not all of them. But if you see something and you know of a more effective way, I am always up for hearing and learning new things. So, line 4 we eventually get rid of, but one thing to note is that on line 6, when we type it into the script, we are typing it backwards and only 2 characters at a time. Now I am sure there is a reason, and it is significant, but the course did not go into it. Here I am copying the payload after it was created. Now we add the payload to the script. This is the remainder of the script. Run this and we have completed the objective. Feel free to reach out on LinkedIn or Twitter.

Overwrite and BadChars

I wrote a script for bad chars and show how I overwrite the program. This is all leading up to finding the right module and then gaining shellcode. Exploit development is definitely something I want to take some more time to get to know. I plan on going through these videos at least one more time. So a couple of things to remember: take out "\x00" and make sure you wrap it in "()". Here is the first code I wrote, and here is the correct code. Anyone catch the mistake? That's right, line 9 I forgot to change. Now remember, like with all the lessons before, we are running both vulnserver and Immunity Debugger as admin. Attaching vulnserver to Immunity Debugger and pressing play. The goal is to overflow the buffer space, through the EBP (Extended Base Pointer) and into the EIP (Extended Instruction Pointer), which is where we will be placing the malicious code. And as you can see it is now paused, meaning we gained overflow and crashed the machine....

Offset

What I am doing here is finding the offset. Again, this is all enumeration for the end attack. The more information we have, the easier it is to overload this machine. Remember to run vulnserver and Immunity Debugger as Admin and attach them. And here we are using the number 3000. Why is that? Well, if you remember, in the last blog the tipping point was 2900, so now we are ensuring enough characters will be used. We get this printout and we are going to copy it to put in our script. A few things to note. We no longer need the time, so we erased that. We set our "offset" to what we just copied and pasted, and we are no longer using a while loop. I took this picture to make a point. Make sure you copy the characters exactly. I had a single space after the last "9" and it messed up my whole script. So we removed the space, ran the program and, as you can see, we achieved overloading it and it's paused. Now in a very messy way I have highlighted the important part here. ...

Spiking and Fuzzing

Here we started getting an introduction to some new tools, using vulnserver and Immunity Debugger. We did this as an introduction to exploit development. So the first thing you need to do is go out and download both vulnserver and Immunity Debugger. Now that you've done that, run both vulnserver and Immunity Debugger as administrator. Then attach vulnserver to Immunity Debugger and press play. Make sure in the bottom right it says "Running". Here we use "nc" and "-nv" with the IP address of the target server with a port of 9999 to gain access, and then we used "HELP" to print out all the valid commands. Here we use the command "generic_send_tcp" with our IP address, port 9999 and trun.spk. Now to be honest I don't 100% remember what the following 2 zeros are for, as this was a few weeks ago and, like many people, I don't remember every single detail (hence the screenshots and this blog). And here you see it's paused again because we have ju...

BlackPearl Exploit

Now this exploit for my rig was a little hard just because I do not have the most RAM and it required slightly more than the others. So I took fewer screenshots. This again is the same step as the others: figuring out what ports were available. Here we are using "ffuf" again. Now I believe this is the first time we used "dnsrecon". And here we add the DNS to our machine so we can perform the attack. Follow me at LinkedIn or Twitter.

The Dev Exploit

This is the Dev machine through TCM's Practical Ethical Hacking course. Here we did the same thing as the last box: "dhclient" and "ip a". Here we run "nmap" to find open ports. This is the fourth or fifth exploit, and what I have realized is that the first several steps, whether it's on a Windows or Linux machine, are the same. Here I showed all the ports because some of the important ports were a little out of sight on the previous slide. Here we are obtaining some vital information. We were able to see the PHP page and get some good information. Using "ffuf" again to gain some enumeration. Here we used "searchsploit" for the first time. Now following this we used the information gathered to gain privilege escalation and captured the flag. Follow me on LinkedIn or Twitter.

The Academy Exploit

This is the Academy VMware exploit. I was asked not to post the whole thing, so I have most of it on here. This is me getting access to the box. First you run "dhclient" then "ip a" to get the IP address of the box you are going to attack. Here we run "nmap" to find out what ports are open: what can we exploit? Here we use "ftp" to connect and see an interesting "note.txt" file. Here we "cat" the "note.txt" file. If you notice, it gives us a lot of valuable info. Here we use "dirb" to directory bust the target. Here is the first time I used "ffuf". Here we listened and were able to obtain root access and capture the flag. Follow me or reach out at LinkedIn or Twitter.

Sockets, Hydra and My very first port scanner

So we only touched on sockets briefly, but we built our first port scanner. Now I decided to try both the 50-85 range like the lesson taught, then I went back and scanned all of them just out of curiosity. Let me tell you, it took a while with as little processing power as my laptop has. But it was a fun lesson. Socket above and Hydra below. Then below here is my first port scanner. Feel free to reach out on LinkedIn or Twitter.

Manual Exploitation

Now this was a little misleading when they said this. I thought we would be going out and brute forcing or something like that. But instead, we used Hydra and Metasploit to manually gain root access. While I expected more, it was still really cool and, let's face it, we all should be using the tools out there. I mean, it's always good to have a base knowledge of how to do it if the tools become unavailable, but tools are there for a reason. One of the biggest, aside from convenience, is consistency. This ^ is the Hydra code. And this ^ is me gaining root access again. Feel free to reach out on LinkedIn or Twitter.