Having completed the e-learning's eJPT, which I posted about here I have now embarked upon Offensive Security's PWK course, leading to the OSCP certificate. After the sign-up process and after waiting for my intake date, I received a series of emails giving me the course material (a PDF of a 375 pages and 149 videos), links to their lab control panel and instructions on how to download their version of Kali plus how to get to their labs via VPN. The materials seem quite good albeit a little sparse compared to how I expected them to be. Unlike the eJPT there are no lab challenges at the Continue Reading
VulnHub VM: Stapler
This has turned out to be quite a fun box to attack because it has multiple ways in and supposedly multiple escalation methods too. I prefer this sort of CTF to the ones where they hide passwords in Base64 encoded jpgs in the page source and that sort of thing. This is less of a puzzle/game and more realistic, albeit an unrealistically badly configured security setup. N.B. when I write these up, I write as I'm doing it so it's not a carefully edited walk-through as such but more of a record (for myself) as to what I did, as I did and the thought-processes which I'm hoping to Continue Reading
Kioptrix2014
I'm intending to start the OSCP course in the nearish future and wanting to give myself the best possible chance of success with it, I'm doing some more CTFs. I found this list of supposedly relevant CTFs: https://medium.com/@a.hilton83/oscp-training-vms-hosted-on-vulnhub-com-22fa061bf6a1 Top of the list is Kioptrix: 2014. Enumeration Booting up the VM you're presented with a bare login page with no info to be gleaned. I've put the machine on a host-only network of 10.0.0.0/24 and I can see the IP it's bound in the info on the boot screen. A basic nmap gives me: root@kali2017-1:~# nmap Continue Reading
LazySysAdmin 1 – revisited
In this post https://neilsec.com/ctf/vulnhub-lazysysadmin-1-ctf-attempt/ I had a crack at the LazySysAdmin VM from VulnHub and found the hidden flag. However it seemed a bit odd/easy to just enumerate some website directories and find a password, whilst ignoring all the Wordpress and myphpadmin bits. So I thought I'd have another look at it to see if there were other ways of rooting the box. Back to Wordpress So going back to the Wordpress site, I had a go at the login page using the credentials. WPSCAN had earlier told us that Admin was a valid username and so I tried the database Continue Reading