Ninja.Style

How I Hacked BlackHat 2018

BlackHat is one of the world’s largest cybersecurity events which takes place in the USA in Las Vegas every summer (https://www.blackhat.com/us-18/). Those who have attended BlackHat may have noticed that their badge contains an NFC tag. This NFC tag is scanned at booths in the Business Hall so vendors can collect their marketing data including name, address, company, job title, and phone number. Following BlackHat, attendees who have had their badges scanned by various vendors then receive a barrage of marketing emails.

Adventures in Privesc: SCCM and Viewfinity

With the welcome shift of companies revoking local-administrator permissions from standard users, came the challenge of how to allow users to perform administrative actions on their machines — such as installing approved software — without making them full-blown administrators on their machines. Several tools exist to resolve this problem by allowing a low-privilege user to perform software installation in an elevated context. An issue I discovered with this approach is that when a user can interact with an installer deployed using one of these solutions, they can often escalate privileges on their machine.

Deploying Gophish to a VPS

Standing up a new phishing infrastructure in a VPS is simple and prevents issues such as having your infrastructure blacklisted from earlier campaigns. Linode is my favorite VPS to use for phishing infrastructure because they make reverse-DNS easy, which helps with spam scores, but any VPS will work. These instructions are written for Debian only, but can be altered for any Linux distribution.

Download Gophish

The first thing you need to do is set up your Debian server on your VPS.

Enumerating AD from Linux

This article will describe two scenarios where you have a foothold in an Active Directory environment on a Linux system. The first is that you have a limited user account on a machine that is not attached to the domain. The second is that you are on a Linux machine that is domain joined but do not have any user credentials. This was a scenario I encountered in a client environment and it turned out to be very useful to be able to make LDAP queries to the domain.

SickOs 1.2

First, Nmap was run to scan for open ports and running service versions.

nmap -sV 192.168.130.131

Starting Nmap 7.30 ( https://nmap.org ) at 2016-10-14 11:29 MDT
Nmap scan report for 192.168.130.131
Host is up (0.00059s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    lighttpd 1.4.28
MAC Address: 00:0C:29:09:A5:6D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed.

Fristileaks

First, Nmap was run to scan for open ports and service versions on the machine.

nmap -sV 192.168.130.128

Starting Nmap 7.30 ( https://nmap.org ) at 2016-10-20 11:46 MDT
Nmap scan report for 192.168.130.128
Host is up (0.0014s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.

Brainpan2

First, Nmap was used to port scan the target machine and enumerate running services with the -sV flag.

nmap -sV 192.168.130.130

Starting Nmap 7.30 ( https://nmap.org ) at 2016-10-25 11:47 MDT
Nmap scan report for 192.168.130.130
Host is up (0.000071s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE VERSION
9999/tcp  open  abyss?
10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)
MAC Address: 00:0C:29:4E:E6:A7 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.