Unbricking Proxmark3 RDV4 with a Shikra

Yesterday I unboxed my shiny new Proxmark and proceeded to immediately brick it trying to update the firmware. I saw a couple of guides for de-bricking it using the BusPirate, but I only have a Shikra. I thought surely this is a thing, and did some Googling and pretending like I know what I am doing until to my surprise, it worked! Things you’ll need: A bricked Proxmark3 RDV4 - https://hackerwarehouse.

How I Hacked BlackHat 2018

BlackHat is one of the world’s largest cybersecurity events which takes place in the USA in Las Vegas every summer. Those who have attended BlackHat may have noticed that their badge contains an NFC tag. This NFC tag is scanned at booths in the Business Hall so vendors can collect their marketing data including name, address, company, job title, and phone number. Following BlackHat, attendees who have had their badges scanned by various vendors then receive a barrage of marketing emails.

Adventures in Privesc: SCCM and Viewfinity

With the welcome shift of companies revoking local-administrator permissions from standard users, came the challenge of how to allow users to perform administrative actions on their machines — such as installing approved software — without making them full-blown administrators on their machines. Several tools exist to resolve this problem by allowing a low-privilege user to perform software installation in an elevated context. An issue I discovered with this approach is that when a user can interact with an installer deployed using one of these solutions, they can often escalate privileges on their machine.

Deploying Gophish to a VPS

Standing up a new phishing infrastructure in a VPS is simple and prevents issues such as having your infrastructure blacklisted from earlier campaigns. Linode is my favorite VPS to use for phishing infrastructure because they make reverse-DNS easy which helps with spam scores, but any VPS will work. These instructions are written for Debian only, but can be altered for any Linux distribution. Download Gophish The first thing you need to do is set up your Debian server on your VPS.

Enumerating AD from Linux

This article will describe two scenarios where you have a foothold in an Active Directory environment on a Linux system. The first is that you have a limited user account on a machine that is not attached to the domain. The second is that you are on a Linux machine that is domain joined but do not have any user credentials. This was a scenario I encountered in a client environment and it turned out to be very useful to be able to make LDAP queries to the domain.

SickOs 1.2

First, Nmap was run to scan for open ports and running service versions. nmap -sV Starting Nmap 7.30 ( ) at 2016-10-14 11:29 MDT Nmap scan report for Host is up (0.00059s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0) 80/tcp open http lighttpd 1.4.28 MAC Address: 00:0C:29:09:A5:6D (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed.


First, Nmap was run to scan for open ports and service version on the machine. nmap -sV Starting Nmap 7.30 ( ) at 2016-10-20 11:46 MDT Nmap scan report for Host is up (0.0014s latency). Not shown: 999 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3) MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC) Service detection performed. Please report any incorrect results at https://nmap.


First, Nmap was used to port scan the target machine and enumerate running services with the -sV flag. nmap -sV Starting Nmap 7.30 ( https:// ) at 2016-10-25 11:47 MDT Nmap scan report for Host is up (0.000071s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 9999/tcp open abyss? 10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3) MAC Address: 00:0C:29:4E:E6:A7 (VMware) Service detection performed. Please report any incorrect results at https://nmap.