
Target Experience:

My observations while working this target:

· Enumeration: Life-like

· Vulnerabilities: Life-like

· Exploitation: Life-like

· Foothold Difficulty: Medium

· Privilege Escalation Difficulty: Easy/Medium

Tools:

The recommended tools for this lab were:

· Nmap

· CrackmapExec

· Web Browser

· HashCat

· SMBPasswd

· RPCClient

· Evil-WinRM

· Visual Studio 19 (on Windows)

· NetCat

· HTTP Server

Vulnerabilities:

· Exposed Username(s)

· Weak Password

· Cleartext Password

· Privilege Abuse

Information Gathering:

Using Nmap, I scanned the target system with service version detection, OS detection, script scanning and verbose output, saving the results to a file.



Network Experience:

My observations while working the targets:

· Enumeration: Life-like

· Vulnerabilities: Life-like

· Exploitation: Life-like

· Flag Difficulty — Breach: Hard

· Flag Difficulty — Deploy: Easy

· Flag Difficulty — Ghost: Easy

· Flag Difficulty — Camouflage: Hard

· Flag Difficulty — Doppelgänger: Easy/Medium

· Flag Difficulty — Owned: Easy/Medium

Tools:

The recommended tools for this lab were:

· Nmap

· Browser

· Gobuster

· Various Wordlists

· Telnet

· smtp-user-enum

· swaks

· netcat

· Python HTTP Server

· Citrix Receiver client

· PowerUp.ps1

· MSFVenom

· Invoke-PowerShellTcp.ps1

· PowerView.ps1

· Nslookup

· Net view

· Net use

·…



Target Experience:

My observations while working this target:

· Enumeration: Life-like

· Vulnerabilities: Life-like

· Exploitation: Life-like

· Foothold Difficulty: Hard

· Privilege Escalation Difficulty: Medium

Tools:

The recommended tools for this lab were:

· Nmap

· CrackmapExec

· SMBClient

· GetNPUsers

· Hashcat

· PowerView (Windows)

· RPCClient

· Pypykatz

· Evil-WinRM

· Diskshadow (Windows)

· Secretsdump

Vulnerabilities:

· Exposed Usernames

· Kerberos Pre-Authentication not required

· ACE Privilege Abuse

· Sensitive File Information

· Backup Privilege Abuse

Information Gathering:

Using Nmap, I scanned the target system with service version detection, OS detection, script scanning and verbose output, saving the results to a file.


After completing the OSCP, I was trying to find the “what’s next” for my educational journey as well as for my pentesting career. I returned to HackTheBox and started studying with Offshore. However, more than halfway through, I ended up hitting the proverbial “brick wall”. Instead of continuing to ask for help while not totally understanding some of the attacks, I decided to take PentesterAcademy’s Attacking and Defending Active Directory course to fill in the gaps.

Background:

As I have mentioned in some of my other postings, I have been in the IT field for 24+ years and held positions as…


One of the tools that I like to use against Windows-based machines during a pentest or a CTF is CrackMapExec, by Marcello Salvati (aka byt3bl33d3r). I have used this tool on various *nix systems for a couple of years and wanted to share some of the basics that work for me.

In my effort to migrate tools to OSX, I followed the installation instructions and installed the latest bleeding-edge 5.1.0dev package into a virtual Python environment, which I had set up using Homebrew.

To launch the environment, simply execute pipenv shell.

Figure 1: Executed Virtual Environment

Once in the…


I have had the opportunity to work on my Windows attacking skills within a couple of different CyberRanges recently. I have been trying to understand the different use cases with Mimikatz and decided to share my experiences with a Golden Ticket Attack.

To start, a Golden Ticket is a post-exploitation attack that provides domain persistence. That is, the attacker has already compromised an account that has DCSync rights to the Active Directory domain, and is therefore able to dump the krbtgt hash along with the domain SID and use this information to create a forged Golden Ticket.

Figure 1: Obtained Hash and SID

Prior…


I had a recent project to pentest a Microsoft Office 365 (O365) environment. When researching, I found that Microsoft implemented changes towards the end of 2019 to help mitigate user enumeration issues. With those changes, many documented techniques and automated tools that previously leaked that information either no longer worked or returned mixed results. Based on my testing, I used some modified techniques that helped me obtain valid O365 user accounts.

Site Enumeration:

Covering the basics, I performed a DNS query to determine the contents of the target organization’s MX record. If the MX record contained protection.outlook.com, …


I attended a recent on-line preview training of Breaching the Cloud Perimeter, presented by Beau Bullock (@dafthack). This training mentioned a technique of using a script named FireProx with an AWS API Gateway to create a pass-through proxy, which rotated the source IP address with every request. I was very intrigued and wondered how I could use this technique during a pentest.

My first thought was: why not use Tor? But then I thought of cloud applications like Azure/O365 that implement conditional geolocation. Using the regions within AWS would give me better control of where my source IP address originated…


After several months of studying, I was finally able to achieve the OSCP certification after two attempts. This has been one of the certifications I have desired since making the switch from a long career in Cisco UC/Networking to Cybersecurity. With that said, I wanted to share my experience to help inspire those wanting to achieve this certification as well as those who have been struggling to pass the exam.

Background:

I have been in the IT field for 24+ years and held positions as a PC Tech, System Admin, Security Admin, Network Admin/Architect/Consultant, UC (Unified Communications) Admin/ Architect/Consultant…



Target Experience:

My observations while working this target:

· Enumeration: Life-like

· Vulnerabilities: Life-like/CTF-like

· Exploitation: Life-like/CTF-like

· Difficulty: Easy/Medium

· Community Notes: Life-like/CTF-like

Tools:

The recommended tools for this machine were:

· Nmap

· Gobuster

· Nikto

· Browser

· Netcat

Vulnerabilities:

The following vulnerabilities were found:

· Evading Whitelist

· Local Privilege Escalation (Code Abuse)

· Local Privilege Escalation (Script Flaw)

Information Gathering:

Using Nmap, I performed a SYN scan of all TCP ports with service version detection as well as the default safe scripts.

Mike Bond

Cyber Security Enthusiast
