m8r0wn
menu

Blog


TBBT: FunWithFlags Walkthrough (Vulnhub)

As a fan of The Big Bang Theory, and while practicing "social distance" due to COVID-19, I decided to try a writeup for emaragko's TBBT: FunWithFlags machine on vulnhub.com. My goal was to gain root privileges on the box and identify all 7 flags using only open source tools, without the use of Metasploit.


Internal Information Disclosure using Hidden NTLM Authentication

During an offensive security engagement it may not be a major vulnerability that leads to your end-goal, but a combination of lower severity findings compounded to make a larger impact. This post discusses information disclosure through NTLM authentication, which is one of those smaller vulnerabilities that can lead to greater attacks under the right circumstances. Additionally, we will demonstrate methods for invoking an NTLM challenge response, even when no login page is present, to coerce this information.


Why Your Payloads Aren't Working

This blog is intended to be an introduction to payload generation and environmental factors to consider when crafting payloads during a penetration test, or red team engagement. Although seemingly elementary, these concepts carry over into multiple tools commonly used and stress the importance of situational awareness.


Stored XSS in Cacti v1.1.38

A few weeks ago I ran into an older version of the Cacti network graphing solution, which led me down the path of researching the application. This revealed some interesting vulnerabilities, discussed in this post, that I have disclosed on the Cacti issues page.


Enumerating Windows with the Linux "net" Commands

There are several situations in penetration testing when all you have is your Linux machine against a Windows Active Directory environment. In that situation, it is helpful to know the various ways to interact with AD through the Linux 'net' commands.