7MS #583: Cred-Capturing Phishing with Caddy Server

Today my pal Paul from Project7 and I hack the heck out of Billy Madison a vulnerable virtual machine that is celebrating its 7th anniversary this month!

1 Syys 202336min

Today, sadly, might be the last episode of DIY pentest dropbox tips for a while because I found (well, ChatGPT did actually) the missing link to 100% automate a Kali Linux install! Check episode #449 for more info on building your Kali preseed file, but essentially the last line in my file runs a kali.sh script to download/install all the pentest tools I want. The "missing link" part is I figured out how to get Kali to reboot and then run a script one time to complete all the post-install stuff. So at the bottom of my kali.sh is this: sudo wget https://somesite/kali-docker.sh -O /opt/kali-docker.sh sudo chmod +x /opt/kali-docker.sh sudo touch /flag sudo wget https://somesite/docker.service -O /etc/systemd/system/mydocker.service sudo systemctl daemon-reload sudo systemctl enable mydocker.service The contents of docker.service are: [Unit] Description=Docker install [Service] Type=simple ExecStart=/opt/kali-docker.sh [Install] WantedBy=multi-user.target The beginning and end snippets of kali-docker.sh are: #!/bin/bash flag_file="/flag" if [ -e "$flag_file" ]; then # get bbot sudo docker run -it blacklanternsecurity/bbot:stable --help # Do a bunch of other install things... rm "$flag_file" else echo "Script already ran before. Exiting" fi So essentially the work flow is: kali.sh runs, downloads and installs kali-docker.sh, and also installs a service that runs kali-docker.sh on each reboot. But when kali-docker.sh runs, it checks for the presence of a file called /flag. If /flag exists, all the post-install commands will run. If it does not exist, those commands won't run. Simple, yet genius I think!

25 Elo 202318min

Hey friends, today I'm super excited to share I found the missing link! Specifically, the missing piece that now allows me to create fully automated Windows 10 installs that serve as virtual pentest jumpboxes. Here are the high points: When your deployment script is finishing and you need the system to reboot and run some final commands, temporarily add your account as an auto-login account like so: new-itemproperty -path 'hklm:\software\microsoft\windows nt\currentversion\winlogon' -name AutoAdminLogon -value 1 -force new-itemproperty -path 'hklm:\software\microsoft\windows nt\currentversion\winlogon' -name DefaultUserName -value "your-local-user" -force new-itemproperty -path 'hklm:\software\microsoft\windows nt\currentversion\winlogon' -name DefaultPassword -value "your-password" -force Then tell Windows to run your final script one time after automatically logging in as your-local-user: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v MyRunOnceKey /t REG_SZ /d "c:\your-final-script.bat" Finally, make sure your your-final-script.bat deletes the auto-login creds: reg delete "hkey_local_machine\software\microsoft\windows nt\currentversion\Winlogon" /v DefaultUserName /f reg delete "hkey_local_machine\software\microsoft\windows nt\currentversion\Winlogon" /v DefaultPassword /f reg delete "hkey_local_machine\software\microsoft\windows nt\currentversion\Winlogon" /v AutoAdminLogon /f

18 Elo 202324min

In today's tale of pwnage, we'll talk about how domain trusts can be dangerous because they have...well...trust issues.

11 Elo 202317min

Today we had a blast playing with Wazuh as a SIEM you can use for work and/or home. Inspiration for this episode came from Network Chuck. This one-liner will literally get Wazuh installed in about 5 minutes: curl -sO https://packages.wazuh.com/4.4/wazuh-install.sh && sudo bash ./wazuh-install.sh -a P.S. if you accidentally close your command window before writing down the admin password (like I did), you can use this command to retrieve it: sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt Once Wazuh is installed, I recommend going to Management > Configuration > Edit Configuration, look for a section that starts with  and change no to yes. Also, before you start deploying agents, I recommend making some groups for them, which I believe has to be done at the command line: /var/ossec/bin/agent_groups -a -g windows-boxes -q /var/ossec/bin/agent_groups -a -g linux -q From there you should be ready to start rockin' some agent installs. Have fun!

31 Heinä 202350min

Oooo, giggidy! Today's tale of pentest pwnage is about pwning vCenter with CVE-2021-44228 - a vulnerability that lets us bypass authentication entirely and do/take what we want from vCenter! Key links to make the magic happen: How to exploit log4j manually in vCenter How to automate the attack! Tool to steal the SAML database you extract from vCenter

21 Heinä 202322min

Today me and my pal Paul from Project7 did a live hacking session and finally got the Callahan Auto brake pad Web app back online! Hopefully you enjoyed this hacking series. The feedback has been great, so we may have to take a crack at Billy in the near future as well.

17 Heinä 202331min