Author: Graham Thomas

Defcon, Bsides and July Update

These past two months have been all about steady improvement. The work I have been doing at AttackIQ really helps "round" me out in the security field. And when I say that, I really mean expose me to topics so I know they exist. The Intuit DevSecOps bootcamp trial run ended last week. While the content was kinda scattered because it was a trial run, simply being exposed to it allowed me to assimilate enough knowledge to be able to teach myself if the need arises. Now that the bootcamp is over I can start going to OWASPSD again. Although, those are usually hit or miss... I've popped a decent amount of boxes, mostly by reading walkthroughs. Walkthroughs are like a shotgun shell for learning. While doing the box without aid can potentially yield more knowledge, getting stuck on a box

Website Troubles

I don't know if anyone tried to access my site or not, but I was planning on testing my phishing attacks on some of my friends. I created a PHP file that sent me an email with the IP of the person who clicked on it. For some reason, when redirected to, this site sent over 45 emails, which broke the terms of service with my prior provider. Not only that, but these people locked my FTP server so I couldn't get my files back. I ended up paying them 6 dollars to get access back. I dumped my database and my files and then got my refund. I switched host providers, and getting my WordPress database transferred was an absolute nightmare. If anyone needs help, here are a couple of things I had to do to make it work. Check wp-config.php and make sure all the db parameters are correct. Then go to <your doma

Ransomware Blog Post for AttackIQ

By now, we have realized how lucrative the ransomware business has become for criminals. This is due in part to the success of common ransomware such as Locky or Cryptolocker. It is estimated that Cryptolocker generated 3 million dollars even though only 3 percent of the victims paid the ransom [1]. Not only has this amount triggered the interest of criminals, but it also reveals the magnitude of the problem that is ransomware. When one click has the power to shut down the operations of an organization, it is important to stay protected.

Ransomware is a piece of malware designed to block access to a system or the information stored on it until a sum of money is paid. Essentially, instead of stealing your information and selling it to an unknown party for pennies, the ransomwar...

Mr-Robot 1 ~ Vulnhub Walkthrough

nmap -A 192.168.1.213

1. Returns ports 80 & 443, not a whole lot to work with…
2. Start up a dirbuster scan while I check out what each of these commands does.
3. Dirbuster begins returning a bunch of directories showing that this website is a WordPress site!
4. Start up a WordPress scan: wpscan --url http://192.168.1.213
5. The WordPress scan mentions that a robots.txt is available under: 'http://192.168.1.213/robots.txt'
6. Navigate to this page and this is shown.
7. Navigate to key-1-of-3.txt and we have our first key!

1. Navigate to fsocity.dic and download a file of 6.6 MB. The file looks like a wordlist with about 900k words. Will keep this in mind for potential brute forcing later.
2. Go to the wp-admin site to see wha

SickOS1.1

SickOS1.1

Nmap scan -> 22 (ssh), 3128 (http-proxy Squid), 8080 (closed http-proxy)
Started ncrack on the ssh port.
Ran nikto on the http proxy: nikto -h 192.168.1.210 -useproxy http://192.168.1.210:3128
Configured my browser to connect through the proxy. Go to view the webpage and this is what I see…
In the nikto scan I saw the words robots.txt, no idea what it meant but I typed it in anyway: Disallow: /wolfcms/
Navigated to that directory and found a blog type thing.
Started researching some wolfcms stuff and found a list of “default directories”. An ?admin page was one of them. Found a login page.
The blog is still very new. Because it’s new I google around for the default user and pass of the login page. Looks like it is admin/admin. Shou

Nullbyte 1 Vulnerable VM

Nmap
Web page
Started ncrack (try to get lucky)
Downloaded image on webpage: exiftool main.gif
Ran basic dirb (try to get lucky)
Found directory in comment of metadata
Chucked request in burp. Found “key=” in the post data.
Brute forced “key=” login user with hydra using the following command: hydra 192.168.1.209 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -P rockyou.txt -l user -t 10 -w 30 -o hydrasucksballs.txt
Then it shows us a username input box, so I ran sqlmap with the following: sqlmap --wizard --users --passwords
Please enter full target URL: http://192.168.1.209/kzMb5nVYJw/420search.php?usrtosearch=
This gave us the password to the phpmyadmin directory. Logged in with creds. Then we viewed the table and found two users. We took the

Milnet 1.0 Vuln VM

Did the first part of a vulnerable VM. First part meaning got a reverse shell, but have not achieved root access. I fired up burp and pressed one of the buttons to see the request. The requests had your basic headers, however, it had Dirbuster found 7 different PHP files. I attempted to navigate to each one but each file was just a piece of the website I had poked around to. After messing around with those a little bit, and zooming in really far on an image, I decided to move on. Next I browsed to the IP in my browser and saw a very basic web page, in German.... Poked around a little bit, and didn't find much, no text boxes, no upload function. Popped it into dirbuster to see if anything lucky would come up. Quickly started up ncrack against the root user to see if ...

Crack WPA for Dummies

Before starting this guide, you will need the proper tools:

Kali Linux in VirtualBox (may work on other distros with proper tooling; to simplify, try to use Kali). Kali comes with it included, but the Aircrack-ng suite of hacking tools is what we will be using.
A proper wireless card: supports monitor (promiscuous) mode, with the ability to inject and capture packets simultaneously. http://www.aircrack-ng.org/doku.php?id=compatibility_drivers This link is provided by the suite creators. I do not guarantee that everyone on this list works, but the list is very thorough. For the guide I will be using an Alfa network card, model AWUS036NH.

Setting up your card: type iwconfig in a terminal in Kali. You should see something similar to this. Then go ahead a...

May Update

Things are starting to ramp up. Now that school is out I'm beginning to use most of my free time on security research. Every day I don't have work (Tuesday, Saturday, Sunday) I make it a point to crack a virtual box. I began hosting these box crackings on Google Hangouts and a couple of people from SDHackers join me. Also, I began attending the DevSecOps Bootcamp hosted by Intuit. Seeing how Shannon Lietz is the one who got me into security in the first place, it seems awfully fitting to be attending her bootcamp. In order for me to excel at this bootcamp, I started studying Ruby and Ruby on Rails as well. When I'm at home, I can research and crack boxes all I want, but the stuff I'm learning in that bootcamp I would never be able to learn anywhere else. The only issue I'm having currently is ...

April Update.

Been swamped with school and internship. Finally coded a scenario for a customer. Went well. Finals coming up. After finals will hopefully do a couple of VM write-ups or an article on something or other. Security Boot Camp at Intuit is supposed to start May 5. Haven't heard from them yet. Really stoked for that and hope it works out.