Things have been OK for me except that I'm a zombie now

Creating BashBunny Payloads

What is it? The BashBunny is an attack platform that allows attackers to create payloads in Bash. The device can be scripted to enumerate as a HID (keyboard), mass storage, serial, and Ethernet. This enables a multitude of attacks including thing like exfiltrating documents over a network interface or stealing account hashes from locked computers. Creating a Payload We want to create a payload that allows for easy exfiltration from macOS.

Finding Your Way Out From Behind Firewalls with Strict Outbound Rules

You’ve achieved code execution on a machine, but for some reason your reverse shell isn’t pinging you back. Or that wget/tftp command isn’t downloading your recon/post-exploitation tools. There’s a chance you’re dealing with an egress problem. Typical ports that need outboud access are blocked. You try the main ones you can think of (21, 22, 53, 80, 8080, 443), but none of them seem to be connecting. Do you start at 1 and manually test?

Configuring SSH for Pivoting

You’re on a pentesting engagement and you’ve discovered a dual homed machine that allows you access to a subnet you can’t access directly from your attack machine. Assuming you’ve compromised at least one machine on the initial network, you can use it as a proxy to other machines on the “hidden” subnet. The ssh client has an often-overlooked configuration file that resides in your ~/.ssh folder. You can configure things in here that are specific to certain hosts or you can set default configurations for every host.

B2R: Wallaby Walkthrough

Executive Summary This machine had an unlisted but open webapp path that allowed for remote command execution. After establishing a reverse shell as the limited user www-data, privilege checks showed the user was allowed to modify firewall rules. There was also an IRC server that contained a bot that allowed command execution through the use of the .run command. The command would only obey the user waldo so modification of the firewall allows an attacker to kick and assume the waldo identity.

B2R: Stapler

Adding the IP address of the VM to the hosts file allows one to cut down on some typing. Executive Summary This machine had several services running, some of which revealed employee names and accounts that could later be leveraged to compromise the system. A Wordpress plug-in vulnerability was found and used to extract database credentials, which then led to a non-privileged shell. Once scanned, it was discovered that a script ran every 20 minutes as the root user and that the script was writable to our non-privileged user.

B2R: SickOSv1.2

Executive Summary This machine had an unprotected folder which allowed uploading of malicious PHP code which could then be executed remotely. An attacker could then create an unprivileged shell on the victim machine and begin to explore the system for additional vulnerabilities which could lead to a full compromise. During the exploration, an outdated version of chkrootkit was found. By exploiting a known vulnerability in the way chkrootkit parses arguments, an attacker could create a malicious file that would later be run by chkrootkit as a fully privileged user.

B2R: IMF Walkthrough

After mapping the network and finding our IP address at, we can add it to our /etc/hosts temporarily to make things a little easier for us. echo " imf" >> /etc/hosts Lets see what kind of machine we’re dealing with. Ok, so web only. Great. nikto didn’t reveal any low-hanging fruit so let’s dive into the source. Check that out! Our first flag was hidden in http://imf/contact.php. This looks like base64.

B2R: Tr0ll Walkthrough

A couple of weeks ago, work sent me to a security class for an upcoming product. While there, I learned about vulnhub, a repository of intentionally vulnerable virtual machines for anyone to compromise. Since coming back, vulnhub has become my new obsession. Here’s a walkthrough of my attempt. Note: I struggled a bit more that this writeup lets on. The struggle is ommited for clarity and brevity. __ After finding the VM with an nmap scan, we see a couple of open ports.