localhost exposed


Path to OSCP - Part 10, Days 9, 10 and 11


[ sorry for the rasping sounds caused by the mic rubbing against my coarse beard :/ ]

I barely got myself to do this vlog, because I wanted to just try and get root! But I really needed to do it so that a lot of this new stuff doesn't get lost in my enthusiasm.



My first pivot from a compromised host into a new network behind a firewall!

If you don't know what pivoting is, this Wikipedia paragraph explains:

Pivoting refers to a method used by penetration testers that uses the compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, if an attacker compromises a web server on a corporate network, the attacker can then use the compromised web server to attack other systems on the network. These types of attacks are often called multi-layered attacks. Pivoting is also known as island hopping.

So yeah! I managed to pivot my way behind a firewall. And there was much rejoicing!

I have been using Metasploit to help me do recon / probing / exploiting. Also, the hosts and services commands in msf are really awesome for gathering information on the target network and systems.

The grokking has begun

I have truly begun to grok the attacker mindset! Instead of being in a traditional, reactive blue team stance, I am starting to think like an attacker. If I see someone in our security monitoring systems trying to bruteforce or otherwise attack some services we have, my gut tells me that I should do an nmap scan of those services to check what the attackers see -- and then check searchsploit for any tips.

Real world use

I have already started to see real world use for the skills and tools I am using on this course.

netsh trace to capture traffic without wireshark / pcap.

Nice set of PDF cheat sheets from packetlife.

Misconfigurations and demo sites will kill your infosec posture.

That might be a slightly clickbait-y headline, but there is a kernel of truth there. It doesn't matter how shiny and blinky your new Next-Gen-Semantic-AI-Software-Defined-Matrix-Neural-Firewall is, if you have ftp/ssh/whatever open to the world and your admins have by accident left some very simple to guess user credentials on the system, you are in for a bad day.

"But SELinux/AppArmor/GRC will save the day!" I hear you say. Yes! It might. Hence you need skilled and motivated admins to do the needful, i.e. remove the mis- from misconfiguration.

An excellent example of this is this new post on the Facebook bug bounty, where a smart guy bagged $15'000 for basically finding that the beta (and some dev) versions of Facebook didn't have proper rate-limiting in place for a security-related API: the forgot-password feature.

You woulda thunk that it would be a base level of security: people will try to bruteforce these services, and they should not be allowed to.
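To make the "base level of security" concrete, here is an added example (not code from the original post, and nothing to do with Facebook's actual implementation) of the kind of check that was missing: a sliding-window rate limiter for a forgot-password endpoint that caps attempts per target account and per client address. The class name, method names and the limits are assumptions chosen for the illustration; every attempt is counted, allowed or not, so a client that keeps hammering the endpoint does not see the window reset.

```python
"""Sliding-window rate limiter for a 'forgot password' style endpoint.

Added example, not from the original post. Names (PasswordResetLimiter,
allow) and the default limits are assumptions for illustration only.
"""
from collections import defaultdict, deque


class PasswordResetLimiter:
    """Limit reset attempts per account and per client IP within a time window.

    Two keys are tracked on purpose: the per-account cap stops someone
    grinding a single victim, the per-IP cap stops one client spraying
    many accounts (enumeration) while staying under each account's cap.
    """

    def __init__(self, max_per_account=5, max_per_ip=20, window_seconds=3600):
        self.max_per_account = max_per_account
        self.max_per_ip = max_per_ip
        self.window = window_seconds
        # timestamps of recent attempts, keyed by normalised account and by IP
        self._by_account = defaultdict(deque)
        self._by_ip = defaultdict(deque)

    @staticmethod
    def _prune(times, cutoff):
        # discard attempts that have fallen out of the window (oldest first)
        while times and times[0] <= cutoff:
            times.popleft()

    def allow(self, account, ip, now):
        """Return True if this attempt may proceed, False if it is throttled.

        `now` is passed in (seconds) rather than read from the clock so the
        behaviour is deterministic and easy to test.
        """
        cutoff = now - self.window
        acct = self._by_account[account.strip().lower()]
        src = self._by_ip[ip]
        self._prune(acct, cutoff)
        self._prune(src, cutoff)

        permitted = (len(acct) < self.max_per_account
                     and len(src) < self.max_per_ip)

        # record the attempt either way: denied requests still count, so a
        # brute-forcer cannot simply keep retrying until the window slides
        acct.append(now)
        src.append(now)
        return permitted


if __name__ == "__main__":
    # constructed sample traffic: one client hammering one account, then
    # the same client switching to other accounts
    limiter = PasswordResetLimiter(max_per_account=3, max_per_ip=5, window_seconds=60)
    attempts = [("alice", "198.51.100.7", t) for t in range(5)]
    attempts += [("bob", "198.51.100.7", 5), ("carol", "198.51.100.7", 6)]
    for account, ip, t in attempts:
        verdict = "allowed" if limiter.allow(account, ip, t) else "THROTTLED"
        print(f"t={t:>3}s account={account:<6} ip={ip} -> {verdict}")
```

In a real deployment the timestamps would live in a shared store (for example a cache with expiring keys) rather than in process memory, and the per-IP key should be derived from the connection address or a trusted proxy header, never from anything the client can set freely.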

Don't assume something's fixed. Poke it with a stick and see if it breaks!

And on that bombshell, it's time to end the show...!


Forgot to add this Youtube link:

