Dot1X Kali Linux

I need to remember this for next time I’m faced with a dot1x authentication on wired connection.

Add the following to /etc/wpa_supplicant/wpa_supplicant.conf

And then run
wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired

Wait for it to generate a sucess message, and run dhcpclient or set a static ip .. 🙂

L2 Network Attacks – HSRP / DTP

Lately I’ve been playing around with Layer 2 attacks, usually yerisina is my go to tool, but during a HSRP attack, it was not behaving the way I wanted. So I did some research, and remember scapy can generate any packets you want. While playing around, I came across /usr/sbin/hsrp a tool from the irpas packaged.

A simple attack would be:

It worked, but was sending more packets than was actually needed.
Why the need to send the Coup packet?

So back to scapy again.
There are some excellent guides out out there, Like

But following the guides, it should be pretty simple getting the attack working, but it did not.
I didn’t even see it wireshark, so it didn’t look like it was sending the attack out on the wire… time to debug.

BIG laughs… I had the “hsrp” filter in wireshark, and due to some strange behavior the packets that I was sending was not reconised as HSRP packets.

By looking at the packet that I was sending, the dport is not what it is suppose to be. 2029 vs 1985. And by adding the dport in the UDP in line 3 of the script, the attack worked perfect.


And since we are into L2 Attack, Attacking DTP is always fun.
Launch dtp attack with yersinia

Get a working interface up and running, here I’m using static IP, and connecting to vlan 666



ESXi cheetcheat

It’s not everyday you work on a Vmware Esxi platform, and I now felt the need to collect some of the quick fix that I keep forgetting. Most of the issues are with the new Esxi 6,5 on a “none-supported” platform.

esxi 6.5 angular js error on login with chrome (You can’t log in with chrome)

Fix: ssh/consol to host:
esxcli software vib install -v http://download3.vmware.com/software/vmw-tools/esxui/esxui-signed-latest.vib
 “Failed to power on the virtual machine, The attempted operation cannot be performed in the current state(Powered Off)” error
You can’t turn on a vm, even if it’s turned off. The VM is stuck in state you can’t recover from. I’ve now recreated the issue, and happens when you try to edit (remove ISO from cdrom) when the server is still running.


Unregistered the VM
Register a VM
Pick the vmx from the datastore

Extrem low performance with m2 ssd disk

The follow keep apperaing in the log, clearly stating that we are having a problem with the datastore.
ESXi 6.5 is using a new ahci driver, and in it’s current state sux big time.

[root@esxi:/vmfs/volumes/../] time sh -c "dd if=/dev/zero of=testfile bs=100k count=1k && sync"
1024+0 records in
1024+0 records out
real 0m 54.17s
user 0m 0.00s
sys 0m 0.00s

Fix: ssh/consol to host:
esxcli system module set –enabled=false –module=vmw_ahci

and then you have better performance
[root@esxi:/vmfs/volumes/../] time sh -c "dd if=/dev/zero of=testfile bs=100k count=1k && sync"
1024+0 records in
1024+0 records out
real 0m 0.44s
user 0m 0.00s
sys 0m 0.00s

From 50sec to under 1 sec, I would say that’s quick an performance boost! 🙂

Redmine Turnkey to Debian Stretch Stable

This has been way overdue, but when I start to use redmine it was such as hassle getting it up and running. So turning to a turnkey appliance was a easy fix, but as time goes by… and new version are released. Upgrading a turnkey wasn’t easy. But now it was time to try a redmine upgrade, and move to new server approach. I’ve tried it before, but failing hard. But this time around it was quite easy. Since I’m not doing any fancy stuff in redmine, no repositories, plugins etc. I only need to convert the database.

Here are my quick notes to convert from turnkey redmine (old version) to a fresh Debian stretch setup.

## Get info on current installation

root@redmineOLD ~# cat /var/www/redmine/config/database.yml|grep “username:\|password:\|database:”
database: redmine_development
username: redmine
password: xxxxxxxxxxxxxxx
database: redmine_test
username: redmine
password: xxxxxxxxxxxxxxx
database: redmine_production
username: redmine
password: xxxxxxxxxxxxxxx

## Dump the database

root@redmineOLD ~# mysqldump -u redmine -p redmine_production > redmine-dump.sql

Do a clean install of Debian debian-9.1.0-amd64-netinst.iso
With only ssh enabled as default.

Pro-Tip, install mysql (Mariadb) before trying to install redmine.

root@redmine:~# apt-get install mysql-server

Next up is install redmine.

root@redmine:~# apt-get install redmine-mysql

Do the default, but make sure you pick mysql as database

I’ve got an error when it tried to set up the redmine instance, but don’t care about that, we are rebuilding it anyway.

Now let’s setup apache and passenger

root@redmine:~# apt-get install apache2 libapache2-mod-passenger

Now you need to deactivate the default website, and enable redmine

root@redmine:~# cp /usr/share/doc/redmine/examples/apache2-passenger-host.conf /etc/apache2/sites-available/redmine.conf
root@redmine:~# a2ensite redmine.conf
Enabling site redmine.
To activate the new configuration, you need to run:
systemctl reload apache2
root@redmine:~# a2dissite 000-default.conf
Site 000-default disabled.
To activate the new configuration, you need to run:
systemctl reload apache2
root@redmine:~# systemctl reload apache2

Drop the current DB, and create a empty database.

root@redmine:~# mysqladmin drop redmine_default -u root -p
Enter password:
Dropping the database is potentially a very bad thing to do.
Any data stored in the database will be destroyed.

Do you really want to drop the ‘redmine_default’ database [y/N] y
Database “redmine_default” dropped

root@redmine:~# mysqladmin create redmine_default -u root -p
Enter password:

Get the password for the redmine db username

root@redmine:~# cat /etc/redmine/default/database.yml
adapter: mysql2
database: redmine_default
host: localhost
port: 3306
username: redmine/instance
password: xxxxxxxxxxxxxxxxxxxxx
encoding: utf8

Upload your redmine mysql db file and fill the new db with it. (Use the password found in the previous step)

root@redmine:~# mysql -u redmine/instance -p redmine_default < /root/redmine-dump.sql

No go to the redmine directory and rebuild/upgrade the db

root@redmine:~# cd /usr/share/redmine/
root@redmine:/usr/share/redmine# bundle exec rake db:migrate RAILS_ENV=production

All done 🙂

And if you care anything about security, please set a root password for your mysql server!
Run : mysql_secure_installation

pluck: 1 – Writeup

Getting ready for NetWars later this month it was time to sharpen my game. Let’s pick the first good Vulhub vm and have a go. Pluck: 1 – looked like a good start, no info what so ever.. lets see how it goes.

First let’s run a nmap and discover what service we have to deal with.

Okey, we’ve got a web server, and mysql? Let’s look at what webpage we have.

Looks like a bootstrap theme, and by clicking around I can see it’s using ?page=filename.php
This smells like LFI, quickly grab /etc/passwd to verify.

Look a the last line, that looks interesting…..
backup-user:x:1003:1003:Just to make backups easier,,,:/backup:/usr/local/scripts/backup.sh

Could there be a tftp server here as well? I know the filename I’m looking for, this should be a quick win.

By extracting the backup.tar file I’ve got a backup of the /home/ directory and /var/www/html

Quick side note, they are trolling the SQLi guys.. When ever you input the escape charc in admin.php You will get something that looks like a sql error message.

Back on track, let’s see what we have at the home directory. Paul is a user with a lot of keys. Check them all, and maybe we get lucky once more.

By using id_key4 I could log in as user paul without a password. I tested all other combination for know users (source /etc/passwd), but with no luck. The paul user was limited to pdmenu.

Here I got a little bit stuck. I looks like it was possible to do some escaping from “Edit file” meny, or even from the “www” (lynx), but no luck. There must be some basic protection within the pdmenu that prevents normal escape routines to work. Using the Directory listning and change directory I could move around and look at the file system but it was way to to slow, and you had to type/remember your path and files. After trying it out a bit, it was time to move on, let’s get a shell. I could use the edit file option and run Local-File-Inclusion to get me a www-user shell.

## Update ##
During some playing with another shell escape. My normal escape with :!/bin/bash would not work as an escape from the Edit file menu.
But by using the alias command :set shell=/bin/bash and invoking it with the :shell I could have skipped the php shell LFI workaround…


Dump pentest monkey php revereshell to /tmp and used LFI to get shell.

After running the most basic private escalation, and going back to the backup folder (It looks like the user bob had some sudo rights..) I start looking for kernel exploits. DirtyCow should work on this version, and they did have gcc on it. But missing some libs, and without a proper shell. Booting up a Ubuntu 16.10 64bit Server VM and build/test it there. And I’m glad I did it, cause dirtycow is unstable, and you have to be fast to input the magic line of “echo 0 > /proc/sys/vm/dirty_writeback_centisecs” otherwise the system will crash, and a reboot is necessary. Build/test and upload to target.

And that’s it.. I’ve got ROOT, and time to claim my flag.

This was a fun little evening session, but I do however think there is other ways getting in and around the system. But I’ll leave that for the next victime of pluck:1.