Writeup – CSL – Boats

Writeup – CSL – Boats

So the Boats box is a neat one, and I thoroughly enjoyed my first attempt at it live on Twitch the other day. Let’s dive right in and get after this!

Windows box on CSL!

Once we add the ip address to our /etc/hosts file, let’s get after this box with a good ol’ AutoRecon scan and check out the results. We see a bunch of ports open, including port 80, so while the scan is running, we can go check there.

Looks like a WordPress site to me!

Now, anytime I see a WordPress site, I get excited. And any time I see a potential plugin, I get even more excited. See that shopping cart label in the top right? That’s where I get excited.

So I kicked off a wpscan, and didn’t find anything, but I know there’s a plugin, so I clicked on the shopping cart and viewed the source. I see a plugin called “The Cart Press.” Let’s find vulnerabilities.

JAMES is a username!
thecartpress, I see!

Over on Exploit Database, we see a few. The Remote File Inclusion one really piques my interest. Remote file inclusion will require us to host our own file to be called out by the vulnerability. Let’s hope we are on the right version and give it a shot!

Remote File Inclusion!

Next step is to download one of my favorite remote shells and host it on a simple HTTP Server. I use the shell from I highly recommend it (P.S., it’s forked on my repository as well!). Host that in the directory of your choice (I named mine shell.php) and fire up a simpleHTTPServer (I used sudo and did it on port 80).

Boom, that was where I browsed to from Exploit-DB, and below is what you get when you pop my favorite remote file!

At this point the remote shell won’t work, but you can issue windows commands like dir to verify you have control. A great command to use in this case is certutil, and you can upload files utilizing it.

First step, make a payload using msfvenom. I utilize the cheatsheet over at to make my payloads.

Second, ensure your new shell.exe file is being hosted by your SimpleHTTPServer, and upload it with certutil. Here is the command line that worked for me: certutil -f shell.exe

shell.exe uploaded successfully!

At this point, use msfconsole to kick off a meterpreter listener, as shown below, and run that shell.exe command! It’s going to be slow to connect, but once it does, you will be nt authority/system and be able to go get your flags!

Here’s our listener, and below kicks off the shell.exe!
Boom! We own the box!

Thanks for catching the next writeup in my OSCP Prep series of writeups for CyberSecLabs! Stay tuned for the YouTube video to follow! And as always, keep hacking!

Writeup – CSL – Shares

Writeup – CSL – Shares

As the first box I’m doing from the great guys over at CyberSecLabs (, let’s fire it up and get to work!

Turn this bad boy on!

After adding the alias shares.csl to my /etc/hosts file, I kicked off AutoRecon and took a close look at the results. Here we see port 21 (FTP), port 80 (HTTP), port 111 (RPC), port 2049 (NFS), and port 27853 (Running SSH!), as well as some higher level ports. This high SSH port seemed odd to me.

Looking into the easy ports here, with NFS (Network File Sharing), we take a look at the nmap scan that was run on Port 111, and we see the following mount:

The *.*.*.* means it can be mounted by any IP address.

We mount this drive and see what we’ve got:

How to mount the directory. There’s more!

Thinking back to the high-port number running SSH, I bet that .ssh directory may be interesting!

Boom, private key!

Unfortunately, when you try using the private SSH key to login, and if you paid attention above, you’ll be denied access, asking for a passphrase, as the key is …. ENCRYPTED! But have no fear, ssh2john is here!

Prep the key for cracking!

Once you have it prepped for john, run john with the rockyou.txt wordlist to find the passphrase for the original key!

Boom. Now let’s login.

Now that we have the passphrase, don’t forget to chmod 600 the original private key and let’s login. Once logged in, run sudo -l, and we see there’s a user named amy that we can run /usr/bin/pkexec or /usr/bin/python3 as.

Getting somewhere now!

It’s trivial at this point to get on as amy. Simply search GTFOBins for the python binary, and take a look at sudo privileges, Switching users to amy and running python is a breeze.

And we’re amy!

Now, as amy, don’t forget to get the access.txt flag, and let’s sudo -l again! Now you see that we can run /usr/bin/ssh as anyone we want with no password, including root!

GTFOBins again? No way!

A quick trip back to GTFOBins shows us the way. Just look under sudo for ssh:

Don’t forget that system flag!

Thanks for tuning in to the first box I’ve gone after in the Beginner section of CyberSecLabs! I’m truly enjoying the quality of the content they’re providing here so far, and stay tuned for more!

OSCP Preparation – Day 3

This will be Day 3 of my OSCP Preparation. The mind-map linked in the previous post is what I’m still working on, but I just want to first take a moment out of discussing purely hacking to talk about how humbled I am. Veteran Security concluded their board elections a little over a week ago, and on June 1st, 2020, I took over as the Board Chair for the company. It’s an amazing organization owned and run by veterans for veterans transitioning into cyber security. We have some pretty awesome things planned, but that’s nothing compared to what the group has already done for so many, myself included. More than simply providing resources and guides to transition, Veteran Security (VetSec, Inc.) provides a much needed community – a place for veterans to discuss the issues that face our community and be there for one another.

Now then, Day 3 of OSCP. I have completed OverTheWire: Bandit through Level 23, and I have completed Wave 1 of the Zero to Hero blog for TryHackMe. Both platforms have been great for solidifying basic Linux command knowledge, establishing a solid methodology, and exposing me to many different vulnerabilities present in both Linux and Windows.

Much of what I’ve been done has been walkthrough style so far. I anticipate around next week (Day 10 OSCP or so) I will move into the lists of machines provided by TJ-Null and start working on VulnHub and HackTheBox machines. This is where it’ll get real.

I continue to make videos for my YouTube Channel, like this walkthrough of LazyAdmin on TryHackMe, and I continue to stream daily. This has been a great way for me to reinforce the knowledge I’ve gained by doing the same box a couple times.

Anyways, if you like following and learning along with me, keep checking out my YouTube and my Twitch and I’ll see you there!

How to Get Started in CyberSecurity

There’s a thousand posts about this topic, covering everything from whether Cyber is right for me, to the different certifications one could get, all sorts of stuff.  I’m going to try and take a slightly different tack with this one, and talk about learning in general.

You see, I joined in the Navy fresh out of High School. I didn’t even really know what I wanted to do with my life at that point. I didn’t understand what work in the real world was like – up until this point, I’d worked at a small cafe in Port Ludlow (which, unfortunately, went under within the past year), and McDonalds.  I knew I liked computers, and I knew my grades weren’t the best.  Perfect spot for a Navy recruiter to grab me, I know.

Anyways, after 18 years of service to our country at this point, I’m most grateful to the Navy’s Nuclear Power Program for teaching me how to learn.  The academia we go through is very rigorous. It’s extremely fast paced, teaching us the ins and outs of nuclear power inside of 18 months, including how the equipment actually functions well enough for us to do maintenance on it.

So after all this, how do you get started in Cybersecurity?  Find out if you like it. Learn about it!  Not just how to do the jobs, but what the jobs are about!  If you’re a veteran, like me, check out places like VeteranSec.  Network on LinkedIn.  Peruse Reddit and look through the various groups there. I just did an AMA on Navy Submarine life, look for one on Cybersecurity!  There are tons of ways to learn more about the profession. The Cyber Mentor has some great videos on a day in the life of a penetration tester.  There are some great blogs, and if you want to actually try some of it out on the red teaming side of the house, then visit sites like Ur-Hackr, TryHackMe, and HackTheBox.  For those super new to the profession, I am a big fan of the community that has been built up thus far in Ur-Hackr (of which I am a moderator), so come join us on Discord as well!

I’ll be updating a list of awesome links to gamified resources for hacking, learning cybersecurity, and more on the right sidebar when I get around to it.  Until then, try some of the links up above.  Remember, especially in our current age of coronavirus, people are our greatest asset.  Communicate with them!  This community is awesome and we’re all here to help.

Want to talk more? Come join me in the Ur-Hackr Discord!

Review: SANS Cyber FastTrack – Part 1

This year, as I’m finally on shore duty and headed towards that inevitable transition from the military life, I heard about the Cyber Fast Track offered by the SANS Institute.  When I read about it, I was a complete n00b to VetSec (and by many metrics still am).  Since then, I’ve discussed CTFs with quite a few people, and when I saw the opportunity to sign up for the SANS Cyber Fast Track CTF, I jumped at the opportunity.

This year, the competition happens in three phases – the first phase was a 48-hour Capture-the-Flag opportunity.  The top placers in the CTF are invited to continue on.

The 48-hour CTF was a bit of a doozy for someone who doesn’t have much experience doing CTFs (READ: This was my first).  I’d played around in Hack The Box before, and I have a Security+ certification, but nothing would’ve prepared me for this.  There were around 45 challenges, covering some general topics like finding a flag in source code, but then delving into Web Exploits, Reverse Engineering, Forensics, Networking, Binary Exploitation, and Cryptography.  I settled in with my caffeine supply of choice and proceeded to hammer as many challenges out as I could, while graciously my wife took over the parenting for the next 48 hours.

I slept about 8 hours in the 48 hours, stopping when I hit brick walls so I could let my subconscious do some work.  I stayed persistent and taught myself a lot throughout the competition, but was a little bummed when, at the 48-hour mark, I had only completed 63% of all of the challenges.  I didn’t think I had done nearly well enough to place to move on.

After the scores were tallied, I found out that, despite only completing 63% of the challenges, I placed 65th out of 3,498 players.  Quite a few had signed up and only done a couple challenges, or didn’t play at all. I was stoked!


Just a week ago, I received my invitation email to Phase 2. Phase 2 consists of access to CyberStart Game, a CTF-style playground with 4 months of time in it, covering general topics, python topics, forensics, plus a new base of challenges that haven’t unlocked yet.  Additionally, everyone invited to phase 2 gains access to Cyberstart Essentials, which is a course,

reinforcing key concepts with more than 45 in-browser interactive labs and 17 extended practical skill applications in virtual-machine based labs. You’ll establish a core understanding of technology component functions and apply that knowledge to security concepts such as reconstructing a crime from digital evidence or locating exploitable flaws in software and websites.

Plus, at the end of CyberStart Essentials, you will be able to take the GIAC Essentials Exam. Whatever your future cyber career path looks like, this accomplishment will look great on your résumé and support you on your journey.

As of this writing, I haven’t touched Essentials and I’m about 50% of the way done with Game. I plan on keeping up with the persistence, and hopefully finishing all of Game and Essentials. I’d love to get the $22,000 scholarship at the end of this to take the SANS courses, but we’ll see. No matter what, this has been a great learning experience!