One of the best ways to acquire and maintain an offensive security skill set is to build a home lab and populate it with intentionally vulnerable machines. The most straightforward option is to simply spin up VMs in VirtualBox or VMware Player and manage everything locally. To take things to the next level, however, you really need a hypervisor like ESXi or Proxmox. Nowadays, ...
Vuln Box
Building a Vulnerable Box – HFS Revisited
A few months ago, in the Building a Vulnerable Box series, I wrote a walkthrough for putting together and compromising a Rejetto HFS server. The post had originally been intended for my security students at the time, but, to my surprise, it's become one of the War Room's most consistently visited write-ups. Just last week, a similar exploit was posted to the Exploit-DB by Naser ...
Building a Vulnerable Box – Heartbleed
Patchwork may have wrapped this series up in his last post, but I've got one more to add. The Heartbleed bug (CVE-2014-0160) received a lot of press when it was discovered and disclosed in April of 2014, and deservedly so. The vulnerability was severe not only because of the sensitivity of the information it could leak, but also because of its prevalence across the ...
Building a Vulnerable Box – Domino
IBM Domino (formerly Lotus Domino) is a particularly interesting (and lengthy) setup. The build is not terribly complicated, but the software has been vulnerable for a long time, so it's definitely worth exploring. We might as well have titled the blog "Building a Domino Box" with the vulnerability simply assumed. This box was also featured on the final for my university ...
CTF – PHP and OS Command Injection
This past weekend, RSM’s technical consultants worked with representatives from the University of Mount Union to host a Capture the Flag competition for teams of local high school students. The teams competed for scholarship money in challenges spread across six categories – Coding, Cryptography, Forensics, Grab Bag, Hacking, and Web. The students’ collaboration, research, ...
Building a Vulnerable Box – Rejetto HFS
Happy Friday. Today's vulnerable box was not particularly difficult to set up, but I like the exploit. I am also using this particular box on the final exam for my network security students over the next few weeks, so part of me wants to see if they stumble across the tutorial. Full disclosure: I've never encountered Rejetto's HTTP File Server on a penetration test. I ...
Building a Vulnerable Box – Elastix
This spring, I had the opportunity to teach Network Security at a local university. As one would expect, I chose to teach the course from the perspective of a pentester. One of the challenges I've faced is setting up vulnerable systems for my students to attack. We've also started using the boxes internally to train new hires and test certain exploits and techniques (the ...







