<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>OSEP on Taha Draidia</title><link>https://tahadraidia.com/tags/osep/</link><description>Recent content in OSEP on Taha Draidia</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Sat, 04 Dec 2021 11:25:46 +0000</lastBuildDate><atom:link href="https://tahadraidia.com/tags/osep/index.xml" rel="self" type="application/rss+xml"/><item><title>Don't Go Phishing Blind, Watch While RunTime</title><link>https://tahadraidia.com/posts/dont-go-phising-blind-watch-while-execution/</link><pubDate>Sat, 04 Dec 2021 11:25:46 +0000</pubDate><guid>https://tahadraidia.com/posts/dont-go-phising-blind-watch-while-execution/</guid><description>Raise your hand if you crafted your payload well and it worked fine on your lab machines, but in the real scenario you&amp;rsquo;re not receiving the callback! I guess all of us have experienced this at some point.
To solve this I wrote a simple yet effective set of functions that let us see what is going on during the runtime of our script.
The first function/subroutine, which I called hello, simply sends a GET request to a specified server.</description></item><item><title>Automate the Reconnaissance Phase</title><link>https://tahadraidia.com/posts/automate-the-reconnaissance-phase/</link><pubDate>Thu, 02 Dec 2021 07:43:03 +0000</pubDate><guid>https://tahadraidia.com/posts/automate-the-reconnaissance-phase/</guid><description>If you have been reading my OSEP (PEN300) post series, you know that I love automating things; the reconnaissance phase is one of the repetitive tasks that you do for each machine you compromise, right?
In this post, I am going to share with you how I took advantage of existing scripts and tools to create, let&amp;rsquo;s say, a reconnaissance script bundle.
The script is written in PowerShell; the language has a rich API, especially when it allows us to load .</description></item><item><title>Added RunAsPPL Check to Our PEN300 MSF Script</title><link>https://tahadraidia.com/posts/added-runasppl-check-to-our-pen300-msf-script/</link><pubDate>Wed, 01 Dec 2021 10:21:33 +0000</pubDate><guid>https://tahadraidia.com/posts/added-runasppl-check-to-our-pen300-msf-script/</guid><description>While running some tests this morning I stumbled on the following error:
Could not execute auto: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect. This occurred right after enabling restricted admin in our MSF script, as shown in the screenshot.
There are two important points we need to discuss here. First, when the error happened it was not handled, hence the script stopped running, which is bad.
The second point is: what could go wrong, right?</description></item><item><title>Taking Advantage of Assembly.GetManifestResourceStream for Quick Dirty Hacks</title><link>https://tahadraidia.com/posts/taking-advantage-of-assembly.getmanifestresourcestream-for-quick-dirty-hacks/</link><pubDate>Wed, 01 Dec 2021 04:32:52 +0000</pubDate><guid>https://tahadraidia.com/posts/taking-advantage-of-assembly.getmanifestresourcestream-for-quick-dirty-hacks/</guid><description>We all get lazy from time to time, but things need to be done. In this post I am going to share with you a dirty hack that I used to avoid translating a solution written in one programming language into another. The scenario we are going to cover here is, let&amp;rsquo;s say, that we wrote a piece of code that does something but requires another tool to achieve the next step of the intended goal.</description></item><item><title>Make SharpRDP a Loadable .NET Assembly</title><link>https://tahadraidia.com/posts/make-sharprdp-a-loadable-dot-net-assembly/</link><pubDate>Mon, 29 Nov 2021 07:21:19 +0000</pubDate><guid>https://tahadraidia.com/posts/make-sharprdp-a-loadable-dot-net-assembly/</guid><description>SharpRDP is a neat tool when it comes to getting command execution via the RDP protocol. The project is written in C# .NET, which makes it perfect to leverage as a .NET assembly; however, in order to load an assembly the binary needs to expose the API, and in this case SharpRDP is built in a way that it can only be run in the traditional way.
If we look at the source code of the project on GitHub, we can clearly see that the Program class has the internal attribute and the two methods have the private attribute.</description></item><item><title>A Class Helper for Metasploit Powershell Extension</title><link>https://tahadraidia.com/posts/write-a-class-helper-for-metasploit-powershell-extension/</link><pubDate>Sun, 28 Nov 2021 15:43:16 +0000</pubDate><guid>https://tahadraidia.com/posts/write-a-class-helper-for-metasploit-powershell-extension/</guid><description>Three weeks ago or so I started writing an MSF script that automates repeated tasks such as running reconnaissance scripts, dumping credentials, listing tokens that could be impersonated, and so on.
The current script does everything I have listed above, among other things; however, some parts of the code generate PowerShell cradles and execute PowerShell commands, and I would say that this is not an elegant way to do it.
For instance, here are two examples where I run PowerShell commands:</description></item><item><title>Build an Atomic Windows Lab</title><link>https://tahadraidia.com/posts/build-an-atomic-windows-lab/</link><pubDate>Thu, 25 Nov 2021 15:32:12 +0000</pubDate><guid>https://tahadraidia.com/posts/build-an-atomic-windows-lab/</guid><description>I have decided to build a Windows virtual machine to run some test scenarios, with the goal of automating the repetitive tasks we encounter during an engagement.
In a nutshell, we are going to build a vulnerable non-domain Windows machine with different escalation paths, including a weakly configured service and Always Install Elevated enabled, with some defenses on such as Windows Defender (LOL) and PowerShell restricted language, to make it a bit challenging, or should I say interesting.</description></item></channel></rss>