This is how I set up my Parrot OS after installation. There are a few things I believe are missing that should be installed or done. I like to keep things as real as possible so this will be a hacker’s setup.
UFW VPN Kill Switch
This script will disallow traffic through the ethernet and WiFi port and allow traffic through the tunneling adapter only.
Note: If you experience issues with files ending with a “?” (id_rsa?), it’s because your script isn’t running with LF line endings. This happens because Windows line endings are CRLF.
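A kill switch of the kind described above can be built from a handful of ufw rules. The following is an added example, not the author's script; the interface name `tun0` and the VPN endpoint `203.0.113.10` on udp/1194 are assumed placeholder values.

```shell
#!/bin/sh
# Added example (not the author's script): VPN kill switch rules for ufw.
# Assumed values: tunnel interface tun0, VPN endpoint 203.0.113.10 udp/1194
# (203.0.113.0/24 is a documentation range; substitute your provider's IP).

# killswitch_rules TUN_IF VPN_IP VPN_PORT PROTO
# Prints the ufw commands, one per line, after validating every argument so
# nothing unexpected can reach a root shell. Returns 1 on bad input.
killswitch_rules() {
    tun_if=$1; vpn_ip=$2; vpn_port=$3; proto=$4
    case $tun_if in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
    case $vpn_ip in ''|*[!0-9.]*) echo "bad IPv4 address" >&2; return 1 ;; esac
    case $vpn_port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    case $proto in udp|tcp) ;; *) echo "bad protocol" >&2; return 1 ;; esac
    # Rule order: drop everything by default, permit only the handshake to
    # the VPN server on the physical interfaces, then permit all traffic
    # that leaves through the tunnel. The endpoint must be an IP address:
    # DNS over ethernet/WiFi is blocked until the tunnel is up.
    cat <<EOF
ufw default deny incoming
ufw default deny outgoing
ufw allow out to $vpn_ip port $vpn_port proto $proto
ufw allow out on $tun_if from any to any
ufw --force enable
EOF
}

# apply_killswitch: same arguments; runs the generated commands (needs root).
apply_killswitch() {
    rules=$(killswitch_rules "$@") || return 1
    printf '%s\n' "$rules" | sh -e
}

# Dry run by default; set APPLY=1 to actually change the firewall.
if [ "${APPLY:-0}" = 1 ]; then
    apply_killswitch tun0 203.0.113.10 1194 udp
else
    killswitch_rules tun0 203.0.113.10 1194 udp
fi
```

If the tunnel drops, the default deny outgoing policy leaves no route over ethernet or WiFi except the reconnect to the VPN endpoint.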
Running Terraform in Detached State
If you want shell access to the Terraform container, here’s how. A Docker container shuts down as soon as its entrypoint command completes. To keep the container running, use the command “sh tail -f /dev/null”.
In this walkthrough, I’ll be using Parrot OS. I’ll break each vulnerability down and explain it. The video won’t demonstrate all of the techniques that could have been applied. I will also list the techniques I’ve learned from others.
Exploits / Techniques
Local File Inclusions (LFI)
Privilege Elevation through compiled code.
Remote Code Execution
Spawning Interactive Shells
First, identify the Virtual Machine (VM) server by using NetDiscover.
Use Nikto to scan the website for general information and exploits.
In the results below you can see that Nikto found the config.php file. We’ll get the database credentials out of that file.
Local File Inclusion
The actual code we will be exploiting will be an include that looks as if it’s supposed to load a language file through a cookie. There are comments that this code is unfinished.
PHP Base Filter
This exploit uses the php://filter/convert.base64-encode conversion filter. This filter runs before the file is included. Since this filter encodes everything to base64 we are able to view files on the server before they are processed.
This part is rather tricky. I had to have some help and followed Abatchy’s (Mohamed Shahat) technique on this one. His post is worth reading; he tries several other techniques and lists more information than this post.
Upon inspecting the file you can see that something in the file runs something similar to “cat /home/mike/msg.txt”.
The actual exploit here is to create a shell script called cat and export it in the environment variables so that it runs instead of the system’s cat program. This needs to be done in Kane’s folder.
This will return something funny like “bash: dircolors: command not found”.
But… every time I tried to forward to SánchezHandyman.com it would say “Invalid Characters”.
After a call to tech support, I learned how Punycode works. I haven’t had the honor to make websites for many foreign individuals so I haven’t come across this issue before. It turns out that foreign characters don’t make good domain names and must be converted to Punycode for the domain registrar to work.
Starting a website for the first time can be a time-consuming and tedious process for someone who is new to it. It’s important to make the right decisions when starting rather than get further down the process and realize you’ve made a mistake. This guide will point out what you need to do and why you need to do it. Make no mistake, I’ve seen people lose their websites to bad decisions they’ve made.
A Permanent E-Mail Address
Before you start purchasing domain names that will be used for your website(s), you need to make sure you have permanent access to your domain registrar (GoDaddy) by getting a reliable e-mail address. If you register a domain name under an e-mail address that is itself on a domain name you own, you are at risk of losing your domain name if you lose access to that domain name.
Step #1 – Get a Free E-mail Address
I personally recommend Gmail because it integrates well with a lot of things (2 Factor Authentication (2FA)) and provides services that you will later use such as Google Drive, Google Calendar. You will also need a Google Account to create a Google Analytics and Google AdWords account.
The domain registrar is where you will purchase your domain name (i.e., mrjamiebowman.com). I think GoDaddy is the best domain registrar but I do not recommend them for hosting. However, they excel at selling domain names.
Use your free e-mail address (from Gmail) to register your account at GoDaddy.com.
TIP: Once you have an account you should purchase your domain name after you’ve had a web professional review your decision.
TIP: Once you own your domain name, NEVER transfer it to anyone unless you are selling your domain name or website. With GoDaddy, you can delegate access to other people to modify the settings of the domain name or even renew the billing of a domain name. I often ask my customers to delegate access to myself so I can help manage their website and make changes when necessary. A domain name is the most important thing to maintain when owning a website. Some web design agencies will take possession of your domain name to hold you hostage as a customer.
Step #3 – WordPress or Weebly?
WordPress is the way to go if you can afford design services and management services. This is a more robust solution that offers a lot of customization. If you are not willing to spend $100/month for management and $2-$5,0000 dollars then you should use Weebly.
Weebly is a great place for anyone who is looking to get started with a website. It is much more cost-effective to start here especially if you are new to owning a website or may lack content. The cost to start a Weebly website is $5/month. This includes a FREE SSL security certificate.
Just like WordPress, Weebly has themes that you can choose from.