Posts

Microsoft Flow - Form, into excel, create word document from template, send email, addressing Copy/Create File errors

Image
Today a customer showed me a paper (invoice) recipe  he had to write into an excel, and then again into a word "thank you" for printing/emailing.

If you're here for the Copy/Create File errors, jump to the end.

So what we did is to prepare a Form for inputs, and then a Flow that takes that data, use "Insert Row" for excel.

Next was to create the word document. I've tried to create custom properties myself, but didn't manage so I followed Netwoven's tutorial, and the simple steps are:

1 - Create a Sharepoint Document Library and add your custom properties to the library as custom Fields.
2 - Go to Library Settings > Advanced Settings > click Edit Template
3 - The template will open an empty word document, edit it however you want
4 - Wherever you want one of the dynamic custom properties to fit in put your cursor there and click Insert > Quick Parts > Document Property > your custom Fields name
5 - Save the document as a normal .docx in…

Microsoft Flow - auto post in twitter and pinterest

The task at hand - a form, when filled, creates a post at [all] social networks, this blog is about twitter and pinterest.

Part 1 - prepare the image Twitter needs "file content" in its media field, while pinterest needs an image url open to the public. So [1st flow] was in OneDrive folder for those uploaded images, sending back the image ID to be used in the form. Can take a few minutes, sent to mail (better to send with the image).
The twitter account will create the public url for the image.
Part 2 - the form Most simple form, Title, Content and image id into [2nd flow] a Sharepoint list. If you're sure you're never going to use more than 255 characters you can just use the title (i dont like to extend title fields characters limit).
Part 3 - to the social media Next [3rd flow] when the SPItem is created, I use OneDrive "Get file content" for the file content and the "Title - Content" for the text, and post a new tweet. I then query tweets as &…

Becoming a (very Jn.) Hacker, how to, and my 1st Black Box Test

~ This is not a technical post, its a story post.
~ A story to whom just like stories, or to whom like to learn some lessons, and especially to anyone that wants to become a hacker.

Lately (like 6 last months) i'm starting to really go into hacking, it always interested me, but i could never find the time, plus, there was always another challenge @work like the new Angular.

But with time and effort, payment has become bigger, and with it my time.

And the 1st thing was how... from some videos and many SQL injections or XSS, DVWA ect. I didnt feel i'm learning anything other then extra web security.

Finally i found OverTheWire website, and finally i learn some "real" things, linux, php, memory, crypto, ssh, ect., all basics that I, as a web-programmer, had no clue. Only the web-based challenges were "natural" for me.

I can say that there I learned lesson no.1 - LEARNING.
In the world of hacking, you must be a weary-less learner, new things every time again, a…

Damn Vulnerable Web Application (DVWA) - File Inclusion and WebShells

today we are going to have some fun understanding the full potential of File Inclusion attacks.

my goals for today

1. a few words, Disclaimer, Lab, and links.
2. Web Shells intro with DVWA
3. How to complete the File Inclusion challenge in the new DVWA
4. Metasploit



1. a few words, Disclaimer, Lab, and links.


DISCLAIMER - if you do what i teach you today you WILL go to jail. so dont do this outside of your lab.

Setting up the lab -
For a hacking lab download either VirtualBox or VMWare, or, if you own win10pro, you have Hyper-V. With those you can create virtual machines, and you will need 2 today, one with DVWA, and another as the attacker, which for ease better be kali, download machines from osboxes.

For DVWA you can either download Metasploitable 2 or set up dvwa in some machine.
In my case i just turned them both on an internal network, so they can see each other but no internet (might need to set up DHCP if you dont have any ip).

For basic help about solving dvwa's file inclu…

Damn Vulnerable Web Application (DVWA) - installation 2018

for anyone trying today to install DVWA, thing changed a little, took me a while to get it working, so here it is:

IMPORTANT - su if you are not root user (i.e. not kali)

1. download the latest version 

to get it working with MariaDB and PHP v7.x

wget https://github.com/ethicalhack3r/DVWA/archive/master.zip && unzip master.zip

unzip under /var/www/html, rename folder to dvwa


2. config file

cd /var/www/html/dvwa/config
cp config.inc.php.dist config.inc.php
gedit config.inc.php

create captcha keys
https://www.google.com/recaptcha/intro/index.html
and set in $_DVWA[ 'recaptcha_public/private_key' ]

start at low difficulty

$_DVWA[ 'default_security_level' ] = 'low';

you need to clean cookies if the dvwa was running

3. set user in MariaDB

sudo service mysql start
mysql -u root -p

db commands...

mysql > create database dvwa;
mysql > CREATE USER dvwa@localhost IDENTIFIED BY 'p@ssw0rd';
mysql > grant all on dvwa.* to dvwa@localhost;
mysql > flush privilege…

Real Hacking Challenge - victim behind ssh

Image
the challenge is like this, i have the attacker machine (A), which connect with ssh client to another machine (B), which run ssh server (daaa...), these 2 are connected to the internet, but (B) is also connected to an internal network, and there there is a WIN10 machine (C), NOT connected to the internet but to (B) as said.

we will use the help of ssh, ShellTer to try also do it with windows defender on.

to succeed we will try to do this from bottom to top.

*DISCLAIMER - all this is illegal, and you may only do it at your lab, if you hack really you will go to jail.

*BIG NOTE : sometimes stuff just dont work, restarting (not power off) the machines, and the services refreshes stuff and then they work.


PLAN

1. prepare lab
2. test exploit on xp
3. test 3 machines ssh with 3 linux
4. exploit xp via ssh
5. exploit win10
6. test ssh with win 10
7. exploit win10 via ssh





1. preparing lab

using VBox (doesnt matter) i will create 4 machines, an arbitrary linux for ssh server, winXP for testings,…

VBOX Windows XP - how to use internet

1. right-click on the machine -> settings -> network -> choose NAT -> expand advnaced ->
choose "PCnet-FAST III(...)"

2. run cmd -> "inetcpl.cpl" -> advanced -> enable "use TLS 1.0"

3. open IE -> go to "www.bing.com" -> search "download firefox/chrome" -> do the usual with choosing "Yes" a zillion times every time he complains about the certificate.

-chrome do all kinda troubles sometimes with xp

4.1 with chrome and browse to "www.google.com", in the error screen click advanced -> proceed.

4.2 with firefox, just browse and enjoy

P.S. - if you have bridged connection problems try to change MAC