March 17, 2022

Hello Hugo, Goodbye WordPress

One of my goals for 2022 is to blog more frequently. I used to try and get a post out weekly when this blog was originally a college project. Weekly turned into monthly posts as my content got more technical and my career took off. Last year I posted once. Now that ends! I’m kicking off this revival with a site refresh. HackerUnderDev is moving away from a WordPress site running on a DigitalOcean droplet for a Hugo site running on Netlify.

June 13, 2021

Proving Grounds My-CMSMS Writeup

Full disclosure: I am an Offensive Security employee. This My-CMSMS walkthrough is a summary of what I did and learned. Friends from #misec and I completed this challenge together. No company restricted resources were used. Creating walkthroughs for Proving Grounds (PG) Play machines is allowed for anyone to publish. However, PG Practice machines from the paid tier, are not permitted to have public walkthroughs posted. On June 11th, @InfosecAli and I signed into Proving Grounds and booted up an intermediate PG play machine called My-CMSMS.

October 24, 2020

Hack your way to financial freedom

There is no get rich quick schemes to maximize your finances. Hacking is not cyber crime. If you think this post is going to be 5 steps to become a millionaire or advice on how to steal money, you’re wrong. This is a collection of advice I’ve picked up in recent years and suggest you follow. I will also admit that I have been blessed. My family is not poor, I grew up in a good area and received a strong education.

July 9, 2020

HackTheBox Sauna Writeup

Sauna is another “easy” Windows machine on HackTheBox. However I definitely fell down my fair share of rabbit holes on this one. There’s a static website hosted here, so I thought it’d start with a web shell. However, this box turned out to to be entire about domains and LDAP. Which I have very little experience with to date. While this blog may sound like a straight path, it’s well edited to be stream lined.

July 6, 2020

Walkthrough Decryption Instructions

4/9/2022 Update: After migrating from WordPress to Hugo, I do not have the ability to password protect blog posts. All content will be public and because of that these decryption instructions are no longer worthwhile for https://hackerunder.dev. I will not be posting content that requires password protection. For example, I previously shared unretired hackthebox machine walkthroughs but required hashes as the password for the post. This decryption method was copied from 0xPrashant and his own blog.

July 4, 2020

HackTheBox Remote Writeup

Remote was a fun windows box to hack. This is my second active target on HTB. My first was Traceback. Check that out for a similar web based exercise on Linux. Remote starts with a web vulnerability but requires finding credentials in a public share. DLL Hijacking is required to get a system shell. Lessons learned: Mounting a public windows share Exploit modifications – changing python code for a web exploit DLL Hijacking for privilege escalation Information gathering An initial nmap scan reveals some listening services.

May 3, 2020

HackTheBox Traceback Write-up

Thanks to a zoom call with members of PA Hackers. I fully exploited my first active HTB machine where I got points for my effort. To celebrate getting root, here’s my write-up. I learned quite a lot with this machine. It introduced me to new PHP web shells and message of the day (motd) privilege escalation. Lessons Learned Open Source INTelligence (OSINT) refresher with Google and Github PHP web shell alternatives to php-reverse-shell.

May 1, 2020

The Hacker Manifesto By The Mentor

Words of inspiration for many and an explanation to others who only see hackers as problems. Maybe one day I’ll base this manifesto to write my own. First it’s important to dig deep and see what’s going on then find how to put it into one clear document. Copied from Phrack Magazine <pre class="wp-block-preformatted">==Phrack Inc.== Volume One, Issue 7, Phile 3 of 10 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= The following was written shortly after my arrest.

April 30, 2020

Starting a Minecraft server

I’ve had a love hate relationship with Minecraft since I bought the beta when I was in highschool 2011. Throughout the years I’ve played countless local games, and joined others online in public servers. Over the last decade, I cycled through playing, getting mad at myself for not being productive, and taking a break. Lately I’ve been watching Hermitcraft more than playing or working combined. To convince myself I was being productive, I told myself starting a Minecraft server to play with friends and family would be a worthwhile systems administration and security project.

March 3, 2020

Patch your stuff

There’s a sticker on the back of my personal laptop. I don’t recall where I got it from I believe it was an informal sticker exchange at GrrCON a few years ago. It’s a pretty clear message and you can see it here. For anyone who’s trying to watch what they say, lets call it “Patch your stuff”. It’s a simple rule, but an important one we should all follow.