First off huge thanks to IPPSEC for posting this video and doing the heavy work when I started looking into making a private OMI Exploitation lab without hosting it on azure.

At first I ran into SSL issues with the OMI install followed by namespace issues with the SOAP requests with the exploit POC I was using. So to make things very simple I documented out everything you need to make your own private OMI pwn lab.

Step 1: Download Ubuntu Server 20.04.3

Step 2: Download the following package links with wget directly to the server


With the latest CVE around the print spooler service this is a good time to update my guidance on securing domain controller environments with security hardening policies.

Just for reference at the time of this posting there is an RCE going around with the print spooler service which can be extremely dangerous if you have it left running on a domain controller.

Currently there are two free methods to downloading readily available group policy content and importing them to your active directory environment. Microsoft provides downloadable toolkits and security baselines for Windows Server 2012 and up. …

Here is another writeup on Chatterbox. This is a retired machine in HTB.

  1. Reconnaissance

An NMAP scan reveals two ports open. 9255 and 9256

A quick google search yields the following exploit DB result:

Next I do a searchsploit for achat software and I get two results for a remote buffer overflow. One in python and the other a ruby metasploit module.

This box is on the retired list in hack the box. Here is a walk through on how I got full system privileges in this active directory environment.

Pre-Requisites installations needed in Kali: —

Impacket —

Evil-WinRM — —

Installation walkthrough of prerequisites:


sudo apt install python3-pip

sudo git clone /opt/impacket

sudo pip3 install -r /opt/impacket/requirements.txt

cd /opt/impacket/

sudo python3 install


sudo gem install evil-winrm

Install bloodhound first. I have a walk through on how to do that here: is what we will be using so we don’t have to get creative and drop sharphound on a…

This is the first series of domain controllers I was able to compromise in hack the box. At the time of this writing the box has been retired allowing me to post how I did reconnaissance, enumeration, initial foothold, and privilege escalation. I hope you enjoy reading this as much as I was challenge to hack this box!

1. Reconnaissance

Using the following nmap scan to detect open ports and services.

nmap -A -T4 -p-

Some import ports to note:

53- DNS

88- Kerberos

389- LDAP


636/TCP LDAP over SSL

3268/TCP LDAP GC (Tells us we are definitely dealing…

Here are my notes to make a successful install of Impacket on Kali Linux version 2020. These were taken from

Step by step commands to run in terminal:

sudo apt install python3-pip

sudo git clone /opt/impacket

sudo pip3 install -r /opt/impacket/requirements.txt

sudo python3 ./ install

The NSA and FBI had an excellent joint write up on Russian Drovorub Malware on 8/13.


So for defenders what should you be doing with your internet facing Linux servers?

The NSA offers the following mitigation strategies:

  1. Apply Linux Updates
  2. Prevent Untrusted Kernel Modules (Ex. Activate UEFI/Secure boot)

Lets take a further in depth look at some popular linux server distros on protection strategies in regards to mitigation tactics with untrusted Kernel Modules.

Attached is how to enable UEFI in VMware Vsphere 6.7 If your linux distro supports:

CentOS 7

UEFI/Secure Boot is supported in CentOS7

So what…

This is my walkthrough on how to get started with bloodhound in Kali Linux

Open up terminal in Kali and type the following command:

sudo apt install bloodhound

After you select yes to install and the installation completes we will need to change the default passwords on the neo4j console. Type the following command:

sudo neo4j console

I’ve gotten into kerberoasting lately and thought this would be a good opportunity to talk about auditing your SPN’s and encryption types in your environment. There are some pitfalls that I thought I should explain first so that you can adequately plan and eventually remediate RC4 based Kerberos encryption types in your environment.

First lets start with a typical network hardening scenario of Kerberos in a Server 2016 Domain Controller Environment. Its a safe bet you may see a domain controller configured with these default encryption types kerberos…. …

There is a wealth of information that is stored in AAD. Email addresses, telephone numbers, group memberships, physical contact info, job titles. It even has pictures of employees. Just some thoughts and recommendations of limiting access:

  1. Restrict access to the Azure AD Administration portal.

To access AAD type Azure Active Directory in the search bar.

In the left pane click on user settings and ensure that the following setting is set to yes. This will prevent anyone with a non administrative role from accessing Azure AD.

Root ♊

It's 2016 and all I found was Toilets running Telnet...using shodan

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store