SANS Holiday Hack Mini-Prep Guide



Merry Christmas, hackerkin! Well, sorta.

This is a compressed, really SHORT guide to assist you in navigating your way through the SANS Holiday Hack CTF based on their past challenges and my observations over time. Whether or not you are successful (completing all the challs) is not the point of this exercise. The idea is to have fun, hopefully learn new techniques and grow as a security researcher, pentester, hacker, whatever you identify as.  


If you have any ideas you’d like to add, drop me a line on Twitter and I’ll see if I can add them.  I wanted to list more but I’m swamped with work and this is the best I could do right now.

This was last year’s challenges.

This is mainly going to be a listing of advice, tools and resources under each category which I think you should have, based on the last four years’ worth of solution entries and the kinds of challenges there were, or because they are the tools which tend to be used in other CTF competitions.

It’s NOT exhaustive and many of the things I link to here will be in a larger guide I’ve been trying to get published for the last year and a half but it’s at 300 chapters and won’t stop growing. This is just to point you in the right direction for right now. I also wanted to be able to upload this for you all before the challenge starts and I’m pressed for time.


Pay CLOSE attention to the SANS blogs, especially Jeff McJunkin’s posts! He is one of the hackers who writes the challenges for Holiday Hack!

Also say hi to Jeff! He’s very nice!:

Anything posted this year that is a fairly new technique or unique in nature will likely be featured in the challenge itself. It makes sense: it is their research, so of course they wish to display it, and many of the techniques you know exist because somewhere along the line their staff taught them to someone who showed them to someone else. SANS is an important member of our community and a solid pentesting/hacking repository of information.

Someone usually posts a HolidayHack thread on Reddit where you can get hints. This was last year’s:

Please read this next part VERY carefully. I’m asking nicely because this annoys me when I see it. Please don’t give out spoilers. You should be able to discuss a technique in subtle ways so as not to blatantly ruin it for others.

For instance, if you want to tell someone to use tcpdump or netstat to view INCOMING traffic to their system, you might say something like, “Maybe see if anything is phoning home?”  Rather than “TCPDUMP ALL THE THINGS!”  If you find you cannot give a hint without ruining it, it’s better not to say anything at all.

Many others and I look forward to this challenge ALL YEAR LONG. I get my box prepared for this months in advance and I take at least a couple of days off from work so I can play.

Seriously, I do.  I get to Starbucks and get my Peppermint Mocha (or three) and I’m in front of this computer for hours, dancing in my chair to the awesome custom soundtrack they provide too.

I scour everything SANS related for months leading up to this. I want to arrive at the conclusion on my own, and while it is fun to do, I view this as a necessary part of my duty to educate myself. This is how I’ve led my own career. I don’t want to be handheld through it and neither does anyone else. Memorizing something is not learning. Learning is when you can repeat the topic in your own words, which suggests to the listener you comprehend it. You’re not a parrot. I want to comprehend and so do others. The way we do that, mostly, is by failing and keeping at it until we get it right.

Set up a temporary virtual environment for this and any other challenge you do online. You shouldn’t use your production box. If you have to change something just for this challenge to get something to work, and you forget? Some things might not work the next time you spin up the instance.

Many new hackers make this mistake, and one last year, not understanding what the shellcode he downloaded did, ruined his environment and network. This wasn’t in a SANS challenge but another I did, and it was disheartening to hear about. While I am not aware of SANS having any sort of malware in their Holiday Hack challenge, treat every file you are examining as if it is suspect. You don’t know what it’s going to do, and even normal files, when placed in the wrong environment or with specific configurations, can screw things up.

I am a legend in the arena of breaking things the wrong way. I’m so good at it, I now go out of my way to do things the wrong way just to see what will happen.

That said, make sure your environment is FULLY PATCHED prior to the challenge itself.  This also means updating the tools themselves if they don’t automatically update with apt-get update. When you’re all done setting up all the tools, reboot and then take a snapshot. That’s your starting point.

Get a notebook and have it on your desk so you can write notes on the fly and refer back to them if you have to stop and come back again the next day. Also if you plan to submit your solutions to possibly win, you are going to need those notes!

Cheatsheets are available everywhere. On my desk I have a literature rack which spins and has sections which I flip.

This, basically:


I have Common Ports, Mubix’ and G0tM1lk’s Linux-Post-Exploit guides and more.

There are HIGHLY COVETED prizes attached to this contest each year. First prize is a FREE SANS course of your choosing! They all run around six grand. There’s also Best Technical Answer, Best Creative Answer and Random Draw. So you’re competing for a chance to get the very best of training, at no cost to you, from the very best hacker and pentest experts there are.

Ed Skoudis, Jeff and their team do our community a great service by working hard on these challenges every year. They don’t really need to do this but they do and for that I am grateful to them. It’s essentially free training.

Before I start linking, I’m not suggesting all of what I mention below will be in the challenge this year. I’m just trying to give you the best starting point. If it isn’t included and you didn’t know about one thing I mention, there will come a time where it will come in handy so save it for later.

As with Hacky Easter (not hosted by SANS but by Hacking Lab each April), they most likely will too.

Also, the SANS people *love* Android analysis. I tweeted about this twice this year and I’m mentioning it again now…if you don’t have it on your system now, set aside two hours and install Android Studio. Get some dinner, learn to play a new instrument, bang your head against the wall, just install it. It is one of the longest software installs in history and you do NOT want to be installing it as you’re trying to solve a challenge. Trust me on this. I speak from painful experience.  

If you can spare the time try to do last year’s Holiday Hack because there was an APK you needed to analyze and it was most enjoyable to do.



The SANS guys are masters at Linux and PrivEsc. Get your hands on either Rob Fuller’s PrivEsc guide (His handle is Mubix)

or hacker G0tmi1k’s version



Red Team Field Manual, Blue Team Field Manual, Web App Hacker’s Handbook, Hacker’s Playbook 1 & 2.  

Get sticky notes to mark the pages that you think will be useful.

These are all on my desk, at all times.



Kali comes with Wireshark. Have it updated and a copy of the appropriate cheatsheets.

Also, before you ask because you’re probably going to ask (and this is something I’m DMed a lot about for some reason, I don’t know why):

Know how to quickly filter certain info.

Know how to decrypt packets and what specific things are needed to decrypt each protocol you come across. You don’t want to be going down the wrong path wasting valuable time.

E.g. with WEP you only need one key to decrypt, but with SSL you’d need both the private AND the public key.

So this is where your critical thinking comes in. Let’s say you come across a key. If you don’t have any keys or only one? You need to find the other or they want you to do something else with the traffic or perhaps the information you seek is in part of the packets which are NOT encrypted.

I once did a challenge four years ago looking for keys that weren’t there, only to find that the information I needed was in plaintext in the pcap, and I spent hours for nothing. With hacking it’s always important to know what you CAN’T do, because it’s going to lead you to what you CAN DO instead. My mantra: “What can I do, what can’t I do? What can I see, what can’t I see?” Otherwise, without certain pre-requisites in place, you might waste time.


Download Network Miner. It is full of win.


Alternative Alphabets / Encoding / Etc

Morse, Sherlock’s Dancing Men, Futhark Runes, Maritime Flags.    If they obfuscate the alphabet in a code, you want to have as many of these at your fingertips to save time.

Fun fact: I have a pigpen cipher ring. I wear it a lot and it’s actually come in handy in a real life situation where a pigpen cipher was used.  

This is a tool by Kahu Security I use every week. It does Hex to text, converts shellcode, has an ASCII chart, everything.

It will be helpful if you are familiar with how certain formats look. If something is encoded in Base64 and you don’t know what that looks like, you might have to spin your wheels trying to figure it out.  

When in doubt as to something’s origin? Paste in Google.


Pictures (Steganography)

Tools on hand to extract the metadata from pictures.


What can you see if you view them in a hex editor? I use HxD, primarily.

If steg is suspected, know which tools can handle which image types or you might waste time.

JPHide, as an example, only analyzes JPEGs.


Audio Files

If you haven’t downloaded Audacity, do it. I have used it a number of times for real-life engagements and CTF challenges.

Sonic Visualiser, e.g. to see if there’s a hidden message in the spectrogram.

Web Application Tools


You’re probably going to use BURP at some point so if you don’t know it, brush up on how to get started with it now:

Previous Write-Ups I Enjoyed Reading


Just have fun. Don’t worry if you don’t get them all. It’s not Pokemon. And if they include a game like they did last year with Wumpus, go with God Mode. Lesson learned. God that elf was annoying!

Good luck!

Hacking Boot2Roots

I receive quite a number of interesting DMs which intrigue me, but this past week I received one which kind of blew my mind: the author is a student in a class having nothing to do with hacking, and the professor gave his students two VMs to root but didn’t teach them how. He just said to use their “ethical hacking skills”, and the student who DMed me was confused as to where to even start.

It got me thinking about how I first learned about boot2roots (shout out to hackers G0tm1lk and g0blin, whose writeups I happened upon and which led me to VulnHub) and how I wasn’t sure what to do with them at first. Now you might ask how a hacker with a 50-plus-VM virtual lab environment wouldn’t know what to do with a VM. The answer is that I was not doing VMs at that stage; after putting together the pieces of what I was reading about them I learned, but it would’ve been nice to have a little guide. Now I am very familiar with them and can explain what I wanted to know when I first encountered one.

What is a VM boot2root challenge?

It is a stand-alone VULNERABLE image of a computer system which is loaded into virtualization software such as Oracle’s VirtualBox or VMware.

What does a vulnerable VM actually mean?

It means that there is software on the system which is left intentionally unpatched so you can learn how to exploit those vulnerabilities or “hack” them.

What does one do with one?

Your goal with a boot2root is to BOOT it and then, after discovering vulnerabilities present in the system and exploiting them, ROOT it. Sometimes there are extras like finding flags and not just gaining access as the root user.

How does one hack a boot2root?

You need to load the VM image into your virtualization hypervisor of choice. I primarily use VirtualBox but I also have VMware. After tweaking settings like the RAM size and the network adapter to use, and getting it into a state where it will be usable, you start the VM; a black box will appear and you will begin to see the OS loading. Then you use your host system OR another VM, like Kali Linux, which is pre-loaded with hacking tools, to scan the boot2root and begin finding vulnerabilities which you can then leverage to escalate your privileges within that system.

As my host system is Windows I run Kali on a VM. At work I have Kali installed as my main OS. So at home when doing boot2roots I have two VMs running.

How do I know which settings to tweak?

You will need to do some reading and research on what each of the settings available to you means and how it applies to your system. Google how to set up VMs, specifically the network settings portion, so you can understand what each of the options does. Also read up on how to read the logs the VM creates in case you run into errors and need to figure out why. You can also buy Blindseeker’s book on setting up VM labs. I did. I follow him on Twitter. He’s very knowledgeable in this area and the book is a SOLID resource. I am recommending it to everyone I know and several have tried to steal my copy from me because of how good it is. It even helped me solve a pfSense problem I was having. Definitely worth the money.

You will also need to pay attention to any special criteria the boot2root author has specified. Most are DHCP enabled which means they will pick up an IP once you boot them but some are pre-configured to use a specific CIDR like etc and if that is the case you need to set up a special network for your VMs that have the proper IP addressing scheme.

If your host box only has 16 GB of RAM, as an example, you cannot assign a VM 16GB of RAM. For boot2roots which I know do NOT contain malware I use these settings:

Video RAM 16MB
Base Memory 1024MB
Network: Bridged Adapter
Turn off all sharing capabilities of clipboard, etc.

Alternate Way to Hack a Boot2root

An alternate way to hack one, without going through the proper stages of a pentest, is to unzip the OVA file and examine the VMDK file in a free forensics program like The Sleuth Kit’s Autopsy.

You will then see all the directories and files within it and can see how it was set up.

Where can I download a boot2root to practice myself?

Where can I see how other hackers hacked a particular boot2root?

In each challenge on Vuln Hub there is a Walkthrough section. Google the name of the boot2root + the words “writeup” or “walkthrough” and read how others did them. You will learn valuable techniques and methodology this way.

What hacking skill level is needed to do these challenges?

Typically the author will say whether or not it is easy, intermediate or hard. But how they define those words and how you define them are two different things. Minimally, as most boot2roots are in Linux, you will need to have an advanced understanding of the Linux OS environment, how files and folders are stored, the default directory structures, permissions, and networking concepts.

Start with the easy ones. Don’t get discouraged if you’re referring frequently to a walkthrough on the challenge. This is what they are there for. Try to do it on your own until you get stuck.

Use logic to get you past hurdles. For instance if you scan a VM and you see that it only has these two ports open, which would be your FIRST target?

22 SSH

The website is going to be your best bet first, as SSH typically requires a known username and password to be entered before you can log in. Your goal is to recon the environment, collect credentials and take note of any places where you can input credentials.

Don’t make assumptions though. Hacking a website is different from hacking the Linux OS. Your job is to get from the website TO the underlying OS.

My mantra: What can I see? What can’t I see? What can I do? What can’t I do?

Can I see any login pages or forms?
Can I see directories which have indexing enabled?
Can I see any usernames present on the site which may help me?
CAN’T login to SSH without a username and password, but I found an RSA key; CAN I login as that user if I supply their key, thus negating the need for the user’s password?
Once I get in via SSH, I CAN’T do much because I’m in a restricted shell, but CAN I escape it?
CAN I invoke a shell in a program running on the system like VIM or AWK?
CAN’T see /etc/shadow but is there a vulnerability present in software on the website which will let me READ that file anyway and display it in the page?

You’ll get the hang of it eventually. Just go slow. Pay attention to EVERYTHING. As you exploit a system, research why you were able to do the hack so you can understand the WHOLE picture.

It’s not just rooting and pwning boxes like it’s a candy store. Do YOU understand the concepts behind why you were successful?

OK you DO? Great! Now say how to FIX them.

A great hacker is not made by running scripts someone else wrote and getting lucky. A great hacker understands each piece of the whole puzzle and, in the end, how to fix all the things which went wrong and allowed you to be successful in the first place.

How can I make my own boot2roots?


There are a number of ways to accomplish this like with Vagrant

or downloading pre-made VM set up tools on GitHub like SecGen

but the easiest way would be to map out on paper how you want your challenge to look. Then you would download the OS of your choosing and install any vulnerable packages to it. Then you would export the file in a VM format like OVA and test it out by hacking it yourself. You will have to plug any holes and narrow down the foothold points so that your challenge flows smoothly and isn’t rooted in a way you did not intend it to be. Then you can contact Vuln Hub and see if they will host it for you or if you have your own website upload it there and post about it on Twitter.

If you’re reading this and you already have one and would like an honest critique, drop me a DM on Twitter and I’ll be happy to check out your challenge for you.


Where do I download Kali Linux VM images?

Last minute tips

Take notes! Save your notes! Later on down the line if you do the challenge again you will see how far you’ve come from when you first started.

Download G0tM1lk and Mubix’ Privilege Escalation Guides for Linux.


Download cheatsheets like Common Ports.

Run VMs from SSDs if you can. They load MUCH faster than on traditional SATA disks.

Create a disposable Kali VM for each boot2root if you can so that you do not ruin your production system.

Have fun. We ALL started somewhere. We are not all successful every day. You’re GOING to fail and in fact, I hope you fail a lot. I do. You learn by making mistakes. This is a good thing.





Good Security Practices I Employ Daily

This is going to be a quickie post but someone came to me recently wanting to know how a hacker got into their Instagram and some other accounts after hacking into their Gmail account.

The answer is very simple. Stored Synced Passwords.

If you store your passwords with Google’s Sync feature and a hacker breaks into your Gmail account (say you got phished and gave them the credentials), all they have to do to see the other passwords you saved?

Is go to the synced-passwords page, and they will have your passwords to other sites. They can even see sites you did NOT save your passwords on, and because most users use the same passwords? They make educated guesses.

So if you didn’t save your bank password, it shows up at the bottom under the Never Saved area and now they know which bank you use.

Go there now while you’re signed in and turn this feature OFF OR turn on Two-Factor Authentication.

Two-Factor Authentication will stop them from getting in even if they have your password.

In fact, turn ON Two-Factor Auth on every service which allows it.

While you’re at it and reading this, go through your system and update all software which has been bugging you to update it but you never do because you’re too busy.

Do a Windows update and patch your Linux systems as well.

Every week, minimally, you should be going through your personal assets and making sure they are as secure as you can make them. Make backups of your environment as well. Plan ahead. If this software goes away, à la TrueCrypt, what are you going to replace it with that is a secure option?

I patch every week, without fail.

My online email accounts do not have any stored emails in them. Everything is downloaded to my system. Which is hardened. And I pentest my environment personally and invite trusted hacker friends of mine to hack me as well.

No breaches yet, thank God.

Every file I download is checked for malware PRIOR TO EXECUTION by several AVs, internally and externally, to rule out a compromise I may have missed.

This especially includes PDFs and hidden URIs.

I run BurpSuite or ZAP proxies prior to clicking on links to “pause the action” so I can see what is happening and can stop it if it’s malicious.

Every. Time.

I have never gotten a virus on any system I have administered or owned.

I use a different password for every website and change them once a month. Like clockwork.

I routinely scrape my online profiles and make wordlists to ensure I am not subconsciously leaking my passwords (if I didn’t generate them, that is) into my words.

I also monitor the words I use the most by using Maltego and building a dossier on myself.
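The self-audit described in the two paragraphs above, done with standard shell tools, as an added example that is not code from the post: build_wordlist turns text you have published about yourself into a wordlist, and leaks_words reports which of those words appear inside a candidate password after lowercasing it and undoing the usual digit-for-letter substitutions. The profile text and passwords in the demo are constructed, and the substitution table is an assumption you should extend to match your own habits.

```shell
#!/bin/sh
# Added example (not from the post): check a password against words scraped
# from your own public profile text. Constructed demo input is at the bottom.

# build_wordlist TEXT_FILE OUT_FILE -> one lowercase word of 4+ letters per line
build_wordlist() {
    tr -cs '[:alpha:]' '\n' < "$1" \
        | tr '[:upper:]' '[:lower:]' \
        | awk 'length($0) >= 4' \
        | sort -u > "$2"
}

# normalize PASSWORD -> lowercase, with 4 3 1 0 5 $ @ ! mapped back to
# a e i o s s a i (assumed substitution table; 1 could also stand for l)
normalize() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr '43105$@!' 'aeiossai'
}

# leaks_words WORDLIST PASSWORD -> prints each wordlist entry found inside the
# normalized password; exit status 0 means at least one hit, 1 means clean
leaks_words() {
    hits=$(printf '%s\n' "$(normalize "$2")" | grep -o -F -f "$1" | sort -u)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# --- constructed demo: a fake bio and three candidate passwords ---
demo() {
    d=$(mktemp -d)
    cat > "$d/profile.txt" <<'EOF'
Hacker, Kali fan, dances in her chair to a Peppermint Mocha at Starbucks.
Breaking things the wrong way since 1986. Novell, NT and AS400 survivor.
EOF
    build_wordlist "$d/profile.txt" "$d/words.txt"
    for pw in 'P3pperm1ntM0cha!' 'Nov3ll-AS400-1986' 'correct-horse-battery'; do
        if hits=$(leaks_words "$d/words.txt" "$pw"); then
            echo "LEAK  $pw  <- $(echo "$hits" | tr '\n' ' ')"
        else
            echo "clean $pw"
        fi
    done
    rm -rf "$d"
}
demo
```

Point build_wordlist at a dump of your own tweets, bios and blog posts rather than the demo text; the useful output is the LEAK lines, which tell you which of your public words a password is built from.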

If I ever get hacked or doxed, I want to be prepared.

I’ll post more good practices that I do later.

Patch your shit.

No excuses.

Creating Metasploitable 3 in a nested VM environment completely blind like maniacs do

Disclaimer: I’m a hacker and I’m also slightly insane.

Translation: I break software for fun, profit and because I don’t like to follow the rules all the time. This means I like to install software in ways no one else has or the developer intended.

Typically software installs are provided in such a way as to make it easier for the end-user to get it on their system and get up and running with it as fast as possible.

No end-user ever said to themselves “Gee, I want to spend fifteen hours trying to install this software in an environment it’s not intended to be in for no other reason than I’m curious and I CAN.”

Except, I say that all the time and I believe in trying new things so I can learn.

I am a fan of Rapid7 and I use Metasploit just like any other hacker. I hacked Metasploitable 1 & 2. They were easy to import and fun to play around with.

Then came Metasploitable 3. Before you can play with it, you have to create it. This is actually a brilliant idea on the part of Rapid7’s staff because it teaches you how a VM is built with Vagrant and Packer but it’s this idea where the problems started for the users.

Because not that many people build VMs this way.

I began to notice two weeks ago that a lot of people on Twitter were having issues installing this vulnerable VM using the Windows 10 way. This is the *accepted* way to do it. Rapid7 even supplies us with a video made by a man named Jeremy who does just that.

I didn’t want to go through all that trouble even though in the end it probably would’ve been a lot faster. I wanted to install it in a NESTED VM environment that had Ubuntu, NOT Windows 10.

Why Ubuntu? Because it keeps you on your toes and if something is going to break, Ubuntu will make sure it does. You have to know workarounds with this OS and so when I do experiments of this kind, I like to throw Ubuntu into the mix to make it all that much harder.



***Before you begin, you must make sure that Hardware Virtualization is enabled in your BIOS – Stop reading right now, reboot and check. Chances are if you already have VM labs set up it’s already set but doesn’t hurt to check.

My system is already configured this way so I didn’t need to do this. If your chip doesn’t support this, stop, you can’t do this but you’re free to read how this maniac did 🙂

What I have: a Windows 8.1 host computer running VMware Workstation 12, loaded with a 64-bit Ubuntu 17.10 VMware image which has VirtualBox installed inside of it.

**You cannot use VirtualBox to create the Metasploitable 3 VM because VirtualBox does not support Nested Virtualization (VMs within VMs). VMware does. I forgot about this rule and tried to do this in VirtualBox yesterday and got all the way to the end, saw the AMD-V error and realized where I went wrong.

Whoops! First world hacker problems.

My attack and research lab environments are all in VirtualBox. I have two SSDs dedicated to them as they start up very fast.

Before I get to my steps, I want to clearly explain what you are doing here. Previous versions of Metasploitable (1 & 2) were already pre-made into virtual images you could attach to VMs in your favourite hypervisor.

This time, because the VM is made in a Windows OS and because of licensing issues with redistributing Windows OSes, Rapid7, the makers of Metasploit and the Metasploitable vuln VMs, created a way for you to create the VM yourself.

They can’t give you a ready-made image, it would be against Microsoft’s terms. But they can give you a framework in which to build the image which points directly to Microsoft’s servers to download the Windows 2008 ISOs needed (main OS and guest additions)

So, what I’m about to show you is this:

This means I’m running the Ubuntu VM guest on a Windows 8.1 host in VMware and then inside that guest Ubuntu VM I’m going to install VirtualBox again to get Metasploitable 3 created.

I’m spelling this out so there’s no confusion as you progress through this. Any questions, DM me on Twitter. I respond within 24 hours usually.

Set aside several hours for this. No distractions. You’ll just wind up getting aggravated further if you run into issues and have to get up to go walk the dog or cook dinner.



  1. I downloaded the Ubuntu 17.10 VMware image from OsBoxes

    Username: osboxes  Password:

  2. I downloaded VMWare
  3. To add the vmdk virtual disk file to the VMware machine, do the following:

    Open your VMware virtual machine and make sure it is powered off;
    Choose VM -> Settings;
    On the Hardware tab, click Add to start the Add Hardware wizard, select Hard Disk and click Next.
    On the Select a Disk page, select Use an existing virtual disk and click Next.
    On the Select an Existing Disk page, enter the path name and filename for the existing disk file, or browse to the file and click OK.

  4. I enabled Bridged Adapter in the Networking section so as not to futz around with my special NAT environment I have for my VMs. Specific VMs require they be air-gapped, either because you’re analyzing malware or because they are vulnerable and opening them up fully to the Internet (public-facing) is a BAD idea. But for right now don’t worry about that. Let’s just get it Internet access so we can download what we need right away without restrictions.
  5. I gave the VM 12 GB of RAM and like 100 GB of space so it wouldn’t run out and I wouldn’t have to expand anything or play around with Gparted.
  6. I know my system supports it, but if you’re following along, check that your system supports Nested Virtualization. For Intel processors, cat out

    /sys/module/kvm_intel/parameters/nested

    For AMD processors, cat out /sys/module/kvm_amd/parameters/nested instead.

    You should receive 1 or Y if nested virt is supported, 0 or N otherwise. AMD processors should have it enabled by default; (certain) Intel processors might not. Example:

    $ cat /sys/module/kvm_intel/parameters/nested
    $ cat /sys/module/kvm_amd/parameters/nested

  7. Start up the Ubuntu VM.
  8. Change the ubuntu user’s password. It is “” to begin with.
  9. Now download Git

    sudo apt-get install git

  10. Git clone the Metasploitable 3 repo

    sudo git clone

  11. I downloaded the ISOs required for Metasploitable 3 direct from their sources as described in one of the files.
  12. I then edited the windows_2008_r2.json file in the metasploitable3 repository. At the end of the file, look for iso_url and put my file path in there instead of the Microsoft URL, because why download it a second time?

    "variables": {
      "iso_url": "/home/osboxes/metasploitable3/7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso",
      "iso_checksum_type": "md5",
      "iso_checksum": "4263be2cf3c59177c45085c0a7bc6ca5",
      "autounattend": "./answer_files/2008_r2/Autounattend.xml"

  13. Installed latest version of Vagrant

    sudo apt install vagrant

  14. You can check if vagrant is installed by typing vagrant -v in Terminal or vagrant version.
  15. Now download the vagrant plugin. In Terminal type

    sudo vagrant plugin install vagrant-reload

  16. Install Packer and VirtualBox

    sudo apt install packer virtualbox

  17. Now test that it’s installed by typing packer in a terminal and then virtualbox. If you see options you’re good.
  18. At this point we have all the pre-reqs in place and should be able to start the shell script to build the VM. But trying to build it with sudo ./ was failing epically. I had to figure out another way for it to work.

    I knew I could build it manually using the supplied JSON script and the command “packer build”

    So I tried that.

    packer build windows_2008_r2.json

    This failed with:

    VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component MachineWrap, interface IMachine

    So I did some research and it said to do a headless start. This means there’s no GUI and you’re essentially blind running this.

    Also, there’s an additional problem which is that I’d be invoking VBoxManage through a JSON script not directly through the command line.

    So that meant I needed to edit the JSON file. I searched through it for the word “headless” and found it was set to false. I set it to true.

    And then I waited.

    I could see it was writing the Metasploitable VDI file in a new directory it had created, “output-virtualbox-iso”. F5ing (refreshing) allowed me to see it kept writing to it. I figured this was a good sign.

    I waited an agonizing 15 mins to see “Waiting for SSH to become available”

    It took another hour to fully build.

    Then it failed at the end with a VMWare error but I had the ovf, vmdk, vagrantfile and json file.

    I tried to start vagrant up but that failed too. I have something wonky somewhere. Not to worry, I can import it!

    Part of being a hacker is thinking on your feet and being able to consider your options, on the fly, if necessary, and trying what you can with the least amount of damage. Since this is an experiment, I don’t care about damage.

  19. I fired up VirtualBox and used File > Import Appliance and selected the “box.ovf” file it had created in a subdirectory in the metasploitable3 folder.

    It fails saying it’s corrupted.

    But it had created a backup zip of the four files so I extracted them someplace else and imported from there.

    This was successful! 🙂

    Now all I have to do is mount one of my external drives, transfer the zip to it and import it into my host computer’s Virtualbox environment.

    I can then attack it with Kali or whatever else.

    I’m going to follow my steps again this week, recreate this entire scenario from scratch and see if I missed anything in this tutorial. If I do, I’ll edit this guide.

    This required a lot of thinking on my part when things failed so I may have missed a few steps.

    In closing, remember that there is always an alternate way to do things. Always try new ways even if they seem crazy because you open up your horizons that way and get to experience new things.

    I downloaded Metasploitable 3 when it first came out and forgot about it. The discussions on Twitter are what prompted me to finally create it but I just didn’t want to copy everyone else.

    Anyway, that’s that. I didn’t give up although I wanted to. Ubuntu is such a pain at times!

Thank you to Jobert @ Hacker One

In 1986 when Blankenship, otherwise known as “The Mentor”, wrote The Hacker Manifesto, published in Phrack Magazine, I was ten years old. I didn’t hear of him until I was close to eighteen and started to really get into fixing computers and building networks. I subscribed to 2600, I donated money to the Free Kevin movement, went to and worked at computer shows on the weekends, doing everything I could to be a part of the hacker culture. I built my first computer at sixteen, and this was after failing my high school computer class. Like The Mentor, I was bored. My teacher was so frustrated with my horsing around that he said the most I’d ever be able to do was “flip burgers”. I smiled at him and went on my merry way knowing that he was dead wrong. I knew I was destined for greater things when, at six years old, we got a microwave, a newfangled invention at the time, and I cooked something in it without being told how to operate it. My entire life I had an affinity for everything electronic.

At 19, I was a manager of software and the help desk at the now defunct Family Golf Centers, Inc. I personally unpacked, turned on and configured over 160 Novell servers in three weeks and had them deployed to our pro shops working over the phone and in person with meager 56k uplinks.

At 23, I was the youngest systems administrator at Honeywell. They hired me to man the help desk. Two weeks later, after the I Love You virus hit and I programmed a custom button in Outlook to send out not only the fix but instructions to every single employee, I was given the keys to seven kingdoms, or in our line of work, servers. They also let me play around with the AS400s. God, I miss those. I remember the day I became a Domain Admin for the first time. I was so proud! First password I ever gave out to a user was momoney. He was an accounting guy 😉

Yesterday I turned 41 and I still just have a high school education. This is not to say that college wouldn’t have been nice, I just couldn’t afford the *time* because while my other friends the same age were busy getting drunk while going to college, I was stuck in a server room trying to coax a Novell or NT server into playing nice with me. One time I got drunk at a bar in one of my company’s sports centers and the night manager was pouring coffee in my mouth and shaking me awake after the server went down and drunk as a skunk I fixed it.

Another time the floor above us sprung a leak and the ceiling was raining water down on my very expensive Lucent Merlin Legend PBX and I ran to a neighboring construction company’s office, stole a tarp from them and threw it over the damn thing before all was lost.

I was making the equivalent of $60,000 a year THEN with my “burger-flipping” equivalent of knowledge, if my H.S. teacher was to be believed, and I took my boyfriends out. They couldn’t keep up with me.

Since then I have been fortunate enough to have worked for Arrow Electronics, Symbol Technologies and Olympus of America, to name just a few.

Today I work for a forensics lab with some of the most amazing scientists, molecular biologists, chemists and brilliant minds this world has ever seen. I am not only their resident hacker and sysadmin but I’m also just a hacker who loves our craft dearly.

But nine years ago when I got back to hacking full-time (I was involved heavily in the scene in the late 90s, early 00’s), my life took a turn for the worse with the death of my stepfather. He got up for work on August 19th, 2008 and an hour later fell over, and I was awakened by my mother screaming for me. I lived in the apartment downstairs. I ran upstairs to see her performing CPR on him. An hour after that he was gone.

Then the recession hit. I was out of work. Things got bad. They got so bad we had to suck the oil out of our pool’s oil tank during one blizzard because we ran out of heat. You know that heating program the former (now deceased) president of Venezuela, Hugo Chavez, had for poor people? Yeah, thanks to him we were warm that year. I don’t care that he was a tyrant. He kept my mother and me from freezing to death. I mourned him for the proper three days and every Winter, I say a silent prayer for him, in thanks. I am a witness to at least one act of kindness he did in his life.

I will spare you the gory details which followed in the subsequent years but suffice it to say, if something could go wrong in my life then, it DID. Every day it seemed like a new nightmare unfolded. I got my car repo’d, lost a temp job I took just to try and stay above water, was literally eating Ramen soup at night and trying desperately to keep my mother, who has an inoperable non-cancerous brain tumor which has caused her to go almost blind, from losing her mind as I was quickly losing mine.

I had a skill, you see, and I couldn’t fucking use it to save my immortal soul. I sent out applications EVERYWHERE. I got a rejection letter from Walmart where the hiring manager expressed surprise that I couldn’t find a job based on where I had worked previously. He thought I was trolling them. I called his office and begged him in a voicemail and said “I will clean your toilets. I don’t care. I just want to eat a piece of meat next week.”

He didn’t call me back. I don’t fault him for that. I wouldn’t have either. I sounded batshit insane. And, honestly? I probably WAS.

I came dangerously close to ending my life when we were forced to leave our home due to foreclosure. We had just three weeks left before the sheriff was coming to evict us when we FINALLY found a place to live.

You just could never know how soul-crushing it was to have been SO successful in my life and not be able to save my mother when she needed me the most. This is a woman who was told she would never have a child, she kept trying, gave me life, supported me through every scrape, every heartache and the ONE TIME she needs me, I was an epic failure.

Not that she ever said so, but I lost sleep every time I thought about how I must’ve been a colossal disappointment.

All my savings were gone. I sold every piece of jewelry, every computer, everything that had any SPECK of value and none of it came close to what was needed.

But then one night, five years ago now, bleary-eyed and exhausted from another horrible day that always repeated itself and never got better, I happened upon something written by Tavis Ormandy about this site (It’s down right now but hopefully will be back up soon!) and how he reversed this app.

I had always been a fan of Tavis so if he was touting the site, I knew I had to be a part of it.

I immediately signed up and cracked my first crackme a week later. I jumped around, I was so excited!

The rest is too long to list. I’ve probably bored you enough already. Tavis recently followed me on Twitter and expressed gratitude for something I wrote to him. I was hysterical when I got the notification because he could never know what he did for me and what he represents to me, as a result.

I told him he was one of my personal heroes and what he doesn’t know is that he is as much responsible for saving my life as hacking in general is because if he hadn’t intrigued me with what he had written, I never would’ve tried to reverse the executable myself. I never would’ve done half of what I’ve done since if it wasn’t for him.

When I cracked that exe, I had hope again. I had a point of reference. Something to look forward to. Not the inevitable misery of the next day. Thank you Tavis. Really, man, you’re my savior!

Now let me tell you about another personal hero of mine and the true reason for this post.

His name is Jobert Abma. He is the Co-Founder of the bug bounty program coordinator company, Hacker One. And he is an amazing human being! Three days ago was Jobert’s birthday and he sent out a tweet saying that if we told him why we decided to become hackers, he would reward three of us with some really awesome swag.

Without thinking of how it might be perceived (and that it was the poor man’s birthday and I maybe shouldn’t be writing something as awful as I did), I wrote how hacking saved me from opening my wrists in a bath tub.

It was the truth. It was knee-jerk. Poorly timed. I felt horrible and said so to another hacker on Twitter that I should’ve checked myself. But Jobert’s tweet struck a chord with me. It was in that moment, reading it, that I remembered cracking the Crackme and how uplifting a feeling it had been. I said I owed hacking a debt and that is also true. It truly saved my life.

Jobert has since reached out to me and picked me as one of the winners of his amazing generosity!

I want to thank Jobert for believing in me, a complete stranger, and for taking the time out of what has to be a busy day for him to write me what he did. It was beautiful. I haven’t stopped crying some two hours later now after receiving the notification. Thank you Jobert!!!

The hacking community may be vast in numbers of actual hackers but we are still close-knit and we support one another. Look at how the community came together to support MalwareTechBlog Marcus Hutchins! I am amazed daily at all the awesome things hackers do for one another. At times it is a thankless job. Most of I.T. is, to be quite honest. We bust our asses, solving impossible problems, for individuals, who, through no fault of their own, cannot truly appreciate the gravity of our work and research because they don’t understand the technology they use which we are always on hand to fix.

But we do understand it and they need us, even if they don’t always like to admit that.

Jobert’s company, Hacker One, has a mission to bring hackers and companies together on a level playing field to ensure that hackers get paid a fair enough wage for finding vulnerabilities and companies don’t have to worry about 0-Days ruining their stock prices because some hacker didn’t disclose properly and RESPONSIBLY.

I’m not a marketing person and I probably did a terrible job of explaining what they do but please trust me when I say that what they do is very important.

I participated in Hacker One’s collaboration with the DoD during Hack the Pentagon.

They are good people.

Doing great things for humanity.

Support them and thank them, when you can.

In closing, I sent Jobert an email thanking him personally but I wanted the world to know how happy he made me tonight. This was the best birthday gift ever! If Jobert should ever need my help, he only need ask me and I’ll be there for him. Whenever. Wherever. Don’t care what it is, I told him I have a saying that we have to give back what we take.

So thanks again Jobert, from one hacker to another! Together, we do hit harder!

I will endeavor to use your gift to do good for the world like you do and hopefully make you proud!



Installing Guest Additions in VirtualBox for Kali Linux Rolling


I just set up yet another VM with Kali (because I broke mine, which is typical; I do this several times a year and never take snapshots, since I like to install fresh and keep tools/scripts in a shared directory) and ran into the “copy-paste between Host and Guest” problem: Bi-Directional sharing was enabled, but despite being told to copy and paste between the two, it wasn’t. So I thought I’d share my notes on how I’ve gotten it to work in the past.

I first do this



If after this it doesn’t work, go to the Devices menu of your VirtualBox program window.

Click “Insert Guest Additions CD image”
It creates a VboxAdditions_(versionofOracleboxyouarerunning)_somenumber CD image file on the desktop of your Kali Linux VM.

Double click this and a window will appear
Right click and copy the file and paste it to your Desktop
Close out of the window
Open Terminal



And you should now have a full screen (if that was your problem) and/or copy-paste between host and guest should now be restored.

The Power of Chaining Commands in Linux

This took me about two hours to fiddle with. I’m trying to get better at writing my own scripts and chaining commands instead of relying on the ready-made scripts of other hackers, to whom I am eternally grateful for because without them I would never have learned how to even do half of what I do.

I thought I’d share with you a quick way I extracted the info I needed from Searchsploit. It is a great tool, but once you find the exploit you’re looking for you have to specifically go into the directory where it is and then view the contents.

In Kali the exploits are in the /usr/share/exploitdb/platforms/ directory in a subdirectory for their particular language.

If you type it out it can get tiring and if you go through Nautilus it’s just as tiring to double click.

So I set out to see if I could get the info from these directories in one line in Bash.

For the purposes of our test, let’s say I want to search for exploits for Sendmail v 8. The first step is to see what we can see:



Eww. That’s way too much information.

Those Arbitrary Code Exec sploits look interesting. Let’s see just those using grep.




Okay that’s a little better but in order to get to each individual exploit I would have to type the following:


And that would get old fast. So I thought about how to do a bunch of commands that would create a script to do the following:

1. Search the tool Searchsploit for all Arbitrary Code Execution exploits for the program Sendmail 8
2. Cut out the part of each result line that holds the path to the exploit file
3. Append cat /usr/share/exploitdb/platforms/ path to the beginning of each line
4. Add a > character to the end of each line
5. Add numbers which increase by one to the end of each line
6. Create a script called “”
7. Give it executable rights
8. Then run the script it just created, which would dump the contents of each exploit file into four numerically sequenced files so I could view them.


In order to do this I had to find the column numbers for linux/local/…..

The final command structure is thus:

searchsploit Sendmail 8 | grep "Code Execution" | cut -c 195-220 | sed -e 's#^#cat /usr/share/exploitdb/platforms/#' | awk '{print $0">"}' | awk '{ print $0,NR}' | awk '{ print $0".txt"}' > && chmod +x /root/Desktop/ && sh /root/Desktop/


In closing, this isn’t perfect and I realize that. Also, for some strange reason, after an hour of testing various things, the column numbers were changing on me. I do not know why. I’m really in the beginning stages of shell scripting and I know I can write a script which will extract all this information and put it into the four files as I like without having to run each of these commands.

I’ll work on tweaking this and doing just that next time but I had a need for a few exploits and I figured I would use this as a way to illustrate how powerful Linux is and how useful chaining commands really is.
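The post closes by saying a script could do the same extraction without the fixed `cut -c 195-220` character range, which is exactly the part that drifted between runs. Here is an added example of such a script; it is my code, not the blog’s one-liner. It splits each searchsploit row on the `|` column separator instead of on character positions, copies each matching exploit into 1.txt, 2.txt, ... in an output directory, and refuses any path that would escape the exploitdb tree. The `/usr/share/exploitdb/platforms` root is the Kali layout the post describes and can be overridden; the sample searchsploit output is constructed for the demo, not real search results.

```python
#!/usr/bin/env python3
"""Added example (not the blog's own one-liner): parse searchsploit's table
output, keep rows whose title matches a pattern, and copy each matching
exploit file into 1.txt, 2.txt, ... in an output directory.

Splitting each row on the '|' column separator avoids the fixed
`cut -c 195-220` character range, which is what drifts when searchsploit
changes its column widths or the terminal width changes.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Assumed Kali layout from the post; other exploitdb packages may use a
# different root, so every function accepts an override.
EXPLOITDB_ROOT = Path("/usr/share/exploitdb/platforms")

# Constructed sample of searchsploit's table output (not real results).
SAMPLE_OUTPUT = """\
------------------------------------------- ------------------------
 Exploit Title                             |  Path
------------------------------------------- ------------------------
Sendmail 8.x - Arbitrary Code Execution (1) | linux/local/example1.c
Sendmail 8.x - Denial of Service            | linux/dos/example2.pl
Sendmail 8.x - Arbitrary Code Execution (2) | linux/remote/example3.c
------------------------------------------- ------------------------
"""


def extract_paths(output: str, pattern: str) -> list[str]:
    """Return the Path column of every row whose title matches `pattern`."""
    paths: list[str] = []
    for line in output.splitlines():
        if "|" not in line:
            continue  # separator rows carry no column delimiter
        title, path = line.rsplit("|", 1)
        path = path.strip()
        if path == "Path" or not re.search(pattern, title):
            continue  # skip the header row and non-matching titles
        paths.append(path)
    return paths


def is_inside_tree(rel: str, root: Path = EXPLOITDB_ROOT) -> bool:
    """True if root/rel resolves to a file under root (rejects '..' escapes)."""
    root = root.resolve()
    target = (root / rel).resolve()
    return root in target.parents


def dump_exploits(paths: list[str], outdir: Path,
                  root: Path = EXPLOITDB_ROOT) -> list[Path]:
    """Copy each exploit to outdir/N.txt, numbered in result order."""
    outdir.mkdir(parents=True, exist_ok=True)
    written: list[Path] = []
    for n, rel in enumerate(paths, start=1):
        if not is_inside_tree(rel, root):
            raise ValueError(f"refusing path outside {root}: {rel}")
        dst = outdir / f"{n}.txt"
        dst.write_bytes((root / rel).read_bytes())
        written.append(dst)
    return written


def main(argv: list[str]) -> int:
    # Usage: searchsploit Sendmail 8 | ./dump_sploits.py "Code Execution" /root/Desktop
    pattern = argv[1] if len(argv) > 1 else "Code Execution"
    outdir = Path(argv[2]) if len(argv) > 2 else Path.cwd()
    for dst in dump_exploits(extract_paths(sys.stdin.read(), pattern), outdir):
        print(dst)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pipe searchsploit into it just as the post pipes into grep; the script does the cut/sed/awk work and writes the numbered files itself, so there is no generated helper script to chmod and run.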


Sendmail Gmail 2FA Python Script & More

Happy Hack Sunday! This is the day that I truly devote to our craft and do things on my To Do list. Which is a list of things I’d like to get done because I need them to get done or things which I’d just like to do for the fun of it and to broaden my horizons. This is also the day I patch my systems. Today I have a few things I’d like to discuss with you all. So let’s get started here.

—————-Linux Hacking—————-

I’d like to direct your attention to the e-book Linux 101 Hacks “Practical Examples to Build a Strong Foundation in Linux” by Ramesh Natarajan. I’ve found this text useful and have incorporated some of the techniques into my own Scratchpad notes that I plan to publish here on my blog later this year. It is a guide I’ve been steadily adding to over the last four years pertaining to hacking and CTF competitions.

Find it here:


Do yourselves a very big favor and put this site on your watchlist because you’re going to want to be a part of this when it goes live. I have followed hacker Rastamouse for the last four years and he is EXTREMELY gifted. You should also read his write-ups because his hacking is solid.

—————-Rook & Bl4de not Razor & Blade———–

Speaking of gifted hackers, my Twitter pals Rook & Bl4de are two hackers you should watch.

Rook does a lot of live streaming events where he demonstrates his talent.

Bl4de is trying to get to number one on HackerOne’s top bug-hunter’s list and I’m convinced he will get there one day.

—————-HackerFantastic & x0rz—————-

Hackers HackerFantastic and x0rz had an interesting debate this week on Twitter about whether or not it’s “ethical” to “hack back” when targeted. Look through their feeds as well, because they are exceptional at what they do.

—————-Sendmail Gmail 2FA Python Script——–

I was recently inspired to write a quick Python sendmail script (with help from StackOverflow) which allows me to send an email to multiple addresses AND uses 2FA with App Passwords through Gmail.


You want to change the following values:

Line 2: Change fromaddr= to the email you are sending it from
Line 3: Change the toaddrs to the email addresses you are sending the mail to. If you have more than two, add another comma after the second address, then the third address wrapped in tick marks (‘), and so on.

Line 5: Change the Subject to what you want
Line 7: Change “Testing” to the body of the message you want

Line 9: Change your username to your Gmail username
Line 10: This is important, in order to successfully authenticate you have to first create an “App Password” for Google’s Two-Factor Authentication 2FA process.

Google “Google App Password” and click the second link.
Create a “Mail” Password.
Name it Python or whatever you want to call it
Click Generate
Copy the password that it generates for you into Line 10. It can be with or without the spaces in it.
Name the script what you want just DO NOT call it “”!

This will fail, as Python will think it’s the existing email python script named “” in your Linux system, and if you have Kali Linux it definitely will.

Make it executable chmod +x

Run it ./ or python
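The post’s own script is not reproduced above, so here is an added example that does the same job: one message to several recipients through Gmail, authenticated with an App Password. This is my code, not the post’s, and it differs in two deliberate ways: it reads the username and App Password from the environment variables GMAIL_USER and GMAIL_APP_PASSWORD (names I chose for this example) rather than hard-coding them on lines 9 and 10, so the credential is not leaked if the file is shared, and it verifies Gmail’s certificate when upgrading to TLS. The recipient addresses are placeholders.

```python
#!/usr/bin/env python3
"""Added example (not the post's script): send one message to several
recipients through Gmail over STARTTLS, authenticating with a Google
App Password (issued for accounts with 2-Step Verification enabled).
"""
from __future__ import annotations

import os
import smtplib
import ssl
import sys
from email.message import EmailMessage

SMTP_HOST = "smtp.gmail.com"
SMTP_PORT = 587  # submission port; the session is upgraded with STARTTLS


def normalize_app_password(raw: str) -> str:
    """Google displays App Passwords in groups of four; the spaces are
    display only, so strip them before authenticating."""
    return raw.replace(" ", "")


def build_message(fromaddr: str, toaddrs: list[str],
                  subject: str, body: str) -> EmailMessage:
    """Build a plain-text message addressed to every entry in toaddrs."""
    msg = EmailMessage()
    msg["From"] = fromaddr
    msg["To"] = ", ".join(toaddrs)  # one To: header, comma-separated recipients
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_via_gmail(msg: EmailMessage, username: str, app_password: str) -> dict:
    """Deliver msg; returns smtplib's dict of refused recipients (empty on success)."""
    context = ssl.create_default_context()  # verifies Gmail's certificate chain
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as server:
        server.ehlo()
        server.starttls(context=context)
        server.ehlo()  # re-identify over the now-encrypted channel
        server.login(username, normalize_app_password(app_password))
        return server.send_message(msg)  # recipients come from the To: header


def main() -> int:
    # Assumed environment variable names for this example; keeping the App
    # Password out of the script body means it is not exposed if the file is
    # shared or committed.
    username = os.environ.get("GMAIL_USER")
    app_password = os.environ.get("GMAIL_APP_PASSWORD")
    if not username or not app_password:
        print("set GMAIL_USER and GMAIL_APP_PASSWORD first", file=sys.stderr)
        return 1
    msg = build_message(
        fromaddr=username,
        toaddrs=["first@example.com", "second@example.com"],  # placeholders
        subject="Test from Python",
        body="Testing",
    )
    refused = send_via_gmail(msg, username, app_password)
    if refused:
        print(f"refused recipients: {refused}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it under a name that is not also a standard-library module it imports (a file called smtplib.py or email.py in the same directory shadows the real module, which is the failure the post warns about), then run it with `GMAIL_USER=you@gmail.com GMAIL_APP_PASSWORD='xxxx xxxx xxxx xxxx' python3 gmail_send.py`.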


—————-Amazon Infosec Book Contest————–

Hacker RoxyD runs an ongoing Amazon book contest where you can either donate to her cause if you have extra Amazon credits or win the contest as I did along with some others in May.

Got a copy of HashCrack which went on my desk on top of the RTFM and BTFM manuals.

She’s very sweet and I just like her. Support her if you can, please.


I’m working on another boot2root challenge which I should be doing a writeup for next week or the following so look out for that. I have a bunch of hardware-related hacking I’m doing on my own and I’m also fixing some things for family and friends so my time is split for the next couple of weeks.

But I get to use my soldering iron so I’m happy about that!

As always, hack often and all the things! Thank you for reading!

How to Stop WannaCry Ransomware – Non-Technical Version

In this post, I attempt to consolidate the most salient pieces of information related to the global cyber-attack known as the “WannaCry Ransomware” in a way that is non-technical. I am just putting up links for non-computer savvy users to find the information fast because I’m noticing that there’s a lot of information being thrown at the public which I do not think they understand as evidenced by the fact that my private messages across many different outlets are filled with people asking what they should do to stop this on their own computers.

I hope this little bit I’m writing here helps the collective effort to stop this thing for good.

If I can help in any other way, my keyboard is at your disposal, my hacker brethren.


Twenty-one years ago when I accepted my first M.I.S. position (they called I.T. that in those days), I took a silent vow that I would assist end-users to interact with their computers in a meaningful and productive way that would both demystify them and educate using whatever knowledge I had at my disposal; promising constantly to keep my skills current so I could help them not be so fearful of a machine that was created to automate tasks and make their lives easier.

Now, as a whitehat hacker, I uphold this vow and take it one step further in swearing to do all I can to keep these machines from harming the very people who use them and destroying their lives.

My God, this sounds like I’m rewriting the script to The Terminator but in those days computer viruses were easier to remove, they didn’t take down entire hospital networks and didn’t kill people.

It’s not my place to pass judgment, but I just want to say to the hacker(s) who authored WannaCry: there is a line in the movie Jurassic Park which is so apropos here and I think you should learn the meaning behind it:

Jeff Goldblum’s character, speaking about the dangerous science of cloning dinosaur DNA and bringing them back to life, says, “Your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should.”

What the heck is WannaCry?

It’s a self-replicating Ransomware infection which has piggy-backed code inside of it borrowed from the NSA which allows it to penetrate a system via SMB on port 445, execute on its own, fully encrypt a drive, delete all backups and then move on to the next computer in worm fashion. All without needing a password or user intervention. Meaning, it infects you without your knowledge or consent, and your password is useless in this particular scenario.

How to stop it from getting on my computer?

1. You will need to immediately update (what we call patch) your computer with the latest updates from Microsoft. It only affects Windows systems. The link to do this is below under the MS17-010 section.

2. You will need to fully update your anti-virus software’s definitions and make sure its Real-Time functionality is on and working.

3. Disable what is called SMB version 1.0. There is a vulnerability in the software which runs this protocol which gives hackers and this particular virus the ability to penetrate your system without your knowledge or consent. They do not need your password. They bypass passwords altogether.

4. You should block incoming traffic on port 445 on your firewall. You will need to look up instructions on how to do that, as there are many firewalls out there and no one person can give you instructions for your particular one without knowing what it is. Port 445 is the port which SMB uses to communicate. I tell you how to do it in Windows Firewall below, but you could be using other firewall software.

How to Disable SMB version 1.0

This article describes multiple ways to achieve this. Scroll down to “Windows Client: Add or Remove Programs method”

How to Patch Your OS

MS17-010 These are the links to the patches for your respective operating system. Scroll down and look for your system on the left-hand side of the table. If you try to run an executable that is not for your system, Windows will not allow you to do so and will give you an error.

If for whatever reason this fails, run Windows Update and update through there.

How to Block Port 445 in your Windows Firewall



You should immediately do a full backup of whatever important data you would not wish to lose and disconnect the device you are backing up to from your computer so as to avoid any infection getting into your backup device and encrypting it as well, thus making the backup data useless.

What do I do if I’ve been infected?

Do NOT pay the ransom. All this does is give the author of this virus and other bad hackers the idea that people will pay to get their data back. It encourages them. Many times they take the money and don’t decrypt the data. This is a bad idea.

I don’t know what other computer experts would tell you to do but my advice?

Fully wipe your computer and restore from backup.

An infection this dangerous, I wouldn’t take the chance that all traces of it were removed by an anti-virus suite. If you have a clean system and can restore your data which hasn’t been encrypted, you’re good.

If you start to dismantle it piece by piece and leave one of its remnants behind, you could be exposing your computer to damage in the future. I wouldn’t chance it.

How do I prevent infections like this in the future?

I can’t predict what’s going to happen with the next virus any more than any other hacker or computer expert can, but I can tell you this: to date, I’ve never had a system of mine get infected, and I study malware code. I have live viral samples in a controlled environment.

The reason for this is prior to executing any file, be it from email, the web, etc, I virus check it TWICE both with my AV software on my computer and an off-site checker like Virus Total.

I do not follow links I’m unsure of and I will paste the URLs into Virus Total to get a sense of whether or not they are bad before I visit them.

I don’t like email so most of it I delete without reading. Even legitimate emails I receive. I’m lazy 🙂

Keep your system up to date with security updates and patches. Keep your anti-virus software up to date as well. Virus check all files.

But nothing is 100%. You can start by educating yourself on how to keep your computer clean from viruses by researching it.

Technical Info on WannaCry

Malwaretech is the AMAZING hacker who stopped the virus from spreading further by registering the domain hidden in its code!  He deserves an award, something, to thank him for his quick-thinking which saved lives!!!!


The moral of the story is there are just as many good hackers out there working to protect the masses as there are bad. The speed with which friends, colleagues of mine and other hackers I deeply admire and respect came together to stop this on a global scale is truly awe-inspiring.

When you see a hacker in the world, make sure you thank them. Even the bad guys too. Because without them none of us would be able to demonstrate OUR skill and illustrate how hard we work to keep the rest of you safe.

Any questions, comments? Find me on Twitter. Because, I delete emails, remember? 😉


Shout out to all hackerkind

I am so grateful for all the private messages I get from hackers all over the world who are kind enough to share their ideas with me and their love for our craft.  I appreciate these rare moments, getting to bond with them, who, like me, are for the most part, solitary creatures.

To the non-hacker we are God-like beings who wield powers they feel they will never understand. We do things with computers that most people never thought possible. Sometimes this uncertainty and misunderstanding leads to them demonizing us. In the MSM, on social media and even in face to face conversations. We are the invisible phantoms they fear.

Many of them aren’t even aware that there is such a thing as a “good” hacker as I know from personal experience because whenever I am asked what it is I do and I tell them, they start to laugh. Like this is a joke. Like, I, am a joke. Although I assure you, I’m not.

Then when I tell them this is a lifestyle, they give me strange looks and they start to liken it to bizarre subcultures they’ve heard about that have nothing to do with hacking. Because the word “lifestyle” tends to evoke stereotypical imagery in the heads of those who are ignorant.

But this is a way of life. It is my way of life. And it is yours, my fellow hackers.

This is the path we have chosen and we are necessary. They need us even if they don’t think they do. I know this because like many of you, I’ve made a career out of being able to fix computers and they can barely turn them on. So, I can’t be all that bad.

I spend a lot of time mentoring other hackers who are new to the game and are unsure. It is to them that I speak now.

I do not know everything and neither will you. None of us, even the ones who make the news and are famous, know everything.

Because as great as we are at hacking computers and networks, at the end of the day we are NOT computers ourselves and cannot store vast quantities of data and reference them in milliseconds when asked.

We are human.

When a computer fails at a task, it tends to spit out a lot of garbage and errors and gets very confused.

When we fail, we pick ourselves up and try again. Like The Mentor said way back in 86, our crime is that of curiosity. We can’t help ourselves!

A computer can only try again provided it has the instructions to do so.

The joy of what we do is in the discovery and the disappointments, as I say. I get frustrated just as much as the rest of you. There are days where I can root a system very quickly and many others where I go blank and don’t know how to proceed. It may take me longer than I think is necessary. I get down and out too.

But you cannot let this consume you and you must not let these feelings best you.

You are better than this.

Please trust me when I say, that you GOT THIS.

It may take you a day longer than you think but you’ll find your way.

And if you need someone to talk to or some friendly encouragement, come talk to me.