The Improper Function and the Poetry of Proofs

Later the Delta Function was named after their founder. Dirac himself called it an improper function. This time, the poem is not from repurposed snippets of his prose. These are just my own words to describe a proof: ~ In the limit the Lorentzian becomes the improper function. In the limit of tiny epsilons it … Continue reading The Improper Function and the Poetry of Proofs

Impersonating a Windows Enterprise Admin with a Certificate: Kerberos PKINIT from Linux

This is about a serious misconfiguration of a Windows Public Key Infrastructure integrated with Active Directory: If you can edit certificate templates, you can impersonate the Active Directory Forests's Enterprise Administrator by logging on with a client certificate. You have a persistent credential that will also survive the reset of this admin's password. In the … Continue reading Impersonating a Windows Enterprise Admin with a Certificate: Kerberos PKINIT from Linux

Locating Domain Controllers and Spoofing Active Directory DNS Servers

Last year, hackthebox let me test something I have always found fascinating - and scary: You can impersonate any user in a Windows Active Directory Forest if you have control over the certificate templates of an AD-integrated Windows Public Key Infrastructure: Add extended key usages for smartcard logon to the template, enroll for the certificate, … Continue reading Locating Domain Controllers and Spoofing Active Directory DNS Servers

The Solar Self-Building Movement

Every year the International Energy Agency publishes a detailed report on worldwide usage of solar thermal energy. The last one from 2019 is based on data from 2017. Countries are ranked by their installed capacity: Collectors' thermal heating power under standard operating conditions is linked to their area: 0.7 kWth (kilo Watt thermal) per square … Continue reading The Solar Self-Building Movement

Helpline @ hackthebox: Injecting an EFS Recovery Agent to Read Encrypted Files

Another great machine has been retired on hackthebox.eu - Helpline by @egre55! Here is my 'silly' unintended way to root the box: You can get both the encrypted user and root flag via the cumbersome web RCE alone - if you wait for a legit user to just look at the file. This is unlikely … Continue reading Helpline @ hackthebox: Injecting an EFS Recovery Agent to Read Encrypted Files

Sizzle @ hackthebox – Unintended: Getting a Logon Smartcard for the Domain Admin!

My writeup - how to pwn my favorite box on hackthebox.eu, using a (supposedly) unintended path. Sizzle - created by @mrb3n813 and @lkys37en - was the first box on HTB that had my favorite Windows Server Role - the Windows Public Key Infrastructure / Certification Authority. This CA allows a low-privileged user - amanda - … Continue reading Sizzle @ hackthebox – Unintended: Getting a Logon Smartcard for the Domain Admin!

Simple Ping Sweep, Port Scan, and Getting Output from Blind Remote Command Execution

Just dumping some quick and dirty one-liners! These are commands I had used to explore locked-down Windows and Linux machines, using bash or powershell when no other binaries were available or could be transferred to the boxes easily. Trying to ping all hosts in a subnet Linux for i in $(seq 1 254); do host=192.168.0.$i; … Continue reading Simple Ping Sweep, Port Scan, and Getting Output from Blind Remote Command Execution

Echo Unreadable Hex Characters in Windows: forfiles

How to transfer small files to a locked-down Windows machine? When there is no option to copy, ftp, or http GET a file. When powershell is blocked so that you can only use Windows cmd commands? My first choice would be to use certutil: certutil is a built-in tool for certificate and PKI management. It … Continue reading Echo Unreadable Hex Characters in Windows: forfiles

Ethereal @ hackthebox: Certificate-Related Rabbit Holes

This post is related to the 'insanely' difficult hackthebox machine Ethereal (created by egre55 and MinatoTW) that was recently retired. Beware - It is not at all a full comprehensive write-up! I zoom in on openssl, X.509 certificates, signing stuff, and related unnecessary rabbit holes that were particularly interesting to me - as somebody who … Continue reading Ethereal @ hackthebox: Certificate-Related Rabbit Holes

Certificates and PKI. The Prequel.

Some public key infrastructures run quietly in the background since years. They are half forgotten until the life of a signed file has come to an end - but then everything is on fire. In contrast to other seemingly important deadlines (Management needs this until XY or the world will come to an end!) this … Continue reading Certificates and PKI. The Prequel.

Modbus Server on Raspberry Pi as Babelfish for UVR16x2

Our main data logger is the Control and Monitoring Interface of the freely programmable controller UVR16x2. There are two pieces of hardware you need for logging - the actual control unit and the logger connected to the controller via the CAN bus. This 'architecture' might be due to historical reasons, but I like the separation … Continue reading Modbus Server on Raspberry Pi as Babelfish for UVR16x2

Unintended 2nd Order SQL Injection

Why I am not afraid of the AI / Big Data / Cloud powered robot apocalypse. SQL order injection means to run custom SQL queries through web interfaces because the input to the intended query is not sanitized, like appending the infamous ' OR '1'='1 to a user name or search term. It is 2nd … Continue reading Unintended 2nd Order SQL Injection

A Color Box. Lost in Translation

It was that time again. The Chief Engineer had rebuilt the technical room from scratch. Each piece of heavy equipment had a new place, each pipe and wire was reborn in a new incarnation (German stories here.) The control system was turned upset down as well, and thus the Data Kraken was looking at its … Continue reading A Color Box. Lost in Translation

Heat Conduction Cheat Sheet

I am dumping some equations here I need now and then! The sections about 3-dimensional temperature waves summarize what is described at length in the second part of this post. Temperature waves are interesting for simulating yearly and daily oscillations in the temperature below the surface of the earth or near wall/floor of our ice/water … Continue reading Heat Conduction Cheat Sheet

Hacking

I am joining the ranks of self-proclaimed productivity experts: Do you feel distracted by social media? Do you feel that too much scrolling feeds transforms your mind - in a bad way? Solution: Go find an online platform that will put your mind in a different state. Go hacking on hackthebox.eu. I have been hacking … Continue reading Hacking

Cloudy Troubleshooting (2)

Unrelated to part 1 - but the same genre. Actors this time: File Cloud: A cloud service for syncing and sharing files. We won't drop a brand name, will we? Client: Another user of File Cloud. [Redacted]: Once known for reliability and as The Best Network. Dark Platform: Wannabe hackers' playground. elkement: Somebody who sometimes just wants to be an … Continue reading Cloudy Troubleshooting (2)

Infinite Loop: Theory and Practice Revisited.

I've unlocked a new achievement as a blogger, or a new milestone as a life-form. As a dinosaur telling the same old stories over and over again. I started drafting a blog post, as I always do since a while: I do it in my mind only, twist and turn in for days or weeks … Continue reading Infinite Loop: Theory and Practice Revisited.

Where Are the Files? [Winsol – UVR16x2]

Recently somebody has asked me where the log files are stored. This question is more interesting then it seems. We are using the freely programmable controller UVR16x2 (and its predecessor) UVR1611) ... .. and their Control and Monitoring Interface - CMI: The CMI is a data logger and runs a web server. It logs data … Continue reading Where Are the Files? [Winsol – UVR16x2]

Cloudy Troubleshooting

Actors: Cloud: Service provider delivering an application over the internet. Client: Business using the Cloud Telco: Service provider operating part of the network infrastructure connecting them. elkement: Somebody who always ends up playing intermediary. ~ Client: Cloud logs us off ever so often! We can't work like this! elkement: Cloud, what timeouts do you use? … Continue reading Cloudy Troubleshooting

Logging Fun with UVR16x2: Photovoltaic Generator – Modbus – CAN Bus

The Data Kraken wants to grow new tentacles. I am playing with the CMI - Control and Monitoring Interface - the logger / 'ethernet gateway' connected to our control units (UVR1611, UVR16x2) via CAN bus. The CMI has become a little Data Kraken itself: Inputs and outputs can be created for CAN bus and Modbus, … Continue reading Logging Fun with UVR16x2: Photovoltaic Generator – Modbus – CAN Bus

Can the Efficiency Be Greater Than One?

This is one of the perennial top search terms for this blog. Anticlimactic answer: Yes, because input and output are determined also by economics, not only by physics. Often readers search for the efficiency of a refrigerator. Its efficiency, the ratio of output and input energies, is greater than 1 because the ambient energy is … Continue reading Can the Efficiency Be Greater Than One?

Let Your Hyperlinks Live Forever!

It is the the duty of a Webmaster to allocate URIs which you will be able to stand by in 2 years, in 20 years, in 200 years. This needs thought, and organization, and commitment. (https://www.w3.org/Provider/Style/URI) Joel Spolsky did it:  I’m bending over backwards not to create “linkrot” — all old links to Joel on Software … Continue reading Let Your Hyperlinks Live Forever!

Consequences of the Second Law of Thermodynamics

Why a Carnot process using a Van der Waals gas - or other fluid with uncommon equation of state - also runs at Carnot's efficiency. Textbooks often refer to an ideal gas when introducing Carnot's cycle - it's easy to calculate heat energies and work in this case. Perhaps this might imply that not only must the … Continue reading Consequences of the Second Law of Thermodynamics

The Heat Source Paradox

It is not a paradox - it is a straight-forward relation between a heat pump system's key data: The lower a heat pump's performance factor is, the smaller the source can be built. I would not write this post, hadn't I found a version of this statement with a positive twist  used in an advert! … Continue reading The Heat Source Paradox

Things You Find in Your Hydraulic Schematic

Building an ice storage powered heat pump system is a DIY adventure - for a Leonardo da Vinci of plumbing, electrical engineering, carpentry, masonry, and computer technology. But that holistic approach is already demonstrated clearly in our hydraulic schematics. Actually, here it is even more daring and bold: There is Plutonium - Pu - everywhere … Continue reading Things You Find in Your Hydraulic Schematic

Cooling Potential

I had an interesting discussion about the cooling potential of our heat pump system - in a climate warmer than ours. Recently I've shown data for the past heating season, including also passive cooling performance: After the heating season, tank temperature is limited to 10°C as long as possible - the collector is bypassed in … Continue reading Cooling Potential

Reverse Engineering Fun

Recently I read a lot about reverse engineering -  in relation to malware research. I for one simply wanted to get ancient and hardly documented HVAC engineering software to work. The software in question should have shown a photo of the front panel of a device - knobs and displays - augmented with current system's … Continue reading Reverse Engineering Fun

Entropy and Dimensions (Following Landau and Lifshitz)

Some time ago I wrote about volumes of spheres in multi-dimensional phase space - as needed in integrals in statistical mechanics. The post was primarily about the curious fact that the 'bulk of the volume' of such spheres is contained in a thin shell beneath their hyperspherical surfaces. The trick to calculate something reasonable is … Continue reading Entropy and Dimensions (Following Landau and Lifshitz)