Assorted Writeups From NahamCon CTF 2022
2022-05-01 • Dweeno, Unimod, Cereal, Mobilize, Jurrasic Park, EXtravagant
Last week, I had the pleasure of participating in the 2022 NahamCon CTF, created and supported by the hard work of @NahamSec, @_JohnHammond, and so many others — it was a blast. I competed on behalf of Western Washington University, and I am especially pleased with our performance; as shown in the cover photo, we scored in the top one percent of all teams.
Playing With Cobalt Strike: Part Two
2022-04-13 • Bypassing Defender on Windows Server 2022 with Cobalt Strike v4.5 and C
Approximately two months ago, I published Playing With Cobalt Strike, which readers seemed to enjoy. While writing that article, I was both pleasantly surprised as a red teamer, and disheartened as a blue teamer, at the ease of use and the general efficacy of Cobalt Strike 4.5’s Beacons (payloads) against Windows 10 and Excel 2016.
HackTheBox — Paper
2022-02-13 • Comprehensive walkthrough of the Paper machine on HackTheBox
Hello! Thank you for visiting my write-up on Paper, a HackTheBox CTF published by user secnigma.

Information as of Sunday, February 13th, 2022 UTC:
Release: eight (8) days ago
Rating: 4.5 stars
Topology: single machine
Operating System(s): one (1)

Paper requires the submission of USER and SYSTEM flags; I have described the process I used to capture both in depth below.
Playing With Cobalt Strike
2022-02-11 • Fun with Cobalt Strike v4.5
Ah, Cobalt Strike, HelpSystems’ infamous (but legitimate) red teaming product, co-opted by attackers worldwide for malicious purposes. For those unfamiliar, Cobalt Strike is an adversary emulation toolkit: its official role in the security industry is to simulate real attacks for testing purposes. Of course, as is perhaps expected given how promptly each new version leaks to the Internet, those with less noble intentions also make use of the software.
HackTheBox — Previse
2022-02-11 • Comprehensive walkthrough of the retired Previse machine on HackTheBox
Hello, and thank you for expressing interest in my report on Previse, a CTF hosted by Hack the Box. Previse was uploaded by HTB user m4lwhere 138 days prior to the publication of this report and is currently considered by the HTB community to be easy to intermediate in terms of difficulty.
Fishing for Malware — Part Five: Finale
2022-02-09 • Analysis of malware dropped into my Google Cloud honeypot – an examination of collected data
Finally, here we are — the conclusion of my honeypot experiment. My original intention was to aim for a total of one million logged attacks, at which point I would shut down the honeypot. However, schoolwork fully occupied my attention for a brief period. Thus, I considered it a better idea to continue collecting data until I could find time to perform a proper analysis.
Fishing for Malware — Part Three: WannaCry
2022-01-25 • Analysis of malware dropped into my Google Cloud honeypot – WannaCry
Catching WannaCry

One very interesting binary uploaded to my honeypot not only once, but several times from multiple hosts around the world, was WannaCry. Yes, nearly five years after the Shadow Brokers leaked the NSA’s EternalBlue exploit, which the (allegedly Pyongyang-based) Lazarus Group then used to build and release WannaCry, one of the most damaging ransomware packages in history is still in active distribution.
Fishing for Malware — Part Four: Raspberry Pi IRC Bot
2022-01-25 • Analysis of malware dropped into my Google Cloud honeypot – fun with Bash on R. Pi
While dissecting binaries using Ghidra, strings, and hexdump makes for a fun puzzle in itself, it’s also fascinating to inspect the raw source code of malware. Cowrie, a Telnet and SSH honeypot that emulates a Unix environment and is packaged within T-Pot, captured quite the interesting Bash script, which includes a variety of malicious elements designed specifically for the Raspberry Pi platform.
Fishing for Malware — Part Two: Android Crypto Miner
2022-01-23 • Analysis of malware dropped into my Google Cloud honeypot — pulling apart a rudimentary Android crypto miner
Information

Indicators of Compromise
MD5: 8844985fcd57b0311d1d4cb2ec13a1ef
SHA-1: a0c07fe897515e5575a72f94f9dea8c077a410ff
SHA-256: 0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257
Package name: com.ufo.miner
Connected domain: coinhive.com
Behavioural indicator: unexpectedly high utilization of Android device resources
File magic: APK archive
Language: Java
Size: 45.43 KB
See this file on VirusTotal

As the heading and package name imply, this is a crypto miner developed for Android devices.
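The indicators above are only useful if you can actually apply them to a file. The following triage script is an added example written for this page, not code from the original post: it confirms a blob is an APK (a ZIP container holding AndroidManifest.xml and classes.dex), computes the three digests and compares them to the IoC hashes quoted above, and then searches the archive members for the package name and the mining domain. The sample APK it builds is constructed in memory for demonstration; its manifest is plain text, whereas a real APK manifest is binary XML whose string pool is usually UTF-16LE, which is why the string search also tries the UTF-16LE encoding and the slash-separated form that appears in DEX class descriptors.

```python
import hashlib
import io
import zipfile

# Indicators of compromise as listed in the post for the com.ufo.miner sample.
IOC_HASHES = {
    "md5": "8844985fcd57b0311d1d4cb2ec13a1ef",
    "sha1": "a0c07fe897515e5575a72f94f9dea8c077a410ff",
    "sha256": "0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257",
}
IOC_PACKAGE = "com.ufo.miner"
IOC_DOMAIN = "coinhive.com"

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # file magic of a non-empty ZIP/APK

# Byte patterns to search for: plain ASCII, the DEX descriptor form
# (com/ufo/miner), and UTF-16LE as used by binary AndroidManifest.xml.
PACKAGE_PATTERNS = [
    IOC_PACKAGE.encode(),
    IOC_PACKAGE.replace(".", "/").encode(),
    IOC_PACKAGE.encode("utf-16-le"),
]
DOMAIN_PATTERNS = [IOC_DOMAIN.encode(), IOC_DOMAIN.encode("utf-16-le")]


def digests(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the whole file, matching the IoC listing."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def _members(data: bytes) -> dict:
    """Return {name: bytes} for every archive member, or {} if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {name: zf.read(name) for name in zf.namelist()}
    except zipfile.BadZipFile:
        return {}


def is_apk(data: bytes) -> bool:
    """An APK is a ZIP that carries AndroidManifest.xml and classes.dex."""
    if not data.startswith(ZIP_LOCAL_HEADER):
        return False
    names = _members(data).keys()
    return "AndroidManifest.xml" in names and "classes.dex" in names


def string_indicators(data: bytes) -> dict:
    """Cheap static check: do any members contain the package or domain?"""
    found = {"package": False, "domain": False}
    for blob in _members(data).values():
        if any(p in blob for p in PACKAGE_PATTERNS):
            found["package"] = True
        if any(p in blob for p in DOMAIN_PATTERNS):
            found["domain"] = True
    return found


def triage(data: bytes, ioc_hashes: dict = IOC_HASHES) -> dict:
    """Combine hash matching, container identification and string search."""
    d = digests(data)
    hash_hits = sorted(alg for alg, h in ioc_hashes.items() if d.get(alg) == h)
    return {
        "apk": is_apk(data),
        "digests": d,
        "hash_hits": hash_hits,
        "strings": string_indicators(data),
    }


def build_sample() -> bytes:
    """Constructed stand-in for the miner APK (not the real sample).

    The manifest is plain text here for readability; a real APK manifest is
    binary XML, which string_indicators() handles via the UTF-16LE pattern.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", '<manifest package="com.ufo.miner"/>')
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00Lcom/ufo/miner/MainActivity;\x00"
            b"https://coinhive.com/lib/coinhive.min.js\x00",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

The constructed sample will never match the quoted hashes (it is not the real file), so `hash_hits` stays empty while the container and string checks fire; a byte-identical copy of the real APK is the only thing that satisfies all three digests, which is the point of hash indicators and also their weakness against the smallest repack.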
Fishing for Malware — Part One: Introduction
2022-01-22 • Analysis of malware dropped into my Google Cloud honeypot — preliminary notes
Intro

Over the past three weeks (school occupied my time), I have left a honeypot (T-Pot, courtesy of Telekom) running, hosted on a VM instance in Google Cloud. After all, what better way to thank Google for the $400 of free Cloud Compute resources they gifted me than to attract malware-distributing bots and hackers directly to their data centers?