Old

~17,400 words across 10 pages.

Assorted Writeups From NahamCon CTF 2022

2022-05-01 • Dweeno, Unimod, Cereal, Mobilize, Jurrasic Park, EXtravagant

Last week, I had the pleasure of participating in the 2022 NahamCon CTF, created and supported by the hard work of @NahamSec, @/_JohnHammond, and so many others — it was a blast. I competed on behalf of Western Washington University, and I am especially pleased with our performance; as shown in the cover photo, we scored in the top one percent of all teams.

Read More...

Playing With Cobalt Strike: Part Two

2022-04-13 • Bypassing Defender on Windows Server 2022 with Cobalt Strike v4.5 and C

Approximately two months ago, I published Playing With Cobalt Strike, which readers seemed to enjoy. While writing that article, I was both pleasantly surprised as a red teamer, and disheartened as a blue teamer, at the ease of use and the general efficacy of Cobalt Strike 4.5’s Beacons (payloads) against Windows 10 and Excel 2016.

Read More...

HackTheBox — Paper

2022-02-13 • Comprehensive walkthrough of the Paper machine on HackTheBox

Hello! Thank you for visiting my write-up on Paper, a HackTheBox CTF published by user secnigma. Information as of Sunday, February 13th, 2022 UTC: Release: eight (8) days ago Rating: 4.5 stars Topology: single machine Operating System(s): one (1) Paper requires the submission of USER and SYSTEM flags; I have described the process I used to capture both in-depth below.

Read More...

Playing With Cobalt Strike

2022-02-11 • Fun with Cobalt Strike v4.5

Ah, Cobalt Strike, HelpSystems’ infamous (but legitimate) Red Teaming product coopted by attackers worldwide for malicious purposes. For those unfamiliar, Cobalt Strike is an adversarial toolkit. Its official capacity in the security industry is to simulate attacks for testing purposes. Of course, as is perhaps expected, given the prompt release of each new version to the Internet, those with less noble intentions also make use of the software.

Read More...

HackTheBox — Previse

2022-02-11 • Comprehensive walkthrough of the retired Previse machine on HackTheBox

Hello, and thank you for expressing interest in my report on Previse, a CTF hosted by Hack the Box. Previse was uploaded by HTB user m4lwhere 138 days prior to the publication of this report and is currently considered by the HTB community to be easy to intermediate in terms of difficulty.

Read More...

Fishing for Malware — Part Five: Finale

2022-02-09 • Analysis of malware dropped into my Google Cloud honeypot – an examination of collected data

Finally, here we are — the conclusion of my honeypot experiment. My original intention was to aim for a total of one million logged attacks, at which point I would shut down the honeypot. However, schoolwork fully occupied my attention for a brief period. Thus, I considered it a better idea to continue collecting data until I could find time to perform a proper analysis.

Read More...

Fishing for Malware — Part Three: WannaCry

2022-01-25 • Analysis of malware dropped into my Google Cloud honeypot – WannaCry

Catching WannaCry One very interesting binary uploaded to my honeypot not only once, but several times from multiple hosts around the world, was WannaCry. Yes, nearly five years after the Shadow Brokers sold the NSA’s EternalBlue exploit to the notorious Pyongyang-based (alleged) Lazarus Group, who then developed and released WannaCry, one of the most damaging ransomware packages is still in active distribution.

Read More...

Fishing for Malware — Part Four: Raspberry Pi IRC Bot

2022-01-25 • Analysis of malware dropped into my Google Cloud honeypot – fun with Bash on R. Pi

While dissecting binaries using Ghidra, Strings, and Hexdump makes for a fun puzzle in itself, it’s also fascinating to inspect the raw source code of malware. Cowrie, a Telnet and SSH honeypot with emulates a Unix environment packaged within T-Pot, captured quite the interesting Bash script, which includes a variety of malicious elements specifically designed for the Raspberry Pi platform.

Read More...

Fishing for Malware — Part Two: Android Crypto Miner

2022-01-23 • Analysis of malware dropped into my Google Cloud honeypot — pulling apart a rudimentry Android cypto miner

Information Indicators of Compromise MD5: 8844985fcd57b0311d1d4cb2ec13a1ef SHA-1: a0c07fe897515e5575a72f94f9dea8c077a410ff SHA-256: 0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257 Package name: com.ufo.miner Connected domain: coinhive.com Unexpected high utilization of Android device resources File Magic: APK archive Language: Java Size: 45.43 KB See this file on VirusTotal As the heading and package name imply, this is a crypto miner developed for Android devices.

Read More...

Fishing for Malware — Part One: Introduction

2022-01-22 • Analysis of malware dropped into my Google Cloud honeypot — preliminary notes

Intro Over the past week three weeks (school occupied my time), I have left a honeypot (T-Pot, courtesy of Telekom) running, hosted on a VM instance in Google Cloud. After all, what better way to thank Google for the $400 of free Cloud Compute resources they gifted me than to attract malware-distributing bots and hackers directly to their data centers?

Read More...