Posts

TryHackMe Side Quest AOC 2025 - BreachBlocker Unlocker (hard level)

The fourth Side Quest (BreachBlocker Unlocker) started by discovering the key through reverse engineering an HTA file from the Advent of Cyber Day 21 room and using it to remove the firewall on the target machine. Let's start with the commands used:
root@ip-10-81-182-239:~# seq -w 0 999999 > codes.txt
root@ip-10-81-182-239:~# COOKIE='session=.eJxtj11rwkAQRf_LPIsPKX40IKjgQwttTRsUEQmzm4lZ3Oza2UlESv-7WlCK5vmeey73B7CWkpwYjUI5xMI1dUCh22VRgZn2OUEMq35qF5_J4G3RWyYNfa2Ok-f0ZTt8lUgG2H_fDpO9eqK5nhym32nx0USzEfzTNMSmMBd_gTZcB9Baf6A8y32FxgWI10AYhFjVzhkKXSkr2NzBdGbtH6uR2cs5pPFjrQMV2hK5Lbsp267XgdhhdXkdFBPqUlmvd8Qtot8TkGpzmQ.aUpUuw.lQbR5-wD3QPxVos09eGYYGnQyEU'
root@ip-10-81-182-239:~# gobuster dir -u https://10.81.135.120:8443 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,js,py,html,zip -k
pip3 install aiosmtpd
root@ip-10-81-182-239:~# aiosmtpd -n -l 0.0.0.0:25 -c aiosmtpd.handlers.Debugging stdout
nmap -sC -sV -p- <IP>
Python...

TryHackMe Side Quest AOC 2025 - Scheme Catcher (Insane Level)

The second Side Quest (Scheme Catcher) started with discovering the key in the Advent of Cyber Day 9 room and using it to remove the firewall on the target machine. Afterwards, by fuzzing a web application on the target for directories, we discovered a file with a binary inside, and analyzing the binary we discovered another endpoint. Checking out this endpoint, we found the application running on another port; reverse engineering it, we discovered a Use-After-Free vulnerability, and with a heap exploitation exploit we were able to get remote code execution and a shell inside a container. Inside the container we discovered an SSH key which we used to get a shell on the host, and by reverse engineering and exploiting a vulnerable kernel module we were able to escalate to root and complete the room. Python script: #!/usr/bin/env python3 from pwn import * import io_file context.update(arch="amd64", os="linux", log_level="error")...

TryHackMe Event Horizon (hard)

A black hole is an astronomical body so dense that its gravity prevents anything from escaping, even light. To view what is beyond the event horizon we would need to travel faster than light, but nothing can travel faster than light. Luckily for us, we have a spaceship that can warp spacetime and bend it to create a wormhole. The spaceship in this case is Wireshark, which we can count on to escape the black hole to the other side. Our black hole target is Sagittarius A, which is in the center of our Milky Way galaxy. 5. What is the Administrator NTLM hash that the attacker found? Upon some research we find this Covenant decryption on GitHub.

TryHackMe - Elevating Movement (hard level)

While Emily worked on the issue from a local admin account, the threat actor continued the attack. With the entry point secured and Emily's domain credentials stolen, they now wanted to explore opportunities for privilege escalation. Leveraging your knowledge of Windows forensics, can you uncover the elevating movement? All details are in the video; on the last task I connect to the machine with xfreerdp3, transfer the file to the Kali Linux machine, and inspect it with pypykatz.

TryHackMe - Initial Access Pot | CTF | (hard level)

This is another challenge for the Blue Team, but the level here is hard. Once the machine starts, we receive credentials that allow us to dig into the logs directly. By exploring the attacker's footsteps, we identify which pages of the web application they accessed. Additionally, we have full access to the backend code of the running application once we log in via SSH, so I am not running any directory fuzzing tool. All details are in the video. Thank you for watching.

TryHackMe - Typo Snare Threat Hunter Simulator (medium level)

Threat Hunt Walkthrough

The "Typo Snare" scenario on TryHackMe is a fantastic real-world simulation of a sophisticated, multi-stage attack. It starts with a simple mistake and escalates to a full domain compromise, culminating in ransomware. This post will walk you through the entire attack chain, phase by phase, showing you how to find each piece of evidence using Elastic KQL queries.

Phase 1: Initial Access & Execution

What Happened: The attack began when the user perry.parsons on workstation WKSTN-03 needed a 7-Zip tool. He googled it, clicked a typosquatted link (7zipp.org), and downloaded a trojanized installer. This installer executed a PowerShell script (7z.ps1) directly from the attacker's server to establish the initial foothold.

How to Find It: You are looking for a PowerShell process that was likely spawned by a browser and contains a command to download and execute a script (iwr for Invoke-WebRequest and iex for Invoke-Expression). KQL Query...