Posts

TryHackMe - IronShade challenge (medium level)

Incident Scenario: There I was, seated with a Caffè Latte and a cold server dump, while my team successfully lured IronShade, one of the world's most renowned APT groups, into our honeypot using exposed SSH ports with weak credentials. Sure enough, they pounced like moths to a flame. The fun part would then be piecing every single one of their moves together, like some sort of Sherlock of cybersecurity. The mission? To investigate the compromised Linux server, find the attack footprints, and maybe poke a little fun at the audacity of IronShade's "subtle" moves. Lab Incident: Hackers Get Too Cocky. According to the threat intel report, IronShade loves persistence, as do we all. They are said to have created backdoor accounts, cron jobs, and even installed their own shady services. Think of it as your very own malicious startup operating on your infrastructure. But enough chit-chat; let's dive in. Here is the juicy investigative breakdown. Explanation - "Who Let the...

TryHackMe The Last Trial (hard level)

TryHackMe – The Last Trial. In this challenge, I investigated a macOS compromise that occurred in parallel with a larger Active Directory–based ransomware attack. The scenario emphasized that not all incidents are targeted attacks—some originate from user curiosity and unsafe software trials. 1. Initial Access via Malicious Software Trials: The attacker gained access after the user downloaded a fake AI development tool installer from a malicious website (website: developai.thm; installer: DevelopAIInstaller.pkg). This reinforced how social engineering and trojanized installers remain effective, especially when they target trending topics like AI tools. 2. macOS Installation and Timeline Analysis: I learned how to determine the exact installation timestamps of malicious applications on macOS by analyzing system artifacts, allowing accurate attack timeline reconstruction. Installation time: 2025-07-04 10:09:03. 3. Abuse of macOS Privacy Controls (TCC): The malware abused macOS Tra...

TryHackMe - First CTF - Promotion Night (medium level)

Promotion Night – SOC Investigation Walkthrough. Scenario Overview: During an overnight SOC shift, a critical alert fired indicating a potential ransomware note on the domain controller DC-01. With no escalation support available, the investigation had to be performed end-to-end by a Level 1 analyst using SIEM telemetry (Splunk). The objective was to triage the alert, reconstruct the attack chain, and identify the adversary's actions across discovery, persistence, lateral movement, ransomware deployment, and cloud compromise. 1. Network Share Path Used to Deploy Ransomware. Question: What was the network share path where the ransomware was placed? Answer: \\DC-01\SYSVOL\gaze.exe. How it was found: Splunk logs showed the ransomware binary being written to the SYSVOL share on the domain controller. SYSVOL is commonly abused in domain-wide attacks because it is replicated and accessible to authenticated domain systems. Key log indicators: file creation events; UNC paths referencing \\DC-...

TryHackMe Side Quest AOC 2025 - BreachBlocker Unlocker (hard level)

Fourth Side Quest (BreachBlocker Unlocker) started by discovering the key through reverse engineering an HTA file from the Advent of Cyber Day 21 room and using it to remove the firewall on the target machine. Let's start with the commands used:

root@ip-10-81-182-239:~# seq -w 0 999999 > codes.txt
root@ip-10-81-182-239:~# COOKIE='session=.eJxtj11rwkAQRf_LPIsPKX40IKjgQwttTRsUEQmzm4lZ3Oza2UlESv-7WlCK5vmeey73B7CWkpwYjUI5xMI1dUCh22VRgZn2OUEMq35qF5_J4G3RWyYNfa2Ok-f0ZTt8lUgG2H_fDpO9eqK5nhym32nx0USzEfzTNMSmMBd_gTZcB9Baf6A8y32FxgWI10AYhFjVzhkKXSkr2NzBdGbtH6uR2cs5pPFjrQMV2hK5Lbsp267XgdhhdXkdFBPqUlmvd8Qtot8TkGpzmQ.aUpUuw.lQbR5-wD3QPxVos09eGYYGnQyEU'
root@ip-10-81-182-239:~# gobuster dir -u https://10.81.135.120:8443 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,js,py,html,zip -k
pip3 install aiosmtpd
root@ip-10-81-182-239:~# aiosmtpd -n -l 0.0.0.0:25 -c aiosmtpd.handlers.Debugging stdout
nmap -sC -sV -p- <IP>
Python...

TryHackMe Side Quest AOC 2025 - Scheme Catcher (Insane Level)

Second Side Quest (Scheme Catcher) started with discovering the key in the Advent of Cyber Day 9 room and using it to remove the firewall on the target machine. Afterwards, by fuzzing a web application on the target for directories, we were able to discover a file with a binary inside, and analyzing the binary we discovered another endpoint. Checking out this endpoint, we discovered the application running on another port; reverse engineering it, we discovered a Use-After-Free vulnerability, and with a heap exploitation exploit we were able to get remote code execution and a shell inside a container. Inside the container we discovered an SSH key which we used to get a shell on the host, and by reverse engineering and exploiting a vulnerable kernel module we were able to escalate to root and complete the room. Python script:

#!/usr/bin/env python3
from pwn import *
import io_file
context.update(arch="amd64", os="linux", log_level="error"...

TryHackMe Event Horizon (hard)

A black hole is an astronomical body so dense that its gravity prevents anything from escaping, even light. To view what lies beyond the event horizon we would need to travel faster than light, but nothing can travel faster than light. Luckily for us, we have a spaceship that can warp spacetime and bend it to create a wormhole. The spaceship in this case is Wireshark, which we can count on to carry us out of the black hole to the other side. Our black hole target is Sagittarius A, which is at the center of our Milky Way galaxy. 5. What is the Administrator NTLM hash that the attacker found? Upon some research we find this Covenant decryption from GitHub.

TryHackMe - Elevating Movement (hard level)

While Emily worked on the issue from a local admin account, the threat actor continued the attack. With the entry point secured and Emily's domain credentials stolen, they now wanted to explore opportunities for privilege escalation. Leveraging your knowledge of Windows forensics, can you uncover the elevating movement? All details are in the video; on the last task I connect to the machine with xfreerdp3, transfer the file to the Kali Linux machine and inspect it with pypykatz.