Posts

TryHackMe - Have a Break challenge

This challenge is inspired by a real cargo theft that occurred in March 2026, in which a shipment of KitKat products was stolen in transit between Italy and Poland. All companies, agencies, individuals, documents, and investigative findings presented in this challenge are entirely fictional. No real employees, law enforcement personnel, or organisations are implicated. The real theft remains under investigation by the relevant authorities.

Sources:
- the files that come with the challenge
- Hulin intersection: https://www.google.com/maps/place/Hul%C3%ADn,+768+24+Hul%C3%ADn,+Czechia/@49.3151556,17.4404483,14.8z/data=!4m6!3m5!1s0x471307d7e94a1ee1:0xe047a8c10fc6cf02!8m2!3d49.3168925!4d17.4637476!16zL20vMGRoZ3Rk?entry=ttu&g_ep=EgoyMDI2MDQwMS4wIKXMDSoASAFQAw%3D%3D
- https://epieos.com/
- Name of the culprit: https://www.google.com/maps/contrib/103790956576446810107/photos/@45.6353529,25.6113669,14z/data=!4m3!8m2!3m1!1e1?ent...

TryHackMe - ExfilNode

The ExfilNode challenge on TryHackMe is a medium-difficulty room that focuses on exploiting a Node.js application to gain initial access, followed by a clever lateral movement and privilege escalation involving sensitive data exfiltration.

1. Enumeration
The process begins with a standard network scan. You’ll find a web server running a Node.js application. By exploring the site and its source code (or through directory brute-forcing), you identify an endpoint that allows for file uploads or processes user input in a way that is vulnerable to command injection.

2. Initial Foothold
Vulnerability: the application fails to properly sanitize input before passing it to a system shell.
Exploitation: by injecting a reverse shell payload (e.g., using bash or python), you gain a shell as a low-privileged user (typically www-data).
Stabilization: use Python's pty module to upgrade your shell to a fully interactive TTY.

3. Lateral Movement
Once inside, you discover a second user on the syst...

TryHackMe - Disk Filtration challenge

Someone decided corporate secrets are a free-for-all and our dear Liam thought he could play sneak-and-leak. This writeup walks through the hunt: the breadcrumbs on the endpoint, the USB that betrayed him, the dusty hotspot he used to dodge network logs, and the little executable the external actor insisted he run. Read it like a detective novel, but with more registry keys and less melodrama. Screenshots are left exactly where you asked, because evidence should always stare you in the face.

Scenario
Tech THM discovered their critical data had been leaked to the competitors. After an internal investigation, the company suspects Liam, a recently terminated employee who was working as a system engineer with Tech THM. This suspicion was raised as Liam had access to the leaked data in his company-provided workstation. He often worked late hours without clear justification for his extended presence. He was also caught roaming around the critical server room and taking pi...

TryHackMe - IronShade challenge (medium level)

Incident Scenario
There I was, seated with a Caffè Latte and a cold server dump, while my team successfully lured IronShade, one of the world’s most renowned APT groups, into our honeypot using exposed SSH ports with weak credentials. Of course, sure enough, they pounced like moths to a flame. The fun part would then be trying to piece every single one of their moves together, like some sort of Sherlock in cybersecurity. The mission? To investigate the compromised Linux server, find the attack footprints, and maybe poke a little fun at the audacity of the “subtle” moves of IronShade.

Lab Incident
Hackers Get Too Cocky
According to the threat intel report, IronShade loves persistence, and so do we all. They are supposed to have created backdoor accounts, cronjobs, and even installed their shady services. Think about your very own malicious startup operating on your infrastructure. But enough chit-chat; let’s dive in. Here is the juicy investigative breakdown.

Explanation
- "Who Let the...

TryHackMe The Last Trial (hard level)

In this challenge, I investigated a macOS compromise that occurred in parallel with a larger Active Directory–based ransomware attack. The scenario emphasized that not all incidents are targeted attacks: some originate from user curiosity and unsafe software trials.

1. Initial Access via Malicious Software Trials
The attacker gained access after the user downloaded a fake AI development tool installer from a malicious website:
Website: developai.thm
Installer: DevelopAIInstaller.pkg
This reinforced how social engineering and trojanized installers remain effective, especially when they target trending topics like AI tools.

2. macOS Installation and Timeline Analysis
I learned how to determine the exact installation timestamps of malicious applications on macOS by analyzing system artifacts, allowing accurate attack timeline reconstruction.
Installation time: 2025-07-04 10:09:03

3. Abuse of macOS Privacy Controls (TCC)
The malware abused macOS Tra...

TryHackMe - First CTF - Promotion Night (medium level)

Promotion Night – SOC Investigation Walkthrough

Scenario Overview
During an overnight SOC shift, a critical alert triggered indicating a potential ransomware note on the domain controller DC-01. With no escalation support available, the investigation had to be performed end-to-end by a Level 1 analyst using SIEM telemetry (Splunk). The objective was to triage the alert, reconstruct the attack chain, and identify the adversary’s actions across discovery, persistence, lateral movement, ransomware deployment, and cloud compromise.

1. Network Share Path Used to Deploy Ransomware
Question: What was the network share path where ransomware was placed?
Answer: \\DC-01\SYSVOL\gaze.exe
How it was found: Splunk logs showed the ransomware binary being written to the SYSVOL share on the domain controller. SYSVOL is commonly abused in domain-wide attacks because it is replicated and accessible to authenticated domain systems.
Key log indicators:
- File creation events
- UNC paths referencing \\DC-...

TryHackMe Side Quest AOC 2025 - BreachBlocker Unlocker (hard level)

The fourth Side Quest (BreachBlocker Unlocker) starts by discovering the key through reverse engineering an HTA file from the Advent of Cyber Day 21 room and using it to remove the firewall on the target machine. Let's start with the commands used:

root@ip-10-81-182-239:~# seq -w 0 999999 > codes.txt
root@ip-10-81-182-239:~# COOKIE='session=.eJxtj11rwkAQRf_LPIsPKX40IKjgQwttTRsUEQmzm4lZ3Oza2UlESv-7WlCK5vmeey73B7CWkpwYjUI5xMI1dUCh22VRgZn2OUEMq35qF5_J4G3RWyYNfa2Ok-f0ZTt8lUgG2H_fDpO9eqK5nhym32nx0USzEfzTNMSmMBd_gTZcB9Baf6A8y32FxgWI10AYhFjVzhkKXSkr2NzBdGbtH6uR2cs5pPFjrQMV2hK5Lbsp267XgdhhdXkdFBPqUlmvd8Qtot8TkGpzmQ.aUpUuw.lQbR5-wD3QPxVos09eGYYGnQyEU'
root@ip-10-81-182-239:~# gobuster dir -u https://10.81.135.120:8443 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,js,py,html,zip -k
pip3 install aiosmtpd
root@ip-10-81-182-239:~# aiosmtpd -n -l 0.0.0.0:25 -c aiosmtpd.handlers.Debugging stdout
nmap -sC -sV -p- <IP>
Python...