- Downloaded a file from a YouTube-to-MP3 site.
- Ran the `file` command on it and uncovered a Windows shortcut.
- Looked at its metadata with `exiftool`; in it we found a PowerShell command downloading a remote script.
- A unique code signature in the script helped us track the person on GitHub and revealed the attacker's identity.

Commands & Tools Used: file, Exiftool, GitHub.

- Started looking into the security logs at different timestamps in Elastic SIEM.
- Found some encoded PowerShell commands running, one of which had been executed on the compromised systems.
- Decoded it with CyberChef; it was just an update command.

Commands & Tools Used: Elastic SIEM, CyberChef.

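To triage such lines without pasting each one into CyberChef, here is an added example (not part of the original write-up) that pulls the `-EncodedCommand` argument out of constructed process-creation log lines and decodes the UTF-16LE base64, peeling nested layers of the kind the obfuscated PowerShell in the YARA task below relied on. The log line format and the sample values are constructed.

```python
"""Decode PowerShell -EncodedCommand arguments found in process-creation log lines."""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# -ex... (ExecutionPolicy) is excluded so a value such as "Bypass" is not read as base64.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc[a-z]*)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(b64):
    """Plaintext of one -EncodedCommand value, or None if not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def decode_layers(command_line, max_depth=5):
    """Peel nested layers (obfuscators wrap one -enc inside another); innermost last."""
    layers, current = [], command_line
    for _ in range(max_depth):
        match = ENC_FLAG.search(current)
        if not match:
            break
        decoded = decode_encoded_command(match.group(1))
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def triage(log_lines):
    """Map each log line that carries an encoded command to its fully decoded form."""
    findings = {}
    for line in log_lines:
        layers = decode_layers(line)
        if layers:
            findings[line] = layers[-1]
    return findings


# Constructed sample lines (not from a real SIEM); "whoami" as UTF-16LE base64 is dwBoAG8AYQBtAGkA.
INNER = "dwBoAG8AYQBtAGkA"
NESTED = base64.b64encode(f"powershell -enc {INNER}".encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    "4688 powershell.exe CommandLine=powershell -NoP -W Hidden -enc " + INNER,
    "4688 powershell.exe CommandLine=powershell -EncodedCommand " + NESTED,
    "4688 powershell.exe CommandLine=powershell -ExecutionPolicy Bypass -File update.ps1",
]
```

`triage(SAMPLE_LOGS)` flags the first two lines and reduces both to `whoami`; the third line carries no encoded command and is left alone.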
- In Kibana we looked at some logs of `frostypines`. After adjusting a few filters we found traces (a path and an unusual IP) of a web shell.
- Then, because of weak/default credentials, we were able to log in as admin on that website.
- Then we found the same file upload vulnerability in the image upload, where we uploaded a PHP file that executes commands on the server.

Commands & Tools Used: ELK (Elasticsearch, Logstash, and Kibana), ls, cat.

- Recreated the MITRE ATT&CK technique `T1566.001` (Spearphishing) using the Atomic Red Team library.
- Looked into the Sysmon logs for the emulated attack and found a PowerShell command creating a file.
- Found the technique for a command and scripting interpreter on the Windows command shell.
- Now for technique `T1059.003` (Command and Scripting Interpreter: Windows Command Shell) we iterated through each test until a file was created, and there we found our flag.

Commands & Tools Used: Atomic Red Team Library, Sysmon.

- On a wishlist website we first found a page, `/wishes/wish_1.txt`, that admins possibly use to see the different wishes submitted by users.
- Then we used Burp Suite to find that a wish is submitted as XML to `/wishlist.php`.
- XXE (XML External Entity) injection might be present here, so we put `<!DOCTYPE foo [<!ENTITY payload SYSTEM "/var/www/html/wishes/wish_1.txt"> ]>` as an external entity and `&payload;` in the XML request, and got access to admin-only data.

Commands & Tools Used: Burp Suite.

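How `/wishlist.php` should have handled that body, as an added example (not the challenge's code, and written in Python rather than PHP): any DOCTYPE is refused before parsing, and the declared entity and its SYSTEM path are extracted for the alert so the attempted file read is logged. The `<wish><text>` element names and the request bodies are assumptions.

```python
"""Defensive handling of the wishlist XML body: log any declared entity, never parse a DTD."""
import re
import xml.etree.ElementTree as ET

# Refusing any DTD closes XXE, parameter-entity and entity-expansion tricks in one check;
# a legitimate wish never carries a DOCTYPE.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# Only for the alert text (double-quoted SYSTEM/PUBLIC ids); the refusal above is the control.
ENTITY_RE = re.compile(
    rb'<!ENTITY\s+(%\s*)?(\w+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"', re.IGNORECASE
)


class DtdRejected(ValueError):
    """Raised when a request body tries to bring its own DTD."""


def external_entities(body):
    """Return [(entity_name, system_id), ...] declared in the body, for the alert."""
    return [(m.group(2).decode(), m.group(3).decode()) for m in ENTITY_RE.finditer(body)]


def parse_wish(body):
    """Parse <wish><text>...</text></wish>; raise DtdRejected rather than touch a DTD."""
    if DOCTYPE_RE.search(body):
        raise DtdRejected(f"DTD in request, entities: {external_entities(body)}")
    root = ET.fromstring(body)  # expat does not fetch external entities, but the gate above decides
    if root.tag != "wish":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return (root.findtext("text") or "").strip()


def classify(body):
    """One-word verdict for a WAF rule or application log line."""
    try:
        parse_wish(body)
        return "ok"
    except DtdRejected:
        return "xxe-attempt"
    except (ET.ParseError, ValueError):
        return "malformed"


# Constructed request bodies; the DOCTYPE is the one sent to /wishlist.php above.
BENIGN = b"<wish><text>A new bike</text></wish>"
XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE foo [<!ENTITY payload SYSTEM "/var/www/html/wishes/wish_1.txt"> ]>'
    b"<wish><text>&payload;</text></wish>"
)
```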
- In a VM we ran YARA rules to detect malware.
- After detection, we used an obfuscated version that used encoded PowerShell commands, but it remained identifiable through FLOSS and Sysmon logs.

Commands & Tools Used: YARA, Sysmon, CyberChef, FLOSS.

- Analyzed Amazon CloudTrail and RDS logs using `jq` and `grep` with different filters to identify the individual responsible for modifying the QR code on the donation website.

Commands & Tools Used: jq, grep.

- Using msfvenom, we generated shellcode.
- We loaded the shellcode into memory using a PowerShell script to establish a reverse shell.

Commands & Tools Used: msfvenom, nc.

- Performed risk assessments based on the questions answered by different vendors to choose the one with the lowest risk.

- Used the Metasploit Framework to create a malicious macro.
- Sent it through a familiar-looking email.
- We were using the Metasploit Framework to listen for the incoming connection.
- When the macro file was opened we got a reverse shell to the target system.

Commands & Tools Used: Metasploit Framework.

- With `iw`, set our Wi-Fi interface into monitor mode.
- Used `airodump-ng` to scan for nearby networks.
- Sent deauth packets to a specific BSSID, then captured the 4-way handshake into a file.
- Ran a dictionary attack on the captured handshake file using `aircrack-ng` to get the password.

Commands & Tools Used: iw, airodump-ng, aircrack-ng, aireplay-ng.

- On a website with a possible Time-of-Check to Time-of-Use (TOCTOU) flaw, we intercepted a money transfer request in Burp Suite.
- Duplicated it in Repeater and sent multiple simultaneous requests using last-byte sync to exploit the race condition, successfully transferring more money than the account's total balance.

Commands & Tools Used: Burp Suite.

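The server-side defect behind that race, shown as an added example (not the challenge's code): a constructed SQLite account with a check-then-act transfer that five simultaneous requests overdraw, beside the fix of folding the balance check into the same atomic UPDATE. `threading.Barrier` stands in for Burp's last-byte sync; the table and the figures are assumptions.

```python
"""TOCTOU money transfer: check-then-act (racy) beside an atomic conditional update."""
import sqlite3
import threading


def make_db(balance):
    """Constructed in-memory bank with one account; autocommit, one statement per transaction."""
    db = sqlite3.connect(":memory:", isolation_level=None, check_same_thread=False)
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute("INSERT INTO accounts VALUES (1, ?)", (balance,))
    return db


def transfer_vulnerable(db, account, amount, barrier):
    """Check, then act: every simultaneous request passes the check before any debit lands."""
    (balance,) = db.execute("SELECT balance FROM accounts WHERE id = ?", (account,)).fetchone()
    barrier.wait()  # all requests arrive together, as with Burp's last-byte sync
    if balance < amount:
        return False
    db.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, account))
    return True


def transfer_fixed(db, account, amount, barrier):
    """Check and act in one statement: the WHERE clause is evaluated atomically with the debit."""
    barrier.wait()
    cur = db.execute(
        "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amount, account, amount),
    )
    return cur.rowcount == 1  # 0 rows: a sibling request already spent the funds


def run_parallel(transfer, balance, amount, requests):
    """Fire `requests` simultaneous transfers; return (successful transfers, final balance)."""
    db, barrier, results = make_db(balance), threading.Barrier(requests), []

    def worker():
        results.append(transfer(db, 1, amount, barrier))  # list.append is atomic under the GIL

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    (final,) = db.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()
    return sum(results), final


if __name__ == "__main__":
    print("vulnerable:", run_parallel(transfer_vulnerable, 100, 80, 5))  # (5, -300)
    print("fixed:     ", run_parallel(transfer_fixed, 100, 80, 5))       # (1, 20)
```

The same conditional-update idea applies to any database; on PostgreSQL or MySQL the alternative is `SELECT ... FOR UPDATE` inside one transaction so the row stays locked between the check and the debit.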
- Intercepted the WebSocket traffic of a car tracking website with Burp Suite.
- Manipulated the `userId` of WebSocket messages to track other people's cars.
- Changed the same parameter in the chat traffic to send messages in the live chat as a different user.

Commands & Tools Used: Burp Suite.

- First we did local DNS resolution using the `/etc/hosts` file to avoid leaving a trace in DNS logs.
- Used Burp Suite as an intermediate proxy to listen to the HTTP traffic and get user credentials of a website using self-signed certificates.

Commands & Tools Used: Burp Suite.

- With a suspected breach of Active Directory, analyzed user logins and activities, reviewed PowerShell history, and identified maliciously installed GPOs (Group Policy Objects).

Commands & Tools Used: Windows Event Viewer.

- Used the Azure CLI to identify suspicious users and track their activities.
- Examined group memberships and checked for suspicious groups.
- Checked for assigned roles and access permissions.

Commands & Tools Used: Azure CLI.

- Used Splunk to view CCTV logs and web logs.
- Extracted custom fields and parsed the logs with regular expressions.
- Correlated the session IDs and IP addresses to identify the attacker.

Commands & Tools Used: Splunk.

- In an AI-powered chatbot we checked how it communicates with the system using its APIs and then performed prompt injection.
- Here, through blind remote code execution (RCE), we achieved a reverse shell on the target system.

Commands & Tools Used: tcpdump, netcat.

- Used Frida to intercept function calls.
- Accessed the in-game OTP.
- Altered in-game values to purchase items for free.
- Passed the biometric check by altering the return value of a library function.

Commands & Tools Used: Frida, VS Code.

- Analyzed a PCAP file using Wireshark.
- Found C2 server communication between multiple threat actors and their activities.
- Decrypted the secret messages using CyberChef.

Commands & Tools Used: Wireshark, CyberChef.

- Reverse engineered a suspicious .NET binary, `WarevilleApp.exe`, using PEStudio for static analysis and ILSpy for decompiling to reveal its malicious functionality.
- Figured out the behaviour of the malware, which involved downloading and executing files, creating a zip file of victim data, and interacting with a C2 server.

Commands & Tools Used: PEStudio, ILSpy.

- Looked at some Kubernetes pod logs of a compromised web application.
- Identified a suspicious file, `shelly.php`, accessed from an unexpected IP. The web shell was present even after a reboot, so it was part of the Docker image itself.
- So we checked the Docker registry logs; there we found the same unexpected IP and another IP, and traces of a PATCH to the Docker image in the registry that added `shelly.php`, the web shell.
- In the Kubernetes roles we found an unexpected role with permission to do this kind of thing; with this we figured out the attack path and the activities of the user.

Commands & Tools Used: minikube, kubectl, docker.

- With `hash-id.py`, identified the hash type of a password hash.
- Cracked it with John the Ripper using the `rockyou.txt` wordlist.
- We got a password-protected PDF, so we converted the file to a hash format with `pdf2john.pl`.
- Created a custom wordlist with possible passwords and ran John the Ripper with the `--rules=single` option, which cracked the PDF password.

Commands & Tools Used: John The Ripper, hash-id.py, pdf2john.pl.

- Analyzed MQTT (Message Queuing Telemetry Transport) traffic using Wireshark, examining the captured packets in the file `challenge.pcapng` to get the correct message that would turn on the lights.
- Used `mosquitto_pub` to publish the correct message to the devices, which turned the lights on.

Commands & Tools Used: Wireshark, mosquitto_pub.