March 23, 2025 Volatility3 Analysis of STRELASTEALER via Rundll32 Proxy Execution Detailed forensic analysis of a Windows memory dump using Volatility3 to investigate a compromise at a financial institution. The analysis identifies a hidden malicious PowerShell process (powershell.exe -windowstyle hidden) abusing WebDAV to execute a second-stage payload (3435.dll) via rundll32.exe. This activity aligns with MITRE ATT&CK sub-technique T1218.011. The investigation determines the attacker's C2 IP (45.9.74.32), the compromised user ('Elon'), and correlates the C2 infrastructure with the STRELASTEALER malware family.
My Blog
- February 23, 2025 The Crime - Mobile Forensics with ALEAPP to Reconstruct a Crime Timeline Detailed mobile forensics writeup solving a murder case by analyzing an extracted Android device using ALEAPP. The analysis successfully traces the victim's final actions, identifying the primary financial stressor (Olymptrade and a 250,000 EGP debt owed to 'Shady Wahab'), the victim's final known location ('The Nile Ritz-Carlton'), planned escape route ('Las Vegas' flight ticket), and a final scheduled meeting location ('The Mob Museum') based on Discord chat logs.
- February 19, 2025 Instant - APK Decompilation, LFI via Swagger API, and Solar-PuTTY Backup Decryption Technical writeup detailing the compromise of the Instant machine. Initial foothold is achieved through static analysis of a downloadable APK file, revealing subdomains and a hardcoded API key. This key is used to exploit a Local File Inclusion (LFI) vulnerability within the authenticated Swagger API (via the logs reading function), leading to SSH key exfiltration and user access. Privilege escalation is achieved by locating, transferring, and decrypting an encrypted Solar-PuTTY sessions backup file, which yields the root password.
- February 17, 2025 Network Forensics of LLMNR/NBT-NS Poisoning Attacks Detailed network forensics writeup investigating an LLMNR/NBT-NS poisoning incident using Wireshark. The analysis tracks the attack chain, identifying the initial mistyped network query (FILESHAARE), the attacker's rogue IP (192.168.232.215), the compromised user (janesmith) whose NTLM hash was intercepted via SMB, and the hostname of the accessed machine (AccountingPC), demonstrating the vulnerability of unauthenticated name resolution protocols.
- February 06, 2025 WebStrike - Network Forensics of Web Shell Upload and Data Exfiltration Detailed network forensics writeup analyzing a PCAP file to investigate a web shell incident. The analysis successfully identifies the attack's origin (Tianjin, China), the attacker's User-Agent, and the exploitation of a file upload vulnerability to deploy a malicious web shell ('image.jpg.php' in the /reviews/uploads/ directory). Further investigation reveals the attacker's attempt to establish a reverse shell to port 8080 and the subsequent data exfiltration of the sensitive /etc/passwd file.
- January 30, 2025 UFO-1 - Sandworm Team (APT44) MITRE ATT&CK TTP Analysis Research writeup focusing on the Sandworm Team (APT44), a highly aggressive Russian APT group, using the MITRE ATT&CK framework. Analysis covers their TTPs, critical infrastructure attacks (e.g., 2016 Ukraine power grid, 2022 SCADA attacks), key malware (e.g., Industroyer2, NotPetya, Exaramel), persistence methods, and specific tools used for code execution and data destruction.
- January 26, 2025 Noxious - LLMNR Poisoning and NTLMv2 Hash Cracking Network forensics writeup detailing the analysis of an LLMNR poisoning attack. The process covers identifying the rogue device via LLMNR and DHCP traffic, locating the victim's credential leak (NTLMv2 hash) within SMB Session Setup packets, extracting NTLM Challenge/Response components, and performing hash cracking with Hashcat to recover the plaintext password, providing full context on the credential theft incident.
- December 05, 2024 Volatility3 Analysis of a Credential Stealer Trojan Detailed forensic analysis of a Windows memory dump compromised by the Amadey Trojan. This investigation utilizes Volatility3 to identify the main malicious process (lssass.exe), determine its location on the filesystem (Temp folder), confirm its nature via VirusTotal, track its C2C network connections (41.75.84.12), and discover persistence mechanisms (Scheduled Tasks and DLL payload execution via rundll32.exe).
- November 28, 2024 Archetype - SMB Credential Disclosure, MSSQL xp_cmdshell RCE, and SYSTEM Privileges via psexec Technical writeup detailing the compromise of the Archetype Windows machine. Initial foothold is achieved by exploiting Anonymous SMB access (445/tcp) to retrieve SQL credentials from a shared backup directory (prod.dtsConfig). These credentials are used to gain access to the MSSQL service (1433/tcp), where xp_cmdshell is activated to achieve RCE and establish a reverse shell. Privilege escalation to NT AUTHORITY sYSTEM is completed by hunting for credentials in the PowerShell history file and leveraging Impacket's psexec.py with the found administrator account.
- November 23, 2024 Responder - LFI/RFI Chain to NTLMv2 Hash Capture and WinRM Access Technical writeup detailing the initial compromise of the Responder machine. The attack chain involves exploiting a Local File Inclusion (LFI) vulnerability in a PHP application, escalating it to an RFI-style attack by injecting a UNC path to force an SMB authentication attempt. The resulting NTLMv2 hash is captured using the Responder tool, cracked with Hashcat, and used to gain full remote access via Evil-WinRM on port 5985.
- November 12, 2024 Broken Access Control (BAC) Analysis and Mitigation Technical analysis of Access Control failures (A01:2021) leading to resource exposure or privilege escalation. Covers identification of IDOR, Horizontal, and Vertical BAC vulnerabilities, presenting a Proof of Concept (PoC) using Burp Suite, alongside key mitigation strategies like RBAC.
- November 06, 2024 Whiterose - IDOR, EJS SSTI (CVE-2022-29078), and Sudoedit Bypass (CVE-2023-22809) Technical writeup detailing the compromise of the Whiterose machine. Initial access involves subdomain enumeration via wFuzz and exploiting an IDOR vulnerability to retrieve privileged user credentials. This leads to a Server-Side Template Injection (SSTI) RCE via CVE-2022-29078 (EJS Template Engine vulnerability). Privilege escalation is achieved by exploiting the Sudoedit vulnerability CVE-2023-22809 to gain root access via modifying the /etc/sudoers file.
- October 21, 2024 Chemistry - Pymatgen RCE (CVE-2024-23346), SSH Port Forwarding, and aiohttp LFI (CVE-2024-23334) Technical writeup detailing the compromise of the Chemistry machine. Initial access (RCE) is gained by exploiting CVE-2024-23346, an arbitrary code execution vulnerability in the pymatgen library via a malicious .CIF file upload, leading to a low-privileged shell. Privilege escalation is achieved by locating hidden credentials in a SQLite database, gaining SSH access, and then using SSH Port Forwarding to access an internal web service. The final step involves exploiting CVE-2024-23334, a critical path traversal vulnerability in aiohttp/3.9.1, to perform Local File Inclusion (LFI) and read the /etc/shadow file for root access.
- October 20, 2024 Cap - PCAP Analysis, FTP Credential Disclosure, and cap_setuid Privilege Escalation Technical writeup detailing the compromise of the Cap machine. Initial access is achieved by enumerating a web application that provides downloadable .PCAP network capture files. Tshark analysis of a specific PCAP file reveals FTP credentials in plaintext. These credentials are used to gain SSH access as the 'nathan' user. Privilege escalation to root is achieved by exploiting the 'cap_setuid' capability set on the /usr/bin/python3.8 binary, allowing arbitrary user ID change to 0 (root).
- October 16, 2024 EvilCUPS - CUPS Vulnerability Chaining (CVEs) and Local Credential Compromise Technical writeup detailing the compromise of the EvilCUPS machine. Initial access is achieved by exploiting a chain of CUPS vulnerabilities (including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) to gain Remote Code Execution (RCE) as the 'lp' user. Local privilege escalation is then performed by manually enumerating the CUPS spool directory (/var/spool/cups) to extract cleartext credentials for the root user.
- October 08, 2024 Nmap: Host Discovery and Port Scanning Reference Guide Comprehensive technical reference on leveraging Nmap for network reconnaissance. Covers fundamental techniques for host discovery, various port scanning methods (SYN, TCP, UDP), service versioning (-sV), OS fingerprinting (-O), evasion tactics, and output formatting for security audits.
Loading text...