Posts
Flare-on 1 – Challenge 3 - Shellolololol
· ☕ 1 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. Challenge 3 brings a PE executable file to take a look at:
such_evil: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
I loaded the file up in x64dbg and, after navigating to the main function, it appears to load a whole lot of data onto the stack and then CALL into the loaded code.

Flare-on 1 – Challenge 2 - Javascrap
· ☕ 5 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. In Challenge 2 the zip file extracts to an HTML and a PNG file. From the top, the HTML file looks pretty normal until you see the PHP tag located near the bottom of the code, which includes the PNG file from the img directory. The file looks to be a normal PNG file and displays image data when loaded.

Flare-on 1 - Challenge 1 - Bob Doge
· ☕ 1 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. In the very first challenge you are presented with a Windows executable, and when you run it you are shown Bob Ross painting a nice scene. But when you click DECODE! you get a Bob Doge with a weird text string. Digging a little deeper to see what type of file we have, we find we have a .

Decoding Malware Payload encoded in a PNG part 2 - "W.H.O.bat"
· ☕ 7 min read · ✍️ suidroot
This post is a sequel to the post covering the sample “Bank Statement.bat”. I had received this message before the Bank Statement message, but I found the sample in the previous post was less obfuscated and easier to reverse engineer. In this post, I will cover the different ways that this sample hid the decoding routines and how I was able to gather the data to run the same decoding script I used before to extract the payload from the PNG data within this sample.

Decoding Malware Payload encoded in a PNG - "Bank Statement.bat"
· ☕ 7 min read · ✍️ suidroot
When looking through my Spam folder, I have run across a few messages with “.bat” files attached to them. Most messages have had different content in the message body to entice a victim to open the attachment. I started to investigate each of the attachments and found they were Windows binaries, and at least two had PNG files in their resources. After doing this initial triage, I wanted to see if the payload of these pieces of malware is encoded in this PNG data and how it was encoded.

Ryuk Malware - Analysis and Reverse Engineering
· ☕ 12 min read · ✍️ suidroot
Summary
In this post, I will reverse and analyze a Ryuk malware sample. Ryuk is well-known ransomware that encrypts the contents of a victim’s hard drive. The sample uses two executable stages: the first determines whether the system is 32-bit or 64-bit, then extracts the appropriate second-stage executable onto the file system and executes it. The second stage then attempts to gain persistence by creating a registry key, and finally injects its encryption code into another process and starts encrypting the file system, leaving behind a ransom note for the user to find.

CTF Box: Kioptrix level 1 walk-through
· ☕ 6 min read · ✍️ Ben Mason
This is a walk-through of the first level of the CTF box series named Kioptrix. The virtual machine images can be downloaded from: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ There are two methods I used to exploit this machine, but first, let’s enumerate the server.
Enumeration
To start, I ran an Nmap scan on the server to see what services are running on it.
# Nmap 7.70 scan initiated Sat Apr 13 14:05:06 2019 as: nmap -O -A -sV -sC -oA nmap/knoptrix1 192.

Installing slackin on Heroku
· ☕ 3 min read · ✍️ suidroot
slackin provides a self-service interface to join a Slack team. I found it as a solution when I was setting up the mainesec Slack team, eliminating the need to send out unique invite links to every member that was joining. slackin creates a sign-up form where a user enters an email address and is automatically sent an invite to the Slack team. I had seen the script running in the Heroku cloud before but could not find any good instructions to install or set it up, other than a vague mention of a button to install it automatically that did not exist.

DIGOO DG-HOSA – Part 2 Firmware Extraction and Initial Analysis
· ☕ 6 min read · ✍️ suidroot
This is a continuation from a previous post: https://ben.the-collective.net/hugo/posts/2019-08-21-digoo-dg-hosa-part-1-teardown-and-hardware/
Finding the connections
Now that I have the lay of the land for the device (which I outlined in the previous part of the series), the first thing I looked for is the debugging connections for the main GigaDevice processor. This processor looks to be the primary processor for the device and holds the most valuable firmware. Since the board was well labeled, I didn’t need to use tools like a JTAGulator or an Arduino board running the JTAGenum firmware to identify which test points are the debug interface.

Enabling old TLS / SSL ciphers in OpenSSL
· ☕ 1 min read · ✍️ suidroot
I was reminded of this tip during the CTF at a recent DC207 meetup. This config change is needed on machines with modern versions of OpenSSL that have disabled the older ciphers. The issue is that the old TLS and SSL protocol versions and their associated cipher suites have become insecure, so modern OpenSSL builds disable them in the default configuration. For a workaround to this, you can edit the following lines at the bottom of /etc/ssl/openssl.cnf
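As an added example (the excerpt above cuts off before the original post's lines, so this is not that post's text), the following is the shape of the system-default block that Debian and Ubuntu ship at the bottom of /etc/ssl/openssl.cnf, with the two values a CTF player lowers. The section names and the stock values are that packaging's layout and are an assumption here; check that the top of your file contains openssl_conf = default_conf before relying on them.

```ini
# Added example: Debian/Ubuntu-style system default section at the bottom of
# /etc/ssl/openssl.cnf. Section names assume that packaging; the file's top
# must have "openssl_conf = default_conf" for this block to be applied.

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Stock values (Ubuntu 20.04 era): TLS 1.2+ only, security level 2.
#MinProtocol = TLSv1.2
#CipherString = DEFAULT@SECLEVEL=2

# Loosened for a CTF / legacy target: allow TLS 1.0 and 1.1 and the weaker
# suites rejected at level 2. SECLEVEL=1 still refuses export, NULL and
# MD5-signed material; SECLEVEL=0 permits everything and is usually what
# OpenSSL 3.x needs before a TLS 1.0/1.1 handshake will complete.
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1
```

Rather than weakening every program on the machine, copy the file, make the change in the copy, and point only the one command at it with the OPENSSL_CONF environment variable (for example OPENSSL_CONF=/tmp/legacy.cnf openssl s_client -connect target:443). For a single s_client run the same effect is available without any file via -cipher 'DEFAULT@SECLEVEL=0', and openssl ciphers -v 'DEFAULT@SECLEVEL=1' lists exactly which suites a given string admits so you can see what you just re-enabled.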