Generate Memory Dump from .vmss file using vmss2core
zam Previously, I’ve encountered a problem where I’m unable to copy the .vmem file for further analysis. So, the next alternative way that we can do is to use .vmss file…
Global Community CTF: Mini Bootup by SANS – NM02
Question: Let’s try connect to the domain & port given via netcat Hmm. There’s mathematic question that we need to solve. But we’re too slow on solving it.. What if…
Global Community CTF: Mini Bootup by SANS – NM01
Question: Download & extract the file. You’ll see named “nm01.pcapng“ Open the pcap file using Wireshark. Usually, I sort frame with large “Length” number and view the content. On Frame…
Hunting for possible attacker Cobalt-Strike infra
Recently, we have an incident where suspicious traffic was observed related to external C2. Initial finding found that this IP 172.241.27.17 (172.241.24.0/21) resolved to atakaitechnologieshost; according to pDNS in Virustotal…
HackTheBox.eu – Reminiscent (Forensics 40 points)
For this question, I use Volatility to solve it. You can try to use Volatility Workbench. For me, it seems like not working properly (or I’m just too noob to…
Analyzing Phishing Email – Word XML File Analysis
Recently I’ve observed a phishing mail as below:https://www.virustotal.com/#/file/cf027dd938f1a268f45f2ea786dc538ab47f35006fb12d0b64e0867bccf789c0/detection – clean The file seems to be clean per VT. Interestingly, on details sections, found 2 URLs under OpenXML Doc Info; section…
Check bulk IP for reverse DNS (rDNS)
Recently I’ve encounter list of IPs that are related to CoinHive. So I want to check for domains that tied to these IPs. We can do that by using dig…
Import & export installed Cygwin packages
Recently I’ve changed my workstation to new one. Previously I’ve installed bunch of Cygwin packages on my old workstation. So I thought; can I somehow migrate my installed Cygwin packages…
Analyzing Oracle WebLogic attack
Recently we received an alert from our WAF related to an attack towards our environment. Further review of the alert found that the attacker is using Oracle WebLogic RCE Deserialization…
Wargames 2017 – Challenge 12 : ezfile sharing
Challenge 12 : ezfile sharing and the hint for this challenge: Initially, one of our teammate was fuzzing around the website and found “.git” folder. Seems related to the hint.…