DEV Community: L0WK3Y | Infophreak

How I Landed A Job In Cyber Security With No Professional Experience, Certifications, Nor A Degree

L0WK3Y | Infophreak — Mon, 08 Aug 2022 17:27:00 +0000

How I Landed A Job In Cyber Security With No Professional Experience, Certifications, Nor A Degree.

About Me

Before I get into the main discussion, I want to introduce myself. My name is Jonathan and I am currently working as a Malware Prevention Reverse Engineer at Bank of America. I also have my brand (IAANSEC) and work as a security consultant/freelancer for other companies in my spare time because I believe one should always have a side hustle, especially in today's economy. I've been studying cyber security full-time for the past 4 years starting in 2019. I mainly studied on platforms such as:

TryHackMe
HackTheBox
PicoCTF
Crackmes.one
Udemy
and more!

College Era

Like many others in this field, I grew up being very curious and loved learning. My interest in Cyber Security peaked in my senior year of high school. After graduating high school in 2016 I realized I wanted to get into Cyber Security as a career, but wasn't entirely sure where to begin. So for about a year I did some research in the field and learned a bit about Penetration Testing on Udemy and studied CompTIA study guides. Although during this time, I was working in retail full-time and proceeded to do so for the next 6 years.

Working in retail was dreadful, but the one thing that got me through the day was looking forward to going home and studying. I enjoyed the material that I was learning, once I got home around 11 pm after work, I stayed up and studied until 4/5 am. For about a year I spent my time studying the CompTIA study guides. I also had no intention of taking the exam for any of the CompTIA certifications because 1. I could not afford to spend that much money at the time and 2. I was still deciding which path in security I wanted to pursue. Around August of 2017 I was pressured into enrolling in college by my parents.

At the time my parents persuaded me that college was the best way to land the career I was aiming for. Since I did not have any other ideas on how to land a career in the Cyber Security field, I reluctantly agreed to enroll in college. Only a few months into college I knew this wasn't for me and this couldn't have been the BEST way to get into the security field... So I dropped out, this event was a decision and a life lesson I will never forget. At that point, I learned not to take advice from anyone as a final say so, I learned to ALWAYS come to my own conclusions. Some may ask if I regret dropping out of school, but I think dropping out of school was the best decision I've ever made.

Coding Bootcamp Era

Now that I was no longer in college I needed a plan because I refused to be stuck in retail. 2 years have gone by since I dropped out of college, and I started to take studying more seriously while still working in retail. There were days when I would bring my laptop to work and study on my lunch break. One day sometime in April, a Youtube ad showed up mentioning a Coding Bootcamp. Desperate, I did lots of research on coding boot camps and found a Bootcamp called Kenzie Academy.

I can't remember why exactly I chose this Bootcamp over others, but I did. Although Kenzie was my final choice for a coding Bootcamp, almost all coding boot camps are advertised the same "You don't owe us anything until you find a job!". ISA or Income Share Agreement was the biggest selling point for me when looking into a coding Bootcamp. Unfortunately, at the time Cyber Security boot camps weren't offering ISA and were very expensive. So I decided to settle with going to a coding Bootcamp instead since I figured I'd need to learn how to code anyways, I needed a solid foundation for learning how to code and there was potential for landing a job afterward.

The software development program was divided into two 6 month segments, the Front End and Back End courses. Fast forward to January 2020, I completed the Front End portion of the coding Bootcamp and it was a challenging journey. I learned a lot and also felt I learned enough to continue my studies in security, and apply what I learned from Kenzie to start creating my own projects for my portfolio. At the time I felt very confident about being able to at least land a development job, but months and soon 2 years started to go by after graduating from the front-end portion of the coding Bootcamp. After 2 years had passed, I still wasn't able to find a job in software development, not even land an internship.

Full-Time Study Era

During this time I was desperate to get into the field and wanted nothing more than to work in Cyber Security. I left the retail job I was working because I could no longer tolerate the toxic work environment I was working in. So I decided to study full-time and build up my LinkedIn network. During this time I transitioned from primarily studying Udemy courses to focusing on CTF sites like TryHackMe and HackTheBox. I practiced on these sites for hours a day on top of building my LinkedIn network and applying to jobs until I burned myself out and had to take breaks. I've learned so much about Cyber Security during this time, but I realized that I still don't know what position within security I wanted to pursue. So I did research into the different positions in Cyber Security.

While researching, I started to go down a rabbit hole looking into the different roles in the security field. Eventually, I came across Incident Response and did more research into the different roles within an Incident Response team and I came across, "Malware Analysis" the title alone piqued my interest. After looking more into Malware Analysis, I knew this was the role for me. Once I made my decision, I focused all my efforts on learning Malware Analysis. I started by studying all of the Malware Analysis content available on TryHackMe then bought a few books on the topic such as "Practical Malware Analysis" by Michael Sikorski and Andrew Honig, "Malware Analyst's Cookbook" by Michael Ligh, Steven Adair, Blake Hartstein, Matthew Richard and more.

I even bought a few Paul Chin courses on Udemy, with all of this material I felt more than confident enough to learn everything I could about Malware Analysis. A year goes by while studying full time, building up my LinkedIn network, and applying to jobs in the IT and Security fields. By this time I've acquired 1000+ connections on LinkedIn and felt confident that I'd be able to get some help from others in the community. I participated in security Discord servers, LinkedIn Cyber Security Livestream events, and more. Eventually, I started connecting with others that were also interested in Malware Analysis to exchange resources and other information to help me get a better understanding of the topic.

In late 2021, I received a connection from the President and Chief Revenue Officer of my first client as a freelancer. This was where I sort of had my initial break into Cyber Security as a content developer. My duty was to develop content for the clients' Cyber Security training platform which is used to educate its users on various cybersecurity topics. My main focus is dealing with malware analysis, computer science, and reverse engineering. Admittedly, this role wasn't something I wanted to do full-time, non the less, it still provided me an income and professional experience I could use on my resume. Things were starting to look up with this new role, sure the income wasn't stable but it was definitely enough to keep me on my feet while gaining valuable experience.

Doors Start Opening

It is now the year 2022, and it's time to start fresh. I am still working as a freelancer and on the hunt for full-time work. At this point I am fully confident that I have what it takes to land a full-time role, it's just a matter of a company being willing to take a chance on me. For about a year now, I've applied to multiple Security Researcher roles as I feel they align with my experiences the most. My main technique for finding jobs is not to search for terms such as " Entry Level Security", "Entry Level Cyber Security Jobs" or any generic search queries like those, instead, my approach was to base my search on skills that I've learned during my studies.

For example, since the career I was aiming for was to become a Malware Analyst, I'd search for some of the tools used in Malware Analysis. So my search queries would be "x64dbg" or "Ghidra" since Malware Analysis was already kind of a niche role in security I could just search "Malware Analysis" or "Reverse Engineering" and sift through the results for job listings that best match my experiences.
Once I find a role that I'm interested in, I will reach out to a recruiter at the company and inquire about the position to show my interest. Here's an example of the inquiry that I'll send the recruiter



Hello <RECRUITER NAME>,

I hope all is well, my name is Jonathan I am a Security Researcher I came across your job posting for a <JOB POSTING> at the company and was hoping I could chat with you to express my interest in the position. I look forward to connecting with you!

Thank you

This technique has gotten me a lot of initial calls which led to interviews. I've been in a dozen interviews, some of which where I've gotten to the selection process but unfortunately was not selected. Even though I was not selected for some of the roles that I applied for, there was one interview that led to a great opportunity. Binary Defense reached out to schedule an interview, during this interview I had a great chat with Randy, the Vice President of Threat Hunting and CounterIntelligence at the company. Unfortunately, I was not qualified enough for the role but Randy was hosting a class on Reverse Engineering and he asked if I'd be interested in volunteering to be a teaching assistant for that class. Here is the course description



"This class is designed for technical security personnel who wish to gain skills in reverse-engineering malicious software for Windows operating systems. Although no prior experience is required to take the class, students who have some programming experience in C or another language will find it easiest to participate fully. The class will focus on disassembly analysis of compiled 32-bit DLL files written in C but may also touch on scripting languages such as PowerShell and Visual Basic that are used to deliver compiled malware payloads. Students will learn practical analysis and report writing techniques to pull the most useful information out of malware that can help inform threat hunting and detection engineering efforts and communicate that information effectively."

- Using Microsoft Windows 11 Developer VM (free) and Visual Studio 2022 (free), write and compile a very simple DLL file for Windows in C that writes content to a file on disk.
- Run DLL files from the command line using rundll32.
- Using IDA Free 7, perform static code analysis of a very simple DLL file and explain its purpose.
- Using x32dbg, set breakpoints and step through running the
instructions of a simple DLL file via rundll32.
- Create a Microsoft 365 Developer Tenant (free) for testing MS Teams, etc.
- Use vcpkg to install static libraries for Libcurl and cJSON in Visual Studio 2019.
- Modify the C code of a simple DLL project to send a simple message through Microsoft Teams via a webhook URL.
- Using IDA Free and x32dbg, analyze the new version of the DLL and find the instructions responsible for network connections.
- Using C source code provided by the instructor, modify the DLL project to be a typical Remote Access Trojan (RAT) capable of running commands, listing files and processes, and reporting the output to a Command-and-Control server.
- Modify the DLL to allow execution using rundll32, regsvr32, and msiexec.
- Using IDA Free and x32dbg, analyze the relevant portions of the RAT to identify the main command loop, commands recognized, network connections, and behavior-based indications of compromise that could be used by threat hunters and security engineers.
- Write a tactical malware analysis report, focusing on actionable details.
- Provide constructive feedback to other students about their
malware analysis report.
- Analyze another student’s version of the DLL with a few minor modifications and identify the relevant changes in functionality added by the other student.
- Using strings and FLOSS, extract strings from a compiled executable file.
- Using Python and C source code provided by the instructor, modify the DLL file to XOR encode some of the strings in the DLL project.
- Using IDA Free, analyze the XOR decoding function in another
student’s DLL to find the key bytes and decode the encoded strings.
- Using C code provided by the instructor, modify the DLL project to detect when it is being run in a virtual machine or debugger, causing the DLL to modify its behavior when analyzed.
- Using IDA Free and x32dbg, recognize the anti-analysis code in the DLL and patch the instructions to bypass the protections and analyze it anyway.

This course was only 3 months long but it gave me an edge in the experience I'll need to land a Malware Analysis role later on in the future. After completing the course, I feel taking the volunteer role was the right choice to make because I now have new connections within Binary Defense. Around April - May I continue my approach of reaching out to recruiters expressing my interest in roles at their company. While reaching out to companies I came across the company "Huntress" and one of their roles piqued my interest, so I decided to reach out to the CEO and said:



Hello Kyle,
My name is Jonathan, I'm a malware analyst and I was interested in learning more about your company. I was wondering does Huntress host any paid intern/apprenticeships. It seems like a great company to work at with lots of growth potential. I look forward to chatting with you!

Thank you

After doing so, Kyle reached out and wanted to schedule an interview for us to have a chat with him and his team. I was given a chance to chat with Kyle, John Hammond along with other members of the team and gain valuable connections. Unfortunately the role I experienced interest in at the company I did not have enough experience. Although disheartened, this did not discourage me, I continued my search and studies, not much time passed until I received an interview invitation that would be the interview that would make my 6-year-long struggle worth it.

The Internship

In May, I received an invitation for an interview for Threat Analysis Intern role I applied for months prior for the company "IronNet Cybersecurity". I was more than confident I'd be able to land the job, and I did! Here is the job description as it was listed:



Our mission is simple:

Deliver the power of collective cybersecurity to defend companies, sectors, and nations. For decades, companies have been defending against cyberattacks on their own while adversaries have been organizing themselves into sophisticated hacker networks, until now with IronNet Collective Defense.

Bringing together some of the best minds in cybersecurity and an unmatched team of experts from industry, government, and academia, IronNet was born to more effectively defend enterprises, sectors, and nations against highly organized cyber adversaries and increasingly sophisticated attacks.

- Research and create lead generation queries for C2 frameworks
- Analyze C2 servers
- Create queries
- Analyze analytic results for additional use cases
- Develop hunt queries for open search
- Create common queries that look for malicious use

Once I was offered the role my start date was June 1st, and throughout the internship, the amount of anxiety and imposter syndrome I experienced was through the roof. I've had many sleepless nights just trying to get work done and lots of meetings with my mentors to get help with troubleshooting errors that I had and didn't know how to fix. Even though this internship was challenging I still learned a lot of valuable skills and information which I will be able to use later on in my career. I was allowed to work with AWS OpenSearch, ElasticSearch, work in the security teams development environment, and more! The projects I was assigned were to convert Scala hunt queries into OpenSearch queries and dashboards for the security teams to use later in the future. My second project was to create a wrapper for Open and ElasticSearch so that the security teams would be able to query the Open and ElasticSearch database from their CLI.

I am extremely grateful for this experience although it was only a short 2 months. Not only did I get to work on some great projects, but I also got to meet some great people during the internship, make lots of new connections and do some fun activities with the other interns. One of the activities was a book club where we were tasked with reading two books "Leaders Eat Last" and "The Happiness Equation" These two books taught me life skills that I would remember fondly throughout the rest of my journey (I don't want to spoil the books 😉). During the 2 months of the internship, I kept applying to other roles and was still getting interviews for other full-time times during this time from companies such as "Offensive Security", "Cisco", and "Macquarie" and more. There was one company that changed everything for me and was able to help me land the career of my dreams making $190K/yr.

The Finish Line

With the internship coming to a close in less than 2 weeks, a recruiter from Apex Systems reaches out to me looking to fill a Malware Analyst role at Bank of America. I happily agreed to proceed with the interview, although I've been in countless interviews, interviewing never got any easier despite how confident I was. Fast forward to the day of the interview and everything went flawlessly, out of all the interviews I've been in the past 4 years this was the BEST interview I've been in.

Not only did I feel really good about my answers during the technical interview but I also had a chance to bond with the team as well during a few personable questions. Typical after all my other interviews I usually leave the call with a sense of anxiety and discouragement as I know the interview didn't go well. After 6 years of applying for jobs and interviewing I can proudly say that I've never felt such ecstasy after an interview, and with that said I was offered the role a few days later! It's been a long journey and extremely stressful journey getting to where I am today, In the end, it was all worth it.

Connect With Me!

IAANSEC | WannaCry Analysis Report

L0WK3Y | Infophreak — Sun, 10 Apr 2022 05:53:43 +0000

WannaCry Ransomware Report

Apr 09, 2022 | L0WK3Y

Executive Report
High-Level Technical Summary
Malware Composition
Static Analysis
Dynamic Analysis
Indicators of Compromise
Yara Rules

Executive Summary

sha256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

Wannacry is a ransomware that utilized the EternalBlue exploit to propagate through the targets network and attacked outdated Windows computers globally in May of 2017. WannaCry was a multistage attack starting with a dropper which unpacked a payload onto the targets system under the right conditions. Once the files were encrypted, the threat actors demanded a ransom of $300 worth of Bitcoin. If the ransom is not paid in a specified amount of time, the ransom is increased to $600. This attack infected around 230,000 computers across 150 countries. Marcus Hutchins later discovered a kill switch that stalled the spread of the attack. Click here to view the full analysis report.

High-Level Technical Summary

WannaCry consist of 2 stages:

The first stage being a dropper that tries to make contact with a suspicious URL that can be found in the strings hxxp[://]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com if a connection is established the program exits, if a connection is not established the program proceeds with the rest of the execution. Once the program proceeds with execution a service is created by the program mssecsvc2.0 and has the display name Microsoft Security Center (2.0) Service. The service also contains a path to the executable <PATH_TO_WANNACRY>\wannacry.exe -m security. During this stage the program will attempt to propagate by reaching out to a large range of IPv4 addresses.
Stage two the payload is unpacked from the dropper and proceeds to create persistence mechanisms such as creating a folder in the C:\ProgramData\<GENERATED_STRING>\ directory and creating a file named tasksche.exe in the C:\Windows\ path and copying itself to the newly created directory. Once the file has been copied to the directory, a service is created and is named after the same generated string as the newly created folder and contains a path leading to the payload C:\ProgramData\<GENERATED_STRING>\tasksche.exe. After the service is created and the payload is executed the encryption process starts which changes the background image, drops instructions on how to decrypt the files and more in the generated directory.

Fig.0 Execution flow graph

Malware Composition

Item	SHA-256 Hash
Ransomware.wannacry.exe	`24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c`
tasksche.exe	`ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa`
@WanaDecryptor@[.]exe	`b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25`
taskdl.exe	`4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79`
taskhsvc.exe	`e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb`
taskse.exe	`2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d`

Item	Description
Ransomware.wannacry.exe	`Initial file detonated`
tasksche.exe	`The payload unpacked from the dropper`
@WanaDecryptor@[.]exe	`The GUI application that is executed by tasksche after all files have been encrypted and handles ransom payment`
taskdl.exe	`SQL Client Configuration Utility EXE`
taskhsvc.exe	`Handles communication to TOR URL and other TOR activites`
taskse.exe	`Waitfor - Wait/send a signal over a network`

Static Analysis

The original file name can be found in the "Version" tab of PE Studio

Fig.1 Original filename of dropper.

Compiler time stamp reports Nov. 20, 2010 in PE Studio.

Fig.2 Image showing was date dropper was compiled.

Executable can be found in the .rsrc section of the dropper executable.

Fig.3 Image of executable in the .rsrc header of the dropper.

Fig.4 Payload found in the 00407ce0 function

Found a URL that the dropper tries to communicate with at the start of it's execution.

Fig.5 Reference to DNS query URL string.

A few imports of interest:

Fig.6 Imports of interest in the dropper.

Addresses to the bitcoin wallets can be found in the function starting at address 0x00401E9E within the `tasksche.exe` executable. BTC addresses are randomly selected.

Fig.7 Bitcoin addresses found in the payload

Dynamic Analysis

Dropper tries to reach out to the suspicious URL.

Fig.8 Dropper making DNS query to suspicious URL.

If the connection to the URL fails, the program proceeds and pushes two arguments to the stack `<PATH_TO_WANNACRY>` and `-m security` which are then passed as parameters to the `CreateServiceA` function. The strings `mssecsvc2.0` and `Microsoft Security Center (2.0) Service` are also pushed to the stack in preparation for the creation of the service. The program proceeds to create a service named `mssecsvc2.0` with the display name of `Microsoft Security Center (2.0) Service`. Below are images of the service being prepared and the service after creation.

Fig.9 Dropper creates service as a persistence mechanism

After the creation of the service the payload attempts to connect to a range of IPv4.

Fig.10 Service attempts to reach out to a range of IPv4.

A reference to the payload can be seen being pushed to the stack along with another string of interest can be found stepping through the dropper in x32dbg.

Fig.11 Reference to packed payload.

The payload is later unpacked on to the system in the `C:\Windows` directory and is executed.

Fig.12 Payload is unpacked by dropper.

The payload generates a string based on the host name of the system and creates a folder named after the generated string in the `C:\ProgramData` directory. After the creation of the directory a copy of the payload is moved to the directory.

Fig.13 Payload generates random string based on the system name, creates a folder in the C:\ProgramData directory with the generated name and copies the payload to the generated directory.

Along with the creation of the new directory a service is also created with the same generated name as the directory which uses cmd to execute tasksche as a persistence mechanism.

Fig.14 Service is created with the same name as the generated string.

A registry named `WanaCrypt0r` and registry key named `wd` are created with the key value set to the newly created directory in `C:\ProgramData\<RANDOMLY_GENERATED_STRING>`.

Fig.15 Registry key created by payload service.

After the payload has executed the `@WanaDecryptor@.exe` executable is dropped along with various other files in the same directory as the payload's execution and creates a shortcut to the executable on the Desktop.

Fig.16 Files dropped from payload after encryption process has begun.

Lastly, the system background is changed and a GUI of the `@WanaDecryptor@.exe` is displayed.

Fig.17 Background changed and GUI application displayed

Indicators of Compromise

Network Indicators

Dropper observed making DNS Query to suspicious domain.

Payload attempts establish contact with a range of IPv4 addresses.

Host Based Indicators

Payload is unpacked on to system in `C:\Windows`.

(Note) During the debugging process, there was a mention of a file in the directory C:\Windows named qeriuwjhrf but the file was never created.

Creation of services.

Creation of registry key.

Creation of files following the execution of the payload in the same directory as the execution. Along with files ending in the `.WNCRY` extension.

Background change and appearance of GUI application.

Yara Rules


 yara
rule wannacry_ruleset {
    meta:
    last_updated = "04-09-2022"
    author = "IAANSEC"
    description = "Yara rule to detect wannacry ransomware."
    hash256 = "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"

    strings:
        $MZ_byte = "MZ"
        $querydomain_killswitch = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea" ascii
        $weird_windows_dir_str = "qeriuwjhrf" ascii
        $reg_name = "WanaCrypt0r" ascii
        $service = "Microsoft Security Center (2.0) Service" ascii
        $payload = "tasksche" ascii
        $exe1 = "taskdl" ascii
        $exe2 = "taskse" ascii
        $import = "Crypt" ascii
        $str = "WNcry@2017" ascii
        $decrypt_exe = "@WanaDecryptor@.exe" ascii
        $wnry = "wnry" ascii
        $decrypt = "decrypt" ascii
        $bitcoin = "bitcoin" ascii
        $btc_wallet1 = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" fullword ascii
        $btc_wallet2 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" fullword ascii
        $btc_wallet3 = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" fullword ascii

    condition:
        $MZ_byte at 0 and
        5 of them     
}

Connect With Me 🙂

TryHackMe - Searchlight - IMINT (Writeup)

L0WK3Y | Infophreak — Mon, 28 Mar 2022 08:05:00 +0000

Welcome to the Searchlight IMINT room!

In this room we will be exploring the discipline of IMINT/GEOINT, which is short for Image intelligence and geospatial intelligence. This room is suited for those of you who are just beginning your OSINT journey or those brand new to the field of IMINT/GEOINT.

This room will introduce you to several topics within IMINT, among them:

Getting into the right mindset and how to be analytical.
Visually extracting key data points from an image or video.
Applying different tools to assist you in geolocation and answering context questions.

When you have completed this room you should be comfortable applying tools and methodologies to geolocate and answer context questions based on visual intelligence alone. This room will prepare you for harder CTF challenges in this category as well as real-world geolocation work.

Any thoughts, feedback or issues can be forwarded to me directly on the THM or Searchlight Discord. You'll find me there as zewen.

The flag format is: sl{flag} - this means that every answer needs to be submitted within the brackets, sl{your answer}. No capitalization is needed.

If you are stuck or you want someone to discuss these challenges with, head on over to the OSINT Curious Discord server. You can also find me on Twitter if you have any questions!

Questions

Task 2: "Your first challenge!"

Q1: What is the name of the street where this image was taken?

With this being an introductory question, the answer is pretty straightforward. The street name is on the sign Carnaby Street.

Task 3: "Just Google It!"

For starters I won't be using reverse image search, because where's the fun in that. Instead I will explain the thought process I had while analyzing the image. With that said, the first thing I noticed was the European architecture of the buildings in the background. Next, I noticed the Circus St... on the sign above the stairway. After doing a Google search with the information gathered Public Subway Underground Circus Station, I was able to obtain the information needed to answer the questions.

Q1: Which city is the tube station located in?

The station is located in London.

Q2: Which tube station do these stairs lead to?

The first result shown after the Google search was a Wiki page for Piccadilly Circus, which lines up with the circus portion of the sign.

Q3: Which year did this station open?

"Piccadilly Circus tube station was opened on 10 March **1906, on the Bakerloo line, and on the Piccadilly line in December of that year." - Wikipedia

Q4: How many platforms are there in this station?

Googling "How many platforms are there in Piccadilly Circus?" returns 4.

Task 4: "Keep at it!"

Right off the bat I see a banner which says "YVR Connects" and "YVR.CA" which leads me to think this building is located in Canada. This is enough intel for me to start doing some research.

Q1: Which building is this photo taken in?

After searching "YVR Connects" on Google, the first result I was presented with was the Vancouver International Airport Wikipedia page.

Q2: Which country is this building located in?

Canada

Q3: Which city is this building located in?

"Vancouver International Airport (IATA: YVR, ICAO: CYVR) is a Transport Canada designated international airport[5] located on Sea Island in **Richmond, British Columbia."

Task 5: "Coffee and a light lunch"

This task requires you to do a bit more searching than the others. After searching the name of the store across the street, "The Edinburgh Wollen Mill" You are presented with numerous results. My approach to near down the choices was by adding "Coffee shops near..." at the start of the initial Edinburgh search. After doing so, a couple coffee shops popped up in the results, but I narrowed my choices down to two coffee shops "The Wee Coffee Shop" and "Courtyard Coffee Shop". I made my final decision by doing a Google Street View for both coffee shop and The Wee Coffee Shop was the right coffee shop. With that I was able to gather the intel needed to answer the questions.

Q1: Which city is this coffee shop located in?

1 Allan St, Blairgowrie PH10 6AB, United Kingdom

Q2: Which street is this coffee shop located in?

1 Allan St, Blairgowrie PH10 6AB, United Kingdom

Q3: What is their phone number?

+447878839128

Q4: What is their email address?

theweecoffeeshop@aol.com (Can be found on their Facebook page which is linked on their businesses Google maps panel.)

Q5: What is the surname of the owners?

Debbie and David Cochrane (Can be found by searching "The Wee Coffee Shop Owners")

Task 6: "Reverse your thinking"

This task will require you to do a reverse image search since there is no text that stands out in the image. The quickest way to do an reverse image search is by dragging and dropping the image into the Google search bar. After doing so you will be presented "Katz's Delicatessen"

Q1: Which restaurant was this picture taken at?

Katz's Deli

Q2: What is the name of the Bon Appétit editor that worked 24 hours at this restaurant?

Andrew Knowlton (Can be found by searching "Katz's Deli Bon Appétit Editor")

Task 7: "Locate this sculpture"

For this task I started off with another reverse image search on Google. After doing so the first link to pop up was . In the description of the URL before clicking it, there is a mention of "Rudolph the Chrome Nosed Reindeer". Once on the site scroll down until you are presented with a map. Once the map is displayed click on the marker that is beneath TJUVHOLMEN. After clicking on the correct marker, a side panel will be displayed with name of the sculpture and the name of photographer.

Q1: What is the name of this statue?

Rudolph the Chrome Nosed Reindeer

Q2: Who took this image?

Kjersti Stensrud

Task 8: "...and justice for all"

Once I opened the image, the first thing that stood out to me was The Verge watermark in the bottom right corner. I made sure to keep the watermark in mind once proceeding to the reverse image search. After doing a RIS I realized that I can't always rely on JUST Google RIS, it gave me results differing from Bing's RIS. On Google the RIS returned the name "Blind Justice Man", Bing returned "Lady Justice". After a bit of scrolling through the related images on Bing my trail went cold. My thought process was to see if I could find any images of the statue from a wider angle to see if I could possibly find the building name. So I decided to transition over to Yandex and do a RIS there, I had better luck there because I found this as a related image
On Yandex you can search by image fragment, doing this you can crop just the text in the image and search for related images based on that fragment. After searching by fragment, I found this related image.

We can now see the text "T V. Bryan United States Court". I then search, "V. Bryan United States Court" on Yandex since I'm already on the site, and was then presented with the full name of the courthouse and it's location. With that, I gathered enough information to answer the last question.

Now that I had the name of the court I went to Google Maps Street View and got the name of the building opposite of the courthouse.

Q1: What is the name of the character that the statue depicts?

Lady Justice

Q2: Where is this statue located?

Alexandria, Virginia

Q3: What is the name of the building opposite from this statue?

The Westin Alexandria Old Town

Task 9: "The view from my hotel room"

For this task, we are presented with a video to analyze. A couple seconds into the video we can see a building with the sign "Riverside Point". We can pause the video at this frame, screenshot it and do a RIS on this frame.

On Yandex I was presented with this related image, on the bottom left we can see the location of the building.

Now that I know the location of the building, I do a search on Google Maps for "Riverside Point Singapore". Once I've navigated to the location, I head back over to the video to have a look at the angle the Riverside Point building was recorded from. I've marked the location I believe the video was recorded from on the map.

I then confirmed my suspicions by heading into street view to have a look at the building. Google Street View's last update of this building shows it was under construction as of February 2021.

Although, after searching around the building in Street View, if you click on this entrance to the construction site

It actually reveals an older 3D street view from 2018 before the construction. Once I came across the older street view model, I then noticed the name "Tanyoto". I then searched "Tanyoto Singapore Hotel", and was given the result Novotel Clarke Quay - Singapore, 177a Riv Vly Rd. My guess is Tanyoto is the older name of the hotel before it's reconstruction.

Q1: What is the name of the hotel that my friend is staying in?

Novotel Singapore Clarke Quay

Connect With Me 🙂

IAANSEC - BrickRoll (Official Write Up)

L0WK3Y | Infophreak — Sat, 05 Feb 2022 22:44:40 +0000

Witness the Rick Astley Experience NOW!

Developed by L0WK3Y

Intro

"Odd, I clicked on the Rick Astley Simulator icon but it didn't.... Wait...OH MY GOD MY EARS!!!"

In this IAANSEC CTF you will be tasked with analyzing the Rick Astley Experience binary. This room will test your cryptography, stenography and malware analysis skills. Have fun and good luck!

(Quick note, majority of flags are Rick Roll lyrics and are separated with an underscore "_". Lastly I HIGHLY recommend using Procmon to solve this CTF)

Questions

Task 1: The Rick Astley Experience

Where is that God awful music coming from?

What happened to my wallpaper?

What is the name of the program causing havoc?

What file is created when the executable is ran without internet access?

What is the key to decode the sus.txt flag?

(It was in the directory of the first flag)

What is the sus.txt flag?

(I recommend using https://www.dcode.fr/rot-cipher to solve this flag, don't forget the underscores!)

I hate getting into arguments...

(Decode the base64 for the flag)

TryHackMe - REloaded Writeup

L0WK3Y | Infophreak — Thu, 09 Dec 2021 02:49:17 +0000

Intro

"This room is dedicated for the RE challenges, each challenge has unique concepts divided in each binaries. As if now only phase 1 is added will decide about phase 2 on response. Developed by WhiteHeart and tested by IslaMukheef"

In this TryHackMe room you will be tasked with cracking various executables and in each level the challenges gradually increase in difficulty. This will definitely test your skills as a reverse engineer.

Tools Used

-Windows, Linux
-Ghidra
-x64dbg

Questions

Task 1: This challenge is the most basic of RE. It will teach about how to enumerate files and get juicy details.

Like every reverse engineering CTF, I started things off by pulling strings from the executable to see what catches my eye. After searching for strings in Ghidra I found 1 string that looks like a flag that was referenced in the function FUN_00401410 and address 0040142b and 2 that look like an output string after a comparison is made between the correct string and the users input, 1 more string that tells the user to enter the flag.

After navigating to the address where the "Enter The Flag" string is referenced I am now presented with what you see blow in the decompiler. After analyzing the information I was able to deduce that char local_40 [20]; must be the variable that holds the users input since it is only allowed 20 bytes and the flag itself is 18 bytes. There were also a few empty functions, but looking towards the bottom we can see the same function where the flag string was referenced.

After heading to that function I was presented with this in the decompiler. It's safe to assume that this must be the flag check function. On line 9 and 11, it looks like the author of this program created callback functions that act similarly to how the strcpy and strcmp functions work.

I went ahead and renamed the functions accordingly as you can see below. On line 9 the flag string is copied into the variable local_28. On line 11 the strcmp_callback function is used to compare param_1 (the users input) to local_28 (the flag variable). If at any point the users input gets null terminated in the comparison process the string "Don't Worry its a start ;)" is printed to the terminal, if the users' input and flag variable match, the string "That was easy...Bruh!!!" is printed to the terminal.

Task 2: Level 0 was piece of cake for you now I am keeping my cake in the cage.

Again I start off by pulling strings, and come across a string named "Thats your lucky number !!!" which is referenced in function FUN_00401410.

After heading to the function where the string was referenced I was presented with this code in the decompiler, as you can see the function takes a parameter as an integer if the parameter is equal to the hex value on line 5, we get the lucky number string that was referenced. All we have to do is convert the hex to decimal to get the answer.

Task 3: As a security analyst, you found some suspicious app in your organization which enables employees secretly share their file to the rival organization. Your task is to find who is involved in this treachery, but the app needs some key to log in. Can you patch this app to bypass Authentication?

After pulling strings from the binary I found one interesting string "Wow Ur At L3?" after navigating to the function where the string is located (FUN_004014cb) I was presented with this in the decompiler.

FUN_0040147f on line 13 is just an empty function. FUN_00401410 leads to the function that creates the flag string. After navigating to that function, I was presented with this code in the decompiler. I converted all the local variables from hex to ascii to see what value is returned, after doing so I was given the ascii value: 1_3L02_shT_t1L_3t13. So I tried entering that as the flag and it was incorrect so I figured each hex value must be reversed. After reversing the ascii values and running it against the executable, the program printed the "Get Ready For L4 ;)" string along with the correct flag.

Another method of solving this task would be switching the JG instruction. at address 004014d9 we can see there is a comparison between the hex value 0x1 and the 32bit value located at the address [EBP + param_1]. On the next line we can see if 0x1 was greater than [EBP + param_1], then a jump is made to address 004014f2. If you change the JG instruction to JNE or JNZ, the program will move the function that prints the flag since the conditions have changed.

Now that the jump instruction has been changed, the decompiler should read as follows:

Task 4: Bob was fired due to his inappropriate behavior with colleagues. While leaving he deleted the code which decrypts the password stored in the code. As a reverse engineer it's your task to recover that master password since the code is in prod now and cant is modified but you have a copy of the app. everything depends on you now !!!

After pulling strings I found the string "Rooted !!!" after heading to the function where the string was located, I was presented with this in the decompiler. Upon examining the code in the decompiler, I was able to make an educated guess at what the functions and variables are. Below are before and after images.

I only renamed the functions and variables that seemed important to me also I wasn't entirely sure what local_28 is and what line 13 of the code does, but I was still able to solve the challenge without knowing what they are. As for the xor_string_func was able to come to the conclusion that this was an XOR function seeing how the program behaves in a debugger. I felt the most logical place to set a breakpoint would be at the start of XOR function that way I can see the flag string before it gets ciphered. The XOR function begins at the address 00401410. In x64dbg hit Run until the program reaches the point where it asks you to enter the flag, after entering the wrong flag, step over to the next instruction until the debugger jumps to the XOR function breakpoint. From there continue to step over until you see the flag in the EAX register.

Task 5: They are back!!! and using some sort of encryption algorithm to communicate. Although we intercepted their messages we cant decode them, Agent 35711 has successfully stolen their test encryption code. Now it's on you to build a decryptor for test messages and save this world.

Alright, so this time pulling strings returns nothing of value but when executing the program it prints this in the console "Amcm↨QBu^YP+lD↨V1pvY^BdR" just by looking at this string I can tell it is being encrypted by an algorithm at some point in the program. So I figured since the string is being encrypted and printed to the console, I could see where the printf function was being used in the program. In Ghidra click on "Display Symbol Tree" and search for and click "printf" from there follow the XREF's until you land at the function where the printf function was used (FUN_00401453).

Once I arrived at the function where printf was reference, I was presented with this in the decompiler. After analyzing the function and comparing it to the programs behavior in the debugger, I was able to make an educated guess at what each variable is. Below are before and after pictures of the function.

It looks like the function gets the length of the flag, performs a preliminary check on lines 10-11 if the string meets certain requirements, the encryption algorithm is ran against the flag string. Skipping ahead a bit, if you set a breakpoint at the start of the address where the function is located (00401453), the flag will be displayed in memory before it is run through the encryption algorithm.

That concludes this write-up if you have any feedback, feel free to comment. Feedback is always appreciated and will help me learn and grow 😊.

Connect With Me 😊

TryHackMe - Classic Passwd Writeup

L0WK3Y | Infophreak — Tue, 28 Sep 2021 10:37:00 +0000

Intro

"I forgot my password, can you give me access to the program?"

In this TryHackMe room you will be tasked with cracking the password to a binary by bypassing the authentication sequence. There are multiple ways to solve this CTF, but I will go over a few of the ways I solved it.

Scenario

Practice your skills in reversing and get the flag bypassing the login.

Questions

Task: What is the flag?

Method 1: Convert the Hex Values to Decimal

To start things off, I pull the strings to find what catches my eye, scrolling through the strings I find THM{ %d%d }. After doing countless CTFs I already know that flags are typically formatted this way (e.g flag{}, THM{}, htb{}), %d is a string format that takes an argument and prints it as an integer we will see that later on in Ghidra. You can read more about %d here.

After importing the file into Ghidra and head over to the main function we can see that two functions are called, vuln and gfl. For this method I will only be focusing on the gfl function. Once in the function we can see the printf function where the flag and the hex arguments that are being formatted into the flag string with %d. If we convert the hex values to decimal (0x638a78 = 65235128496) and (0x2130 = 8496) then append them to the string we get the full flag THM{652351284968496}.

Method 2: ltrace

For the second method I use a command line debugging utility called ltrace. After running the binary through ltrace it will ask the user to input the username. After doing so we can see that there is a strcmp function called with compares the users input to the correct username (AGB6js5d9dkG7). We can test this by executing the binary again and using the same username from the comparison and we can see that it is valid and prints the flag.

Method 3: Swap the Jump Instruction

The third method involves changing the jump instruction that leads to the "Welcome" message and the flag. In this method we will focus on the vuln function, this is where the user input is handled along with the if statement that handles the authentication. Below is the if statement and jump condition that handles the authentication. We can see that at address 00101261 there is a JNZ instruction which leads to the address 00101271 which prints the Authentication Failure message.

We can bypass this by switching the JNZ condition to JZ and patching the binary, which will essentially have the opposite output than that of the original program. Take a look back at the ltrace screenshot, you can see that in the original binary for the first comparison the word "test" was entered and was compared with the expected input the program returned a status code of 51. When the correct username is entered and compared the status code is 0. By swapping the jump condition, the user can input the wrong username, and the program will still print the Welcome message and flag.

I am actively looking for work, feel free to connect with me and lets talk business. Also feedback is appreciated! Thank you!

Connect With Me 🙂

TryHackMe - OhSINT Writeup

L0WK3Y | Infophreak — Sat, 25 Sep 2021 17:53:21 +0000

Intro

In this TryHackMe room you will be tasked with gathering intel on a target based on an image, you must use Open Source Intelligence to solve the questions.

Scenario

What information can you possibly get with just one photo?

Questions

Q1. What is this users avatar of?

To get started you will need to extra metadata from the photo, this can be done using a tool called Exiftool. This tool needs to be downloaded but I will be using an online version of this tool called ExifMeta. After uploading the image to exifmeta, you will be presented with a list of RAW data pulled from the image's metadata. Right off the bat, I see a few things that catch my eye. XMP-exif:GPSLatitude, XMP-exif:GPSLongitude, and XMP-tiff:Copyright. After Googling OWoodflint the first result should be a twitter user with the profile picture of a cat.

System:FileName	WindowsXP.jpg
System:FileSize	234081
System:FileModifyDate	2021:09:24 19:18:32+00:00
System:FileAccessDate	2021:09:24 19:18:32+00:00
System:FileInodeChangeDate	2021:09:24 19:18:32+00:00
System:FilePermissions	100644
File:FileType	JPEG
File:FileTypeExtension	JPG
File:MIMEType	image/jpeg
File:ImageWidth	1920
File:ImageHeight	1080
File:EncodingProcess	0
File:BitsPerSample	8
File:ColorComponents	3
File:YCbCrSubSampling	2 2
XMP-x:XMPToolkit	Image::ExifTool 11.27
XMP-exif:GPSLatitude	54.2947963
XMP-exif:GPSLongitude	-2.2503684
XMP-tiff:Copyright	*OWoodflint*
Composite:ImageSize	1920 1080
Composite:Megapixels	2.0736
Composite:GPSLatitudeRef	N
Composite:GPSLongitudeRef	W
Composite:GPSPosition	54.2947963 -2.2503684

Q2. What city is this person in?

Q3. What's the SSID of the WAP he connected to?

After finding the targets' Twitter account, you will find the user made a tweet with a BSSID. For this question you will need to head over to a site called WiGLE (a website for collecting information about the different wireless hotspots around the world). Once on the site enter the BSSID in the map search box and hit "Filter". After hitting filter, zoom out on the map and head over to the marked location on the map, once you find the marked location zoom all the way in and you'll find the answers for questions 2 (London) and 3 (UnileverWiFi).

Q4. What is his personal email address?

Q5. What site did you find his email address on?

The answer to questions 4 and 5 can be found by doing a Google search on the targets username and searching through the each link. Eventually you will come across their Github page which has an email on one of their repos.

Q6. Where has he gone on holiday?

Q7. What is this persons password?

The last two questions can be answered by heading over to the targets WordPress blog page, the target states that they are in New York at that point in time. Their is also hidden text on the page that is colored the same color as the background of the webpage (if you don't have a night mode extension enabled)

This was a really fun room and a great room to test your OSINT skills, OSINT is personally one of my favorite aspects of Cyber Security! 😊

I am actively looking for work, feel free to connect with me and lets talk business. Also feedback is appreciated! Thank you!

Connect With Me 🙂

TryHackMe - Dunkle Materie Writeup

L0WK3Y | Infophreak — Mon, 20 Sep 2021 12:54:58 +0000

Intro

This blog is a brief writeup of the TryHackMe room Dunkle Materie and how to solve each question. This room revolves around using the tool ProcDot to investigate a ransomware attack. Let's begin!

Scenario

The firewall alerted the Security Operations Center that one of the machines at the Sales department, which stores all the customers' data, contacted the malicious domains over the network. When the Security Analysts looked closely, the data sent to the domains contained suspicious base64-encoded strings. The Analysts involved the Incident Response team in pulling the Process Monitor and network traffic data to determine if the host is infected. But once they got on the machine, they knew it was a ransomware attack by looking at the wallpaper and reading the ransomware note. Can you find more evidence of compromise on the host and what ransomware was involved in the attack?

Questions

Q1. Provide the two PIDs spawned from the malicious executable. (In the order as they appear in the analysis tool)

The first question can be found after uploading the Logfile.CSV and traffic.pcap files from the Analysis Files to ProcDot and selecting the Launcher button to select a process from the list. After doing so a list of processes that were active while procmon was monitoring while be shown. After looking through the list I was able tell these two PIDs (8644,7128) were spawned from the malicious executable exploreer.exe. It's safe to assume it was given this name so that it could be easily overlooked and would be confused for the actual explorer.exe.

Q2. Provide the full path where the ransomware initially got executed?(Include the full path in your answer)

Once ProcDot graphs all active processes and network activity, after looking through the data we can see the file path where exloreer.exe was initially executed. c:\users\sales\appdata\local\temp\exploreer.exe.

Q3. This ransomware transfers the information about the compromised system and the encryption results to two domains over HTTP POST. What are the two C2 domains? (no space in the answer)

Q4. What are the IPs of the malicious domains? (no space in the answer)

To answer this question you will need to head over to the second instance of the malicious process 7128 after scrolling through the captured data, you'll find a segment where exploreer.exe is sending and receiving a stream of TCP traffic from cisco[.]com, mojobiden[.]com IP: 146.112.61.108 and, paymenthacks[.]com IP: 206.188.197.206. Based on the flow of the traffic exploreer.exe seems to be sending and receiving data from mojobiden[.]com it's safe to assume that this is how the threat actor sends commands to the malware and receives data from the victims system. Paymenthacks[.]com must be where all the data that was collected from the victims system is being sent to based on the flow of the traffic, there is only outgoing traffic being sent to that domain.

Q5. Provide the user-agent used to transfer the encrypted data to the C2 channel.

If you right click on the mojobiden server and click Follow TCP Stream you can scroll down until you come across information in red text, here you will find the User-Agent information which is Firefox/89.0.

Q6. Provide the cloud security service that blocked the malicious domain.

Going back to the network traffic from question 3&4 there was data being sent to and from a Cisco server with the address 23.204.14.115. If you right click on the Cisco Server bubble you will find Cisco Umbrella being mentioned in the data. You can read more about Cisco Umbrella here.

Q7. Provide the name of the bitmap that the ransomware set up as a desktop wallpaper.

Q8. Find the PID (Process ID) of the process which attempted to change the background wallpaper on the victim's machine.

If you follow the thread 4892 created by 7128 you will see that there is a value set in the register path HKCU\Control Panel\Desktop\Wallpaper the value is c:\programdata\ ley9kpi9r.bmp.

Q9. The ransomware mounted a drive and assigned it the letter. Provide the registry key path to the mounted drive, including the drive letter.

You can find the answer to this question by following the thread 4892 and you will see the registry path for the mounted device. HKLM\SYSTEM\MountedDevices\DosDevices\Z:.

Q10. Now you have collected some IOCs from this investigation. Provide the name of the ransomware used in the attack. (external research required)

For this question you can look up the C2 servers on threat intel sites like VirusTotal and AlienVault. On VirusTotal enter the C2 address in the VirusTotal search bar and head to the community tab. This concludes the Dunkle Materie room and I hope you enjoyed this room as much as I did. Happy Hacking! 😊

I am actively looking for work, feel free to connect with me and lets talk business. Also feedback is appreciated! Thank you!

Connect With Me 🙂

Network Security & Database Vulnerabilities

L0WK3Y | Infophreak — Sat, 18 Sep 2021 00:40:51 +0000

Introduction to the TCP/IP Protocol Framework

Alright, time to dive into one of the most important parts of cybersecurity. NETWORKING! This blog will teach about network basics of TCP/IP and OSI models, DNS, DHCP, as well as switching and routing concepts, IP addressing, NAT, packet sniffing and finally, structures and vulnerabilities of key databases including SQL, CouchDB, Oracle and MongoDB. Let's get started!

Stateless Inspection

To start off the topic of networking let's discuss what firewalls are and how they utilize stateless and stateful inspection, then compare stateless firewalls to stateful firewalls. According to Cisco (one of the leading companies in network technology) firewalls are "A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet. A firewall can be hardware, software, or both.". Now that we know what a firewall is, let's dig a little deeper into how firewalls filter incoming and outgoing network traffic stateless and stateful inspection. Regular routers and some firewalls use the stateless way of filtering packets, this means the firewall inspects each packet without any knowledge of previous packets, the firewall will inspect the destination and source address of the packet and then block or restrict addressess that are deemed untrusted. There may also be an Access Control List rule (ACL) that will determine weather the source addess and destination port of the packet is allowed on the network or if the destination address is allowed to be accessed or not. A few use cases for stateless inspection include:

Protecting routing engine resources.

Controlling traffic going in or out your organization.

Troubleshooting purposes.

Control traffic routing (through the use of routing instances).

Perform QoS/CoS (marking the traffic).

Stateful Inspection

Heading back over to Cisco, a Stateful Inspection is "Now thought of as a “traditional” firewall, a stateful inspection firewall allows or blocks traffic based on state, port, and protocol. It monitors all activity from the opening of a connection until it is closed. Filtering decisions are made based on both administrator-defined rules as well as context, which refers to using information from previous connections and packets belonging to the same connection.". In some cases there can be a stateless and stateful inspection, the stateless inspection is going to be performed first and then will be followed up by an evaluation of the stateful data. Now that we know about stateless and stateful inspections what are the pros and cons of each method ? Below is a list of the pros and cons of each inspection method courtesy of CDW.

IDS and IPS Systems

Now that we've talked about firewalls and the different types of firewalls, let's talk a little about 2 types of firewall filters. Intrusion Detection and Intrusion Prevention Systems. An Intrusion Detection System (IDS) "is a network security technology originally built for detecting vulnerability exploits against a target application or computer.". Intrusion Prevention Systems (IPS) "extended IDS solutions by adding the ability to block threats in addition to detecting them and has become the dominant deployment option for IDS/IPS technologies.".

Intrusion Detection Systems

An IDS needs to only detect threats on a network, because the IDS only detects threats and reports it's finds to an administrator. It is placed outside of the real-time communication path of the sender and receiver of information, which makes it a passive system. Due to the IDS not keeping up with real-time communication it will often take advantage of a TAP or SPAN port to analyze a copy of the inline network traffic stream. This ensures that the IDS does not impact inline network performance. Unfortunately due to the nature of IDS solutions, they lack the ability to prevent a detected exploit from taking over the system. Attackers are capable of quickly exploiting vulnerabilities once they've infiltrated the network. Rendering the IDS useless.

Intrusion Prevention Systems

IPS on the other hand, has the ability to block threats along with detecting them. The IPS often sits directly behind the firewall and adds a layer of analysis that actively searches for dangerous content. The IPS sites inline or in the direct path of communication of the sender and receiver and takes automated actions on all traffic flows that enter the network. The actions performed by an IPS include:

Sending an alarm to the administrator(as would be seen in an IDS)

Dropping the malicious packets

Blocking traffic from the source address

Resetting the connection

Since the IPS works as an inline security component, it is crucial that the IPS works fast and efficiently to avoid degrading network performance as well as detect and respond to exploits accurately since exploits can happen in near real time. When it comes to detection methods IPS has a number of different detection methods but signiture-base and stistical anomaly-based are the two dominant methods. Signature-based detection "is based on a dictionary of uniquely identifiable patterns (or signatures) in the code of each exploit. As an exploit is discovered, its signature is recorded and stored in a continuously growing dictionary of signatures. Signature detection for IPS breaks down into two types:"

Exploit-facing signatures identify individual exploits by triggering on the unique patterns of a particular exploit attempt. The IPS can identify specific exploits by finding a match with an exploit-facing signature in the traffic stream

Vulnerability-facing signatures are broader signatures that target the underlying vulnerability in the system that is being targeted. These signatures allow networks to be protected from variants of an exploit that may not have been directly observed in the wild, but also raise the risk of false positives.

Statistical anomaly detection "takes samples of network traffic at random and compares them to a pre-calculated baseline performance level. When the sample of network traffic activity is outside the parameters of baseline performance, the IPS takes action to handle the situation."

Network Address Translation

NAT or Network Address Translation is essentially a method of converting a private IP address to a public IP address when connecting to the Internet. NAT remaps the IP address by modifying information in the IP datagram packet headers as they transit across a traffic routing device. This is just a summerized version of what NAT is but you can read more about it through a FAQ form on CISCO's website Network Address Translation (NAT) FAQ. Below is a diagram of a Juniper NAT router and 4 key facts about NAT.

Static, Dynamic, and PAT Address

Static NAT- Allows one-to-one mapping between local and global addresses.

Dynamic NAT- A technique in where multiple public IP addresses are mapped to a local IP address to be used.

Port Address Translation (PAT) - Maps multiple local IP address to a single public address to conserve IP addresses. This method is often referred to as "Overloading". By using overloading, thousands of users can be connected to the Internet by using only one real public IP address.

I am actively looking for work, feel free to connect with me and lets talk business. Also feedback is appreciated! Thank you!

Connect With Me 😊

Introduction to Cybersecurity Tools & Cyber Attacks

L0WK3Y | Infophreak — Sat, 18 Sep 2021 00:34:41 +0000

DISCLAIMER: TO AVOID COPYRIGHT INFRINGEMENT I WILL NOT BE REVIEWING EVERY ASPECT OF THIS COURSE. IF YOU WANT TO ACCESS THE FULL COURSE GO TO: IBM Cybersecurity Analyst Professional Certificate. ENJOY!

Introduction to Cybersecurity Tools & Cyber Attacks

In the first of a series of 7 courses within the IBM "Cybersecurity Analyst Professional Certification," you will learn about the current challenges that are occurring within the cybersecurity field. As more and more valuable information and resources that have monetary worth become available, the more security threats and alerts will increase. With this increase in security threats, one would think, "with so many bad guys creating security threats and attacks, there must be a ton of good guys to counter the bad guys, right?". Well, unfortunately, that is not the case, there is a lack of skilled security professionals in the cybersecurity field. There was a global study conducted by the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG) which states that "the cybersecurity skills shortage is exacerbating the number of data breaches,” with the top two contributing factors to security incidents being “a lack of adequate training of non-technical employees” (31%) first and “a lack of adequate cybersecurity staff (22%)” second. As attacks become more complex, the knowledge that is required to deal with these attacks begins to increase whilst the time we have to deal with the attacks unfortunately decreases. The longer it takes for professionals to respond to attacks, the more it will cost to recover.

SOC Analyst

"What is a SOC Analyst and what do they do?"

A Security Operations Center (SOC) Analyst "is a cybersecurity professional who works as part of a team to monitor and fight threats to an organization's IT infrastructure". A SOC Analyst will also "assess security systems and measures for weaknesses and possible improvements." It is up to the SOC Analyst to use tools for reviewing Security Incident and Event Management (SIEM) and decide which events should recieve a high level of priority over others. You can check out the article "SOC analyst job description, salary, and certification" by Josh Fruhlinger to learn more about what a SOC Analyst does and how you can get a career by becoming a SOC Analyst.

What are We Talking about when We Talk about Cybersecurity?

In this section we will discuss the definition of cybersecurity, a few key terms and roles within security. Let's get started!

Information Security

Now I know what you're thinking when it comes to defining the term "Information Security", and if you were thinking something along the lines of "securing information" then you are absolutely right! Information Security, according to the National Institute of Standards and Technology (NIST) is "The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability." Within this definition are three importatant key words, "Confidentiality, Integrity, and Availability.". These three words together are known as the "CIA Triad", "but what does confidentiality, integrity, and availability have to do with information security?" you might ask, well it actually has alot to do with information security, since the CIA triad is practically the building blocks to securing information. Let's get into more detail about what the CIA Traid really means!

The CIA Triad

In the Information Security sub-section I mentioned the CIA Triad and what it is in minor detail, but lets discuss in further detail what the C.I.A in the triad really means.

Confidentiality

The dictionary definition of "Confidentiality" is "The ethical principle or legal right that a physician or other health professional will hold secret all information relating to a patient, unless the patient gives consent permitting disclosure." of course this is looking at it from a medical standpoint, but I'm sure you get the general idea 😊. Ok let's take Dictionary.com's definition and try to think of confidentiality from a technical standpoint, think about all the data a company has in their database, and we have security professionals taking measures to prevent said data from falling into the wrong hands. That is confidentiality.

Integrity

By definition Integrity is "the state of being whole, entire, or undiminished", so think of Integrity as the prevention of data being deleted or modified from an unauthorized source is essentially what Integrity stands for in the triad.

Availability

Available meaning to be "suitable or ready for use; of use or service; at hand", when it comes to security, availability in essence means to have your data always ready to access when needed, by authorized users of course. A few best practices for maintaining availability would include:

Business Continuity Plans

Disaster Recovery

Redundancy

I am actively looking for work, feel free to connect with me and lets talk business. Also feedback is appreciated! Thank you!

Connect With Me 😊

How To Get a HackTheBox Invite Code! (Outdated)

L0WK3Y | Infophreak — Fri, 17 Sep 2021 18:35:08 +0000

How To Get a HackTheBox Invite Code.

So you want to practice penetration testing, you're looking around on your favorite search engine for a few pen-testing labs. Low and behold, you come across the holy grail that is hackthebox, you're interested in joining, so you click the "Join Now" button at the top right of the webpage. Expecting to be met with the basic username and password sign up, you're greeted with this...

Challenge Accepted.

To start things off let's look at the signup/invite page in its entirety.

As you can see there's a "Click Here" button for help, there's a good chance you've already clicked the said button and are wondering what to do afterward. Head over to Developer Tools by pressing F12 or CTRL+Shift+I and head to the Console tab. You will then be greeted by a nifty looking banner, here you will see another hint "This page loads an interesting javascript file. See if you can find it :)"

Getting Closer...

With another clue to guide us in the right direction, we can now head over to the Sources tab to view the source code for the webpage. In the Sources tab head over to the Page sidebar, there you will find the folders css, images, js. Inside the js folder, you'll find a file that should catch your eye and it's titled inviteapi.min.js. I wonder what could be in this file... Once inside the file, you'll see a long single line of code, you'll want to Pretty-Print to make the code a bit more readable.

Once Pretty-Print is enabled, the code should look like this...

//This javascript code looks strange...is it obfuscated???

eval(function(p, a, c, k, e, r) {
e = function(c) {
return c.toString(a)
}
;
if (!''.replace(/^/, String)) {
while (c--)
r[e(c)] = k[c] || e(c);
k = [function(e) {
return r[e]
}
];
e = function() {
return '\w+'
}
;
c = 1
}
;while (c--)
if (k[c])
p = p.replace(new RegExp('\b' + e(c) + '\b','g'), k[c]);
return p
}('0 3(){$.4({5:"6",7:"8",9:\'/b/c/d/e/f\',g:0(a){1.2(a)},h:0(a){1.2(a)}})}', 18, 18, 'function|console|log|makeInviteCode|ajax|type|POST|dataType|json|url||api|invite|how|to|generate|success|error'.split('|'), 0, {}))

Now that we have a better idea of what we're looking at, we can observe the code a little better. At first glance, the code seems a bit complex, but we can still extract a few keywords like:

"makeInviteCode"

"generate"

"success"

Although, if you have some experience in programming, there should be a few keywords that also stand out to you, such as:

"ajax"

"POST"

"json"

"url"

"api"

If these 5 keywords look familiar to you, then you probably can guess what is coming next 😉,(POST Request) BUT before we get to that there's still one more clue that we missed if you got too caught up scratching your brain, trying to figure out what on Earth you're looking at. Then you probably looked over the most important clue in all of the code...

Obfuscation

Taking a look back at the code, in the very first line some text is commented out reading, "This javascript code looks strange...is it obfuscated???" "hmmm... obfuscated??? What does that mean? 🤔 you are probably thinking to yourself, well let's take a trip to Dictionary.com.

In programming, obfuscation is used to "to confuse, bewilder, or stupefy." those who try to read the code. With that said now, you're probably thinking "how do we deobfuscate the code then?" For deobfuscation we will be using an online tool called de4js by lelinhtinh, the tool is super easy to use, all you have to do is copy and paste the JavaScript code into the textbox and click Auto Decode, and BOOM! You have the original JavaScript code.

function makeInviteCode() { $.ajax({ type: "POST", dataType: "json", url: '/api/invite/how/to/generate', success: function (a) { console.log(a) }, error: function (a) { console.log(a) } }) }

Now that we can see the original code, we can see that the "makeInviteCode" is actually a function that creates the API key, and this is where those 5 programming keywords we mentioned early now come into play.

POST Requests

Within the function we see that ajax is being used, "Ajax is a set of web development techniques using many web technologies on the client side to create asynchronous web applications. With Ajax, web applications can send and retrieve data from a server asynchronously without interfering with the display and behaviour of the existing page. We can see in the function that, the type of data that Ajax is sending to the server is a POST and it is being sent to the url: '/api/invite/how/to/generate'. Now that we have an idea of what Ajax is doing in the function, let's talk a little about what a POST request is and how to make a POST request to the server. In computing, POST is a request method supported by HTTP used by the World Wide Web. By design, the POST request method requests that a web server accepts the data enclosed in the body of the request message, most likely for storing it.[1] It is often used when uploading a file or when submitting a completed web form. To make a POST request to the HTB server, we will be using this amazingly easy to use tool called reqbin. Simply type the main website URL "hackthebox.eu" into the text field and then take the URL from the makeInviteCode function and append them this should be your final URL for the POST request: hackthebox.eu/api/invite/how/to/generate Now you're all set to send the POST request!

Once you've sent the POST request you should receive a status code of 200(OK) meaning that the request was sent successfully, and should also receive data inside of curly brackets. This data is called JSON or JavaScript Object Notation it's essentially a data type primarily used to store and transmit data. If you look back to the makeInviteCode function you can see that the person who wrote the code is telling Ajax the data type to expect when making the POST request is JSON. The JSON data that you received should look something like this.

{ "success": 1, "data": { "data": "SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl", "enctype": "BASE64" }, "hint": "Data is encrypted \u2026 We should probably check the encryption type in order to decrypt it\u2026", "0": 200 }

Now we are in the home stretch, and time to solve the second to last hint to get our invite code."Data is encrypted. We should probably check the encryption type in order to decrypt it.".

Base64

Picking up from where we left off, upon inspecting the JSON data we can see an attribute called "enctype": "BASE64". Base64 is the most popular binary-to-text algorithm used to convert data as plain text in order to prevent data corruption during transmission between different storage mediums. In addition, it is often used to embed binary data into text documents such as HTML, CSS, JavaScript, or XML. (XML has been replaced by JSON). To decrypt the data we will need to use a base64 decoder, we could use the many base64 decoders online. Instead, I decided to make my own in python just for the fun of it 😁.

import base64 import subprocess from sys import platform

def osCheck():
if platform == "win32":

    while True:
        try:
            subprocess.call(['cls'],shell=True) 
            modeSelect = input('Select a conversion mode: \n1: Encode\n2: Decode\n0: Exit\n\nSelection: ')
            if modeSelect == '1':

                def enc():
                    subprocess.call(['cls'], shell=True)
                    userInput = input("Enter plain text here: ")
                    subprocess.call(['cls'], shell=True)

                    """
                    Uses base64 library to encode and decode text
                    https://docs.python.org/3/library/base64.html
                    """
                    b64enc = base64.b64encode(userInput.encode('utf-8'))

                    print('Original Text: ' + userInput + '\n\nEncoded Conversions\n_______________________\n\nBase64 Encoded:', b64enc.decode())

                    input('\n\n\nPress Enter to continue...')

                enc()


            if modeSelect == '2':
                subprocess.call(['cls'],shell=True)
                def b64dec():
                    try:
                        subprocess.call(['cls'], shell=True)
                        userInput = input("Enter encoded text here: ")
                        subprocess.call(['cls'], shell=True)

                        """
                        Uses base64 library to encode and decode text
                        https://docs.python.org/3/library/base64.html
                        """
                        b64dec = base64.b64decode(userInput)

                        print('Converted Text: ' + b64dec.decode() + '\nBase64 Encoded: ', userInput)
                        input('\n\n\nPress Enter to continue...')


                    except:
                        input('Incorrect text format, please enter encoded Base64.\n\nPress enter')
                b64dec()  


            if modeSelect == '0':
                subprocess.call(['cls'], shell=True)
                break

        except KeyboardInterrupt:
            subprocess.call(['cls'], shell=True)
            input('Program Terminated. Press Enter to continue...')
            subprocess.call(['cls'], shell=True)

            break
if platform == "linux" or platform == "linux2" or platform == "darwin":

    while True:
        try:
            subprocess.call(['clear'],shell=True) 
            modeSelect = input('Select a conversion mode: \n1: Encode\n2: Decode\n0: Exit\n\nSelection: ')
            if modeSelect == '1':

                def enc():
                    subprocess.call(['clear'], shell=True)
                    userInput = input("Enter plain text here: ")
                    subprocess.call(['clear'], shell=True)

                    """
                    Uses base64 library to encode and decode text
                    https://docs.python.org/3/library/base64.html
                    """
                    b64enc = base64.b64encode(userInput.encode('utf-8'))

                    print('Original Text: ' + userInput + '\n\nEncoded Conversions\n_______________________\n\nBase64 Encoded:', b64enc.decode())

                    input('\n\n\nPress Enter to continue...')

                enc()


            if modeSelect == '2':
                subprocess.call(['clear'],shell=True)
                def b64dec():
                    try:
                        subprocess.call(['clear'], shell=True)
                        userInput = input("Enter encoded text here: ")
                        subprocess.call(['clear'], shell=True)

                        """
                        Uses base64 library to encode and decode text
                        https://docs.python.org/3/library/base64.html
                        """
                        b64dec = base64.b64decode(userInput)

                        print('Converted Text: ' + b64dec.decode() + '\nBase64 Encoded: ', userInput)
                        input('\n\n\nPress Enter to continue...')


                    except:
                        input('Incorrect text format, please enter encoded Base64.\n\nPress enter')
                b64dec()  


            if modeSelect == '0':
                subprocess.call(['clear'], shell=True)
                break

        except KeyboardInterrupt:
            subprocess.call(['clear'], shell=True)
            input('Program Terminated. Press Enter to continue...')
            subprocess.call(['clear'], shell=True)

            break

osCheck()

text-converter.py | GitHub

You try out the script on an online IDE called Repl.it or of course, you can use an online decoder, for this demonstration I will be using the decoder I wrote on Repl.it: L0WK3Y's Text Encoder/Decoder. Once you are on Repl select the decode mode and then copy and paste the encoded data string from the JSON into the terminal, and the script will decode the data string for you and give you the last URL string for the last POST request to getting the invite code /api/invite/generate. Now it's time to head back to reqbin for the final POST request.

Invite Code Acquired

We've finally reached the last stage of our quest to getting the invite code to hackthebox once you've made a POST request to hackthebox.eu/api/invite/generate.

{ "success": 1, "data": { "code": "Q0VUQ1EtUk5FRlItT0VES1ktTUtQTk0tSkNaVU4=", "format": "encoded" }, "0": 200 }

You will receive yet another base64 encoded data string. Just pop that bad boy in the text decoder again and you've got your invite code!

There it is in all of its glory the final key to getting into hackthebox, with that said, this concluding our journey to getting the invite code for hackthebox. I hope you've learned a lot from this blog and hope you continue to strive in your cybersecurity endeavors. This has been your guide L0WK3Y, and I hope you visit again in another learning adventure with me. Happy Hacking! 😊

DEV Community: L0WK3Y | Infophreak

How I Landed A Job In Cyber Security With No Professional Experience, Certifications, Nor A Degree

How I Landed A Job In Cyber Security With No Professional Experience, Certifications, Nor A Degree.

About Me

College Era

Coding Bootcamp Era

Full-Time Study Era

Doors Start Opening

The Internship

The Finish Line

Connect With Me!

IAANSEC | WannaCry Analysis Report

WannaCry Ransomware Report

Apr 09, 2022 | L0WK3Y

Table of Contents

Executive Summary

High-Level Technical Summary

Malware Composition

Static Analysis

The original file name can be found in the "Version" tab of PE Studio

Compiler time stamp reports Nov. 20, 2010 in PE Studio.

Executable can be found in the .rsrc section of the dropper executable.

Found a URL that the dropper tries to communicate with at the start of it's execution.

A few imports of interest:

Addresses to the bitcoin wallets can be found in the function starting at address 0x00401E9E within the tasksche.exe executable. BTC addresses are randomly selected.

Dynamic Analysis

Dropper tries to reach out to the suspicious URL.

After the creation of the service the payload attempts to connect to a range of IPv4.

A reference to the payload can be seen being pushed to the stack along with another string of interest can be found stepping through the dropper in x32dbg.

The payload is later unpacked on to the system in the C:\Windows directory and is executed.

The payload generates a string based on the host name of the system and creates a folder named after the generated string in the C:\ProgramData directory. After the creation of the directory a copy of the payload is moved to the directory.

Along with the creation of the new directory a service is also created with the same generated name as the directory which uses cmd to execute tasksche as a persistence mechanism.

A registry named WanaCrypt0r and registry key named wd are created with the key value set to the newly created directory in C:\ProgramData\<RANDOMLY_GENERATED_STRING>.

After the payload has executed the @WanaDecryptor@.exe executable is dropped along with various other files in the same directory as the payload's execution and creates a shortcut to the executable on the Desktop.

Lastly, the system background is changed and a GUI of the @WanaDecryptor@.exe is displayed.

Indicators of Compromise

Network Indicators

Dropper observed making DNS Query to suspicious domain.

Payload attempts establish contact with a range of IPv4 addresses.

Host Based Indicators

Payload is unpacked on to system in C:\Windows.

Creation of services.

Creation of registry key.

Creation of files following the execution of the payload in the same directory as the execution. Along with files ending in the .WNCRY extension.

Background change and appearance of GUI application.

Yara Rules

Connect With Me 🙂

TryHackMe - Searchlight - IMINT (Writeup)

Welcome to the Searchlight IMINT room!

Questions

Task 2: "Your first challenge!"

Q1: What is the name of the street where this image was taken?

Task 3: "Just Google It!"

Q1: Which city is the tube station located in?

Q2: Which tube station do these stairs lead to?

Q3: Which year did this station open?

Q4: How many platforms are there in this station?

Task 4: "Keep at it!"

Q1: Which building is this photo taken in?

Q2: Which country is this building located in?

Q3: Which city is this building located in?

Task 5: "Coffee and a light lunch"

Q1: Which city is this coffee shop located in?

Q2: Which street is this coffee shop located in?

Q3: What is their phone number?

Q4: What is their email address?

Q5: What is the surname of the owners?

Task 6: "Reverse your thinking"

Q1: Which restaurant was this picture taken at?

Q2: What is the name of the Bon Appétit editor that worked 24 hours at this restaurant?

Task 7: "Locate this sculpture"

Q1: What is the name of this statue?

Q2: Who took this image?

Task 8: "...and justice for all"

Q1: What is the name of the character that the statue depicts?

Q2: Where is this statue located?

Q3: What is the name of the building opposite from this statue?

Task 9: "The view from my hotel room"

Q1: What is the name of the hotel that my friend is staying in?

Connect With Me 🙂

Addresses to the bitcoin wallets can be found in the function starting at address 0x00401E9E within the `tasksche.exe` executable. BTC addresses are randomly selected.

The payload is later unpacked on to the system in the `C:\Windows` directory and is executed.

The payload generates a string based on the host name of the system and creates a folder named after the generated string in the `C:\ProgramData` directory. After the creation of the directory a copy of the payload is moved to the directory.

A registry named `WanaCrypt0r` and registry key named `wd` are created with the key value set to the newly created directory in `C:\ProgramData\<RANDOMLY_GENERATED_STRING>`.

After the payload has executed the `@WanaDecryptor@.exe` executable is dropped along with various other files in the same directory as the payload's execution and creates a shortcut to the executable on the Desktop.

Lastly, the system background is changed and a GUI of the `@WanaDecryptor@.exe` is displayed.

Payload is unpacked on to system in `C:\Windows`.

Creation of files following the execution of the payload in the same directory as the execution. Along with files ending in the `.WNCRY` extension.