Sign in

File entropy is a rating that scores how random the data within a PE file is. With a scale of 0 to 8. 0 meaning the less “randomness” of the data in the file, where a scoring towards 8 indicates this data is more “random”.

Files that are encrypted will have a very high entropy score. Where files that have large chunks of the same data such as “1's” will have a low entropy score.

This can be useful to tell if files have been packed or obfuscated. If an analyst had 1,000 files, they could rank the files by…


Malware infection via malicious macros (or scripts within Microsoft Office products such as Word and Excel) are some of the most successful attacks to date.

For example, current APT campaigns such as Emotet, QuickBot infect users by sending seemingly legitimate documents attached to emails i.e. an invoice for business. However, once opened, execute malicious code without the user knowing. This malicious code is often used in what’s known as a “dropper attack”, where additional malicious programs are downloaded onto the host.

To analyze macros we use Vmonkey, which is a parser engine that is capable of analysing visual basic macros…


PDF’s are capable of containing many more types of code that can be executed without the user’s knowledge. This includes:

  • Javascript
  • Python
  • Executables
  • Powershell Shellcode

We can use peepdf to analyze a pdf file to see if there is JavaScript.

remnux@thm-remnux:~/Tasks/3$ peepdf notsuspicious.pdf 
Warning: PyV8 is not installed!!
File: notsuspicious.pdf
MD5: 2992490eb3c13d8006e8e17315a9190e
SHA1: 75884015d6d984a4fcde046159f4c8f9857500ee
SHA256: 83fefd2512591b8d06cda47d56650f9cbb75f2e8dbe0ab4186bf4c0483ef468a
Size: 28891 bytes
Version: 1.7
Binary: True
Linearized: False
Encrypted: False
Updates: 0
Objects: 18
Streams: 3
URIs: 0
Comments: 0
Errors: 0
Version 0:
Catalog: 1
Info: 7…

My notes on THM Room.

This room will cover accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access and escalate your privileges to root via an SUID binary.

Enumeration with Nmap

Scan the machine with nmap, how many ports are open?

7

Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|…

Notes on THM Room

Enumeration through nmap

nmap -p- -A 10.10.107.122

How many ports are open?

3 — Port 80, 6498, 65534

What is the version of nginx?

1.16.1

What is running on the highest port?

Apache

Compromising the Machine

Using GoBuster, find flag 1.

dirb http://10.10.107.122-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Sep 23 20:40:33 2021
URL_BASE: http://10.10.107.122/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------GENERATED WORDS: 4612---- Scanning URL: http://10.10.107.122/ ----
==> DIRECTORY: http://10.10.107.122/hidden/
+ http://10.10.107.122/index.html (CODE:200|SIZE:612)…

My Notes on THM Room.

Data Acquisition & Trust Certificates

The analysis of iPhone backups made with iTunes is an interesting topic, to say the very least. When backing up an iPhone, iTunes accesses the iPhone in a privileged state — similar to using the sudocommand on Linux to run a command with root privileges.

iPhones will only backup to trusted computers. When plugging into a new device, the iPhone will ask the user whether or not they wish to trust the computer . “Trusting” a computer involves generating a pair certificate on both the iPhone and computer. If the certificate matches up on both…


My notes on THM room.

Yara can identify information based on both binary and textual patterns, such as hexadecimal and strings contained within a file.

Introduction to Yara Rules:

Using a Yara rule is simple. Every yara command requires two arguments to be valid, these are:
1) The rule file we create
2) Name of file, directory, or process ID to use the rule for.

Every rule must have a name and condition.

For example, if we wanted to use “myrule.yar” on directory “some directory” we would use the following command:

yara myrule.yar somedirectory

Exapanding on Yara Rules

Yara has a bunch of conditions, below are some of…


My notes on THM room.

You’ve likely encountered a website that requires you to have Special Characters, Capital Letters, and a Number in your password. These are password rules, aimed to make your account more secure and harder for attackers to guess. If you’re trying to bruteforce someones password and you know the password requirements are: 1 Capital Letter, 1 Number, 8 characters. You wouldn’t want to use a wordlist that is 80% lowercase strings.

In this room we’ll be going over how to edit existing wordlists as to not attempt passwords that dont follow the password requirements.

We use…


My notes on THM Room.

Identifying Hashes

Sometimes John won’t play nicely with automatically recognising and loading hashes, that’s okay! We’re able to use other tools to identify the hash, and then set john to use a specific format. There are multiple ways to do this, such as using an online hash identifier like this one. I like to use a tool called hash-identifier, a Python tool that is super easy to use and will tell you what different types of hashes the one you enter is likely to be, giving you more options if the first one fails.

To use hash-identifier…


Recon-

The first step into hacking into any system is to uncover as much information before attempting. One of the first steps is always to do an Nmap scan to find open ports and possible exploitation.

From our scan we can see that there are 6 open ports on this box, we see that we have a web server running on port 3333 with the usage of a vulnerable http protocol.

Locating Directories with GoBuster-

With the web server as our main target, we utilize GoBuster to find all directories under this server. …

Jona

cyber enthusiast

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store