File entropy is a score of how random the data inside a PE file is, on a scale of 0 to 8. A score near 0 means the data has very little randomness, while a score near 8 means the data is close to uniformly random.
Encrypted (or compressed) files have a very high entropy score, whereas files made up of large runs of the same value, such as all 1's, have a low entropy score.
This is useful for telling whether files have been packed or obfuscated. If an analyst had 1,000 files, they could rank the files by…
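Shannon entropy is what these scores measure: with p(b) the fraction of the file made up of byte value b, H = -Σ p(b)·log2 p(b), which is 0 when one byte value fills the file and 8 when all 256 values are equally common. The following is an added example, not code from the room; the sample "files" are constructed inline, and the 7.0 window threshold is this example's assumption rather than a standard cut-off.

```python
"""Shannon entropy of a file's bytes, as an added example (not code from the page).

Scores run from 0 (every byte identical) to 8 (all 256 byte values equally
likely). The sample inputs below are constructed inline so it runs offline.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    # H = -sum(p * log2(p)) over the byte values that actually occur.
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def rank_by_entropy(files: dict[str, bytes]) -> list[tuple[str, float]]:
    """Rank {name: contents} from most to least random, the triage order
    an analyst would use to push likely packed/encrypted samples to the top."""
    scored = [(name, shannon_entropy(blob)) for name, blob in files.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def high_entropy_windows(data: bytes, window: int = 256,
                         threshold: float = 7.0) -> list[int]:
    """Offsets of fixed-size windows whose entropy exceeds `threshold`.
    A packed PE usually shows up as one large high-entropy region (the
    packed payload) rather than a uniformly high score for the whole file.
    The 7.0 threshold is an assumption chosen for this example."""
    return [
        off for off in range(0, len(data), window)
        if shannon_entropy(data[off:off + window]) > threshold
    ]


# Constructed sample "files" (not real malware): a zero-filled file, an
# ASCII text file, and a file whose bytes cover every value uniformly,
# which behaves like ciphertext or well-compressed data.
SAMPLES = {
    "zeros.bin": b"\x00" * 1024,
    "readme.txt": b"the quick brown fox jumps over the lazy dog " * 24,
    "packed.bin": bytes(range(256)) * 4,
}

if __name__ == "__main__":
    for name, score in rank_by_entropy(SAMPLES):
        print(f"{score:5.2f}  {name}")
```

Whole-file entropy is a coarse signal: a large PE with a small encrypted resource can still score moderately overall, which is why the windowed check is worth running alongside the ranking. Read real samples with `open(path, "rb").read()` in place of the constructed dictionary.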
Malware infection via malicious macros (scripts embedded in Microsoft Office products such as Word and Excel) is one of the most successful attack techniques to date.
For example, current APT campaigns such as Emotet and QuickBot infect users by emailing seemingly legitimate documents, e.g. an invoice for a business. Once opened, the document executes malicious code without the user knowing. This code is often used in what's known as a “dropper attack”, where additional malicious programs are downloaded onto the host.
To analyse macros we use Vmonkey, a parser engine capable of analysing Visual Basic macros…
PDFs can contain many more kinds of code that execute without the user's knowledge. This includes:
remnux@thm-remnux:~/Tasks/3$ peepdf notsuspicious.pdf
Warning: PyV8 is not installed!!

File: notsuspicious.pdf
Size: 28891 bytes
Errors: 0

Version 0:
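Before reaching for peepdf, the same question (does this PDF carry an action, script or embedded file?) can be answered with a raw scan of its name objects. The following is an added example and not peepdf's implementation; the list of risky names and both sample PDFs are constructed for this illustration. It decodes the `#xx` name escapes (`/J#61vaScript`) that naive string searches miss.

```python
"""Raw keyword scan of a PDF, as an added example (not code from the page and
not peepdf's implementation). It counts the name objects that let a PDF run
code or load content without the reader's involvement, decoding the #xx
name escapes that authors use to hide them from a plain grep.
"""
import re

# PDF name objects commonly associated with automatic or hidden behaviour.
# The set is this example's choice; peepdf/pdfid look for a similar list.
RISKY_NAMES = {
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/URI", "/ObjStm",
}

NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
HEX_ESCAPE_RE = re.compile(r"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Turn a raw name token into canonical form, e.g. J#61vaScript -> /JavaScript."""
    text = raw.decode("latin-1")
    return "/" + HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_pdf(data: bytes) -> dict:
    """Return counts of risky names plus the number of %%EOF markers.
    More than one %%EOF means the file carries incremental updates, which
    peepdf reports as separate 'Version N' sections."""
    counts = {name: 0 for name in RISKY_NAMES}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    hits = {k: v for k, v in counts.items() if v}
    return {"names": hits, "versions": data.count(b"%%EOF")}


def is_suspicious(report: dict) -> bool:
    """Any risky name at all is worth a closer look in peepdf."""
    return bool(report["names"])


# Constructed sample: an otherwise empty PDF whose catalog auto-runs a
# JavaScript action, with a second copy of the action using a #-escaped name.
SUSPICIOUS_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('hidden')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample with no actions at all.
BENIGN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, scan_pdf(blob))
```

The caveat a practitioner needs: this scan only sees names in plain text. Objects hidden inside a FlateDecode-compressed stream or an `/ObjStm` object stream are invisible to it, which is exactly why a `/ObjStm` hit with no other findings still deserves a look with peepdf, which inflates streams before reporting.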
My notes on THM Room.
This room will cover accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access and escalate your privileges to root via an SUID binary.
Scan the machine with nmap, how many ports are open?
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
Notes on THM Room
nmap -p- -A 10.10.107.122
3 — Port 80, 6498, 65534
By The Dark Raver
-----------------
START_TIME: Thu Sep 23 20:40:33 2021
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.107.122/ ----
==> DIRECTORY: http://10.10.107.122/hidden/
+ http://10.10.107.122/index.html (CODE:200|SIZE:612)…
My Notes on THM Room.
The analysis of iPhone backups made with iTunes is an interesting topic, to say the very least. When backing up an iPhone, iTunes accesses the iPhone in a privileged state, similar to using the sudo command on Linux to run a command with root privileges.
iPhones will only back up to trusted computers. When plugged into a new device, the iPhone asks the user whether or not they wish to trust the computer. “Trusting” a computer involves generating a certificate pair on both the iPhone and the computer. If the certificates match on both…
My notes on THM room.
Yara can identify information based on both binary and textual patterns, such as hexadecimal and strings contained within a file.
Using a Yara rule is simple. Every yara command requires two arguments to be valid, these are:
1) The rule file we create
2) Name of file, directory, or process ID to use the rule for.
Every rule must have a name and condition.
For example, if we wanted to use “myrule.yar” on the directory “somedirectory” we would use the following command:
yara myrule.yar somedirectory
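A rule that exercises both pattern kinds mentioned above, a textual string and a hexadecimal byte sequence, together with the mandatory name and condition. This is an added example written for this page, not a rule from the room; the strings it looks for (the DOS stub text, the `MZ` magic and `cmd.exe`) are chosen purely to illustrate the syntax, so treat them as assumptions rather than a detection of anything in particular.

```yara
// Added example rule, not from the THM room.
// Every rule needs a name (after `rule`) and a `condition:` block;
// `strings:` and `meta:` are optional but almost always present.
rule thm_example_hex_and_text
{
    meta:
        description = "Matches a PE-like file that mentions cmd.exe"
        author      = "editor example"

    strings:
        // Textual pattern: the standard DOS stub message in a PE header
        $dos_stub = "This program cannot be run in DOS mode"
        // Hexadecimal pattern: the two-byte 'MZ' magic of a PE file
        $mz       = { 4D 5A }
        // Text pattern with modifiers: match regardless of case and in
        // both 8-bit (ascii) and UTF-16LE (wide) encodings
        $cmd      = "cmd.exe" nocase ascii wide

    condition:
        // 'MZ' must be at offset 0, and both strings must appear somewhere
        $mz at 0 and $dos_stub and $cmd
}
```

Save it as myrule.yar and run it as `yara -r myrule.yar somedirectory` (`-r` recurses into subdirectories); adding `-s` prints the offset and content of every matched string, which is the quickest way to check that a rule fires for the reason you intended.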
Yara has a bunch of conditions, below are some of…
My notes on THM room.
You've likely encountered a website that requires you to have special characters, capital letters and a number in your password. These are password rules, intended to make your account more secure and harder for attackers to guess. If you're trying to brute-force someone's password and you know the password requirements are 1 capital letter, 1 number and 8 characters, you wouldn't want to use a wordlist that is 80% lowercase strings.
In this room we'll be going over how to edit existing wordlists so as not to attempt passwords that don't follow the password requirements.
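One way to apply the room's example policy to a wordlist, as an added example rather than the room's own method: each candidate is checked against minimum counts of length, capitals, digits and special characters, and anything that cannot satisfy the policy is dropped before it ever reaches the cracking tool. The sample wordlist is constructed for this illustration, and "8 characters" is treated as a minimum of 8 (an assumption).

```python
"""Trim a wordlist to a site's password policy, as an added example (not code
from the page). Candidates that cannot satisfy the policy are dropped so the
brute force does not waste attempts on them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_len: int = 8
    upper: int = 1    # minimum number of capital letters
    digits: int = 1   # minimum number of digits
    special: int = 0  # minimum number of non-alphanumeric characters


def matches_policy(candidate: str, policy: Policy) -> bool:
    """True if the candidate could be accepted under the policy."""
    return (
        len(candidate) >= policy.min_len
        and sum(c.isupper() for c in candidate) >= policy.upper
        and sum(c.isdigit() for c in candidate) >= policy.digits
        and sum(not c.isalnum() for c in candidate) >= policy.special
    )


def filter_wordlist(lines, policy: Policy) -> list[str]:
    """Keep only candidates that meet the policy. Accepts any iterable of
    lines (a list or an open file); trailing newlines and blank lines are
    discarded."""
    kept = []
    for line in lines:
        word = line.rstrip("\r\n")
        if word and matches_policy(word, policy):
            kept.append(word)
    return kept


# Constructed sample wordlist (not a real leak). The room's example policy
# is 1 capital letter, 1 number, 8 characters; here that means at least 8.
SAMPLE_WORDLIST = [
    "password",      # no capital, no digit
    "Password",      # no digit
    "Password1",     # ok
    "P4ssw0rd",      # ok
    "summer2021",    # no capital
    "Summer21",      # ok (exactly 8 characters)
    "Sun1",          # too short
    "Admin#2022",    # ok, and the only one with a special character
]

if __name__ == "__main__":
    for pw in filter_wordlist(SAMPLE_WORDLIST, Policy()):
        print(pw)
```

Against a real list, pass the open file in: `filter_wordlist(open("rockyou.txt", encoding="latin-1"), Policy())`, and write the result to a new file rather than overwriting the original so the unfiltered list stays available for the next target's policy.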
My notes on THM Room.
Sometimes John won't play nicely with automatically recognising and loading hashes, but that's okay! We're able to use other tools to identify the hash and then tell john to use a specific format. There are multiple ways to do this, such as using an online hash identifier like this one. I like to use a tool called hash-identifier, a Python tool that is super easy to use and will tell you what different types of hash the one you enter is likely to be, giving you more options if the first one fails.
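The identification step boils down to looking at the hash's prefix and length, and the useful output is an ordered list of `--format` names to try. The following is an added example, not the hash-identifier tool or john's own detector; the format names are real john names, but the ordering of candidates within each length is this example's guess at likelihood, and the demo hashes are constructed.

```python
"""Heuristic hash-type identification mapped to john's --format names, as an
added example (not the hash-identifier tool and not john's own detector).
Returns candidates most-likely first, so a failed format can be retried
with the next one.
"""
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Unsalted hex digests share lengths, so each length maps to several john
# formats. The order within a list is this example's guess at likelihood.
BY_HEX_LENGTH = {
    32: ["raw-md5", "nt", "raw-md4"],
    40: ["raw-sha1", "ripemd-160"],
    64: ["raw-sha256"],
    128: ["raw-sha512"],
}

# crypt(3)-style prefixes identify the algorithm unambiguously.
BY_PREFIX = [
    ("$1$", "md5crypt"),
    ("$5$", "sha256crypt"),
    ("$6$", "sha512crypt"),
    ("$2a$", "bcrypt"),
    ("$2b$", "bcrypt"),
    ("$2y$", "bcrypt"),
]


def guess_formats(hash_value: str) -> list[str]:
    """Return john --format candidates for one hash, most likely first."""
    h = hash_value.strip()
    # Accept "user:hash" lines as found in /etc/shadow-style dumps.
    if ":" in h and not h.startswith("$"):
        h = h.split(":", 1)[1]
    for prefix, fmt in BY_PREFIX:
        if h.startswith(prefix):
            return [fmt]
    if HEX_RE.match(h):
        return list(BY_HEX_LENGTH.get(len(h), []))
    return []


def john_commands(hash_value: str, hash_file: str = "hash.txt") -> list[str]:
    """The john invocations to try in order, one per candidate format."""
    return [f"john --format={fmt} {hash_file}" for fmt in guess_formats(hash_value)]


if __name__ == "__main__":
    # Constructed demo inputs: md5("password"), a sha1-length digest,
    # and a string with the shape of a sha512crypt hash (not a real one).
    for sample in (
        "5f4dcc3b5aa765d61d8327deb882cf99",
        "b" * 40,
        "root:$6$saltsalt$" + "x" * 86,
    ):
        for cmd in john_commands(sample):
            print(cmd)
```

A 32-character hex hash is the classic ambiguity: raw-md5 and nt (NTLM) look identical, so when the first format finds nothing, the second command is the one to run. `john --list=formats` prints every format name your build supports, which is worth checking before trusting any table like the one above.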
The first step in hacking any system is to gather as much information as possible before attempting an attack. One of the first steps is always an Nmap scan to find open ports and possible avenues of exploitation.
From our scan we can see that there are 6 open ports on this box, and that a web server is running on port 3333 using a vulnerable HTTP protocol.
With the web server as our main target, we utilize GoBuster to find all directories under this server. …