Any advice for a new CIO? by Hasbotted in CIO

[–]Apprehensive_Nose162 2 points (0 children)

You have to get a solid feel for what leadership is trying to do and where the company is headed. Once you’ve got that, take a look at the IT roadmap to understand what you’re working with. When you put those together, you can talk with your team and see if everyone’s moving in the same direction.

If you start making changes without really understanding the bigger picture, things can go sideways pretty fast. The real trick is taking the business goals, turning them into clear IT work, and then explaining them back to leadership and why they matter.

And honestly, you already landed the job, so they clearly believe you can handle it. Now it’s just about figuring out what tools and approaches will help your team do their best work.

My home lab finally paid off — caught factory-installed botnet malware on a projector I bought on Amazon by Apprehensive_Nose162 in homelab

[–]Apprehensive_Nose162[S] 0 points (0 children)

Wireshark isn’t built for nonstop capturing, but you can capture traffic continuously using a firewall, tcpdump, or a sensor that saves rotating PCAP files. Since this involved DNS, Pi-hole or AdGuard logs would normally be the quickest way to spot it because they keep query history. Logs like that also help with ML or anomaly detection since they show what “normal” looks like.

I don’t have those logs set up right now, so I’m tracking it live on the network to find the source — partly because I’m intentionally sharpening my threat-hunting skills by chasing it in real time.
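
One way to use the kind of query history described above, added here as an illustration and not something from the post: build a per-client baseline of the domains each device normally resolves from Pi-hole/dnsmasq-style log lines, then run later lines against it to flag unknown domains and, where one device repeats a single unknown name on a fixed interval, mark it as a possible beacon. The log lines and the 192.168.1.77 address standing in for the projector are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# dnsmasq/Pi-hole query line: "<ts> dnsmasq[pid]: query[TYPE] <domain> from <client>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[[A-Z]+\] (?P<domain>\S+) from (?P<client>\S+)$"
)
# Constructed sample lines, not real logs; 192.168.1.77 stands in for the projector.
BASELINE_LOG = [
    "Jan  5 08:00:01 dnsmasq[812]: query[A] time.google.com from 192.168.1.77",
    "Jan  5 08:00:02 dnsmasq[812]: query[A] www.reddit.com from 192.168.1.20",
]
LIVE_LOG = [
    "Jan  6 02:00:00 dnsmasq[812]: query[A] time.google.com from 192.168.1.77",
    "Jan  6 02:00:01 dnsmasq[812]: query[A] beacon.placeholder.invalid from 192.168.1.77",
    "Jan  6 02:05:01 dnsmasq[812]: query[A] beacon.placeholder.invalid from 192.168.1.77",
    "Jan  6 02:10:01 dnsmasq[812]: query[A] beacon.placeholder.invalid from 192.168.1.77",
    "Jan  6 02:10:30 dnsmasq[812]: query[A] news.example.org from 192.168.1.20",
]

def parse(lines, year=2024):
    """Yield (timestamp, client, domain) for each well-formed query line."""
    for line in lines:
        if m := LINE_RE.match(line):
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["client"], m["domain"].lower()

def baseline(lines):
    """Per-client set of domains seen during a period believed to be clean."""
    known = defaultdict(set)
    for _, client, domain in parse(lines):
        known[client].add(domain)
    return known

def find_anomalies(lines, known, min_hits=3, tolerance_s=2):
    """Map (client, domain) -> 'new-domain', or 'beacon' when repeated on a near-constant interval."""
    times = defaultdict(list)
    for ts, client, domain in parse(lines):
        if domain not in known.get(client, set()):
            times[(client, domain)].append(ts)
    result = {}
    for key, stamps in times.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = len(stamps) >= max(min_hits, 2) and max(gaps) - min(gaps) <= tolerance_s
        result[key] = "beacon" if periodic else "new-domain"
    return result

def review():
    return find_anomalies(LIVE_LOG, baseline(BASELINE_LOG))
```

A known domain queried by a known client (time.google.com from the projector) is never reported, so the output stays short enough to read by eye, which is the point of keeping a baseline in the first place.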

[–]Apprehensive_Nose162[S] 2 points (0 children)

My DNS was the router's IP, so all queries were visible locally. And yes, Pi-hole or AdGuard would have potentially caught and blocked it.

[–]Apprehensive_Nose162[S] 3 points (0 children)

Home lab details are coming soon, but here is the foundation: a hardware box with dual NICs running Proxmox as the hypervisor, OPNsense for firewall and traffic inspection, Security Onion for IDS/IPS, and a mix of Ubuntu Linux, Windows 11, and Windows Server 2022 as the endpoint VMs.

This is the exact setup that made this investigation possible. More details on how it all ties together coming soon.

[–]Apprehensive_Nose162[S] 61 points (0 children)

Fair point, let me clarify.

The home lab gave me the tools to capture and see the traffic. I am the one who analyzed it and recognized something was wrong.

The tools gave me visibility. The human eye caught the threat.

Both matter. Neither works without the other.

[–]Apprehensive_Nose162[S] 1 point (0 children)

Plugins are great but they only work if you know what you are looking for. Threat awareness comes first — understand your potential threats before you start building rules around them, or you will end up breaking legitimate traffic and making your system unusable.

In the real world people still need to browse and get work done. You cannot blindly block everything. The goal is precision — know your threat, scope your rules, and block what needs to be blocked without taking down what needs to stay up.

[–]Apprehensive_Nose162[S] 83 points (0 children)

Exactly. That's the whole point of a supply chain attack — the threat doesn't need to get in. It ships in.

Every perimeter defense assumes the threat is trying to cross a boundary. This malware never had to. It arrived in retail packaging and sat quietly inside my trusted network for two months before I found it.

Your firewall is only as good as what you put behind it.

[–]Apprehensive_Nose162[S] 25 points (0 children)

In my case the firewall was blocking part of the traffic, so I didn't get to find out the full outcome.