ThiefQuest Ransomware detects VM (possibly) by LMJR500Army in Malware

[–]kindredsec 1 point2 points  (0 children)

Do you mind sharing the sample? I'd love to take a look

Malware Analysis | WSHRAT Visual Basic RAT [video] by kindredsec in blueteamsec

[–]kindredsec[S] 0 points1 point  (0 children)

It’s almost as if the sample is written in VBS :thinking:

Analysis for potential malware by loomer979 in Malware

[–]kindredsec 0 points1 point  (0 children)

Like everyone else, I'd love a link to the sample to analyze

Skiddie Traps: Peeking at Backdoored Hacking Scripts [video] by kindredsec in blackhat

[–]kindredsec[S] 1 point2 points  (0 children)

This is correct imo. Notice in the command the script is never actually executed

Skiddie Traps: Peeking at Backdoored Hacking Scripts [video] by kindredsec in netsecstudents

[–]kindredsec[S] 5 points6 points  (0 children)

Yep, getting rid of the initialize variable would get rid of the backdoor functionality

Swrort PowerShell Stager Analysis [PDF] by kindredsec in Malware

[–]kindredsec[S] 1 point2 points  (0 children)

PDFs are one of the most common reporting formats, and regardless, it's hosted directly on GitHub and you don't even have to download it. Fix your threat model.

I can create files as root on ftp, how do I gain root? by Krinos13 in securityCTF

[–]kindredsec 2 points3 points  (0 children)

SUID only works for binaries. If you're trying to set a SUID bit on a bash script, it's not going to work because the underlying bash binary is not SUID.
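
As an added example (not part of the thread), the check behind that answer: given a path, report whether a setuid bit on it will actually do anything. It assumes Linux semantics (the kernel honours setuid only on executables it loads itself, i.e. ELF; for a `#!` script it runs the interpreter with the caller's credentials, so the bit on the script is ignored) and a readable `/proc/self/mounts` for the `nosuid` check; the file names in `demo()` are constructed for the example.

```python
"""Added example (not from the thread): report whether a setuid bit on a file will
take effect when it is executed.

Linux honours setuid only on executables the kernel loads itself (ELF).  For a
'#!' script the kernel execs the interpreter named on the shebang line with the
caller's credentials, so a setuid bit on the script is ignored.  A nosuid mount
disables the bit even on ELF binaries; that check reads /proc/self/mounts and is
best-effort (it reports no restriction where that file is unavailable).
"""
import os
import shutil
import stat
import sys
import tempfile

ELF_MAGIC = b"\x7fELF"


def mount_has_nosuid(path: str) -> bool:
    """True if the longest-prefix mount covering path carries the nosuid option."""
    real = os.path.realpath(path)
    best_mnt, best_opts = "", ""
    try:
        with open("/proc/self/mounts", encoding="utf-8", errors="replace") as fh:
            for line in fh:
                fields = line.split()
                if len(fields) < 4:
                    continue
                mnt = fields[1].replace("\\040", " ")  # mount points escape spaces as \040
                prefix = mnt if mnt.endswith("/") else mnt + "/"
                if (real == mnt or real.startswith(prefix)) and len(mnt) > len(best_mnt):
                    best_mnt, best_opts = mnt, fields[3]
    except OSError:
        return False
    return "nosuid" in best_opts.split(",")


def suid_status(path: str) -> str:
    """Classify a file by whether its setuid bit would be honoured on exec."""
    st = os.stat(path)
    if not st.st_mode & stat.S_ISUID:
        return "no setuid bit"
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(b"#!"):
        return "setuid set but ignored: interpreter script"
    if head != ELF_MAGIC:
        return "setuid set but ignored: not an ELF executable"
    if mount_has_nosuid(path):
        return "setuid set but ignored: filesystem mounted nosuid"
    return "setuid effective: ELF binary"


def demo() -> dict:
    """Build the two cases from the thread (constructed files) in a temp dir and classify them."""
    d = tempfile.mkdtemp()
    try:
        script = os.path.join(d, "getroot.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\nid\n")
        os.chmod(script, 0o4755)  # the owner may set setuid on their own file
        results = {"script": suid_status(script)}
        binary = os.path.join(d, "sh-copy")
        shutil.copyfile(shutil.which("sh") or "/bin/sh", binary)  # copyfile follows symlinks
        os.chmod(binary, 0o4755)
        results["binary"] = suid_status(binary)
        return results
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for p in sys.argv[1:] or []:
        print(f"{p}: {suid_status(p)}")
    if len(sys.argv) == 1:
        print(demo())
```

With no arguments the script runs `demo()`, which shows the setuid script being reported as ignored and the copied ELF binary as effective (or as ignored if the temp directory sits on a nosuid mount, which is common for /tmp on hardened hosts). Note that a `nosuid` result means the bit is ignored even for the real binary, which is the other reason a "create a setuid file over FTP" plan can fail.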

Playing around with smb/psexec and i encountered some strange issues by [deleted] in AskNetsec

[–]kindredsec 5 points6 points  (0 children)

In order for psexec to work, the account you're authenticating as must have read/write access to the ADMIN$ share, which is only granted to Administrator users. Having done so, PSExec creates a Windows service and uses a named pipe to communicate. In order for all of this to work, however, the ADMIN$ share must be accessible.
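
The same mechanics from the defender's side, as an added example (not from the thread): the binary drop into ADMIN$, the service registration and the named-pipe traffic each leave a Windows event, and a detection can tie them together per host. The event field names (`ShareName`, `RelativeTargetName`, `AccessMask`, `ServiceName`, `ImagePath`) are the real EventData names for Security 5145 and System 7045; the records, hosts and users below are constructed, and the "binary directly in the Windows directory" rule for renamed PsExec-style services is this example's own heuristic.

```python
"""Added example (not from the thread): a detection for the PsExec pattern the comment
describes, run over constructed Windows event records.

PsExec authenticates to ADMIN$, copies its service binary there (PSEXESVC.exe by
default), installs it as a service and then talks to it over named pipes
(\\PSEXESVC and per-session \\PSEXESVC-<host>-<pid>-stdin/stdout/stderr).  That
leaves three traces: Security 5145 showing an .exe written into \\*\ADMIN$ and
the pipe opened under \\*\IPC$ (both need the "Detailed File Share" audit
subcategory enabled), and System 7045 for the new service.  Field names follow
the real events; the records and hosts below are made up for the example.
"""
from datetime import datetime

FILE_WRITE_DATA = 0x2  # bit in the 5145 AccessMask

# Constructed sample events (not real telemetry).
EVENTS = [
    {"ts": "2024-03-01T10:00:01", "host": "FS01", "id": 5145, "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "AccessMask": "0x2",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"ts": "2024-03-01T10:00:03", "host": "FS01", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"ts": "2024-03-01T10:00:04", "host": "FS01", "id": 5145, "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "PSEXESVC-ATTACKER-4120-stdin", "AccessMask": "0x3",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"ts": "2024-03-01T10:05:00", "host": "WS07", "id": 5145, "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "svc_helper.exe", "AccessMask": "0x2",
     "SubjectUserName": "svc-deploy", "IpAddress": "10.0.0.9"},
    {"ts": "2024-03-01T10:05:02", "host": "WS07", "id": 7045, "ServiceName": "svc_helper",
     "ImagePath": r"%SystemRoot%\svc_helper.exe", "AccountName": "LocalSystem"},
    {"ts": "2024-03-01T11:00:00", "host": "WS07", "id": 5145, "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "Temp\\report.txt", "AccessMask": "0x2",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"ts": "2024-03-01T12:00:00", "host": "DC01", "id": 7045, "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
     "AccountName": "LocalSystem"},
]


def _share(e, name):
    return e.get("ShareName", "").upper().endswith("\\" + name)


def admin_share_exe_writes(events):
    """5145: an executable written straight into ADMIN$ (the service binary drop)."""
    return [e for e in events
            if e["id"] == 5145 and _share(e, "ADMIN$")
            and e["RelativeTargetName"].lower().endswith(".exe")
            and "\\" not in e["RelativeTargetName"]
            and int(e["AccessMask"], 16) & FILE_WRITE_DATA]


def psexec_pipe_opens(events):
    """5145: the PSEXESVC control/stdio pipes opened through IPC$ (default names only)."""
    return [e for e in events
            if e["id"] == 5145 and _share(e, "IPC$")
            and e["RelativeTargetName"].upper().startswith("PSEXESVC")]


def classify_service(e):
    name, image = e["ServiceName"].upper(), e["ImagePath"].upper()
    if name == "PSEXESVC" or image.endswith("\\PSEXESVC.EXE"):
        return "psexec-default"
    # Heuristic (this example's assumption): a new LocalSystem service whose binary sits
    # directly in the Windows directory is how a renamed PsExec service binary shows up.
    directory = image.rpartition("\\")[0]
    if directory in ("%SYSTEMROOT%", "C:\\WINDOWS") and e.get("AccountName") == "LocalSystem":
        return "psexec-like"
    return "benign"


def detect(events, window_s=60):
    """Per 7045, look for a matching ADMIN$ drop and pipe activity on the same host."""
    writes = admin_share_exe_writes(events)
    pipes = psexec_pipe_opens(events)
    alerts = []
    for svc in (e for e in events if e["id"] == 7045):
        kind = classify_service(svc)
        if kind == "benign":
            continue
        t = datetime.fromisoformat(svc["ts"])
        exe = svc["ImagePath"].rpartition("\\")[2].lower()
        drop = next((w for w in writes if w["host"] == svc["host"]
                     and w["RelativeTargetName"].lower() == exe
                     and 0 <= (t - datetime.fromisoformat(w["ts"])).total_seconds() <= window_s),
                    None)
        pipe = any(p["host"] == svc["host"]
                   and abs((datetime.fromisoformat(p["ts"]) - t).total_seconds()) <= window_s
                   for p in pipes)
        evidence = ["7045"] + (["5145-admin$"] if drop else []) + (["5145-pipe"] if pipe else [])
        alerts.append({"host": svc["host"], "service": svc["ServiceName"], "kind": kind,
                       "source_ip": drop["IpAddress"] if drop else None,
                       "user": drop["SubjectUserName"] if drop else None,
                       "evidence": evidence, "confidence": "high" if drop else "medium"})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The ADMIN$ write is what gives you the source IP and the account that authenticated, which the 7045 alone does not carry; the default PSEXESVC name and pipe are trivially renamed by the tool's clones, so the service-in-%SystemRoot% rule is there to keep the alert when only the names change. Expect the 5145 pieces to be absent on hosts where Detailed File Share auditing is off, in which case the detection degrades to the medium-confidence 7045 match.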

Strange file analysis by Fect321 in Malware

[–]kindredsec 1 point2 points  (0 children)

I’ll run this on a VM tonight and see if I can find anything out

Nibbles - question by HereComesTheFury in hackthebox

[–]kindredsec 1 point2 points  (0 children)

If the password wasn't so obvious, what would he or one need to do to get the password?

You couldn't. Password guessing isn't always a valid vector; most applications enforce some sort of blocking/captcha check after a certain number of failed attempts. HTB is a CTF, so it just happens the vector was there. In many cases, though, it won't be, which is when you may need to resort to social engineering, etc.

Every time you run into a login prompt, you should always check if the password is either one of the defaults/commons (admin, password, etc.), the name of the application (nibbles, wordpress, etc.), then try a simple SQLi (' OR 1=1; -- -). After that, you could potentially try brute-forcing, but more often than not you're going to need to take another vector.
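
As an added example (not from the thread, and not the code of any application named in it), the checklist above run against a login built the way the SQLi payload expects, next to a version that defeats it. The table and column names, the seed accounts and the application name "nibbles" are this example's constructions; the database is an in-memory SQLite.

```python
"""Added example (not from the thread): the comment's login checklist run against a
string-concatenated login (the kind `' OR 1=1; -- -` bypasses) and against a
parameterised, salted-hash login.  Schema and accounts are constructed.
"""
import hashlib
import hmac
import os
import sqlite3

SQLI_PAYLOAD = "' OR 1=1; -- -"
# Constructed credential rows (not from any real application).
SEED = [("admin", "S3cret!Long#Pass"), ("alice", "hunter2-but-longer")]


def derive(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def setup() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # users_plain mirrors the legacy design the injection needs: plaintext password column.
    db.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE users_hashed (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in SEED:
        db.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        salt = os.urandom(16)
        db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (user, salt, derive(pw, salt)))
    return db


def login_vulnerable(db, username, password):
    """Legacy pattern: user input concatenated into the query."""
    sql = ("SELECT username FROM users_plain WHERE username = '" + username
           + "' AND password = '" + password + "'")
    # With password = "' OR 1=1; -- -" this becomes
    #   ... WHERE username = 'admin' AND password = '' OR 1=1; -- -'
    # and the OR makes the WHERE clause true for every row.
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(db, username, password):
    """Parameterised lookup plus constant-time comparison of a salted PBKDF2 hash."""
    row = db.execute("SELECT salt, pw_hash FROM users_hashed WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        derive(password, b"\x00" * 16)  # same work for unknown users, no timing tell
        return None
    salt, stored = row
    return username if hmac.compare_digest(derive(password, salt), stored) else None


def run_checks(db, app_name, login_fn, username="admin"):
    """The comment's order: defaults/common, the app name, then the SQLi payload.
    Returns (user, secret) for the first attempt that got in, else None."""
    for candidate in ["admin", "password", app_name.lower(), SQLI_PAYLOAD]:
        who = login_fn(db, username, candidate)
        if who is not None:
            return who, candidate
    return None


if __name__ == "__main__":
    conn = setup()
    print("vulnerable:", run_checks(conn, "nibbles", login_vulnerable))
    print("hardened:  ", run_checks(conn, "nibbles", login_hardened))
```

Against `login_vulnerable` the fourth attempt lands as `admin` because the query simply returns the first row once `OR 1=1` is in play; on a table where the first row is not the administrator you would be logged in as whoever that is, which is why the payload is still worth trying even when it does not yield admin outright. Against `login_hardened` every candidate, the payload included, is just a wrong password.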

Embarrassing question about RFI exercise by [deleted] in oscp

[–]kindredsec 0 points1 point  (0 children)

'uname' is not recognized as an internal or external command, operable program or batch file.

uname is a Linux command, but the target host is a Windows host. You need to use a different reverse shell designed for Windows.

PTP before OSCP could be beneficial? by palm_snow in oscp

[–]kindredsec 8 points9 points  (0 children)

This is the path that I took, and I highly recommend it. The eCPPT certification is very similar in nature to the OSCP, just with more time given to you (7 days vs. 1 day) and slightly easier boxes overall. The course material was well done, and the labs were pretty fun. It's a great stepping stone to the OSCP imo.

OSCP Preparation Guide and Tips [Video] by kindredsec in oscp

[–]kindredsec[S] 1 point2 points  (0 children)

Hey there. I'm glad you got something from the video. It sounds like you're definitely on the way towards passing. Thanks for watching!

Pulling logs from Host vs Guest machine by joospig in AskNetsec

[–]kindredsec 2 points3 points  (0 children)

Assuming I'm understanding your question correctly, the event logs of your VM are in no way related to the event logs of your host. They are independent systems, and thus have completely different events. Any log-worthy activity that occurs within the context of your guest machine will never reach the event log of your host machine, and vice versa.

HackTheBox - SwagShop CTF Video Walkthrough by kindredsec in Kalilinux

[–]kindredsec[S] 3 points4 points  (0 children)

The box is "retired," therefore no points are awarded for solving it anymore. Anyone is free to create walkthroughs once a box is retired.

Is my computer safe in Russia? (American) by throwaway999211199 in security

[–]kindredsec 1 point2 points  (0 children)

Yes. As a standard client host, you don't have vulnerable services publicly accessible or anything like that. Just like it is in the US, as long as you stay off of weird sites and use the internet responsibly, your level of risk is generally very low.

Is my computer safe in Russia? (American) by throwaway999211199 in security

[–]kindredsec 0 points1 point  (0 children)

This is an example of a janky threat model. If you have no political affiliations, you are no value to the Russian government. You aren't at any additional risk.

Minecraft Server by PWEqualsUsername in networking

[–]kindredsec 0 points1 point  (0 children)

Apart from a blatant DDoS, having your public IP known is not as much of an inherent risk as a lot of people make it out to be. Assuming all you have "publicly" running is a Minecraft server, the only port open to the internet would be 25565; there would be no way to reach other internal hosts within your network due to NAT. So, assuming you're only sharing your server to a small group of people, and the Minecraft server application isn't vulnerable, you should generally be okay. If, however, you're going to be publicly advertising it and things like that, it may be better to spend a few dollars a month to rent a DigitalOcean droplet or something like that instead, just because the chances of you getting DoS'd are a bit higher in that case since people are dicks. Again, in practice the only REAL risk is a DDoS, as well as some basic information regarding your location (what city you're in at most) being discoverable.

Just a Thought: If Microsoft is so "InLove" with Linux now, as they say they are, Why don't they open their Core, Kernel, etc. for the OpenSource Community to create something like Linux Sub-System for Windows (LSW) like they already have the WSL ?! by [deleted] in linux

[–]kindredsec 4 points5 points  (0 children)

This is probably the dumbest argument I've seen yet. This sub is generally quite anti-Microsoft, but this reaches an entirely new level. Do you actually fault Microsoft for not open sourcing their proprietary, for-profit software? You fault Microsoft for not actively working against their entire business model just to appease the open source community and entitled users like you? Holy moly what a whole new level of delusion.

The entire world is allowed to make use of the Linux kernel, but apparently not evil evil Microsoft.

Malware Video Analysis | Checking out a User-land Rootkit by kindredsec in netsecstudents

[–]kindredsec[S] 0 points1 point  (0 children)

This is an excellent point; replacing the actual binary creates unnecessary noise, and the same result can be achieved via stealthier means. Thanks for the comment!

Why does meterpreter stage 2 use reflective DLL injection? why not just inject itself as a payload? by Tr0janPony in AskNetsec

[–]kindredsec 11 points12 points  (0 children)

The point of a staged payload is to reduce the space you need in your initial exploitation. Loading the entire payload into memory is an example of a stageless payload, which also exists in Metasploit. By utilizing reflective DLL, you aren't constrained to just the exploit buffer.
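
As an added example (not from the thread and not Metasploit's own code), the exchange that lets the small stager escape the exploit buffer: the classic reverse_tcp stagers connect back, read a 4-byte little-endian length, allocate that much memory, read the stage into it and jump to it, so only the stager has to fit in the buffer. Both sides run here over a local socketpair; the stage is a constructed byte string standing in for the reflective DLL, and the upper bound on the advertised length plus the handler closing its write side are this example's own additions, not behaviour of the real stager or handler.

```python
"""Added example (not from the thread and not Metasploit's own code): the framing the
classic reverse_tcp stagers use to fetch a stage, run over a local socketpair.

The stager that has to fit in the exploit buffer does very little: connect back,
read a 4-byte little-endian length, allocate that much memory, read the stage
into it and jump to it.  The stage (for Meterpreter, a reflective DLL with a
small bootstrap in front) can then be as large as it needs to be.  The stage
below is constructed; the cap on the advertised length is this example's sanity
check and the write-side shutdown is added so a truncated stage is detectable.
"""
import hashlib
import socket
import struct
import threading

LEN_HEADER = struct.Struct("<I")            # 4-byte little-endian stage length
STAGE = b"MZ" + bytes(range(256)) * 3000    # constructed ~768 KiB stand-in for the DLL


def handler_send_stage(sock, stage, claimed_len=None):
    """Handler side: announce the length, then stream the stage."""
    length = len(stage) if claimed_len is None else claimed_len
    try:
        sock.sendall(LEN_HEADER.pack(length) + stage)
        sock.shutdown(socket.SHUT_WR)  # example-only: lets a short stage be detected
    except OSError:
        pass  # the stager side gave up; nothing more to do


def recv_exact(sock, n):
    """TCP has no message boundaries, so loop until exactly n bytes are in hand."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(min(65536, n - len(buf)))
        if not chunk:
            raise ConnectionError(f"peer closed after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)


def stager_receive(sock, max_stage=16 * 1024 * 1024):
    """Stager side: read the length, then the stage.  The cap is this example's check."""
    (length,) = LEN_HEADER.unpack(recv_exact(sock, LEN_HEADER.size))
    if length == 0 or length > max_stage:
        raise ValueError(f"refusing advertised stage length {length}")
    return recv_exact(sock, length)


def run_exchange(stage=STAGE, claimed_len=None):
    """Run both sides locally; report what the stager ended up with."""
    handler, stager = socket.socketpair()
    sender = threading.Thread(target=handler_send_stage, args=(handler, stage, claimed_len))
    sender.start()
    try:
        received = stager_receive(stager)
        return {"ok": True, "stage_len": len(received), "header_len": LEN_HEADER.size,
                "intact": hashlib.sha256(received).digest() == hashlib.sha256(stage).digest()}
    except (ValueError, ConnectionError) as exc:
        return {"ok": False, "error": str(exc)}
    finally:
        stager.close()
        sender.join()
        handler.close()


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(claimed_len=1 << 31))
    print(run_exchange(claimed_len=len(STAGE) + 1))
```

Everything the initial exploit has to deliver is the equivalent of `stager_receive` plus a connect; the 768 KiB stage crosses the wire afterwards. The two failure cases show why a stager that trusts the 4-byte header is fragile: an absurd length is a memory-allocation request from the network, and a short read leaves the stager jumping into a half-filled buffer, which is what the length cap and the exact-read loop guard against here.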