Skip to content

Commit

Permalink
new writeups
Browse files Browse the repository at this point in the history
  • Loading branch information
@H3xKatana
H3xKatana committed Apr 10, 2024
1 parent f97d795 commit d77a671
Show file tree
Hide file tree
Showing 29 changed files with 254 additions and 15 deletions.
71 changes: 71 additions & 0 deletions content/post/Unit42.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
---
title: "hackthebox sherlocks Unit42"
summary: "Unit42 htb sherlocks writeup"
# weight: 1
# aliases: ["/first"]
tags: ["Post","hackthebox","sherlocks","DFIR"]
author: "Katana"
# author: ["Me", "You"] # multiple authors
showToc: true
TocOpen: false
draft: false
hidemeta: false
comments: false
description: "Unit42 htb sherlocks writeup"
canonicalURL: "https://h3xkatana.github.io/Blog/post/unit42/"
disableHLJS: true # to disable highlightjs
disableShare: false
disableHLJS: false
hideSummary: false
searchHidden: true
ShowReadingTime: true
ShowBreadCrumbs: true
#ShowPostNavLinks: true
ShowWordCount: true
ShowRssButtonInSectionTermList: true
UseHugoToc: true
cover:
image: "<image path/url>" # image path/url
alt: "<alt text>" # alt text
caption: "<text>" # display caption under cover
relative: false # when using page bundles set this to true
hidden: true # only hide on current single page
editPost:
URL: "https://github.com/<path_to_repo>/content"
Text: "Suggest Changes" # edit text
appendFilePath: true # to append file path to Edit link
---

INTRO:
In this Sherlock, you will familiarize yourself with Sysmon logs and various useful EventIDs for identifying and analyzing malicious activities on a Windows system. Palo Alto's Unit42 recently conducted research on an UltraVNC campaign, wherein attackers utilized a backdoored version of UltraVNC to maintain access to systems. This lab is inspired by that campaign and guides participants through the initial access stage of the campaign.


![Alt text](/img/1.png)

We have a file containing Windows event logs that capture suspicious activity.
These logs are accompanied by well-defined rules for detection.

Upon filtering, we discovered that there are 56 occurrences of Event ID 11,
which is highly suspicious because this ID typically signifies file creation events.

Event ID 1 provides detailed records of processes, including their names,
hashes, and parent paths. This information can be instrumental in identifying malware.

Event ID 22 presents domain records,
indicating that the file was downloaded from Dropbox, which raises suspicion.

Event ID 2 indicates a process altering file creation times, a behavior that is often indicative of malicious activity.

For Task 5, the instruction is to search for Event ID 11 alongside the presence of "once.cmd",
suggesting a specific detection scenario.

Task 6 involves utilizing Event ID 22 to uncover domain names associated with potentially malicious activities.

Task 7 entails leveraging Event ID 3, which typically indicates network connections,
to identify suspicious connections, particularly those involving TCP connections to suspicious IP addresses.

Finally, Task 8 involves using Event ID 5 to compile a list of terminated processes,
which could provide insights into potentially malicious activities that have been halted.

In summary, by analyzing specific event IDs and their associated details,
we can effectively detect and investigate suspicious activities within the Windows event logs.
2 changes: 0 additions & 2 deletions content/post/first_post.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,6 @@ title: "First_post"
date: 2024-03-27T13:11:06+01:00
tags : ['angr','python','picoCTF2024']
categories : ['ctf-writeups']


author: "Katana"
# author: ["Me", "You"] # multiple authors
showToc: true
Expand Down
3 changes: 1 addition & 2 deletions public/categories/ctf-writeups/index.html
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
<!doctype html><html lang=en dir=auto><head><script src="/livereload.js?mindelay=10&amp;v=2&amp;port=1313&amp;path=livereload" data-no-instant defer></script><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=robots content="index, follow"><title>Ctf-Writeups | Katana</title>
<meta name=keywords content><meta name=description content="This is my personal blog. I'm CS studen and ctf player"><meta name=author content><link rel=canonical href=http://localhost:1313/categories/ctf-writeups/><link crossorigin=anonymous href=/assets/css/stylesheet.4599eadb9eb2ad3d0a8d6827b41a8fda8f2f4af226b63466c09c5fddbc8706b7.css integrity="sha256-RZnq256yrT0KjWgntBqP2o8vSvImtjRmwJxf3byHBrc=" rel="preload stylesheet" as=style><link rel=icon href=http://localhost:1313/favicon.ico><link rel=icon type=image/png sizes=16x16 href=http://localhost:1313/favicon-16x16.png><link rel=icon type=image/png sizes=32x32 href=http://localhost:1313/favicon-32x32.png><link rel=apple-touch-icon href=http://localhost:1313/apple-touch-icon.png><link rel=mask-icon href=http://localhost:1313/safari-pinned-tab.svg><meta name=theme-color content="#2e2e33"><meta name=msapplication-TileColor content="#2e2e33"><link rel=alternate type=application/rss+xml href=http://localhost:1313/categories/ctf-writeups/index.xml><link rel=alternate hreflang=en href=http://localhost:1313/categories/ctf-writeups/><noscript><style>#theme-toggle,.top-link{display:none}</style><style>@media(prefers-color-scheme:dark){:root{--theme:rgb(29, 30, 32);--entry:rgb(46, 46, 51);--primary:rgb(218, 218, 219);--secondary:rgb(155, 156, 157);--tertiary:rgb(65, 66, 68);--content:rgb(196, 196, 197);--code-block-bg:rgb(46, 46, 51);--code-bg:rgb(55, 56, 62);--border:rgb(51, 51, 51)}.list{background:var(--theme)}.list:not(.dark)::-webkit-scrollbar-track{background:0 0}.list:not(.dark)::-webkit-scrollbar-thumb{border-color:var(--theme)}}</style></noscript><meta property="og:title" content="Ctf-Writeups"><meta property="og:description" content="This is my personal blog. I'm CS studen and ctf player"><meta property="og:type" content="website"><meta property="og:url" content="http://localhost:1313/categories/ctf-writeups/"><meta property="og:site_name" content="katana"><meta name=twitter:card content="summary"><meta name=twitter:title content="Ctf-Writeups"><meta name=twitter:description content="This is my personal blog. I'm CS studen and ctf player"></head><body class=list id=top><script>localStorage.getItem("pref-theme")==="dark"?document.body.classList.add("dark"):localStorage.getItem("pref-theme")==="light"?document.body.classList.remove("dark"):window.matchMedia("(prefers-color-scheme: dark)").matches&&document.body.classList.add("dark")</script><header class=header><nav class=nav><div class=logo><a href=http://localhost:1313/ accesskey=h title="Home (Alt + H)"><img src=http://localhost:1313/apple-touch-icon.png alt aria-label=logo height=35>Home</a><div class=logo-switches><button id=theme-toggle accesskey=t title="(Alt + T)"><svg id="moon" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1111.21 3 7 7 0 0021 12.79z"/></svg><svg id="sun" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="5"/><line x1="12" y1="1" x2="12" y2="3"/><line x1="12" y1="21" x2="12" y2="23"/><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"/><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"/><line x1="1" y1="12" x2="3" y2="12"/><line x1="21" y1="12" x2="23" y2="12"/><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"/><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"/></svg></button></div></div><ul id=menu><li><a href=http://localhost:1313/archives/ title=Archive><span>Archive</span></a></li><li><a href=http://localhost:1313/categories/ title=categories><span>categories</span></a></li><li><a href=http://localhost:1313/search/ title="Search (Alt + /)" accesskey=/><span>Search</span></a></li><li><a href=http://localhost:1313/tags/ title=tags><span>tags</span></a></li></ul></nav></header><main class=main><header class=page-header><div class=breadcrumbs><a href=http://localhost:1313/>Home</a>&nbsp;»&nbsp;<a href=http://localhost:1313/categories/>Categories</a></div><h1>Ctf-Writeups
<a href=/categories/ctf-writeups/index.xml title=RSS aria-label=RSS><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" height="23"><path d="M4 11a9 9 0 019 9"/><path d="M4 4a16 16 0 0116 16"/><circle cx="5" cy="19" r="1"/></svg></a></h1></header><article class="post-entry tag-entry"><header class=entry-header><h2 class=entry-hint-parent>First_post</h2></header><div class=entry-content><p>ANGR this is a challnge from the last picoctf 2024 its named crackme101
import angr import claripy import sys proj = angr.Project("./crackme100", auto_load_libs=False) flag = claripy.BVS('flag', 8*50) state = proj.factory.full_init_state( add_options=angr.options.unicorn, stdin=angr.SimPackets(name='stdin', content=[(flag, 50)]), #remove_options={angr.options.LAZY_SOLVES} ) for i in range(50): state.solver.add(flag.get_byte(i) >=b'a') state.solver.add(flag.get_byte(i) &lt;=b'z') def is_successful(state): stdout_output = state.posix.dumps(sys.stdout.fileno()) return b"SUCCESS" in stdout_output def should_abort(state): stdout_output = state.posix.dumps(sys.stdout.fileno()) return b"FAILED!" in stdout_output sm = proj.factory.simulation_manager(state) sm.explore(find=is_successful, avoid=should_abort) sm.run() if sm.found: sol = sm....</p></div><footer class=entry-footer><span title='2024-03-27 13:11:06 +0100 WAT'>March 27, 2024</span>&nbsp;·&nbsp;1 min&nbsp;·&nbsp;77 words&nbsp;·&nbsp;Katana</footer><a class=entry-link aria-label="post link to First_post" href=http://localhost:1313/post/first_post/></a></article></main><footer class=footer><span>&copy; 2024 <a href=http://localhost:1313/>Katana</a></span>
<a href=/categories/ctf-writeups/index.xml title=RSS aria-label=RSS><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" height="23"><path d="M4 11a9 9 0 019 9"/><path d="M4 4a16 16 0 0116 16"/><circle cx="5" cy="19" r="1"/></svg></a></h1></header><article class="post-entry tag-entry"><header class=entry-header><h2 class=entry-hint-parent>First_post</h2></header><div class=entry-content><p>PicoCTF crackme101 with ANGR</p></div><footer class=entry-footer><span title='2024-03-27 13:11:06 +0100 WAT'>March 27, 2024</span>&nbsp;·&nbsp;1 min&nbsp;·&nbsp;77 words&nbsp;·&nbsp;Katana</footer><a class=entry-link aria-label="post link to First_post" href=http://localhost:1313/post/first_post/></a></article></main><footer class=footer><span>&copy; 2024 <a href=http://localhost:1313/>Katana</a></span>
<span>Powered by
<a href=https://gohugo.io/ rel="noopener noreferrer" target=_blank>Hugo</a> &
<a href=https://github.com/adityatelange/hugo-PaperMod/ rel=noopener target=_blank>PaperMod</a></span></footer><a href=#top aria-label="go to top" title="Go to Top (Alt + G)" class=top-link id=top-link accesskey=g><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 12 6" fill="currentcolor"><path d="M12 6H0l6-6z"/></svg>
Expand Down
Binary file added public/img/1.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
2 changes: 1 addition & 1 deletion public/index.html
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<!doctype html><html lang=en dir=auto><head><meta name=generator content="Hugo 0.124.1"><script src="/livereload.js?mindelay=10&amp;v=2&amp;port=1313&amp;path=livereload" data-no-instant defer></script><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=robots content="index, follow"><title>Katana</title>
<meta name=keywords content="Blog,CTF,ctfwriteups,hacking,reverse,pwn"><meta name=description content="This is my personal blog. I'm CS studen and ctf player"><meta name=author content><link rel=canonical href=http://localhost:1313/><link crossorigin=anonymous href=/assets/css/stylesheet.4599eadb9eb2ad3d0a8d6827b41a8fda8f2f4af226b63466c09c5fddbc8706b7.css integrity="sha256-RZnq256yrT0KjWgntBqP2o8vSvImtjRmwJxf3byHBrc=" rel="preload stylesheet" as=style><link rel=icon href=http://localhost:1313/favicon.ico><link rel=icon type=image/png sizes=16x16 href=http://localhost:1313/favicon-16x16.png><link rel=icon type=image/png sizes=32x32 href=http://localhost:1313/favicon-32x32.png><link rel=apple-touch-icon href=http://localhost:1313/apple-touch-icon.png><link rel=mask-icon href=http://localhost:1313/safari-pinned-tab.svg><meta name=theme-color content="#2e2e33"><meta name=msapplication-TileColor content="#2e2e33"><link rel=alternate type=application/rss+xml href=http://localhost:1313/index.xml><link rel=alternate type=application/json href=http://localhost:1313/index.json><link rel=alternate hreflang=en href=http://localhost:1313/><noscript><style>#theme-toggle,.top-link{display:none}</style><style>@media(prefers-color-scheme:dark){:root{--theme:rgb(29, 30, 32);--entry:rgb(46, 46, 51);--primary:rgb(218, 218, 219);--secondary:rgb(155, 156, 157);--tertiary:rgb(65, 66, 68);--content:rgb(196, 196, 197);--code-block-bg:rgb(46, 46, 51);--code-bg:rgb(55, 56, 62);--border:rgb(51, 51, 51)}.list{background:var(--theme)}.list:not(.dark)::-webkit-scrollbar-track{background:0 0}.list:not(.dark)::-webkit-scrollbar-thumb{border-color:var(--theme)}}</style></noscript><meta property="og:title" content="Katana"><meta property="og:description" content="This is my personal blog. I'm CS studen and ctf player"><meta property="og:type" content="website"><meta property="og:url" content="http://localhost:1313/"><meta property="og:site_name" content="katana"><meta name=twitter:card content="summary"><meta name=twitter:title content="Katana"><meta name=twitter:description content="This is my personal blog. I'm CS studen and ctf player"><script type=application/ld+json>{"@context":"https://schema.org","@type":"Organization","name":"Katana","url":"http://localhost:1313/","description":"This is my personal blog. I\u0026#39;m CS studen and ctf player","thumbnailUrl":"http://localhost:1313/favicon.ico","sameAs":["https://twitter.com/h3xkatana","https://www.linkedin.com/in/kara-mohamed-mourtadha-658a02280/","https://github.com/H3xKatana"]}</script></head><body class=list id=top><script>localStorage.getItem("pref-theme")==="dark"?document.body.classList.add("dark"):localStorage.getItem("pref-theme")==="light"?document.body.classList.remove("dark"):window.matchMedia("(prefers-color-scheme: dark)").matches&&document.body.classList.add("dark")</script><header class=header><nav class=nav><div class=logo><a href=http://localhost:1313/ accesskey=h title="Home (Alt + H)"><img src=http://localhost:1313/apple-touch-icon.png alt aria-label=logo height=35>Home</a><div class=logo-switches><button id=theme-toggle accesskey=t title="(Alt + T)"><svg id="moon" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1111.21 3 7 7 0 0021 12.79z"/></svg><svg id="sun" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="5"/><line x1="12" y1="1" x2="12" y2="3"/><line x1="12" y1="21" x2="12" y2="23"/><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"/><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"/><line x1="1" y1="12" x2="3" y2="12"/><line x1="21" y1="12" x2="23" y2="12"/><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"/><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"/></svg></button></div></div><ul id=menu><li><a href=http://localhost:1313/archives/ title=Archive><span>Archive</span></a></li><li><a href=http://localhost:1313/categories/ title=categories><span>categories</span></a></li><li><a href=http://localhost:1313/search/ title="Search (Alt + /)" accesskey=/><span>Search</span></a></li><li><a href=http://localhost:1313/tags/ title=tags><span>tags</span></a></li></ul></nav></header><main class=main><article class="first-entry home-info"><header class=entry-header><h1>H3x_Blade team</h1></header><div class=entry-content>👋 Welcome to my personal blog ,here i post ctf-writeups and projects</div><footer class=entry-footer><div class=social-icons><a href=https://twitter.com/h3xkatana target=_blank rel="noopener noreferrer me" title="Share PaperMod on X/Twitter"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="currentcolor"><path d="M18.244 2.25h3.308l-7.227 8.26 8.502 11.24H16.17l-5.214-6.817L4.99 21.75H1.68l7.73-8.835L1.254 2.25H8.08l4.713 6.231zm-1.161 17.52h1.833L7.084 4.126H5.117z"/></svg>
</a><a href=https://www.linkedin.com/in/kara-mohamed-mourtadha-658a02280/ target=_blank rel="noopener noreferrer me" title="View My Portfolio"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M16 8a6 6 0 016 6v7h-4v-7a2 2 0 00-2-2 2 2 0 00-2 2v7h-4v-7a6 6 0 016-6z"/><rect x="2" y="9" width="4" height="12"/><circle cx="4" cy="4" r="2"/></svg>
</a><a href=https://github.com/H3xKatana target=_blank rel="noopener noreferrer me" title="View Source on Github"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M9 19c-5 1.5-5-2.5-7-3m14 6v-3.87a3.37 3.37.0 00-.94-2.61c3.14-.35 6.44-1.54 6.44-7A5.44 5.44.0 0020 4.77 5.07 5.07.0 0019.91 1S18.73.65 16 2.48a13.38 13.38.0 00-7 0C6.27.65 5.09 1 5.09 1A5.07 5.07.0 005 4.77 5.44 5.44.0 003.5 8.55c0 5.42 3.3 6.61 6.44 7A3.37 3.37.0 009 18.13V22"/></svg></a></div></footer></article><article class=post-entry><header class=entry-header><h2 class=entry-hint-parent>First_post</h2></header><div class=entry-content><p>PicoCTF crackme101 with ANGR</p></div><footer class=entry-footer><span title='2024-03-27 13:11:06 +0100 WAT'>March 27, 2024</span>&nbsp;·&nbsp;1 min&nbsp;·&nbsp;77 words&nbsp;·&nbsp;Katana</footer><a class=entry-link aria-label="post link to First_post" href=http://localhost:1313/post/first_post/></a></article></main><footer class=footer><span>&copy; 2024 <a href=http://localhost:1313/>Katana</a></span>
</a><a href=https://github.com/H3xKatana target=_blank rel="noopener noreferrer me" title="View Source on Github"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M9 19c-5 1.5-5-2.5-7-3m14 6v-3.87a3.37 3.37.0 00-.94-2.61c3.14-.35 6.44-1.54 6.44-7A5.44 5.44.0 0020 4.77 5.07 5.07.0 0019.91 1S18.73.65 16 2.48a13.38 13.38.0 00-7 0C6.27.65 5.09 1 5.09 1A5.07 5.07.0 005 4.77 5.44 5.44.0 003.5 8.55c0 5.42 3.3 6.61 6.44 7A3.37 3.37.0 009 18.13V22"/></svg></a></div></footer></article><article class=post-entry><header class=entry-header><h2 class=entry-hint-parent>First_post</h2></header><div class=entry-content><p>PicoCTF crackme101 with ANGR</p></div><footer class=entry-footer><span title='2024-03-27 13:11:06 +0100 WAT'>March 27, 2024</span>&nbsp;·&nbsp;1 min&nbsp;·&nbsp;77 words&nbsp;·&nbsp;Katana</footer><a class=entry-link aria-label="post link to First_post" href=http://localhost:1313/post/first_post/></a></article><article class=post-entry><header class=entry-header><h2 class=entry-hint-parent>hackthebox sherlocks Unit42</h2></header><div class=entry-content><p>Unit42 htb sherlocks writeup</p></div><footer class=entry-footer>2 min&nbsp;·&nbsp;285 words&nbsp;·&nbsp;Katana</footer><a class=entry-link aria-label="post link to hackthebox sherlocks Unit42" href=http://localhost:1313/post/unit42/></a></article></main><footer class=footer><span>&copy; 2024 <a href=http://localhost:1313/>Katana</a></span>
<span>Powered by
<a href=https://gohugo.io/ rel="noopener noreferrer" target=_blank>Hugo</a> &
<a href=https://github.com/adityatelange/hugo-PaperMod/ rel=noopener target=_blank>PaperMod</a></span></footer><a href=#top aria-label="go to top" title="Go to Top (Alt + G)" class=top-link id=top-link accesskey=g><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 12 6" fill="currentcolor"><path d="M12 6H0l6-6z"/></svg>
Expand Down
Loading

0 comments on commit d77a671

Please sign in to comment.