Blog.Bajiri

  Snake Eater: A Malware Analysis Challenge Snake Eater provided an executable file with the comment “I’ve never seen an executable file that looks like this. Can you check it out and see what it’s doing”. The comment is the hint to finding the flag. This challenge requires a Virtual Machine, as the executable is based on live malware and Defender may delete it or prevent it from running. First, we’ll need to get our hands on Sysinternals tools. These can be downloaded from Microsoft. After getting all of the Sysinternals tools, we need to go back to our hint. The line “Can you check it out and see what it’s doing” is a hint that we need to run the malware and see what changes it’s enacting on the system. One way to do this is to use Process Monitor from Sysinternals. We can run the Process Monitor executable and start capturing with no filters enabled. Then, we can execute the snake_eater.exe file and wait for it to close. After it closes, we can stop the Process Monitor c...

HumanTwo: MoveIT IoC Analysis Challenge The HumanTwo challenge is a malware CTF from the 2023 Huntress CTF. This write-up walks through the initial discovery, de-obfuscation, and solving of the challenge. The actual flag will be redacted from the document, but interested parties should be able to follow the steps and derive it themselves. While the write-up assumes a base level of knowledge regarding the command line and Linux. Most tools and commands will be accompanied by short explanations. Step 1: Initial Analysis To start off, we are given an archive with 1000 files named after their file hash. The hint we are given is that there are minor differences between each file. We also know that HumanTwo relates to the MoveIT vulnerability and exploit. The easy way to progress is to look up articles that tell you about the vulnerability and what stands out in each exploit script. However, I didn’t do that, so I’ll put the process I followed down instead. First, because I knew that...

I'm finally getting around to uploading these. My team and I had a blast doing the Huntress CTF and we learned quite a bit doing them! Formatting might be weird on some of these. They're copy/pastes from word docs. Hot off the Press: A PowerShell Malware Challenge Hot off the Press is a malware CTF challenge from the 2023 Huntress CTF. This write-up walks through the initial discovery, de-obfuscation, and solving of the challenge. The actual flag will be redacted from the document, but interested parties should be able to follow the steps and derive it themselves. While the write-up assumes a base level of knowledge regarding the command line, Linux, cryptography, and PowerShell. Most tools and commands will be accompanied by short explanations. This is a fun entry-level malware reversal challenge that is completable by all entry-level cybersecurity students with a little research. Step 1: File Discovery The file “hot_off_the_press” was given with the explanation that thi...

With the competition season mostly over, I've been able to spend some time catching up on write-ups, classwork, and projects. I'm also able to start releasing the materials I created for my team this year. Starting with Get-ADInfo, the first (sort of) Powershell module I've created. You can find it here  https://www.powershellgallery.com/packages/Get-ADInfo/1.0.0 . Additionally, you can also find it on my GitHub . Module Information Get-ADInfo is a module that was created to help facilitate Active Directory object enumeration. I spent a lot of time last year developing security tools for Windows servers, but I hadn't really done anything neat with basic enumeration stuff. So I wanted to create some enumeration tools for our Windows people this year. Get-ADInfo was the first tool I started working on, and probably the one that turned out the best, as I was quickly overwhelmed with relearning bash and some of the more advanced Linux skills I had forgotten after focusing o...

Vynae is now fully released and will likely not be receiving major feature updates to the CLI version. There is a GUI that is still catching up to the CLI version, but new features are not likely to be added (never say never though). This post will go through the original idea behind Vynae, as well as the challenges and process of its development. Vynae can be found here  and is completely open source and available for anyone to use.  Origin and CLI version Vynae has a somewhat interesting history. It started as a small script that traced Parent Process IDs and pulled network information from processes. I needed a solution that was quick and dirty to help me document a CobaltStrike beacon I had found during the CCDC regional competition. Originally, Vynae looked something like this and was called PIDHUNTER, because it only found information on given processes.  After the competition, I wrote it into something a little nicer than the mess I used in the competition, and I c...