CompSec Blog

 Recently, I've *allegedly* received some documents on torrent clients on my network. Of course, I wholeheartedly respect copyright laws and do my utmost to ensure that files on my systems are 100% legal. Regardless, I thought creating an offsite file download/share server might be an exciting project.  I already had a VPS I was renting from a VPS provider, so I spun up another one with them. Relatively low specs, 4 CPUs, 4GB RAM, but it has unlimited network usage which is good for my purposes. I went with the most recent version of Ubuntu, but any OS would work with this.  To start off, I had an idea for a setup that used a management IP that I could access to download files and communicate with the torrent client, and a download IP that ran a VPN at all times and was only used for downloading files. Luckily enough, my VPS provider had options for adding extra IPv4 addresses to the server, so I bought an extra address and got that working. OpenVPN also has an option to bind to a

Vynae can be found on my GitHub . Vynae is a fleshed-out version of the original project, PidHunter. PidHunter was written for use in the Collegiate Cyber Defense Competition for tracing process IDs and gathering simple information about processes running in Windows Server environments. It started as a lightweight script that could be deployed on multiple servers and return consistent results. Mainly, it was used to detect Crowd Strike beacons after we discovered one of our servers had a beacon running on it. I wanted a way to pull up process and network information on the fly without needing to run multiple commands or tools. As such, it was hyper-specific to the situation I was in. While I originally tried to expand PidHunter to be useful in normal operations, it never really took off and was abandoned. Cue summer semester 2022 where I found I had a good amount of extra time before classes started in earnest. I needed to take a break from some other projects, and as I'm takin

Code can be found here . For the upcoming CCDC regionals, I'll need to manage multiple different windows machines and servers. In the state competition, I had made a simple script that created some basic firewall rules mostly targetting Active Directory services. I then applied these to both the Windows server 2012 DC and the Windows server 2016 Hyper-V/Docker machine. The rules worked fine for both, especially considering that I decided to 'reduce my threat surface' by removing the net adapters from the Docker box. However, for regionals, I'll be managing multiple Active Directories, Exchange servers, and Docker at the very least.  Having a rigid script that applies the same firewall rules to every box won't work as well as it did in state, and creating a new script for each machine is too time-consuming. So I decided to create something that could detect what services and roles were installed on a given machine and then install the necessary firewall rules based o

EDIT: Related video made for a class The CCDC qualifiers are over now, and my team got 1st! That being said, towards the end of the day, we noticed a lot of suspicious traffic coming to the AD box. While I couldn't figure it out during the competition, it turns out that the red team had been using the zerologon exploit . After we got back, I wanted to learn the ins and outs of this exploit in order to prevent myself from getting hit with it again at the next competition. Turns out, it's relatively easy to set up and execute using Impacket and Risksense' zerologon script.   For the testing environment, I have a Windows lab consisting of a 2012 AD, 2019 Email server, 2016 Docker/Hyper-V box, and Windows 10 and 7 machines. This setup is for CCDC prep and is designed to mirror the environments and machines used in the competition. I also have a kali box running on the same network as the Windows machines. This is what staged the attacks on the 2012 AD server.   To begin with,