Tag: Information Security

Capture the Flag

Hack the Box Walkthrough: Dream Job-1

Hack the Box Dream Job Title Image

Our capture the flag walkthrough today is found over on Hack the Box (HTB). Instead of the offensive security walkthroughs that I’ve been doing, this one is more focused on defensive investigative skills. HTB calls this classification of room a “Sherlock”, and today’s room is a retired free one called Dream Job-1. It focuses on researching a specific attack campaign, the attackers, and their tactics. Let’s get started.

The first thing we have to do is download the attached zip file called DreamJob1.zip. They give you the password to extract it as hacktheblue. Inside the zip is one file named IOCs.txt containing 3 lines of text. For now, we won’t need this file until Question 10.

Task 1: Who Conducted Operation Dream Job?

So unlike TryHackMe, Hack the Box doesn’t really teach you how to do things. You either have to know how, have worked through some of their training elsewhere, have access to walkthroughs, or be good at searching. In this case, we’re going to go to the MITRE ATT&CK® homepage at https://attack.mitre.org/. Click on CTI then Campaigns.

MITRE ATT&CK® Campaigns Menu

Scroll down until you get to C0022 Operation Dream Job or Ctrl-F and search for Operation Dream Job on the page.

Operation Dream Job Overview

Task 1 Answer: Lazarus Group


Task 2: When was this operation first observed?

Click the name or ID of the campaign and it takes you here: https://attack.mitre.org/campaigns/C0022/. You can see in the Info Box on the right some quick info about this campaign, including when it was First Seen.

Operation Dream Job Info Box

Task 2 Answer: September 2019


Task 3: There are 2 campaigns associated with Operation Dream Job. One is Operation North Star, what is the other?

Using the same image, we can see the Associated Campaigns.

Task 3 Answer: Operation Interception


Task 4: During Operation Dream Job, there were two system binaries used for proxy execution. One was Regsvr32, what was the other?

Scroll down or search for Binary Proxy Execution. You can see the two mentioned; the answer is the other one.

Operation Dream Job Binary Proxy Execution Tactic

Task 4 Answer: Rundll32


Task 5: What lateral movement technique did the adversary use?

On the page, near the top, you can click into the ATT&CK® Navigator Layers dropdown and View.

Operation Dream Job Navigator Layers Dropdown

After you get to the layers, horizontally scroll right until you see Lateral Movement. Click the header to have the column highlighted (the layer can be a bit cramped, and this helps you see it).

Operation Dream Job Lateral Movement Technique

Task 5 Answer: Internal Spearphishing


Task 6: What is the technique ID for the previous answer?

Hover over or click that highlighted cell and read the callout.

Task 6 Answer: T1534


Task 7: What Remote Access Trojan did the Lazarus Group use in Operation Dream Job?

Go back to the Operation Dream Job Campaign Page. Scroll down to Software.

Operation Dream Job Software

Task 7 Answer: DRATzarus


Task 8: What technique did the malware use for execution?

Click the Software Link for DRATzarus and go to https://attack.mitre.org/software/S0694/

Use the Navigator Layers dropdown like we did before, load up its Enterprise Layer, and go to Execution. Native API is highlighted.

DRATzarus Execution Technique

Task 8 Answer: Native API


Task 9: What technique did the malware use to avoid detection in a sandbox?

On the same page, under Discovery, there is a box called Virtualization/Sandbox Evasion. Its child box has the answer.

DRATzarus Evasion Technique

Task 9 Answer: Time Based Evasion


Task 10: To answer the remaining questions, utilize VirusTotal and refer to the IOCs.txt file. What is the name associated with the first hash provided in the IOC file?

Looking in the file, the first hash is 7bb93be636b332d0a142ff11aedb5bf0ff56deabba3aa02520c85bd99258406f

If we go to VirusTotal and put in that hash, it takes us here.

Searching the First Hash on VirusTotal

After you search, it takes you to the page and the answer is right in the header.

First Hash Executable

Task 10 Answer: IEXPLORE.EXE


Task 11: When was the file associated with the second hash in the IOC first created?

Second hash from the file is adce894e3ce69c9822da57196707c7a15acee11319ccc963b84d83c23c3ea802. If we search it, it takes us here.

Details -> History -> Creation Time

The creation time of the second hash executable

Task 11 Answer: 2020-05-12 19:26:17


Task 12: What is the name of the parent execution file associated with the second hash in the IOC?

Same page, Relations -> Execution Parents

The execution parent of the second hash executable

Task 12 Answer: BAE_HPC_SE.iso


Task 13: Examine the third hash provided. What is the file name likely used in the campaign that aligns with the adversary’s known tactics?

Third hash from the file is 0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1. If we search it, it takes us here.

Go to Details -> Names

Remember that according to the task, the victims of this were job seekers and that they used “fake job lures”, so…

The file name of the third hash executable

Task 13 Answer: Salary_Lockheed_Martin_job_opportunities_confidential.doc


Task 14: Which URL was contacted on 2022-08-03 by the file associated with the third hash in the IOC file?

Relations -> Contacted URLs, look for Scanned = 2022-08-03

The contacted url of the third executable

Task 14 Answer: https://markettrendingcenter.com/lk_job_oppor.docx


That’s it. I hope you enjoyed this little Blue Team exercise in researching some details of an attack from some artifacts!

Capture the Flag

TryHackMe Room Walkthrough: OhSINT

What the starting image looks like for the room

Today’s room is called OhSINT. It is another Free Room on TryHackMe, which means that anyone can follow along with me as long as you sign up for a free account. The point of this room is to show you some of the very basics of OSINT (Open-Source Intelligence), which is the process of gathering and analyzing publicly available information to gain insights and intelligence on a subject or target.

Note: This room was updated 2/1/2024, so this walkthrough will probably be different from others if you’re Googling around and found someone who did it closer to release date. This is noted in the room itself.

In this one, we only have an image to go off of. Let’s start with the basics and read the metadata on the image.

$ exiftool WindowsXP_1551719014755.jpg
ExifTool Version Number         : 13.00
File Name                       : WindowsXP_1551719014755.jpg
Directory                       : .
File Size                       : 234 kB
File Modification Date/Time     : 2025:03:08 15:53:27-05:00
File Access Date/Time           : 2025:03:08 15:54:52-05:00
File Inode Change Date/Time     : 2025:03:08 15:54:52-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
XMP Toolkit                     : Image::ExifTool 11.27
GPS Latitude                    : 54 deg 17' 41.27" N
GPS Longitude                   : 2 deg 15' 1.33" W
Copyright                       : OWoodflint
Image Width                     : 1920
Image Height                    : 1080
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1920x1080
Megapixels                      : 2.1
GPS Latitude Ref                : North
GPS Longitude Ref               : West
GPS Position                    : 54 deg 17' 41.27" N, 2 deg 15' 1.33" W
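As an added example (not part of the original post), here is a small Python script that parses exiftool’s text output like the listing above, converts the DMS GPS coordinates into the decimal degrees a map search expects, and lists the tags that reveal identity or location; the sample input is constructed from the fields shown above.

```python
import re

# Constructed sample: a few lines in exiftool's "Tag : Value" format,
# matching the fields shown in the post (not the full output).
SAMPLE_EXIFTOOL_OUTPUT = """\
File Name                       : WindowsXP_1551719014755.jpg
GPS Latitude                    : 54 deg 17' 41.27" N
GPS Longitude                   : 2 deg 15' 1.33" W
Copyright                       : OWoodflint
Image Size                      : 1920x1080
GPS Latitude Ref                : North
GPS Longitude Ref               : West
"""

# Tags whose values can identify a person or a place; these are the ones
# worth stripping from an image before it is published.
SENSITIVE_TAGS = {"GPS Latitude", "GPS Longitude", "GPS Position", "Copyright",
                  "Artist", "Creator", "Owner Name", "Serial Number"}

DMS_RE = re.compile(r"""(\d+)\s*deg\s*(\d+)'\s*([\d.]+)"\s*([NSEW])""")


def parse_exiftool(text):
    """Turn exiftool's aligned 'Tag : Value' lines into a dict (tag names have no colon)."""
    tags = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        tags[key.strip()] = value.strip()
    return tags


def dms_to_decimal(dms):
    """Convert e.g. 54 deg 17' 41.27" N to signed decimal degrees (S and W negative)."""
    m = DMS_RE.fullmatch(dms.strip())
    if not m:
        raise ValueError(f"unrecognised DMS coordinate: {dms!r}")
    deg, minutes, seconds, hemi = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if hemi in "SW" else value


def gps_decimal(tags):
    """Return (lat, lon) in decimal degrees, or None if the image carries no GPS tags."""
    if "GPS Latitude" not in tags or "GPS Longitude" not in tags:
        return None
    return dms_to_decimal(tags["GPS Latitude"]), dms_to_decimal(tags["GPS Longitude"])


def sensitive_tags(tags):
    """Names of the tags present that reveal identity or location."""
    return sorted(t for t in tags if t in SENSITIVE_TAGS)
```

Running `gps_decimal(parse_exiftool(SAMPLE_EXIFTOOL_OUTPUT))` gives roughly (54.2948, -2.2504), which is what you would paste into a map to find where the photo was taken.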

Question 1

Searching for the user that has the copyright, “OWoodflint”, I found this Twitter/X profile here.

What is this user’s avatar of?

Answer: Cat

Question 2

In this person’s tweets, they have one that says:

From my house I can get free wifi ;D

Bssid: B4:5D:50:AA:86:41 - Go nuts!

BSSID stands for “Basic Service Set Identifier” and is a unique ID that identifies a wifi access point.

If I search bssid lookup, the first result is WiGLE: Wireless Network Mapping at https://wigle.net. Okay, let’s check that out. I put the BSSID in the search on the right of the page and hit Filter and my map didn’t change (except all of the dots that had been on there are now gone). My guess was maybe this left *ONLY* that network on the map, so I zoomed all the way out and saw a dot in Europe. I zoomed in and it is in London. This could be me not knowing how to use the site, but it worked.

What city is this person in?

Answer: London

Question 3

Same site, just get the info of that point.

What is the SSID of the WAP he connected to?

Answer: UnileverWiFi

Question 4

Back to googling the username. The first result for me was https://github.com/OWoodfl1nt/. I know people associate their emails with GitHub sometimes, so I went in there. In the readme of his people_finder project, it says “Project starting soon! Email me if you want to help out: OWoodflint@gmail.com”

What is his personal email address?

Answer: OWoodflint@gmail.com

Question 5

What site did you find his email address on?

Answer: GitHub

Question 6

I didn’t see anything about a holiday/vacation on X/Twitter or GitHub, so back to the google search. It also returns his blog at https://oliverwoodflint.wordpress.com/. His first – and apparently only – post has the answer.

Where has he gone on holiday?

Answer: New York

Question 7

I actually found this one multiple places on the internet because of this challenge, but not the intended places. So I’m going to work this as intended. From google, basically I just have these three sites: X/Twitter, GitHub, and his blog. Since this is an OSINT challenge, I don’t expect they want us to try to crack his wordpress site. So, in true CTF-style thinking, I went looking for clues in his blog’s HTML source. I scrolled down and found this:

<p style="color:#ffffff;" class="has-text-color">pennYDr0pper.!</p>

Given the HTML, that means the text is actually visible on his site, except that its color is the same as the background. And sure enough:

An image showing that the password is actually on the blog post screen all along

What is the person’s password?

Answer: pennYDr0pper.!

That’s it. Just a fun little very introductory primer on using search engines and social profiles to do some very basic OSINT and show you the beginning of what’s possible. Any questions, let me know.

InfoSec

A Primer on Information Security

Picture of a Safe Door

I’ve been spending a lot of time at work recently being involved in audits of our company’s security. Some of them we are paying for (3rd party pentesting), some are voluntary compliance (SOC 2), and some are from clients doing their due diligence on vendors. In conducting and discussing the requests and our answers, it occurred to me that having a good understanding of Information Security is becoming table stakes in the industry, whether you’re a budding programmer, an aspiring entrepreneur, or just someone curious about the tech world. Let’s dive into the basics in the first post of what I hope will become a series.

What is Information Security (Infosec)?

At its essence, information security (infosec) is about safeguarding data from unauthorized access and alterations. It’s the practice of defending our digital valuables – be it personal information, business data, or governmental records. We live in a world where data flows everywhere, and just like dams ensure water flows in controlled and safe ways, infosec ensures data remains confidential, intact, and accessible only by those meant to access it.

Why is Infosec Important?

Imagine writing a personal letter and leaving it at a coffee shop. Anyone could read it, modify it, or take it away. That’s what the digital world is like without information security. With the invention and expansion of the internet, we’re more connected than ever. That means that our data – from emails to credit card numbers – is exposed to potential misuse.

The CIA Triad is a common model for talking about the security of information systems. CIA doesn’t stand for the United States Central Intelligence Agency; rather, it is an acronym for these concepts:

  1. Confidentiality: This principle ensures that sensitive information is only accessed by those who have the right to view it. Think of it like putting a letter in a sealed envelope rather than leaving it open for all to see.
  2. Integrity: Ensuring data remains unaltered during storage or transmission is vital. It’s like ensuring that the letter you wrote reaches its destination without anyone changing the words inside.
  3. Availability: Data needs to be accessible when needed. Imagine sending a letter and ensuring it reaches its destination on time for whenever the recipient wants to read it. Availability in infosec ensures that systems and data are available when required.

What’s at Stake?

Every day, new vulnerabilities and threats emerge. From ransomware attacks holding data hostage to data breaches leaking sensitive information, it can seem like we’re in a Wild West scenario. Companies of all sizes heavily invest in securing the data that they generate and are entrusted with by having dedicated security teams (both offensive and defensive) to constantly remain vigilant while finding their own weaknesses to fix before the adversaries do. This can take many forms, including monitoring, proactive Bug Bounty Programs to engage ethical hackers, simulated attacks, and tabletop exercises, to name a few.

If these companies fail, the results can be disastrous. Compromising one or more points of the CIA Triad can directly affect a company’s revenue and reputation. One great example of this is what happened to LastPass after they had a large security incident. Customers left in droves for alternatives like BitWarden, 1Password, and KeePass. That certainly will hurt LastPass’ revenue, but even worse is that the attack directly harmed their customers’ finances. The Verge reported that a potential link was made between the 2022 data theft and a total of more than $35 million in stolen cryptocurrency, due to the fact that almost all victims were LastPass users. Those are sobering consequences.

Why Should You Care?

As we plunge deeper into the digital era, infosec isn’t just a concern for IT departments but is everyone’s responsibility. Understanding infosec can not only make you a more informed digital citizen but can also open doors to a thriving career path. Even if you’re not interested in becoming a cybersecurity specialist, you should look to secure your online presence. Your security is only as strong as the weakest link, and you should do all that you can to not be that weak link. The journey into information security can be rewarding and eye-opening.

What’s Next?

Embarking on the infosec journey equips you with the knowledge to protect not just your data but also contribute to a safer digital ecosystem. From teaching to policy-making to ethical hacking, the field is vast and ripe with opportunity. Over the next few posts, I hope to explore these points more in depth and talk more about what we in technology can do to sharpen these tools in our own toolkits.