COBALT STRIKE Forensics: PCAP & Memdump - "Strike Back" HackTheBox University CTF 2021
Vložit
- čas přidán 11. 09. 2024
- Join HackTheBox and start rooting boxes! j-h.io/hackthebox
Find some tips and tricks on their blog! j-h.io/htb-blog
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/john...
E-mail: johnhammond010@gmail.com
Discord: johnhammond.or...
Twitter: / _johnhammond
GitHub: github.com/Joh...
If you would like to support the channel and I, check out Kite! Kite is a coding assistant that helps you code faster, on any IDE offer smart completions and documentation. www.kite.com/g... (disclaimer, affiliate link)
UPDATE: HackTheBox has let me know that in the official University CTF game, (NOT my sandbox), they corrected the unintentional after the first couple of hours. The PDF was removed from the process dump, the downloadable was updated and the flag was changed -- so, the "unintentional" that I showcase in the first 10 minutes using Cobalt Strike would NOT have worked for you if you played the CTF after that. Sorry! The Cobalt Strike analysis is much cooler anyway 😎
I discovered this when I came back to it after downloading it earlier in the day and immediately found the PDF and felt like I had an easy win. Cue my sadness which they said "Flag Is Incorrect" 😢
Same as Jacob. Flag wasn't working by the time someone from our team tried to submit it. But I get that for educational purpose it was better to modify the chall and go for the win with the intended way to solve the chall
It introduces an interesting "teachable moment" about how sensitive Windows memory dumps can be.
We should appreciate the fact that besides everything he has on his plate, he still manages to find time to create and upload these awesome educational videos for us!
He's just the GOAT! ♥
I wasn't bored at all, this is real life. You could have edited it and made it look like it was plain and simple, but you didn't. You showed the process of learning, which I think is really important.
John you crank out some of the best videos anywhere! Interesting, thorough and educational. Thanks.
Finally a new video John 😊
Hey John! I wanted to thank you for putting this together. This made going through a Cobalt Strike beacon very enjoyable and I learned a lot from this. Given how prevalent CS usage is these days, the ability to decrypt the traffic during analysis is very important and the walkthrough has been useful for outside the CTF purposes.
This was thoroughly interesting and enjoyable to watch ... Especially interesting because I'm threat hunting an active ransomware threat at work that's leveraging cobolt strike with the lockbid 3 ransomware payload at work
Also pretty sure that in the past few months of watching a hand full of your videos I have heard you say the word showcasing More times than I have said in my entire life
I forget which challenge it was, but it was one of the first 10 you do when loading into picoCTF. I completely bypassed the entire point of the challenge by finding the key with a phd [filename] and scrolling up. The key was in the far right column. PHD is a "pretty hex dump". I was supposed to use python or normal commands to interact with the file and ask it for help (which i did afterwards), but instead I bypassed all of that and found the key anyway in less than a minute.
This was sick and SUPER helpful! Thanks John! More like this, more like this, more like this!!
You just get me in the mood for netsec! Thanks for being my source of motivation, you’re awesome!
all the hard challs as well plz 🥺
informative and fun as always! =) thanks John!
I am just amazed that John churns out this kind of content for free, so much respect for you John, Thanks so much
I love your content. It's raw. I like it when you 'Learn on the fly'. When you learn, I learn. We learn together. From South Africa.
As someone who used to frequent Usenet back in the 90's, Scriptkiddy has really changed definition since it was originally used. (to be honest the first time i heard it was on a BBS back in the 80's.) I'm really getting old.
lmfao when the shell autocompletes the whole key your reaction is just like the dude in the meme spazzing out in his chair xD
John remebered his password again
He should add it to the rockyou wordlist, so he doesn't run into that issue anymore.
@@kylekelley1450 😂😂
7:50 the way he said "...or whatever learning value." in a very disappointed way made me laugh lol
Mr hammond, you make me feel inspired and daunted at the same time lol.
Thank you for not editing anything out of it xD
Equally impressive as it is terrifying.
Love your work John!
Soooo... I just watched jurassic park again.. Dr. John Hammond.. :p
Great video as usual.
finally a new video
At this point if John is a script kiddy then I'm a bacteria on a fleck of worm 💩
John is back!
Great Video as always!
The only part I was a little confused is when you used the 69-byte key extracted from the PCAP file to get the HMAC and AES keys,
would have it worked with any of the other keys, or did you just get a lucky pick?
the laugh at 27:25 at reading BEEF lol
I super appreciate your Tshirt John.
The thing that baffles me is when he finds a certain type of file... and then proceeds to know exactly what to do with it, and 8 different tools that can read it and what each one does differently. When I attempted hackthebox back along, I acquired a file, then had 0 clue what it was or what to do with it... I got as far as opening in notepad and gave up.
Ways to go me thinks.
I am so happy! At least one good thing about this Monday.
Australia Gang, 2AM Gang!
i -think- his name is pronounced “d-d-a” or deedee-eh, but no idea where the emphasis goes. love these vids btw, thanks for sharing them with us. i learn a lot
Amazing skill there. Love it.
Hi John, thank you for another video! Why did you set it to unlisted?
Thank you !!!!!
OWWWW F...... YEAH :)
Bro where were you. Your last video was dated 1 month ago. I was waiting long for your video. Nice Video BTW.
finally you're back god
Sick!
John ur real motivator for me
Thank you John !
Finally back. Thanks for the entertainment
John love the videos thanks for everything you gave put out. I have learned so many softwares from just watching. Doing write ups watching you, so helpful on understanding where you go and why. Although! Don’t make us wait a month! Hope all is well.
That's was very good bro keep going
Can't wait!
Nice video! Learnt a lot!
NICE work john !
I just can't wait :D
Late to the party but this was great!
Fantastic!
Lol i have used cobalt so that was really relatable for me. now i'm gone decrypt my traffics what i have done with my bacons.
you should have a T-shirt with "If I can type" written on it
Great to see ctf again. But love all your content.
What microphone are you using by the way? :p
With John Black Friday is 24x7x365 😇😁🙏. Respect 🤗😇
Holy crap that was cool
i love you jooohn
Hahaha I thought the dump file for the key about 30 seconds before you did. That is a first as you move so fast most of the time I am just trying to keep up.
Nice one
Could you share that how did you set up your zsh shell? Many thanks!
Amazing video, thank you for the instructive tips!
awesome
XII Blimp Fleet isa Final Fantasy reference.
Nice
15:20 The moment he messed up, and downloaded the malware.
commenting for the algo,
lets fucking goo
Can you please create a playlist named forensics?
I really hope you do more forensics stuff in the future.
Thanks in regards :)
Such good content!
Oh, you're still alive?
Hi John
It's been a long time since last video,
What took you so long 🤔
Life 🙃
waiting for explanation i struggled a lot in forensics
I'm curious what your definition of 'Forensic' is... since there is nothing about this that is actually 'forensics.'
Data analysis? Yes. 'Forensics'. No.
Ive been doing this for 3 years never found a bug. Im done :)
only 2 dislikes XD