2023 HuntressCTF - BaseFFFF+1

2023-11-01 | #base65536

Summary
Author: @JohnHammond
Maybe you already know about base64, but what if we took it up a notch?

Steps
To start this challenge I ran file against the baseffff1 file and see that it is "baseffff1: Unicode text, UTF-8 text, with no line terminators". Next, previewing the file I see these characters:

After many failed decoding attempts, I went back to the challenge description and started to work on what FFFF+1 means.

2023 HuntressCTF - Batchfuscation

2023-11-01 | #batch #deobfuscation #malware

Summary
Author: @JohnHammond
I was reading a report on past Trickbot malware, and I found this sample that looks a lot like their code! Can you make any sense of it?

Steps
The start of this code was heavily obfuscated, and after getting an understanding of what was happening I started to manually deobfuscate the code. Looking at the code, it looks like multiple variables tied together.

@echo off
set bdevq=set
%bdevq% grfxdh= 
%bdevq%%grfxdh%mbbzmk==
%bdevq%%grfxdh%xeegh%mbbzmk%/
%bdevq%%grfxdh%jeuudks%mbbzmk%a
%bdevq%%grfxdh%rbiky%mbbzmk%c
%bdevq%%grfxdh%wzirk%mbbzmk%m
%bdevq%%grfxdh%naikpbo%mbbzmk%d
%bdevq%%grfxdh%ltevposie%mbbzmk%e
%bdevq%%grfxdh%uqcqswo%mbbzmk%x
%bdevq%%grfxdh%zvipzis%mbbzmk%i
%bdevq%%grfxdh%kquqjy%mbbzmk%t
%bdevq%%grfxdh%kmgnxdhqb%mbbzmk% 
%bdevq%%grfxdh%%xeegh%%jeuudks%%grfxdh%bpquuu%mbbzmk%4941956 %% 4941859
%rbiky%%wzirk%%naikpbo%%kmgnxdhqb%%xeegh%%rbiky%%kmgnxdhqb%%ltevposie%%uqcqswo%%zvipzis%%kquqjy%%kmgnxdhqb%%bpquuu%
%bdevq%%grfxdh%grtoy%mbbzmk%%=exitcodeAscii%
%bdevq%%grfxdh%%xeegh%%jeuudks%%grfxdh%fqumc%mbbzmk%9273642 %% 9273544
%rbiky%%wzirk%%naikpbo%%kmgnxdhqb%%xeegh%%rbiky%%kmgnxdhqb%%ltevposie%%uqcqswo%%zvipzis%%kquqjy%%kmgnxdhqb%%fqumc%
%bdevq%%grfxdh%kbhoesxh%mbbzmk%%=exitcodeAscii%
%bdevq%%grfxdh%%xeegh%%jeuudks%%grfxdh%uhtsvvtj%mbbzmk%9196704 %% 9196605
%rbiky%%wzirk%%naikpbo%%kmgnxdhqb%%xeegh%%rbiky%%kmgnxdhqb%%ltevposie%%uqcqswo%%zvipzis%%kquqjy%%kmgnxdhqb%%uhtsvvtj%
%bdevq%%grfxdh%fxflckau%mbbzmk%%=exitcodeAscii%
%bdevq%%grfxdh%%xeegh%%jeuudks%%grfxdh%anbayva%mbbzmk%2699100 %% 2699000
%rbiky%%wzirk%%naikpbo%%kmgnxdhqb%%xeegh%%rbiky%%kmgnxdhqb%%ltevposie%%uqcqswo%%zvipzis%%kquqjy%%kmgnxdhqb%%anbayva%
%bdevq%%grfxdh%pxesvvz%mbbzmk%%=exitcodeAscii%

I started to manually replace the variables with the ASCII representation.

2023 HuntressCTF - Comprezz

2023-11-01 | #

Summary
Author: @JohnHammond
Someone stole my S's and replaced them with Z's! Have you ever seen this kind of file before?

Steps
After downloading comprezz to my Kali instance, I ran file comprezz and received the following output:

��f؄9�'FnĠ���j�CC�34h̐q���f0Z�%

Based on the challenge name and that the file is not readable, I decided to try to uncompress the file using. First I changed the file name from comprezz to comprezz.

2023 HuntressCTF - Dialtone

2023-11-01 | #bigint #wav

Summary
Author: @JohnHammond#6971
Well would you listen to those notes, that must be some long phone number or something!

Steps
In this challenge I was given a file called dialtone.wav. Listening, I hear the audible dial pad when dialing a phone number. After some research, I discovered a GitHub repository by ribt that will convert the dial presses in a .wav file and correlate them with the actual number being dialed. I executed .

2023 HuntressCTF - Dumpster Fire

2023-11-01 | #forensics

Summary
Author: @JohnHammond
We found all this data in the dumpster! Can you find anything interesting in here, like any cool passwords or anything? Check it out quick before the foxes get to it!

Steps
I downloaded the file to my system and executed tar -xf dumpster_fire.tar.xz to extract the files. Looking at the extracted files, it appears to be a copy of a Linux file system. Based on the challenge description, we are looking for passwords.
