2023 HuntressCTF - Indirect Payload

2023-11-01 | #web

Summary

Author: @JohnHammond

We saw this odd technique in a previous malware sample, where it would uncover its next payload by... well, you'll see.

Steps

I started the docker instance for this challenge, navigated to the website and was presented with a button to Retrieve the Payload. The web server generates 20 HTTP 302 redirects, at which point the browser interrupts, stops redirecting and generates an error. Looking at the history in Burp Suite, I noticed that every other request had a MIME type of text.

Continue reading 


2023 HuntressCTF - Land Before Time

2023-11-01 | #iSteg #Steganography

Summary

Author: @proslasher

This trick is nothing new, you know what to do: iSteg. Look for the tail that's older than time, this Spike, you shouldn't climb.

Steps

The challenge description gave us a hint by calling for iSteg. Looking on GitHub I discovered iSteg by rafiibrahim8. I downloaded the jar file to Kali and executed it using java -jar iSteg-v2.1_GUI.jar. This launched the GUI and I was able to reveal the hidden text and get the flag.

Continue reading 


2023 HuntressCTF - Layered Security

2023-11-01 | #Steganography

Summary

Author: @JohnHammond

It takes a team to do security right, so we have layered our defenses!

Steps

After downloading Layered_security I executed file layered_security and observed that the file is GIMP XCF image data. Next, I launched gimp layered_security to open the file in GIMP. Initially, I saw a photo with multiple layers. Starting at the top layer, I removed each layer one at a time until getting to Pasted Layer $3, where I found the flag.

Continue reading 


2023 HuntressCTF - M Three Sixty Five

2023-11-01 | #AADInternals #m365 #powershell

Summary - General Info

Author: @David Carter

Welcome to our hackable M365 tenant! Can you find any juicy details, like perhaps the street address this organization is associated with?

Steps

Upon authenticating to the server, I noticed the AADInternals suite of tools was being used. I looked at the documentation for AADInternals by DrAzureAD and found a cmdlet, Get-AADIntCompanyInformation, which had the flag.

Flag: flag{dd7bf230fde8d4836917806aff6a6b27}

Summary - Conditional Access

Author: @David Carter

This tenant looks to have some odd Conditional Access Policies.

Continue reading 


2023 HuntressCTF - MFAtigue

2023-11-01 | #hash #impacket-secretsdump #mfa #ntds

Summary

Author: Adam Rice

We got our hands on an NTDS file, and we might be able to break into the Azure Admin account! Can you track it down and try to log in? They might have MFA set up though...

Steps

For this challenge we were given an NTDS.zip file and a docker instance to connect to. I extracted the file and confirmed with file that it's a Windows registry file. Next I used impacket-secretsdump to dump the hashes from the .

Continue reading 