Pastebin Grabbing Badness

While doing some threat hunting I found a server reaching out to pastebin (this was over an hour):

src_ip=<ip> url=hxxp://pastebin[.]com/raw/<snip> count=34

It wasn’t a long-running process, but it certainly happened a lot. The paste content was 127.0.0.1:80, which looked like a typical CNC control message. netstat wasn’t doing it, so lsof to the rescue!
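Before touching the host, the same pattern can be pulled out of the proxy log itself. This is an added example, not code from the original post: it parses constructed log lines in the defanged `src_ip=... url=...` shape shown above and flags any source whose raw-paste fetches inside a sliding one-hour window reach a threshold. The sample lines and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the original post), defanged
# the same way the post's log line is (hxxp, [.]).
SAMPLE_LOG = """\
2019-04-14T10:00:01 src_ip=10.0.0.5 url=hxxp://pastebin[.]com/raw/AbCd1234
2019-04-14T10:01:42 src_ip=10.0.0.5 url=hxxp://pastebin[.]com/raw/AbCd1234
2019-04-14T10:03:10 src_ip=10.0.0.5 url=hxxp://pastebin[.]com/raw/AbCd1234
2019-04-14T10:05:00 src_ip=10.0.0.9 url=hxxp://example[.]com/index.html
2019-04-14T10:07:31 src_ip=10.0.0.5 url=hxxp://pastebin[.]com/raw/AbCd1234
2019-04-14T12:30:00 src_ip=10.0.0.5 url=hxxp://pastebin[.]com/raw/AbCd1234
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src_ip=(?P<src>\S+) url=(?P<url>\S+)")

def refang(url):
    """Undo hxxp / [.] defanging so the URL parses normally."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def is_pastebin_raw(url):
    """True for a raw paste fetch (pastebin.com/raw/...), whatever the scheme."""
    p = urlparse(refang(url))
    return p.hostname == "pastebin.com" and p.path.startswith("/raw/")

def pastebin_raw_pollers(log_text, window=timedelta(hours=1), threshold=3):
    """Return {src_ip: peak_hits} for sources whose raw-paste fetches inside
    any sliding window of length `window` reach `threshold`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_pastebin_raw(m["url"]):
            hits[m["src"]].append(datetime.fromisoformat(m["ts"]))
    flagged = {}
    for src, times in hits.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop hits older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(pastebin_raw_pollers(SAMPLE_LOG))   # {'10.0.0.5': 4}
```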

I ran this on the server:

sudo watch -n1 lsof -n -i:80 -i:8080 -r1 -sTCP:^LISTEN | grep -v <ip>:http | tee -a ~/pastebin-find.txt

Here’s what the options mean:

[Read More]

F5 LDAP Fix for V14 Upgrade

Have you upgraded to v14 and found that Active Directory/LDAP auth for appliance admin access has stopped working?

Try running this:

tmsh modify auth ldap system-auth check-roles-group enabled
tmsh save sys config

Seems that there was a change in how group enumeration happens, and this fix sorts it. You don’t need to reboot or anything, it just works.

[Read More]

Dystopia Daily Rundown

While job seeking I’ve been reading the LinkedIn Daily Rundown; I’m not normally one for business news, but it tends to be a good quick thing to catch up on. Today’s instalment was particularly dystopian.

Like your job? Sadly it could be automated sooner than you think, according to a new Organisation for Economic Co-operation and Development (OECD) report.

Not surprising, really - there’s a lot of process work and drivers out there.

[Read More]

Banksy and Authenticity

A great writeup on how Banksy handles authentication of his artworks.

So Banksy created a not-for-profit company, Pest Control, to sell and authenticate his works. The process is fiendishly clever, as Will Ellsworth-Jones writes in his book ‘Banksy: The Man Behind the Wall’:

Now, for £65 you can get your Banksy print authenticated. And just to keep the whole thing as jokey as possible, the authentication certificate has stapled to it half a ‘Di faced tenner’, a £10 note faked by Banksy with Lady Diana’s face on it. The tenner has a handwritten ID number on it which can be matched to the number on the other half of the note held by Pest Control.

[Read More]

PlaidCTF - Can You Guess Me

A friend asked me for help with this one. I hadn’t planned on doing the Plaid CTF but I’m easily dragged into a neat programming challenge.

can you guess me

Misc (100 pts)

Here’s the source to a guessing game: here

You can access the server at nc canyouguessme.pwni.ng 12349

Initial test

Nothing ridiculously simple here, the solution’s obviously in the code… here’s the code that was provided:

#! /usr/bin/env python3

from sys import exit
from secret import secret_value_for_password, flag, exec

print(r"")
print(r"")
print(r"  ____         __   __           ____                     __  __       ")
print(r" / ___|__ _ _ _\ \ / /__  _   _ / ___|_   _  ___  ___ ___|  \/  | ___  ")
print(r"| |   / _` | '_ \ V / _ \| | | | |  _| | | |/ _ \/ __/ __| |\/| |/ _ \ ")
print(r"| |__| (_| | | | | | (_) | |_| | |_| | |_| |  __/\__ \__ \ |  | |  __/ ")
print(r" \____\__,_|_| |_|_|\___/ \__,_|\____|\__,_|\___||___/___/_|  |_|\___| ")
print(r"                                                                       ")
print(r"")
print(r"")

try:
    val = 0
    inp = input("Input value: ")
    count_digits = len(set(inp))    # number of distinct characters typed
    if count_digits <= 10:          # Make sure it is a number
        val = eval(inp)             # evaluates the raw input as Python
    else:
        raise

    if val == secret_value_for_password:
        print(flag)
    else:
        print("Nope. Better luck next time.")
except:
    print("Nope. No hacking.")
    exit(1)

Pretty simple so far, it’s got a few imports, allows you to type something in, does a bit of a check and if you do things right, it’ll show you the flag.
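As an added example (not part of the challenge source), here is the game’s distinct-character test beside a strict integer parse, run over constructed inputs to show what each one actually accepts: counting distinct characters says nothing about whether the input is a number, whereas the strict version never hands anything to eval().

```python
def weak_is_number(inp):
    """The game's own test: 'a number' means at most ten distinct characters."""
    return len(set(inp)) <= 10

def strict_parse_int(inp):
    """Hardened replacement: accept only an optionally signed ASCII decimal
    integer and return it as an int; anything else returns None. Nothing is
    ever passed to eval()."""
    s = inp.strip()
    body = s[1:] if s[:1] in ("+", "-") else s
    # str.isdigit() also accepts non-ASCII digits (superscripts, Arabic-Indic
    # numerals, ...) which int() either rejects or silently converts, so
    # require plain ASCII on top of it.
    if not body or not body.isascii() or not body.isdigit():
        return None
    return int(s)

# Constructed inputs: every one of them satisfies the weak check, but only
# the first two are numbers the strict parser will accept.
SAMPLES = ["42", "-7", "1+1", "2**8", "1e3", "0x10", "\u00b2"]

def compare(inputs=SAMPLES):
    """Map each input to (passes weak check, strict parse result)."""
    return {s: (weak_is_number(s), strict_parse_int(s)) for s in inputs}

if __name__ == "__main__":
    for s, (weak, strict) in compare().items():
        print(f"{s!r:10} weak={weak!s:5} strict={strict}")
```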

[Read More]

Crikeycon 2019 CTF - 1000 Qways to DieR

This was the challenge:

The flag is contained in the following attached file. You know how QR codes work right? Flag is in format “word”. (So no flag bit on this one) Challenge by Garry.

Attached was a 1.2MB, 20,000 line file which looked like this:

base64

I’ve been around a while and the =’s at the end of the lines made me think of base64, so I copied it out into CyberChef and got my first indication I was on the right path:

[Read More]

Velociraptor and Open Source Threat Hunting

Velociraptor is a cool name for a dinosaur, let alone a software package. I did a course today with one of the developers, and it looks like a great FOSS solution to EDR and threat hunting.

First, download the package from the releases page. It’s a very small, self contained file.

Here are my notes from the day.

To configure the client

rem make the install dir
mkdir "c:\Program Files\Velociraptor\"
rem make the client config (generated from the server config; placeholder name here,
rem and it must not be the same file the output is redirected into)
velociraptor.exe --config <server_config>.yaml config client > velo_client.yaml
rem connect the client
velociraptor.exe --config velo_client.yaml client -v

To run the server

[Read More]

Virtualbox Host Key Commands

I couldn’t find an easy list when I went looking for these, so I made a list.

Key Combination     Command
Host + R            Reset
Host + Q            Close VM
Host + S            Settings
Host + T            Snapshot
Host + N            Session Information
Host + P            Pause
Host + H            ACPI Shutdown

View Window

Key Combination     Command
Host + F            Fullscreen
Host + L            Seamless mode
Host + C            Scaled mode
Host + A            Adjust Window Size
Host + E            Take Screenshot

Keyboard

Key Combination     Command
Host + End          Send Ctrl-Alt-Delete
Host + Backspace    Send Ctrl-Alt-Backspace

[Read More]

Whois for Stackstorm

I’ve been playing around with stackstorm for a little while now, and wanted to get back into it after a bit of distraction on other things. The idea of automating a lot of my daily repetitive tasks really appeals to me, so I started work on another module today.

The end result of today’s head-desking was st2-whois, a pack that does basic whois calls and saves me from having to find the website that works just right for it, or open a shell from a box with the right access.

[Read More]