SuperSonic: Ep.6 – TEMPLE
I have Problems with the last two questions: In which file did the attacker find the credentials for the second account they accessed? I extracted the 14 files with SMB/Wireshark but i am not able to find anyything. Which two user accounts did the attacker use to access the SMB share? (Use a comma to separate the two usernames.) I think i found one Account in the 14 files but at restart of the lab i dont find it anymore. (This are the last two Questions for Supersonic-Badge)
CVE-2022-29799/CVE-2022-29800 (Nimbuspwn) – Defensive
Hello community, I can't find the answer to these question I tried using the Sigma file provided in the lab to query Splunk it returned no events. I also tried doing custom queries with using similar strings. But I never got the correct answers Any helpis appreciated. Thanks
Foundational Static Analysis: Analyzing Structures
The question is asking me "In the disassembly at address 00401567, what is the structure EDX is pointing to? Look at Microsoft Docs for help!" At the very end of the briefing they go over the explanation of how to identify which offset is determining which call. I am 90% positive that the offset we are supposed to be identifying in this case is 0x17c. However within this SAME blurb while they are explaining the way the stack line up they simply identify which API the offset in their example is pointing to. THEY NEVER MENTION HOW THEY GOT THERE! I am sure that it requires some research an I have been trying to identify anything within MSDN database but I can't find a single clue how identify what API 0x17c is pointing to. I have even tried looking up references for the offset they had 0x138 which they identified as STARTUPINFO. (I googled both terms together.) Now I am most definitely missing something here. I step within the assembly analysis mayb ebut I am at a loss. If anyone could help me out I would appreciate it.Node.js - Beginner -- What am I missing?
In the Node.js - Beginner collection there is a practical lab on Forced Browsing. I have completed what is setup as the criteria for the lab but it keeps telling me that the code isn't secure. I have tested with two different users and the solution works to prevent forced browsing. Is there some other criteria that needs to be met that I'm missing. Remediation: Authorization check: returns a 401 if the user isn't logged in I have also added the author check to verify that only the logged in user retrieves their own drafts.
WinDbg: Ep.5 – Kernel Internals
Question 9:Looking at the system process and the !token command, what is the User field? What I did: [...] lkd> !process 0 0 **** NT ACTIVE PROCESS DUMP **** PROCESS ffffdf0609685200 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 001aa002 ObjectTable: ffffc8001ac04d40 HandleCount: 1895. Image: System lkd> dt nt!_eprocess ffffdf0609685200 [...] lkd> !token Thread is not impersonating. Using process token... _EPROCESS 0xffffdf060f46e080, _TOKEN 0x0000000000000000 TS Session ID: 0x2 User: S-1-5-21-926794839-1820024918-4247477861-500 Is it possible the Lab was migrated to a new OS? Or what do I miss here?WinDbg: Ep.4 – Debugging a Windows Crash
Hi Q7:Identify the invalid reference to a memory address that causes the crash. instead of instructions, what characters are shown at this location? It seems I have issues understanding the question. From WinDbg: 1: kd> !analyze -v [...] PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: ffff828b0e60658f, memory referenced. Arg2: 0000000000000000, value 0 = read operation, 1 = write operation. Arg3: fffff8047dcebb37, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000002, (reserved) Arg1 has nothing (dc <addr> -> ????????????????) Arg3 has asm (da <addr> -> ".....D.eH.sD..f....."), (u <addr> -> movzx ebx,word ptr [rsi]). The TRAP_FRAME says both ebx and rsi are 0. In short, I have no idea what reference I should identify. Can anyone give me a hint?
