Incident Response: P2 - stuck on Q11
I successfully completed the previous question, but I’m currently encountering difficulties with Question 11: “What are the last 6 characters of the MD5 checksum of the malware executable?” I’ve identified and extracted the malware executable and the associated IOCs; however, none of the MD5 hashes I’ve generated appear to match the expected result. Upon reviewing the instructions, I revisited the step: “Using a Python script or a manual deobfuscation method, get the binary from the VBA script.” I suspect this is where my process may be breaking down — specifically in extracting the correct binary from the VBA script. Could one of the instructors kindly provide guidance or clarification on where I might be going wrong?
Trick or Treat on Specter Street: Widow's Web
I am very stucked in Trick or Treat on Specter Street: Widow's Web I can't do none of the questions, but in any case I start by 4th that is the first answerable one Your first task is to simulate the loyal Crawlers. Run legitimate-crawler and inspect the output in Lab-Files to observe their behavior. To simulate the rogue Crawlers, you must discover the hidden paths on the website. Read the blog posts – they contain clues. Disallow these in Website-Files/robots.txt and run malicious-crawler. Inspect the output in Lab-Files. What is the token? I have created the robots.txt file since I understand that malicious-crawler goes expressedly there. My robots.txt contains all url's I can imagin Disallow: /secret Disallow: /treat Disallow: /hidden Disallow: /crypt Disallow: /warden Disallow: /rituals Disallow: /witch-secrets Disallow: /admin Disallow: /vault Disallow: /uncover Disallow: /post1 Disallow: /post2 Disallow: /post3 Disallow: /post4 Disallow: /contact Disallow: /drafts/rituals But the result of malicious-crawler.txt doesn't give me either a token nor a hint I have curl-ed all pages looking for words as token and nothing. I have found some key words in http://127.0.0.1:3000/witch-secrets as intercepted-incantations, decoded them and nothing. I have searched in spider-sigthings.log what hapened at 3.00 am but nothing Can someone gime me a hint?
Active Directory Basics: Demonstrate Your Skills
Hey team, i am working on the lab in the title and quite sure there's an issue with the answer for one of the questions. 12. What is the full name of the user on COMP-SIREN that begins with L? I am pretty sure it is Larry Young as you can see from the screenshot. Could i check whether there is an error with the question? Or am i missing somethingActive Directory Basics: Demonstrate Your Skills
Hey team, i am working on the lab in the title and quite sure there's an issue with the answer for one of the questions. 12. What is the full name of the user on COMP-SIREN that begins with L? I am pretty sure it is Larry Young as you can see from the screenshot. Could i check whether there is an error with the question? Or am i missing somethingIntroduction to Metasploit: Ep.9 – Demonstrate Your Skills
Please help me out here. I managed to brute for to Apache Tomcat Manager using: auxiliary/scanner/http/tomcat_mgr_login QCC:Qlogic66 When i try to log in to site it is not working http://10.10.10.10:9090/manager/html I need to spawn a user level shell on the victim machine using this creds, not sure why they are not working. I need to use any of these exploits and they require a username and password : 1. exploit/multi/http/tomcat_mgr_deploy 2009-11-09 2. exploit/multi/http/tomcat_mgr_upload 2009-11-09
Incident Response Suspicious Email Part 2 last Question
Hello I am getting slowly crazy here. The last question of Suspicious Email Part 2 asks to find the FQDN of the threat actor within the output that in the previous questions we had to deobfuscate after unpacking the vbaProject.bin using Oletools and / or a script. I created a script to convert Decimal to ASCII and the Hash in the end was matching and I solved the 2nd to last question. However afterwards it says the FQDN should be in the file I just created. This is not the case. I checked the file with strings and even read the whole file line by line to find any FQDN. The only sites in there are apache and zeustech which are only in there because ApacheBench got used in the Malware. There is no trace of any further FQDN. So I'm effectively stuck there because I can't find any worthwhile Info. Does anyone have any Idea? Or is this Lab just broken? I redid the whole Lab from scratch 2 times already. Both times I wrote a new Script aswell and everytime the Hash is correct but there is no FQDN to be found anywhere in there.
