Posts

Showing posts with the label Hacker

Hacked? How to respond!

Let's Talk Hacking First. Hacking comes in many shapes, colors and sizes these days. It could be a single system being taken over by malware, or it could be a cloud account that has access to 20 systems, development keys, and the ability to reset other users' credentials. There is a wide range of ways to gain access to information in today's modern infrastructure landscape. Some of the more common types are system compromise and account compromise. Each can lead to the other given the right scenario, and sometimes neither is necessary to compromise information, such as a website with an exploitable flaw that leaks information it shouldn't. Evidence of these may come in various flavors as well, such as an antivirus detection that alerts but does not quarantine, or a network detection tool flagging a suspicious pattern of callback-like activity. In both of these example cases, you'd want to investigate further. In this post, we'll walk through doing this from the system compromise persp...

Yara hunting phishing samples

So, I made a YARA rule a while back based on some suspicious phishing nonsense I found in some open (unauthenticated, with file directory listing enabled) cloud storage buckets. I decided only recently to see if I could do some public hunting with it. One possibility was on Hybrid Analysis. After just a few days, I already have 9 detections. The YARA rule is hosted on my GitHub ( https://raw.githubusercontent.com/ferasdour/SpecialYaraRules/refs/heads/main/Bucket%20Phishing%20Kits.yar ), but basically it's like this (notations added for this post):

    rule phishingKits3 {
        meta:
          description = "PhishingKits3: This was found in multiple phishing kits hosted on open/unauthenticated S3 buckets."
          author = "ferasdour"
        strings:
          $s1 = "https://ajax.googleapis.com/ajax/libs/jquery/" ascii // adds jquery
          $s2 = "https://code.jquery...

HTB Tutorial - CozyHosting

CozyHosting Intro: I went to start another HTB system and figured this would be a good one to write up. I know there are other writeups on this, but from what I've seen, I think I can put together something better to follow. So, let's dig in. Recon: I started with nmap. I have nmap aliased; basically, mynmap is set to "nmap -sS -sV -Pn -p1- --open -sC -oN nmap". I have it set up this way so I can create a folder for the HTB challenge, enter the folder, and then run nmap from there, saving the output file for reference later. This does miss some UDP stuff and things like that, so it's not the best scanning, but it's sufficient in most cases to give me an advantage. A few other starter things I like to do are start dirb and eyewitness to go grab a picture of the site. Let's not forget to go ahead and get some whatweb detection goodness. So far we've only found login and admin pages, so I think I'm gonna try to run FFUF to see what else we can find while we investigate ...