COBALT STRIKE Forensics: PCAP & Memdump - "Strike Back" HackTheBox University CTF 2021

80,337 views

John Hammond

2 years ago

Join HackTheBox and start rooting boxes! j-h.io/hackthebox
Find some tips and tricks on their blog! j-h.io/htb-blog
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond
If you would like to support the channel and I, check out Kite! Kite is a coding assistant that helps you code faster, on any IDE offer smart completions and documentation. www.kite.com/get-kite/?... (disclaimer, affiliate link)

Comments: 86
@_JohnHammond 2 years ago
UPDATE: HackTheBox has let me know that in the official University CTF game, (NOT my sandbox), they corrected the unintentional after the first couple of hours. The PDF was removed from the process dump, the downloadable was updated and the flag was changed -- so, the "unintentional" that I showcase in the first 10 minutes using Cobalt Strike would NOT have worked for you if you played the CTF after that. Sorry! The Cobalt Strike analysis is much cooler anyway 😎
@jacobelliott2420 2 years ago
I discovered this when I came back to it after downloading it earlier in the day and immediately found the PDF and felt like I had an easy win. Cue my sadness when they said "Flag Is Incorrect" 😢
@splintercelian 2 years ago
Same as Jacob. Flag wasn't working by the time someone from our team tried to submit it. But I get that for educational purpose it was better to modify the chall and go for the win with the intended way to solve the chall
@logiciananimal 2 years ago
It introduces an interesting "teachable moment" about how sensitive Windows memory dumps can be.
@DavidAlvesWeb 2 years ago
We should appreciate the fact that besides everything he has on his plate, he still manages to find time to create and upload these awesome educational videos for us! He's just the GOAT! ♥
@heatherryan9820 2 years ago
I wasn't bored at all, this is real life. You could have edited it and made it look like it was plain and simple, but you didn't. You showed the process of learning, which I think is really important.
@chrisclark5135 2 years ago
This was sick and SUPER helpful! Thanks John! More like this, more like this, more like this!!
@b4nd1t02 1 year ago
Hey John! I wanted to thank you for putting this together. This made going through a Cobalt Strike beacon very enjoyable and I learned a lot from this. Given how prevalent CS usage is these days, the ability to decrypt the traffic during analysis is very important and the walkthrough has been useful for outside the CTF purposes.
@SecTechie 4 months ago
John you crank out some of the best videos anywhere! Interesting, thorough and educational. Thanks.
@MrRandomg23 2 years ago
I am just amazed that John churns out this kind of content for free, so much respect for you John, Thanks so much
@ca7986 2 years ago
Love your work John!
@timothybadenach2411 2 years ago
Mr Hammond, you make me feel inspired and daunted at the same time lol.
@talbaraz8916 2 years ago
Great Video as always! The only part I was a little confused is when you used the 69-byte key extracted from the PCAP file to get the HMAC and AES keys, would have it worked with any of the other keys, or did you just get a lucky pick?
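The key question above, and the earlier remark about decrypting Beacon traffic, both come down to how Cobalt Strike turns one captured secret into two. Beacon generates a 16-byte raw session key and ships it to the team server inside the RSA-encrypted metadata; both sides then take SHA-256 of that raw key and use the first 16 bytes as the AES-128 key and the last 16 bytes as the HMAC-SHA256 key. Every encrypted task or callback is AES-128-CBC (static IV `abcdefghijklmnop`) with the first 16 bytes of an HMAC-SHA256 over the ciphertext appended. So any 16-byte candidate pulled from a memory dump can be tested cheaply: derive the two keys, check the trailing tag on a captured blob, and only the right raw key verifies. The snippet below is an added example, not code from the video, from HackTheBox or from Cobalt Strike itself. It uses only the Python standard library, so it performs the key derivation, the tag check and the parsing of the decrypted task layout (4-byte big-endian timestamp, 4-byte size, then `command id | argument length | arguments` records) but deliberately stops short of the AES-CBC step, which needs a third-party library such as pycryptodome. The raw key, ciphertext stand-in and task record are constructed sample values, and the command id 78 is arbitrary, not a real Beacon command mapping.

```python
"""Cobalt Strike Beacon key derivation and task-envelope checks.

Added example (not from the video, HackTheBox or Cobalt Strike).
Standard library only: the AES-128-CBC decryption itself, which uses
the static IV below, is not performed here and needs e.g. pycryptodome.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

AES_IV = b"abcdefghijklmnop"  # static CBC IV used by Beacon (for the AES step, not done here)
TAG_LEN = 16                   # HMAC-SHA256 output is truncated to 16 bytes


def derive_keys(raw_key: bytes) -> tuple[bytes, bytes]:
    """Split SHA-256(raw 16-byte session key) into (aes_key, hmac_key)."""
    if len(raw_key) != 16:
        raise ValueError("Beacon raw session key is 16 bytes")
    digest = hashlib.sha256(raw_key).digest()
    return digest[:16], digest[16:]


def seal(ciphertext: bytes, hmac_key: bytes) -> bytes:
    """Server-side shape of an envelope: ciphertext || HMAC-SHA256(ciphertext)[:16]."""
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return ciphertext + tag


def verify_and_split(envelope: bytes, hmac_key: bytes) -> bytes | None:
    """Check the trailing tag with constant-time compare; return ciphertext or None.

    Returning None for a candidate key is the cheap 'wrong key' signal when
    brute-forcing 16-byte strings carved from a memory dump.
    """
    if len(envelope) < 16 + TAG_LEN:
        return None
    ciphertext, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return ciphertext


def parse_tasks(plaintext: bytes) -> tuple[int, list[tuple[int, bytes]]]:
    """Parse decrypted server->Beacon data.

    Layout: 4-byte BE timestamp, 4-byte BE size, then repeated
    (4-byte BE command id, 4-byte BE argument length, arguments).
    Trailing padding beyond 'size' is ignored.
    """
    timestamp, size = struct.unpack(">II", plaintext[:8])
    body = plaintext[8:8 + size]
    tasks: list[tuple[int, bytes]] = []
    off = 0
    while off + 8 <= len(body):
        cmd, length = struct.unpack(">II", body[off:off + 8])
        off += 8
        tasks.append((cmd, body[off:off + length]))
        off += length
    return timestamp, tasks


# Constructed sample data (not from the challenge; command id 78 is arbitrary)
SAMPLE_RAW_KEY = bytes(range(16))
SAMPLE_AES_KEY, SAMPLE_HMAC_KEY = derive_keys(SAMPLE_RAW_KEY)
SAMPLE_CIPHERTEXT = b"\x00" * 32  # stand-in for AES-CBC output (multiple of 16)
SAMPLE_ENVELOPE = seal(SAMPLE_CIPHERTEXT, SAMPLE_HMAC_KEY)
SAMPLE_ARGS = b"whoami\x00"
SAMPLE_PLAINTEXT = (
    struct.pack(">II", 1638316800, 8 + len(SAMPLE_ARGS))
    + struct.pack(">II", 78, len(SAMPLE_ARGS))
    + SAMPLE_ARGS
)

if __name__ == "__main__":
    print("AES key :", SAMPLE_AES_KEY.hex())
    print("HMAC key:", SAMPLE_HMAC_KEY.hex())
    print("tag OK  :", verify_and_split(SAMPLE_ENVELOPE, SAMPLE_HMAC_KEY) is not None)
    print("tasks   :", parse_tasks(SAMPLE_PLAINTEXT))
```

In practice you would loop `derive_keys` over every 16-byte-aligned candidate carved from the process dump, call `verify_and_split` against one captured HTTP body from the PCAP, and keep the single candidate whose tag verifies; that is why picking the right string from the dump is not luck, the HMAC tells you when you have it.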
@BrenDinner 2 years ago
You just get me in the mood for netsec! Thanks for being my source of motivation, you’re awesome!
@Docsfortune 2 years ago
I forget which challenge it was, but it was one of the first 10 you do when loading into picoCTF. I completely bypassed the entire point of the challenge by finding the key with a phd [filename] and scrolling up. The key was in the far right column. PHD is a "pretty hex dump". I was supposed to use python or normal commands to interact with the file and ask it for help (which I did afterwards), but instead I bypassed all of that and found the key anyway in less than a minute.
@tobjasr6034 2 years ago
informative and fun as always! =) thanks John!
@viltran 2 years ago
Amazing skill there. Love it.
@hmod7389 2 years ago
I am so happy! At least one good thing about this Monday.
@cybersecurity3523 2 years ago
That was very good bro, keep going
@sweelyroot1779 2 years ago
Finally a new video John 😊
@ryanng55aa 2 years ago
Nice video! Learnt a lot!
@jaxson8262 2 years ago
NICE work John!
@NeverGiveUpYo 1 year ago
Great video as usual.
@gratefulnoumena1254 1 year ago
This was thoroughly interesting and enjoyable to watch ... Especially interesting because I'm threat hunting an active ransomware threat at work that's leveraging Cobalt Strike with the LockBit 3 ransomware payload at work. Also pretty sure that in the past few months of watching a handful of your videos I have heard you say the word "showcasing" more times than I have said in my entire life.
@TheH2OWeb 2 years ago
Thank you John !
@pinaibig 2 years ago
Thank you !!!!!
@0xmoaz 2 years ago
finally a new video
@_CryptoCat 2 years ago
all the hard challs as well plz 🥺
@VickyKumar-jg2lc 2 years ago
John, you're a real motivator for me
@davidmiller9485 2 years ago
As someone who used to frequent Usenet back in the 90's, "script kiddy" has really changed definition since it was originally used. (To be honest, the first time I heard it was on a BBS back in the 80's.) I'm really getting old.
@teddybear9152 2 years ago
Can't wait!
@andyli 2 years ago
John is back!
@0xissam 2 years ago
finally you're back god
@keithmwesigwa9742 2 years ago
I just can't wait :D
@peterzudel2420 2 years ago
I super appreciate your T-shirt John.
@ok-jq1jh 2 years ago
lmfao when the shell autocompletes the whole key your reaction is just like the dude in the meme spazzing out in his chair xD
@BatikanDulger 2 years ago
Sick!
@DcWHaT07 2 years ago
John, love the videos, thanks for everything you have put out. I have learned so many softwares from just watching. Doing write-ups watching you is so helpful for understanding where you go and why. Although! Don't make us wait a month! Hope all is well.
@sliceoflife5812 1 year ago
Equally impressive as it is terrifying.
@vasquezitosanchezito 2 years ago
Fantastic!
@user-ux7sy9jf4o 2 years ago
Amazing video, thank you for the instructive tips!
@kevinmitnick6423 2 years ago
Could you share that how did you set up your zsh shell? Many thanks!
@JB4lly 2 years ago
Hi John, thank you for another video! Why did you set it to unlisted?
@nagaprasadvr2893 2 years ago
Nice one
@notalessandro 2 years ago
7:50 the way he said "...or whatever learning value." in a very disappointed way made me laugh lol
@Rojawa 2 years ago
John remembered his password again
@kylekelley1450 2 years ago
He should add it to the rockyou wordlist, so he doesn't run into that issue anymore.
@viv_2489 2 years ago
@kylekelley1450 😂😂
@ilikeapple8551 1 year ago
Thank you for not editing anything out of it xD
@ethanhermsey 2 years ago
Soooo... I just watched jurassic park again.. Dr. John Hammond.. :p
@cater1337 2 years ago
awesome
@hossainratul9221 2 years ago
What microphone are you using by the way? :p
@JamesCollins90 2 years ago
The thing that baffles me is when he finds a certain type of file... and then proceeds to know exactly what to do with it, and 8 different tools that can read it and what each one does differently. When I attempted hackthebox back along, I acquired a file, then had 0 clue what it was or what to do with it... I got as far as opening in notepad and gave up. Ways to go me thinks.
@rdp8545 2 years ago
Late to the party but this was great!
@fannah24 2 years ago
Holy crap that was cool
@burekhacks 2 years ago
the laugh at 27:25 at reading BEEF lol
@jackysmith1376 2 years ago
I love your content. It's raw. I like it when you 'Learn on the fly'. When you learn, I learn. We learn together. From South Africa.
@TechnologyMakers 2 years ago
i love you jooohn
@FOGGY_403 2 years ago
Australia Gang, 2AM Gang!
@jorgevilla6523 2 years ago
Great to see CTF again. But love all your content.
@autumnqoqo 2 years ago
Nice
@securityresearcher3336 2 years ago
Bro where were you. Your last video was dated 1 month ago. I was waiting long for your video. Nice Video BTW.
@maside7165 2 years ago
Finally back. Thanks for the entertainment
@rationalbushcraft 2 years ago
Hahaha, I thought of the dump file for the key about 30 seconds before you did. That is a first, as you move so fast most of the time I am just trying to keep up.
@hannahprobably5765 2 years ago
OWWWW F...... YEAH :)
@sprBEAST211 2 years ago
At this point if John is a script kiddy then I'm a bacteria on a fleck of worm 💩
@XiSparks 2 years ago
Such good content!
@abepl 2 years ago
you should have a T-shirt with "If I can type" written on it
@mrrobot1o1 2 years ago
Lol, I have used Cobalt so that was really relatable for me. Now I'm gonna decrypt my traffic, what I have done with my beacons.
@stupiduser6646 2 years ago
XII Blimp Fleet is a Final Fantasy reference.
@debarghyadasgupta1931 2 years ago
With John Black Friday is 24x7x365 😇😁🙏. Respect 🤗😇
@bhaitabahi786 2 years ago
Waiting for the explanation, I struggled a lot in forensics.
@kele9127 2 years ago
Hi John
@gacekkosmatek 2 years ago
lets fucking goo
@osman_gedik 2 years ago
Can you please create a playlist named forensics? I really hope you do more forensics stuff in the future. Thanks in regards :)
@notmyname1486 2 years ago
Commenting for the algo.
@Docsfortune 2 years ago
15:20 The moment he messed up, and downloaded the malware.
@zikkthegreat 2 years ago
I *think* his name is pronounced "d-d-a" or deedee-eh, but no idea where the emphasis goes. Love these vids btw, thanks for sharing them with us. I learn a lot.
@IAmCandal 2 years ago
I've been doing this for 3 years, never found a bug. I'm done :)
@fedorp4713 2 years ago
Oh, you're still alive?
@The_Privateer 2 years ago
I'm curious what your definition of 'Forensic' is... since there is nothing about this that is actually 'forensics.' Data analysis? Yes. 'Forensics'. No.
@AXE0710 2 years ago
It's been a long time since the last video. What took you so long 🤔
@_JohnHammond 2 years ago
Life 🙃
@mikitawagner6694 2 years ago
only 2 dislikes XD