BTLO PIE

Blue Team Labs Online - PIE Walkthrough

Scenario: We’ve had reports from customers that their credit card details have been stolen! Some affected users have stated that we are the only company they have submitted these details to. Confirm if there has been a breach and collect key information – our reputation depends on it!

Tool: GNU/Linux CLI, Grep, PHPMyAdmin

Question 1: On which web page did the attacker discover the API?

Question 2: What is the name of the php file with the configured API?

Question 3: How many fields does the API return when a customer’s data is requested?

Question 4: List all public IP addresses that have abused this API functionality (List the IPs in ascending order, with the smallest initial octet first. Ex. 185.x.x.x, 197.x.x.x)

Question 5: What is the customer name of the first customer that had their data stolen?

Question 6: What is the customer name of the last customer that had their data stolen?

Question 7: How many unique customers’ data, based on customer IDs (cid), has been successfully accessed?

Question 8: How many customer entries within the database have NOT had their data accessed?

BTLO The Key

Blue Team Labs Online - The Key Walkthrough

Scenario: Peter, a programmer by profession, was always fascinated by Superhero movies from his childhood. He started a secret project at work without informing his Boss. Peter stored all the project files in his cloud account. His boss came to know about Peter’s secret project and asked the security team to investigate Peter’s laptop. But here comes the real headache, Peter’s secret drive is encrypted!

Tool: FTK Imager, NirLauncher, Arsenal Image Mounter, FRED

Question 1: What is the TimeZone of Peter’s Machine? [hint: Find the Registry Key]

Question 2: Superhero stories were introduced to Peter at his school. What is the name of Peter’s school?

Question 3: What is Peter’s favorite quote?

Question 4: What is Peter’s IP address and Computer Name?

Question 5: What is the name of the programming language Peter is learning?

Question 6: According to Peter’s Day plan, which task is “In progress”?

Question 7: Peter connected with his partner using TeamViewer. What is Peter’s partner’s TeamViewer ID and Display Name?

Question 8: What is Peter’s TeamViewer ID and Display name?

Question 9: What is the Password Manager used by Peter?

Question 10: What is the VPN service used by Peter?

Question 11: What is the name of Peter’s ‘Secret Project’?

Question 12: According to Peter’s documentation, what is the theme of the project?

Question 13: What are Peter’s cloud credentials?

Question 14: Peter accessed some files from a remote machine using a file transfer service. What is the login name and IP address of the remote location?

Question 15: What is the Bitlocker Recovery Key?

Question 16: What is the Bitlocker password? [Hint: Question 2]

BTLO Dot

Blue Team Labs Online - Dot Walkthrough

Scenario: Investigate the host (procmon) and network (pcap) logs captured from a compromised machine. Use ProcDOT to correlate both logs and answer the following questions.

Tool: ProcDOT, ProcMon, Wireshark

Question 1: The attacker downloaded a tool from github.com. What is the process that initiated the connection, and what is the file name it is saved as?

Question 2: PowerShell is used to download files from the attacker machine. What is the process ID of the PowerShell process that downloaded the first file? Also, what is the attacker machine’s IP?

Question 3: What is the port from which the second file was downloaded and what is the full path of the downloaded file?

Question 4: The attacker got control over the system after the injection. Assuming he used Meterpreter, what is the payload he would have used (written as selected in Metasploit), and what is the port?

Question 5: What is the PID of the victim process on which the injection happened?

Question 6: What is the PID and location of the main malware that initiated these actions?

BTLO Maldroid

Blue Team Labs Online - Maldroid Walkthrough

Scenario: Hey buddy, you are good with computers, right? Can you fix my phone? I installed an application, and all I see on my phone is that I have saved the required files on the Desktop. Please have a look.

Tool: APKTool, jadx, dex2jar-tools, bytecodeviewer

Question 1: What is the package name of the apk?

Question 2: Does the APK enable backups? If so, what file is it declared in, and what is the minimum Android version the ransomware affects?

Question 3: What is the name of the Android application?

Question 4: Can the application run on startup? What is its intent priority?

Question 5: What is the decryption key?