Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter

IppSec · Beginner ·🔐 Cybersecurity ·4y ago

00:00 - Intro 00:47 - Discovering a weird binary running in /tmp/ but it doesn't exist on disk 01:55 - Start of explaining dd copying things out of memory 02:30 - Reading maps to identify where the file is, showing how to covnert hex to decimal in bash 04:00 - File extracted from memory 05:15 - Copying the heap from memory and discovering it is mettle/meterpreter based upon strings 06:55 - Showing we don't need to use DD to extract the file, can just use the "exe" file in proc/pid/ 09:15 - Opening the elf in Ghidra and examining its decompiled output 12:00 - Showing what the file looks like in Cutter, which has a different decompile view 13:40 - Reading the Metasploit source code to identify what it looked like, to confirm what our findings from reversing 16:00 - Using MSFVenom to generate our own stager in order to confirm this is indeed what we saw on the box and that we extracted it correctly 18:50 - Using GDB against the stager to just practice reversing

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

Related AI Lessons

Why Businesses Quietly Accept Technology Friction as “Normal”

Businesses often accept technology friction as normal, but it can have significant impacts on productivity and security

Medium · Cybersecurity

The Model You Just Downloaded Might Own Your Network — What I Learned Building Defenses Against AI…

AI models from public repositories can pose a significant threat to enterprise security due to poisoned weights, and learning to defend against them is crucial

Medium · Cybersecurity

I Found Backdoored AI Models on Hugging Face — And So Has Everyone Else Who Bothered to Look

Backdoored AI models are prevalent on Hugging Face, posing a significant security risk to the AI supply chain, and it's crucial to secure it

Medium · Cybersecurity

The XSS Escalation Playbook: From Basic Reflection to DOM Breakouts

Learn to escalate XSS attacks from basic reflection to DOM breakouts with this comprehensive playbook

Medium · Cybersecurity

Chapters (12)

Intro

0:47 Discovering a weird binary running in /tmp/ but it doesn't exist on disk

1:55 Start of explaining dd copying things out of memory

2:30 Reading maps to identify where the file is, showing how to covnert hex to deci

4:00 File extracted from memory

5:15 Copying the heap from memory and discovering it is mettle/meterpreter based up

6:55 Showing we don't need to use DD to extract the file, can just use the "exe" fi

9:15 Opening the elf in Ghidra and examining its decompiled output

12:00 Showing what the file looks like in Cutter, which has a different decompile vi

13:40 Reading the Metasploit source code to identify what it looked like, to confirm

16:00 Using MSFVenom to generate our own stager in order to confirm this is indeed w

18:50 Using GDB against the stager to just practice reversing

VPC Service Controls: Day Two Operations