LIVE: C2 Hacking | Cybersecurity | TryHackMe
Key Takeaways
The video covers a live hacking session on TryHackMe, focusing on cybersecurity and command and control (C2) servers, with tools such as Nmap, netcat, and Cybersh being used to exploit and analyze the C2 server.
Full Transcript
Hamza is first today beating out Arubius. He must not be available today because I do not see him at the top of the chat. So, uh, well done for for beating that streak there. Hello everyone. How's it going? I just returned from a trip to New York City, which was a lot of fun. Did a lot of walking, like 40,000 steps a day on average. So, it's nice to be back in uh get back in front of a a terminal screen and and get back to work kind of thing. So, yeah, thank you. I'm looking forward to it. I'm curious to see how it uh uh how well I can do or or if it's just going to destroy me. But, um yeah, this is my sort of first day back into sort of uh getting practice in, so to speak. And we'll see how we do with this machine in a bit. So, while people are starting to jump in, hope everyone's doing well. Looks like everyone everyone's saying good morning from uh certain areas of the world and good afternoon from certain areas of the world. It's nice to see. Um let's do a couple of announcements while we're at it, while people are joining. Um because there's quite a lot going on uh at TCM these days, especially with uh our Black Friday stuff. And so, you can see that ticker uh has been applied there. But what I'm going to do is just share my screen for a second. because yes, I'm sure a lot of you have have heard in the past uh probably week or so, uh we're having our big Black Friday sale. Um probably our last big sale of the year. Uh and this is like truly the big one, right? You can see uh all of this stuff. Um you know, there's a there's a ton going on. Um we even have things like exclusive bundles, right? So, uh we have the professional pentester bundle. So, you can see all of the differents that uh this is going to come with along with, you know, all of the classes. So we have over 70 hours of uh lifetime access to all of the training that comes with these certifications. So you have things like uh you know the PJPT, PNPT, even the web stuff, right? PJWT, P uh PWPT, um even the the OSENT certification, right? The OSENT researcher. So um all of this sort of bundles in uh and you even get the practical career ready professional certification as well, which is like again our our six most popular pen testing certifications. This is just a really good deal uh for that kind of side of things. And also we have the ultimate hacking and defending training bundle which basically includes everything 10 certification exams and all of the training that comes along with that. Uh you even get the PJSA involved in there uh which is uh the certification I put together. So um yeah uh I would definitely recommend this one if you really want to get the whole breath of uh you know the different training we offer and this is probably the best time to do it as I said because we have some crazy bundles going on uh right now. Uh we also have a lot of live stuff as well, right? Um, and I will mention obviously uh we have 50% off everywhere on the academy along with 20% off all of the uh certifications academywide as well. And also 20 20% off the live trainings, right? So uh there's so much for me to cover here, right? So all of our live stuff, we have uh the active directory live training coming up in the new year. So that's going to be uh when is that going to be? February 7th. That's going to be hosted by Heath. Uh, and that's probably our most popular uh, live class um, because not only are you learning how to hack Active Directory, but also how to defend and mitigate some of the attacks that uh, Heath demonstrates in the in the training, which is really cool and and you get that benefit of having the live labs as well uh, in the cloud. And we also have the sock level one live training, which is going to be our first iteration of this. Uh, really excited for um, you can see if we go down to the curriculum here, it's going to be a jam-packed four days. um of just pure practical knowledge, right? So, uh a bunch of different tools going to cover a bunch of different methodologies and different uh areas of security operations. So, um uh it's going to be it's going to be a fun time. It's going to be, like I said, a jam-packed uh four days of training there. You also get the sock course with that and I believe a uh the exam certification for the PJSA as well. So, it's kind of going to prep you for that, but also uh really be that kind of um fast track into uh learning everything you need to for uh uh you know, getting into security operations. So, I'm really excited to host that training. It's going to be pretty different and pretty interesting. I'm having some uh really cool labs built up for it and some uh kind of like ticket based stuff as well. So, I'm really excited for that. But I think that is my spiel and we can get back to some questions and um uh in a second we'll get to the uh try hackme room as well. So um thank you for for listening to all of that. Uh hopefully I didn't miss anything but uh yeah, let me maximize myself again and get back to the chat. How's everyone doing? We have some questions. How to get into cyber security? Well, this is probably a question we get at least five times per stream and uh honestly the best advice I can give you and selfishly this is uh uh you know all of he work basically if you look at the YouTube channel we have a lot of these long form videos for uh different road maps into uh ethical hacking and uh it it also depends on which way you want to go right so um I would suggest um you know looking at the most recent uh uh 2025 uh ethical hacking guide that we just put out um week or so ago. Um it's just here on the YouTube channel. It's a long form video and and you'll basically learn every different area you might want to go into and different resources and lowcost um ways into getting into the industry, right? Because there's a lot of different avenues you can take with just getting into cyber security. It's a very big umbrella, right? So, uh if you want to go into the ethical hacking side, well, we have resources for that. if you want to go into the blue team sort of things, there's a lot of stuff these days uh to start getting your feet with that with that kind of thing and it's something we're continuing continuing to develop at uh TCM as well. So, same kind of thing here. Best advice for beginners um honestly just uh research uh you know try to figure out what kind of avenue you want to go down. Um you know there's some uh something like the security plus uh or kind of equivalent will help you get uh sort of involved in all the different aspects or of security operations or even um you know penetration testing the blue team red team that kind of thing and try to figure out what niche uh you're kind of interested in. It doesn't have you don't have to get super specific or specialized but um uh the sooner you can start focusing on what your you know end goal is in say the next 3 to 5 years uh that's when you can start pinpointing on you know what kind of uh training you might want to go for what kind of uh you know experience you want to gain what kind of uh labs or whatever you want to work on that kind of thing or projects. Will this live event be recorded? Yes, it will. Um, you should be able to find it after uh the live stream is finished. You should be able to find it under the live tab uh on the TCM security page on YouTube. We have ping in the chat. Hello. Hello. Welcome. Regarding the PJSA, the exam is 48 hours, but how long you reckon the study might take for a beginner? Uh, yeah. Honestly, it really depends um you know how what you what you're coming into it is, right? So, if you say you're beginner, if you've never touched anything before, this is like your first kind of course or foray into defensive operations, um, you know, the study's going to take a bit longer than someone who has been in the field, say, for a year or so, or has maybe had a security operations center role. But what I'll say is everything on the exam is in covered in the course, right? There are no surprises. There are no um, you know, wrenches that are thrown or or left turns that you're not familiar with. Um, everything in one way or another is in the course. So I would say um even just talking to people who are you know gearing up for the exam and studying um you know as long as it takes you to get through the course is pretty much the preparation you need right so uh some people like to you know watch the lessons at double speed myself included so um you know you can get through the course quicker in that way but um what I will say is don't just watch the videos do the labs build out your own lab environment uh and do the challenges as well because that's going to be relatively the closest thing um you might get to uh what's being asked on the exam. Not in the same kind of way. It's going to be more of a report structure, right? So, make sure you read up on the requirements for the exam, but in terms of the actual practical applications, it's going to be pretty similar. Oops. How long should the class for the PJ PTJ? I'm actually not sure. Um I haven't taken it. So, uh that would be a good question for probably Alex or Heath when they're on next time. Hopefully next week. But um honestly, with every certification, like there's no set, you know, do this many hours, put this many hours in and and you know, you'll get this kind of grade, right? Obviously, but um honestly, it's it just comes down to feeling confident, right? So if you've done a number of labs and uh number of rooms in preparation for the exam um and you know basically everything that's going to be covered uh so you went through the course in good detail, you took good notes uh cuz remember right these are all open book exams so you have your notes to uh go over uh you can always return to like a lesson if you need to brush up during the exam and you're given a lot of time on these exams typically right so um it just comes it's hard to say right it just comes down to when you feel ready um and everyone's different you know someone's going to be you know prepared for in a week and it might take someone else a month or a couple months, right? Good question. Um, do you have any tips for an old man? 40 is not old. Um, with experience in IT. Yeah. So, I mean, you said it right there. You have experience in IT. That's basically, you know, better than prerequisites for a lot of people, right? So a lot of people are getting into cyber security and they don't even have an IT background. And you know I know a lot of people say like you don't need to have an IT background. You don't need to go through you know help desk or cis admin kind of stuff to be a good pentester or be a good you know um you know security engineer analyst and that's true you don't. Um but again that experience is only going to help you in the long run. um you know when when I was hiring for uh was when I was on the hiring team for different sock analysts or engineers uh we would like to see people with uh you know assisted background because especially on the engineering side if you're actually configuring um you know machines and and security applications and controls and doing things like detection engineering as well um you know having an an understanding of the systems that you're actually uh you know monitoring or uh configuring is obviously a good thing. So, uh, if you have a lot of Linux experience, that's really good. Um, so that sort of cisadmin kind of stuff. Um, and so I would use that your previous experience and sort of leverage that in a way to where you can sort of um, you know, find out what or you can sort of frame what security stuff you've done in the past, right? Because if you're a systemman, you're doing a ton of security stuff even if you're you know, your job role is not a security engineer or whatever. um you know if you're doing access uh you know identity and access management if you're hardening systems all of that falls under the umbrella of security and that's all stuff you can leverage um you know come to an interview or come to uh you know uh building up your resume that kind of thing so um that's what I always suggest is um even like developers right so if you're uh doing secure coding right you're not a security analyst or engineer but uh you can leverage your past experience and the security applications you do in your current role and sort of um bridge that over to an actual security role. All right, we will hop over to the box in a second. See if I missed anything pinned. Uh I'm from Pakistan. There's no scope for penetration testing here. I'm 18 years old. Well, you know what? Fact that you're 18 and getting into this is really good. Um you know, it wasn't I wasn't uh I was much older when I started getting into cyber security. So, uh you have sort of the years on your side. Um you want to build a career in pentesting, but your student cannot afford to buy college shirts? Yeah. Uh it's definitely hard especially um when things aren't localized, right? So um you know pricing of courses or whatever um localization plays a big part into that and it it can be really tough. Um but fortunately um which was not really the case many years ago, but there are a lot of free uh stuff that you can get into with cyber security, right? Like we're going to do a tryhackme machine today. Um and try hackme has a number of free um not only just CTFs like those boot to root machines, but also you know learning machines, right? learning paths and learning uh rooms that you can go through and actually pick up things uh you know learn what a C2 is or different C2 frameworks or um you know anything really there's a lot of stuff that's uh requires a subscription but again there's a lot of stuff that's free um even last week we did some blue team labs online stuff uh we did a box from uh we did like memory uh analysis using volatility that was a completely free room right so uh there's a lot of stuff that you can leverage these days that won't cost you a thing other than your time and uh you know a VPN connection in some cases And not to mention all of the free resources we have at TCM, right? We have the free tier. We have a number of videos that I mentioned earlier on the channel um that are all sort of geared to um people in your scenario, right? So, uh folks that can't afford costly trainings uh or you know, certifications there. There's a lot of things that you can still do to pad your experience and and skills. There's Arubius. He finally made it. Yeah, you're not first today, unfortunately, but you still made it. Best of luck with handing over the reins on your last day. And congrats, by the way. All right, let's start moving over slowly into this machine. Um, because again, I mentioned we're going to do some hacking today. Uh, we've been doing some blue team stuff every time I've been on the stream, which obviously I love to do, but I figured uh because it's been a few weeks with no Alex and I know a lot of you are here for the the uh the hacking kind of realm, I thought I would uh give it a go for the first time in a while and see how much I can struggle and maybe learn from you guys as I as I struggle through this machine. But let me get this up. So, this is the machine that I want to do today. Um, and forgive me if Alex has already done this machine. I'm sorry. I uh uh tried to go back and look which ones he'd done, but uh it's possible he might have done this before and some of you recognize it, but I haven't. So, we'll figure it out as we go. Um, yeah, it doesn't seem familiar to me. So, this might be a new one and this might be great. So, it's called Forgotten Implant and uh the link is probably going around in chat if you want to follow along. Um, but basically I I was just going through uh the different challenges or CTFs on try hackme and this one seemed really interesting to me because uh it deals with a command and control implant and sort of from what I gathered from the summary here we're hacking back into a machine that's already been compromised which is always fun. So we'll get started in a second. And the thing that really drew me to this machine is uh where is it? It's a pretty straightforward room, right? So hopefully for the first time getting back into this, I won't struggle too hard. However, the initial attack surface is quite limited. Um and that's interesting, right? Because I remember doing a lot of boxes where um especially on certain exams where you would scan a machine and uh you know 20 to 30 ports would be open and you just have no idea where to start. Uh, and that can be challenging on its own, but maybe the reverse in where there's like, you know, very limited attack surface is also going to be really challenging. So, uh, we'll see how that compares. Um, and probably more realistic, right? If you're scanning a machine, uh, in the real world, you know, typically, unless it's really badly configured, you're not going to have 20 or 30 ports coming back with a bunch of random stuff running on it, right? So, that's kind of, uh, a more realistic setup perhaps rather than, uh, maybe a more gamified um, box. So, we'll see see see how this uh see how this goes. Oh, looks like I got a question pinned on here. I might have accidentally misclicked that. Any suggestions? It's a good one, though. Any suggestions for projects that would be good for an entry-le stock? Yeah. Um, it's a ton of stuff you can do. I mean, uh, a lot of stuff we cover in the sock 101 course, obviously. I'm pretty sure you've gone through it. So, uh, any of that is I kind of consider project based stuff, right? if we're um looking at malicious network traffic or a compromising machine looking on the endpoint level trying to uh trace malware and stuff like that um even like setting up a SIM uh you know that's a huge project and you know it can take you so very far um once you have something set up like that and you can you know continue to use it for different projects but um if you Google or sorry if you go on YouTube and look up my DF DFIR or my he has a ton of videos or at least he has a few really good ones about Um, exactly your question, like entry- level sock projects specifically. Um, and he goes into uh, you know, things like setting up a SIM, but also integrating it with other security controls as well, which is kind of that missing link, um, that, uh, if you want to get into the more engineering side of things is going to be really useful. So, how can you actually integrate, you know, one security uh, controller application into another? How can you have, you know, events forwarded from one system to another and sort of uh, you know, do more workflow kind of stuff? So, um, that's what I would suggest. There are a lot of, uh, really cool videos and my defer is a great example of a, uh, a page that that covers a lot of that stuff as well. I think that would be a good blog topic as well to go through some, uh, you know, uh, not basic, but, uh, foundational kind of projects that would be really good for a resume. All right, let's hop into this machine and see what we can do. We just have a user and root flag, so that that's going to be fun. Cool. No prior knowledge of command and control, you might want to look at the intro to C2 room. So, you know, if you don't know what a command and control is, we can kind of think of it as like a system that an attacker would use to remotely control uh either one or a set of compromised devices, right? So, it's kind of a central hub or a central server um that they can communicate with uh an infected system on, right? So, um we might have like beaconing traffic where it's one way, right? or the kind of heartbeat kind of thing where it's coming from a compromised machine back to the attacker to basically say, "Hey, you know, I'm still compromised." Uh or more more commonly, we'll have two-way traffic where we can or the attacker can actually send commands to any of its compromised endpoints and actually get the responses back, right? So, um sort of sending data back and forth and oftent times there'll be a number of common protocols that sort of C2 will communicate through. So, uh you'll commonly see HTTP or HTTPS traffic. to sort of mask it as normal web traffic. Uh you might see uh sometimes DNS tunneling kind of thing. So um actually having the requests and responses into normal seemingly normal DNS traffic to sort of evade um uh detections because you know commonly an organization is going to have a ton of DNS traffic going on. Um even things like I've seen Discord-based C2 servers like so using different cloud or social media kind of things to um send and receive commands which is really cool. So uh I would look that up if you're curious. Uh, just look up Discord Command and control or something. There's there's probably some good write-ups on that. It was really really interesting a while back. What room are we doing? We are doing what is it called? Forgotten implant on tryh hackme. Probably going to struggle through it because I've not hacked a machine in a long time. So, we'll see. Looks like I'm on the VPN. So, we're ready to go. Let's make sure we can access the machine. There we go. We're getting response. Cool. A virus total C2. That's funny. That's kind of uh ironic. I got to look that up after. That's funny. All right. Looks like we have connectivity. Uh I guess I'm just going to run uh an endmaps scan uh against the target and see what comes back. Again, it's saying the uh attack surface is going to be pretty limited. So, I'm wondering what we actually get returned here. Do not worry, Martin. You're not really late. We're just getting started here with the machine. So, just trying to figure out what attack surface this machine has before we proceed. Nothing. Absolutely nothing. Okay, maybe this will be a little difficult. Uh, well, let's try every port and run pseudo and map. Man, it's been a while. I'm rusty. Uh, paste in that IP and let's get some verosity going just in case anything comes back. Maybe also a UDP scan as well. Um, because what I'm thinking is well, let me get this started. uh pseudo end mapap uh su for UDP and we'll get that verbose as well. I hate doing UDP scans take forever. Um so what I'm thinking based on the name and the fact that uh we'll have to find a way of interacting with the system. I was thinking there's maybe something listening uh for a you know a an attacker compromised this machine. they installed some sort of uh C2 that's beaconing out and we sort of have to leverage that and exploit it um after it's been forgotten I guess and probably get uh code execution that way. So I'm thinking maybe a UDP port is listening or uh some sort of non-standard port but it doesn't look like it unless we just have to wait a long time. I'm hoping not because that would be very boring. But fortunately, while we wait, we can answer some questions. Do you think that this machine is hard? I'm not sure. It I mean, it could be, right, depending on Sorry, throat's killing me from uh all that travel over the weekend to New York. Um, it could be, right, depending on the attack surface. I think it's going to be a hard entryway or an entry point and then hopefully from there on it's going to be pretty straightforward. Uh, but it is a medium-rated room. So, I didn't go for anything hard because again, this is my first time in a while doing any kind of hacking like this. Can you explain the commands when you're writing them? Yeah, sure thing. I love to do that. Um, I might forget at some point, but in this case, we're just running end mapap against every port instead of just the non-standard ports. And I'm adding super verbosity here just in case anything comes back. I don't need to wait for the entire scan to finish to get the results. Uh, same kind of deal here just with SU. We're looking for UDP ports. Which VPN do you use? I just use OpenVPN uh on Cali and I'm just using the uh the you know the tryh hackme configuration file that they give you. How do you get to open new instances in a tab not in a new window whenever I try um in the terminal mean? Right. I just press control shift and t and then it just opens up a new one. just keep keep hitting control shift and t and it's going to open up a bunch of uh terminal windows there. It's a nice uh shortcut when you're doing a bunch of things like setting up a listener and then you know setting up a a web server or something in one one tab. I know a lot of people use things like terminator and I know there's another popular one, but I've never I've never gotten used to those things even like on the OCP exam. I was like trying to learn it while I was also learning how to pass the exam and I was like this is just information overload. I'm not going to remember how to do all this. You'll find I keep things mostly simple, you know. I don't even use auto recon or like uh uh rust scan or anything like that. I just keep it basic. It's done me well for for for this this long. I don't think we're getting anything back here. Um, I'll cancel UDP1 because I'm pretty sure they're not going to make us wait that that long. Maybe they will, but that won't be a fun stream. Uh, what I wanted to try is, uh, we can try netcat and try to see if we get anything back. Like, so end map is reaching out to these ports, right? And apparently it's not getting anything back. Uh, everything's closed. Connection was refused. I want to see if there's any like banners or something that are being returned that maybe could be useful for us. Um, but again, if there's no ports open, how the heck are we going to get in? Unless we'll have to see. Unless it's reaching out, right? But I'm trying to think of how that you would even do that. Um, sorry, I keep clicking on uh I keep clicking on things accidentally. Sorry, I'll get to questions uh when we have breaks. Um, so I'm thinking it might be reaching out, but again, I'm trying to think of like the try hackme setup and how would it know what my IP address is, right? unless it's reaching out to every IP on the subnet which would probably be uh not a good thing right so I'm wondering how they do that uh so let's try netcat against this IP address let's try 80 with tac v there to get a verbose response uh connection refused do we get anything is there like more probosity no uh let's try 443 again just common ports that C2 traffic is usually on um even things like 8080. No. Okay. Fun. Um okay, I'm going to cancel that in case I mean I don't think that's the the play. I don't think there's anything open, but I'm still going off this theory that something is reaching out. So, what I can do is run TCP dump. If I can spell, if I can spell um and I want to look for anything uh what is my on E0 actually I can do anything doesn't matter actually it should be ton zero right but I'll just do any uh source host should be the IP address I just want to see if anything is like what's happening when I reach out to this machine is there any kind of banner or is anything, you know, coming back? Is there any packets that might be missed? Um, that's kind of my goal at this moment. Uh, and so let me try that again. We'll try to reach out with netcat on port 80 connection refused. Um, yeah, we can see here it's just getting the reset flag there as you can see. So that's why uh uh that's why uh it's thinking that it's closed when we run end mapap against it 443 probably same kind of thing right yeah 8080 let's try 22 usually SSH would be open on these machines right Yeah, just getting reset. Uh, well, maybe we have to wait and uh run end map. Was there something I missed in the end map output? Where was that? No. Oh, we did get Okay. Reset. Reset. Reset. What was this one from ours? No, this is the target IP, right? 10241233. That's coming to us on port 81. What? Did I do a typo? Port 80. Oh, okay. Maybe we found something. If that's reaching out to us. Okay, there. Yeah. Yeah, that's got to be it. It's reaching out to us on port 81. And there was a sin. Yeah, there we go. There's another one. Okay. How is it doing that? I'm just trying to think of like how this machine was built. Uh maybe when we ran an end map, it triggered it to reach out to us. I think that's kind of not the point, though. But it looks like something is reaching out to us on port 81. And I'm assuming based on our end map results, this is probably the way in. Uh, so let's see. We're getting some sin packets, right? So I'm just going to set up netcat. Uh, I'm going to listen on port 81. And I guess we have to wait cuz that if we look at the time, yeah, it's every minute assuming. So what I think is happening is uh there was some sort of command and control implant or uh some kind of persistence or whatever that was installed on this machine in theory like in the scenario here and uh it's reaching out to our IP address for some reason uh after the fact and I guess they the the attacker who originally compromised the machine forgot to remove that artifact and it's still reaching out. Oh, there as you can see here on port 81 making an HTTP request with a get for this random URL and it's yeah it's looking for our IP address right yeah on port 81 it's using Python requests to actually make that connection and this is the URL and this looks like B 64 right so let's see let me copy that I think yeah we have to kill that and what we can do is figure out what that is. So I can echo out uh that B 64 string. And the reason I think it's B 64 is you can just kind of tell if you've seen enough B 64. Sometimes you'll see um equal sign either one or two equal signs at the end of a string as sort of padding characters. That's another tell as well. You can just tell by the uh type of characters that are being used. So what I can do is echo out that string and then uh just for verbosity sake you can see we're just echoing it out to the standard output. Then we can base 64 decode that string. We're getting some JSON. Interesting. Yeah. So this is definitely C2 traffic. Um oftent times you'll see like a JSON object like this and it'll contain things like the timestamp of the you know request or response. Uh it looks like we have some information about the system that was compromised. So the host name is forgotten implant. It's running Linux. Um and then we have some interesting OB an interesting object here uh for the latest job. So we have job ID of zero. Uh looks like it's running a command or requesting to run a command or either sending a response back but it looks like uh you know it's requesting to run a command of who am I but it was not successful. Okay. Why not? Looks like we might have to. Now I'm thinking ahead. Okay, let's see why that was uh success equals false. Uh so that was just netcat, right? So I was looking for that connection and once we got that initial connection, it kind of dropped, right? Uh but if we look back, uh I think I cleared it. I have a bad habit of that. It looks like there were multiple uh sin packets, right? So, what I'm going to do instead of using netcat is I'll just set up uh a Python ser web server on port 81 uh http-server. So, I'm just calling the hp server module to set up a listening web server on port 81. And now I think we just wait a minute and we should get some more information or uh at least if there were multiple requests we should see uh some more stuff here. It's just more, you know, uh, stable than just using netcat that's going to bind to that connection. Oh, looks like we have something. Just checking the chat. Yeah. Awesome. Why can't I run live streams on two times speed? Uh, think about it. Uh, if I could, that would be awesome. If I could uh uh deliver a live stream at at twice the speed and uh have you guys speedrun it live, that would be funny. Uh, but honestly, once the uh stream is finished and uploaded to YouTube, uh like the VOD, you can then watch that at double speed. But because it's live, obviously, uh uh even though I watched Back to the Future on Broadway over the weekend, um I cannot time travel, unfortunately. I don't want to hack. I want to learn defense. Nice. Um yeah, we do some some blue team streams or at least I' I've started to do some blue team streams on here. Um if you go back to the previous stream last week, uh we did some memory analysis. A couple weeks before that, we did um some ransomware uh investigations using Splunk. Um so uh yeah, we definitely have some blue team stuff building out. All right. So, it looks like we have some requests here. Uh, so this was the initial get request with that B 64 string. Uh, I'm assuming it was different than the original one. Yeah, we have a couple here. So, I'm going to see if anything is different about these. I'm assuming because we have that time stamp uh timestamp attribute, they're going to be different. So, I can just do look up diff checker and and paste in the two strings. Whoops. to see if there's any difference. Ah, stop it. There we go. Wow, that's really laggy. Why is it so slow? Yeah, they're different. I'm assuming because of the time stamp. Okay. Oh, that might be really annoying actually if we have to like um you know craft our own. I'm thinking we might have to like serialize our own B 64 string to sort of exploit the uh uh this heartbeat here and sort of instruct the mechanism to like run a command that we want. Uh if we have to like anticipate what the time stamp is going to be, that's going to be super annoying. Um I hope we don't have to. Okay, but it makes that request. So we just have multiple iterations of that same thing. Uh so it's making a request to that string and then it's getting a 404. Obviously we don't have you know this path on our web server. Um and then it's making another request for get job with this string here. So what is that? That's interesting. Let's see what that is. So I'm just going to again echo out that string which again is B 64. You can tell by the padding here. Uh, and then pipe that over to base 64. TAC D to decode and it's just the word latest. Okay. So, what if we h the heartbeat is the only thing I'm concerned about because what happens if we don't because how am I supposed to anticipate this string? Uh, unless I know what the time stamp is going to be to probably to the exact second because or the exact millisecond. Nah, that can't be it. That's going to be too hard, right, to anticipate what this is going to be. And then we set up our own uh, you know, page or path on the website with this string. But this if we can uh exploit this string here and sort of set up uh so if I set up a directory on our web server called get job and then I set up a file called this which is latest in B 64. Uh maybe we can then leverage that to tell it to run commands that we want. Right? Maybe that's how the actual C2 worked originally in this scenario and we can sort of exploit and leverage that to run our own commands. So let's see. Uh so what I can do I don't need that anymore. I guess what I'll do is create that folder then. So I'll make a directory called get-j job. And then if we go into get-j job uh we just need to create a file with this name. Right? So I can touch to create that file. Just going to be an empty file for now. And now if I have to go back one. And now if I run our web server, we shouldn't get a 404 at least for this request now, right? It should actually find something. So let's see. Uh yeah. Okay. So it's making another request now to job-res. Um because again we can see a 200 here. Before it was a 404 because it now exists. And so now it's making a third request here to job results with this string. So again, let's uh decode this and see what the actual result was. Uh so what I'll do is just echo out again string we got and decode it. Success false. Okay, JSON error. Okay, so it's expecting some JSON in that weird file. And based on what we had originally with this heartbeat, we kind of have uh we kind of know what the structure might look like, right? So uh again, instead of this string, let me echo out that heartbeat string. You can see we have a JSON object here. What I can do is copy this over to Cyershe and sort of make it look uh easier to understand. And if you think about JSON's just like key value pairs, right? You can have objects inside of that, which it looks like we have here. So, what I'll do is look up beautifier. JSON beautify. Yeah, there we go. And now we're getting some syntax highlighting, as you can see, uh, as well as, you know, some some spacing and padding makes it look a lot easier. So, we have a couple of, you know, subobjects inside this JSON object. So, we have the time, which I'm hoping we don't need to mess with. Uh, system info. again we don't really need to care about and then latest job uh is going to be in this case command who am I but it's return returning as uh uh incorrect JSON yeah so we need to basically uh what I think is we need to take this JSON object and serialize it kind of in B 64 uh no what do we need to do we need to set this JSON object as the contents of that file we created or the file we touched right so that's going to be under get job I think so we have this file here and inside this file we need to you know paste in this JSON just as a proof of concept if we do that we might figure out you know the results to who am I I'm hoping when we get the job result does that make sense to all of you or am I just am I going crazy. So, I'm going to try that. Uh, so let's edit this file. Currently empty. I'm just going to paste in, as you can see, uh, that string just as a proof of concept. Brit is crazy. She can't tell me. That's okay. We're all a little crazy. Can you please list these sites you're using? Yeah. Um, trying to repeat what you've learned. Yeah. So, uh, yeah, obviously the the site that we're doing this box on is try hackme. Um, the site I was using to, uh, figure out the the differentials between those two strings, uh, is just called diff checker.com. And basically, you can paste in two different strings and it'll tell you, uh, if there's any difference between them. And the reason I use this is just cuz I had that long B 64 string that I couldn't really tell if there was a character different than the other one. So, just a quick way for me to check if anything changed, which we found out it did. Um, and then for here to basically format this better, I'm just using uh Cybersh, which is like a really useful tool for uh if you have to do any decoding, right? So, typically we've been just echoing out strings and B 64 decoding them in the terminal. But we can also do that just as easily with um cyershift, right? So, I can just search for B 64 and we can uh drag in this here to basically decode it. It's not going to work because we don't actually have uh B 64 string, but it's very useful for doing that kind of uh manipulation with data. And that's just if you just Google cyershift, it's kind of a weird UR URI. Um gcq.github.io. Break it down a bit once you resolve. Yeah, if we hopefully get root on this machine, I'll I'll uh basically retrace everything we've done. I think we're on the right path though. And so what I did just recently was uh edit uh I edited this file that we created that the C2 implant is expecting to connect to and I pasted in just this base uh just this JSON object that we found earlier just to see if we can get the result of this who am I command. And so if I go back to our web server, we should see the job result here. uh and we can see what that entails. Actually, let me use Cybersh for this. Um just to demonstrate, we can use different tools to decode stuff, right? Uh so I'll paste in that B 64 string and then I'll just drag over from B 64. There we go. You can see success false result encoding error. Okay, interesting. Oh, maybe it does have to be uh basic for encoded. Yeah. Okay. So, what I can do is what do we have here? Yeah. So, we don't actually need to uh base 64 decode this. So, what I'm going to do is change the uh contents of uh our get job and then this IMX file and I'm just going to paste in directly the B 64 string. I think that was the issue. Um, now if we cat out get job under IMX, we have a B 64 string that it's expecting. Okay, I might have just overlooked that. So now we'll wait for another request. It looks like we have a new one here. It's a lot longer. That's a good sign. Um, we'll see what we get. So, same kind of deal. Um, job ID zero, command, who am I? Success false. Result, no command. That's not true. We had a command command equals who am I? I think we need to alter the command. Yeah, I think so too. My next thought was um this job ID might need to increment or something. Maybe that could be causing an issue. So, I'll try that next. Uh could we put a oneline reverse shell in that JSON file and get it executed? Yeah, that's that's what I'm thinking. Once we can sort of get a proof of concept, if I can return the result of who am I, then we'll know that we have command execution and then we can start messing around with uh actually popping shells with it, right? So that's usually my methodology is I try to like get the most basic uh proof of concept out of the way. Um you know, just running something like who am I? There's not a ton of variables there that can go wrong. But if you're just starting out trying to get a shell on the first try, um there could be a number of issues as to why you don't get a call back, right? could be maybe a typo, maybe uh um you know it needs to be encoded in some way or uh you know the special characters that are messing things up or maybe just you know the method of shell that you're getting isn't working on the machine for some reason. That definitely happens. Um so just some running something like who am I first or even like host name or you know a simple command uh helps us build up um to to to doing more things once we figure out that we do in fact have execution. What are ways to deoffcate PowerShell commands? Uh there are a bunch of different ways. Uh a lot of times you'll see B 64. So if you see like encode uh like dash encode or encoded or whatever in a powershell command, it's usually uh they're trying to obiscate something. Oftent times it is legitimate, right? So B64 is used all the time for legitimate purposes. It's a good way to transfer information or data across the network. Um, but that's an uh one way you can figure or you can sort of start to deoffiscate stuff if they're using a lot of B 64 which you actually see in uh a lot of um uh like payloads or droppers. Uh so that can be a way. Um sometimes you know it's just difficult like they'll uh run it through different uh you know compilers or um offiscators that make it really difficult to understand what variables are what. Uh they'll have like a variable named a and you have to like trace that back. So it can be difficult. Um but there are there a bunch of methodologies. It can be a time uh it can be a time in uh intensive process as well. But yeah, right way to think definitely. Yeah, that's what we're going to do. Once we get code execution, we'll we'll throw in a shell there. Uh but let's try to figure out why didn't work. So I'm just going to edit uh actually let's use let's use cyershe for it. So, uh, I'm going to decode this, and then we can paste that in here. And we can use this to mess around with, uh, uh, our payload here. So, I'm going to make sure we're encoding this B 64. Uh, that's actually the wrong string. We need, uh, this, I believe. Uh, so what I'm going to try is change job ID to one and see if we get anything different. So now what I'll do is just paste this back into our file and we'll wait for another call back. Make things more clear. I'll just start up our server again. Can I paste something to a file created using echo and redirecting? Yeah. um you can uh but you would need to well it depends what you're trying to do right um the double arrows that you have there is going to append to the file uh if you want to completely rewrite the file with whatever output or standard output you're piping into it uh you just want one arrow like I did here um so what this is going to do is take this entire string and completely um replace the contents of this file with just the string if I were to use two arrows it would like add a new line and then add this second string which we don't What's the name of the CVE? Uh, it's not really CVE. I think we're just exploiting um I think we're just exploiting a a command and control uh agent that someone left on a server in this scenario, which is kind of interesting, right? Uh so let's go back to our server, see if we got a response. There we did. And see what it says. Okay, I'm going to use this tab for our decoding and the first tab for our encoding. Uh, so from B 64, no command. Okay, still nothing. Yeah, there you go. So the the one arrows overwrite, two appends to the bottom of the file. Okay, so maybe we don't need maybe we just need the job, right? Maybe we just need a single object with this. That's my next guess. I don't know if the job ID is affecting anything either. So there's a there's actually a few variables at play here. So let's just try to keep it simple. We'll just run uh this single JSON object of job ID equals 1 command equals who am I? Let's see. So same kind of thing. I'm going to paste in that new string and overwrite our file there using that single arrow. I could just go into like nano and and you know uh clear out the file and paste it in but again it's a lot quicker just to do it um using a single command right so we'll just wait a minute let me clear out uh our server and start again Victor from a defensive standpoint how would you go about this if someone I'm assuming if uh you know if this was on a actual server, someone exploited it. Uh I guess we'll see um once we get execution if uh this is actually the right way to do it. But in my mind, um yeah, I mean this is just an example probably of uh uh an organization not realizing they've been compromised or an organization that got compromised and didn't uh you know back up accordingly, right? uh maybe they uh you know removed traces of the initial infection but again they forgot a persistence mechanism or they forgot an implant that uh is still executing. So um if you think about like indicators in this case uh definitely a network indicator right because uh at some point or another this machine is actively uh beaconing out uh to our machine. So u you'd expect to see some beacon traffic there. So a lot of threat hunting techniques could be involved to um you know sort of get statistics on the different connections going out from this machine and um in this case it's really easy right because it's happening every minute pretty much to the exact second. So that's something that a lot of detection tools could like flag just like that right if you're seeing a uh connection coming out every 1 minute to a certain IP address. Um, so a lot of times you'll see C2 servers implement things what's called jitter in the sense that instead of beaking every one minute or every five minutes or 10 minutes, uh, it'll add or subtract some seconds onto that, right? So it's not just a, you know, minute minute minute, it's like, you know, minute 30, minute 35, you know. Um, so that's called jitter and it's a way to sort of get around those uh, easy detections. Okay, so we have a new result here. Let's see. It's a lot shorter. So, let's decode. There we go. We got execution. There we go. So, I don't know if it's the job ID or if we just needed to simplify our our object, but look at that. You can see in this JSON object. Let me actually beautify this, make it easier to view. So, we're getting this object returned from the command and control agent, right? That's running on the infected system. So it's saying the job ID is one. The command that we sent is who am I? We have a successful result. And the result is ADA or ADA. I'm assuming that's the user that we are on the system. There we go. We have remote code execution by exploiting someone's old command and control agent that they left on the server. And now let me try to find uh I can scroll up but someone mentioned we should now uh try to get an actual shell from this. Right? So that's kind of why I worked up just using who am I. Now that we've confirmed we have execution on the server we can now do some some fun things and uh actually exploit the machine. Right. And so uh we just need to edit this one. I don't think we'll need that tab anymore. instead of who am I? Uh let's try running a reverse shell payload. Right. So I'm just going to go to revshells.com. This site is awesome. It's created by uh Zero Day or Oday. Uh if you don't know him, uh Ryan McGomery, I think his name is. Uh he's like the master of Try Hackne. I think he's like rated number one on the platform. He's always like the the first one to solve any new machine. Um but yeah, this this is a great site that I use all the time. uh that I did once I was doing a lot more hacking in the past um just to generate you know quick shells uh syntax or uh you can do bind shells or even it'll give you the MSS uh MSF venom syntax uh if you're using interpreter. So all we need to do is change our IP to uh my machine's IP on the tryhackme VM. So that's 10 1358 58 uh for the port uh I don't know elite. Let's let's do something elite here. Uh, I saw a question. Is there an offline version of Rev Shells? I'm not sure. I imagine it would be pretty easy to have an offline version of this. Um, but the repository is here, so you can probably clone it and uh run it locally, right? Um, I don't think it needs to, you know, it doesn't use the internet for anything, so I imagine uh you can run an offline version of it. Yeah. Yeah, it's really good. Uses a quic
Original Description
The TCM Security Academy Black Friday Cyber Monday deals are HERE! Enjoy 20% off certifications and live trainings, and 50% off your first payment to the Academy.
Save on certs and live trainings - like our upcoming SOC Live Training with Andrew Prince and Hacking and Defending AD Live!: https://www.tcm.rocks/acad-certs-y
Save on the Academy: https://www.tcm.rocks/acad-bfcm-y
Save even more when you purchase our bundles - the Professional Penetration Tester Bundle and the Ultimate Hacking and Defending Training Bundle.
The Professional Penetration Tester Bundle disappears December 2, so act fast: https://www.tcm.rocks/pro-pentester-y
The Ultimate Hacking and Defending Training Bundle (which includes a 1-on-1 session with Heath): https://www.tcm.rocks/ultimate-hack-defend-y
If you like Andrew's style, consider joining January's SOC Live training! https://tcm.rocks/soc-live-y
Watch this livestream recording to watch Andrew Prince - an avowed Blue Teamer - try his hand at a Red Stream challenge! He answers a few audience questions, discusses the TCMS Black Friday sale, and offers his opinion about various industry topics. Remember, we livestream 12 PM ET every Wednesday, so subscribe to see when we go live next.
📕 Related Resources 📕
TryHackMe Challenge: https://tryhackme.com/r/room/forgottenimplant
SOC 101 Course: https://www.tcm.rocks/soc101-y
PJSA (Practical Junior Security Analyst) from TCM Security: https://tcm.rocks/pjsa-y
How to Pass the PJSA Exam (Blog): https://tcm-sec.com/pass-the-pjsa-exam/
How to Be an Ethical Hacker in 2025 (Blog): https://tcm-sec.com/how-to-be-an-ethical-hacker-in-2025/
How to Be an Ethical Hacker in 2025 (Video): https://www.youtube.com/watch?v=EdFiH_BfEH4
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from The Cyber Mentor · The Cyber Mentor · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Buffer Overflows Made Easy - Part 1: Introduction
The Cyber Mentor
Buffer Overflows Made Easy - Part 2: Spiking
The Cyber Mentor
Buffer Overflows Made Easy - Part 3: Fuzzing
The Cyber Mentor
Buffer Overflows Made Easy - Part 4: Finding the Offset
The Cyber Mentor
Buffer Overflows Made Easy - Part 5: Overwriting the EIP
The Cyber Mentor
Buffer Overflows Made Easy - Part 6: Finding Bad Characters
The Cyber Mentor
Buffer Overflows Made Easy - Part 7: Finding the Right Module
The Cyber Mentor
Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
The Cyber Mentor
HackTheBox - Sunday Walkthrough (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Network Subnetting (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
The Cyber Mentor
HackTheBox - Fighter Walkthrough (Re-Up)
The Cyber Mentor
Beginner Linux for Ethical Hackers - Navigating the File System
The Cyber Mentor
Beginner Linux for Ethical Hackers - Users and Privileges
The Cyber Mentor
Beginner Linux for Ethical Hackers - Common Network Commands
The Cyber Mentor
Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
The Cyber Mentor
Beginner Linux for Ethical Hackers - Controlling Kali Services
The Cyber Mentor
Beginner Linux for Ethical Hackers - Scripting with Bash
The Cyber Mentor
Beginner Linux for Ethical Hackers - Installing and Updating Tools
The Cyber Mentor
Cracking Linux Password Hashes with Hashcat
The Cyber Mentor
Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
The Cyber Mentor
Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
The Cyber Mentor
Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
The Cyber Mentor
Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
The Cyber Mentor
New Zero to Hero Pentest Course, New Website, and 2K Subs?!
The Cyber Mentor
Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
The Cyber Mentor
Zero to Hero Pentesting: Episode 2 - Python 101
The Cyber Mentor
Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
The Cyber Mentor
Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
The Cyber Mentor
Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
The Cyber Mentor
Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
The Cyber Mentor
Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
The Cyber Mentor
Installing Windows Server 2016 on VMWare in 5 Minutes
The Cyber Mentor
Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
The Cyber Mentor
A Day in the Life of an Ethical Hacker / Penetration Tester
The Cyber Mentor
Active Directory Exploitation - LLMNR/NBT-NS Poisoning
The Cyber Mentor
Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
The Cyber Mentor
Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
The Cyber Mentor
Writing a Pentest Report
The Cyber Mentor
Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
The Cyber Mentor
The Complete Linux for Ethical Hackers Course for 2019
The Cyber Mentor
Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
The Cyber Mentor
Popping a Shell with SMB Relay and Empire
The Cyber Mentor
Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 2 - Lame
The Cyber Mentor
Pentesting for n00bs: Episode 3 - Blue
The Cyber Mentor
Web App Testing: Episode 1 - Enumeration
The Cyber Mentor
Pentesting for n00bs: Episode 4 - Devel
The Cyber Mentor
Pentesting for n00bs: Episode 5 - Jerry
The Cyber Mentor
Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
The Cyber Mentor
Pentesting for n00bs: Episode 6 - Nibbles
The Cyber Mentor
Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
The Cyber Mentor
How NOT to Approach a Cybersecurity Mentor
The Cyber Mentor
Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
The Cyber Mentor
Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 9 - Grandpa
The Cyber Mentor
Top 5 Internal Pentesting Methods
The Cyber Mentor
More on: AI Security
View skill →Related Reads
📰
📰
📰
📰
Australia finds serious gaps in Big Tech’s response to child sexual abuse online
The Next Web AI
The Future of Endpoint Security: Why Visibility, Intelligence, and Automation Will Define the Next…
Medium · Cybersecurity
Why Every Cybersecurity Product Needs Enterprise-Grade Connectors in 2026
Dev.to · Shivang Patel
Malware Deep Dive: Gandcrab
Dev.to · jordanricky1604-ship-it
🎓
Tutor Explanation
DeepCamp AI