Well, it’s been 3 MONTHS since my last hacking post.

Excuses, excuses

I enrolled in a (free!) Undergraduate Certificate in Applied Technology. Why? Well, it was FREE. Also, I have absolutely no qualifications in technology at all, and I thought maybe it would be a good idea to get one, especially since it was FREE.

So, I spent some time working on that, watching zoom recordings of tutorials, working on assignments etc. And that somewhat limited my available free time. And then….I withdrew just before the census date. It wasn’t very interesting, it was taking up lots of my time, and I wasn’t learning anything I didn’t already know that I actually cared about. Strictly speaking I did learn some things that I didn’t care about, but….yeah. Didn’t care. So even though it was FREE, somehow it still wasn’t worth my time. Sorry.


THM

What else? Well, THM has been an absolute wasteland of interesting content lately. This is my blog, and that’s my opinion.


VulnHub

apology for poor english

where were you when original vm legend dies

i was at home drinking brain fluid when g0tmilk ring

‘vulnhub is die’

‘no’

and you??????????????


HMV

HackMyVM on the other hand, goes from strength to strength and I cannot recommend it highly enough. Also, I got bloods on Decode, was second on Hostname. And I’ve just done Translator. I might write some of these up. Not sure.


Today at work (my normal job) I got an e-mail from someone from another company, who I had previously e-mailed (and hence they had my address). It looked suspicious, because it contained a link to an apparently shared project, and we weren’t collaborating on anything.

I checked the link at Google safe browsing and no flags were raised. The link was to a legitimate (if not well-known) file sharing service, so I went for a look. The ‘shared project’ was on an oddly-named subdomain, and contained a single PDF file called something like ‘private-confidential-project.pdf’; I don’t remember the exact title.

I downloaded the file, and scanned it with Defender. Nothing. I uploaded it to a few different online virus scanners; nothing. Next, I opened Adobe Reader and disabled Javascript and turned on the highest security settings (this disables lots of ‘active’ or ‘advanced’ features and isn’t enabled by default, since it also stops things like printing).

I opened the PDF in Notepad++, and while most of it was illegible I could see a few weird URLs. Next, I uploaded the file at VirusTotal and got one hit for a phishing site - which was one of the URLs I’d seen in the text editor. Next I searched VirusTotal just for that URL and got maybe 12 hits for phishing.

Next, I opened the PDF in Adobe and had a look. It was a somewhat realistic looking document with a link asking you to enter your Microsoft OneDrive credentials. Presumably so you could ‘view the shared document’. Of course what was actually happening was that your credentials were harvested by the threat actor. So that was all very interesting. I rang the sender, and it sounded like the same thing had been sent to his entire contact list, which is roughly all of industry X in location Y. Whoops. I didn’t ask him how his e-mail got compromised in the first place; he was already having a bad morning.

I did suggest to several of my colleagues who had received the same thing that it would be prudent to delete it.