COBALT STRIKE Forensics: PCAP & Memdump - "Strike Back" HackTheBox University CTF 2021

Published 2021-11-22
Join HackTheBox and start rooting boxes! j-h.io/hackthebox
Find some tips and tricks on their blog! j-h.io/htb-blog

For more content, subscribe on Twitch! twitch.tv/johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: patreon.com/johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: [email protected]
Discord: johnhammond.org/discord
Twitter: twitter.com/_johnhammond
GitHub: github.com/JohnHammond

If you would like to support the channel and me, check out Kite! Kite is a coding assistant that helps you code faster in any IDE, offering smart completions and documentation. www.kite.com/get-kite/?utm_medium=referral&utm_sou… (disclaimer, affiliate link)

All Comments (21)
  • @_JohnHammond
    UPDATE: HackTheBox has let me know that in the official University CTF game, (NOT my sandbox), they corrected the unintentional after the first couple of hours. The PDF was removed from the process dump, the downloadable was updated and the flag was changed -- so, the "unintentional" that I showcase in the first 10 minutes using Cobalt Strike would NOT have worked for you if you played the CTF after that. Sorry! The Cobalt Strike analysis is much cooler anyway 😎
  • @DavidAlvesWeb
    We should appreciate the fact that besides everything he has on his plate, he still manages to find time to create and upload these awesome educational videos for us!

    He's just the GOAT! ♥
  • @heatherryan9820
    I wasn't bored at all, this is real life. You could have edited it and made it look like it was plain and simple, but you didn't. You showed the process of learning, which I think is really important.
  • @SecTechie
    John you crank out some of the best videos anywhere! Interesting, thorough and educational. Thanks.
  • @b4nd1t02
    Hey John! I wanted to thank you for putting this together. This made going through a Cobalt Strike beacon very enjoyable and I learned a lot from this. Given how prevalent CS usage is these days, the ability to decrypt the traffic during analysis is very important and the walkthrough has been useful for outside the CTF purposes.
  • @Docsfortune
I forget which challenge it was, but it was one of the first 10 you do when loading into picoCTF. I completely bypassed the entire point of the challenge by finding the key with a phd [filename] and scrolling up. The key was in the far right column. PHD is a "pretty hex dump". I was supposed to use Python or normal commands to interact with the file and ask it for help (which I did afterwards), but instead I bypassed all of that and found the key anyway in less than a minute.
  • @MrRandomg23
    I am just amazed that John churns out this kind of content for free, so much respect for you John, Thanks so much
  • @chrisclark5135
    This was sick and SUPER helpful! Thanks John! More like this, more like this, more like this!!
  • @davidmiller9485
As someone who used to frequent Usenet back in the 90's, "script kiddy" has really changed definition since it was originally used. (To be honest, the first time I heard it was on a BBS back in the 80's.) I'm really getting old.
  • @BrenDinner
    You just get me in the mood for netsec! Thanks for being my source of motivation, you’re awesome!
  • @viltran
    Amazing skill there. Love it.
  • @tobjasr6034
Informative and fun as always! =) Thanks John!
This was thoroughly interesting and enjoyable to watch ... Especially interesting because I'm threat hunting an active ransomware threat at work that's leveraging Cobalt Strike with the LockBit 3 ransomware payload at work.
    Also pretty sure that in the past few months of watching a handful of your videos I have heard you say the word "showcasing" more times than I have said it in my entire life.
  • @hmod7389
    I am so happy! At least one good thing about this Monday.