Cyber Mayhem Blue Team Gameplay: Process Monitoring with Snoopy (LD_Preload), a video uploaded to YouTube, available here to watch or to download in the highest available quality.
00:00 - Intro
01:00 - Explaining what LD_PRELOAD is
08:48 - Compiling and installing Snoopy
11:10 - Inspecting how Snoopy is installed, so we can make our own install script without compiling
13:08 - Checking auth.log after Snoopy is installed to see it working!
15:30 - Creating a Snoopy installer script on our Parrot machine
20:40 - Showing Snoopy won't capture everything by using Python to access a file in two different ways
22:06 - Reverting our machine, so we can test our install script
28:00 - In the Hacking Battlegrounds lobby!
29:30 - Installing Snoopy on all four of our castles
30:20 - Showing tmux magic - using synchronize-panes to send our keystrokes to all panes
31:55 - TROLL: Renaming nano to vi and vi to nano on one of the boxes for lulz
33:10 - Using a watch command across all our terminals to look for a reverse shell
35:05 - Checking out the first box because of the Java process, and seeing if Snoopy sees activity
36:20 - Starting a tcpdump across all of our machines with nohup so it runs in the background
37:40 - Found a shell on the second box! Let's take a look!
38:20 - TROLL: Python PTY found, let's send a message whenever people use pty.py
40:40 - Using Snoopy to snitch on the health checks to find out why it is failing
43:30 - Using find to list files modified recently
46:40 - Editing the sudoers file to keep him from privesc'ing
51:00 - TROLL: He deleted our pcap! Let's break the rm command
51:50 - PRIVESC: Found a cronjob, trolling myself trying to remove it
52:20 - Let's review Snoopy to see what PID edited the crontab, then check what else happened
58:40 - Someone is on the third box! Let's take a look. See he grabbed the flag directly from Apache. Putting a fun patch in
1:03:30 - Going back to the second box, someone accessed a flag, using auth.log to show us an upload script
1:04:27 - The user is using the PHP system() command to manipulate a shell. Disabling the system() command in PHP
1:06:10 - Grepping flag.txt in auth.log to see how the user privesc'd... Used script instead of the Python PTY to establish a PTY
1:10:00 - Verifying system() is disabled by checking the PHP error log
1:16:30 - Grabbing a PCAP to show we can do IR based on pcap data as well