During penetration testing of the target system, I discovered an exposed MySQL database service with weak authentication controls. This lab demonstrates direct database enumeration techniques and data extraction methodologies that led to complete compromise of sensitive data.
1. Nmap Service Discovery:
2. MySQL Client Installation:
3. Direct Database Connection:
Database Discovery:
Table Enumeration:
Flag Extraction:
This authorized penetration test demonstrates a sophisticated multi-stage phishing campaign targeting C-level executives using the Social Engineering Toolkit (SET). The attack chain combines reconnaissance, social engineering, macro-enabled payload delivery, and command & control infrastructure to achieve persistent remote access.
OSINT Gathering Process:
Target Selection Criteria:
SET Installation and Setup:
Campaign Theme Selection:
Based on reconnaissance, I identified recent regulatory changes in financial reporting requirements that would create urgency for immediate executive response. The Sarbanes-Oxley Act amendments and new SEC cybersecurity disclosure rules provided a perfect pretext for urgent compliance action.
Subject Line Engineering:
Email Content Strategy:
Macro-Enabled Document Development:
VBA Macro Code Structure:
PowerShell Payload (payload.ps1):
C2 Server Setup:
Payload Hosting:
Unicode Spoofing Implementation:
SMTP Configuration:
Email Delivery Statistics:
Successful Compromise Details:
Access Gained:
This lab demonstrates the complete deployment of a T-Pot honeypot infrastructure on Amazon Web Services. T-Pot is a multi-honeypot platform that combines multiple honeypot technologies to capture and analyze attack patterns, providing valuable threat intelligence for security research.
Initial AWS Configuration:
EC2 Instance Configuration:
Initial Security Settings:
Post-Installation Security Rules:
Key Generation Process:
Initial SSH Connection:
System Preparation:
Installation Commands:
Installation Options Selected:
System Reboot Message:
Access Methods:
Within minutes of deployment, the honeypot infrastructure began capturing attack traffic from automated scanners and botnet activities. The T-Pot dashboard provides real-time visualization of:
This CTF challenge involves analyzing a .pcap file to extract JPEG frames from a network stream. By identifying the correct stream and viewing frames in sequence, we uncover a hidden flag revealed across multiple surveillance camera images.
Key observations from the packet capture:
This multifaceted challenge combined deep packet inspection with media file reconstruction, showcasing the intersection of network forensics and digital evidence recovery in real-world security investigations.
I built this comprehensive home lab to simulate a realistic enterprise network environment using VirtualBox virtualization. My setup includes 5 virtual machines that I configured to represent WAN/LAN separation with firewall protection.
My Network Topology:
1. My WAN Attacker Machine (Kali Linux)
2. My Firewall Machine (pfSense)
3. My Metasploitable 2 Target
4. My Internal Kali Machine
5. My Windows 10 Target
My Lab Status: Fully Operational - Continuously Testing New Attack Vectors
During my SOC shift, I processed 47 SIEM alerts across multiple threat vectors. This writeup documents my analysis methodology and findings from a particularly busy day that included phishing campaigns, suspicious downloads, and firewall blocks.
Alert: Suspicious Email Pattern Detected
My Investigation Process:
I received an alert for 8 emails from sender: finance-update@microsooft[.]com
Subject: "URGENT: Verify Account Credentials" - sent to accounting department
My Analysis Steps:
User Interaction Analysis:
I checked web proxy logs for the malicious URL pattern:
Immediate Actions I Took:
Documentation I Created:
This incident chain demonstrated the importance of correlating alerts across multiple security tools. The phishing email that bypassed initial controls led to credential compromise and attempted malware installation. My systematic triage approach helped identify the connection between seemingly separate events.
Shift Result: Successfully identified and contained active compromise
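The correlation step this writeup turns on (matching the lookalike sender domain from the email alert against web proxy traffic, then picking out the users who actually submitted credentials or pulled down an executable) can be scripted so the next shift does not have to eyeball it. The block below is an added example, not the author's tooling or the SOC's real queries: the trusted-domain list, the simple space-separated proxy log layout and every log line in it are constructed for this illustration, and the only indicator taken from the page is the sender domain microsooft[.]com.

```python
import re

# Assumed for this example: domains the organisation legitimately uses.
TRUSTED_DOMAINS = ["microsoft.com", "office.com"]

# Sender from the SIEM alert, as written in the writeup (defanged).
ALERT_SENDER = "finance-update@microsooft[.]com"

# Constructed proxy log: "timestamp client_ip method url status".
# This is an invented layout and invented traffic, not a real proxy's format.
PROXY_LOG = """\
2024-05-14T09:12:03Z 10.20.1.15 GET http://www.microsoft.com/en-us/ 200
2024-05-14T09:13:41Z 10.20.1.22 GET http://login.microsooft.com/verify?user=acct01 200
2024-05-14T09:13:55Z 10.20.1.22 POST http://login.microsooft.com/submit 302
2024-05-14T09:20:10Z 10.20.1.31 GET https://update.microsooft.com/setup.exe 200
2024-05-14T09:25:00Z 10.20.1.15 GET https://www.office.com/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def refang(indicator):
    """Turn analyst-safe notation (microsooft[.]com, hxxp) back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def sender_domain(address):
    """Domain part of an e-mail address, refanged and lower-cased."""
    return refang(address).rsplit("@", 1)[-1].lower()


def levenshtein(a, b):
    """Classic edit distance; small non-zero values flag typosquats like microsooft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable-domain extraction: last two labels (no multi-label suffixes assumed)."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_score(domain, trusted=TRUSTED_DOMAINS):
    """Return (closest trusted domain, edit distance to it)."""
    return min(((t, levenshtein(domain, t)) for t in trusted), key=lambda p: p[1])


def parse_proxy_line(line):
    """Parse one constructed log line into a dict; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    host = re.sub(r"^[a-z]+://", "", url).split("/")[0].split(":")[0]
    return {"ts": ts, "client": client, "method": method,
            "url": url, "host": host, "status": int(status)}


def correlate(alert_sender, proxy_log, max_distance=2):
    """Proxy hits whose registrable domain equals the phishing sender's domain,
    or sits within max_distance edits of a trusted domain (but is not one)."""
    phish_domain = sender_domain(alert_sender)
    hits = []
    for line in proxy_log.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        reg = registrable(rec["host"])
        closest, dist = lookalike_score(reg)
        if reg == phish_domain or 0 < dist <= max_distance:
            rec.update(matched=reg, closest_trusted=closest, distance=dist)
            hits.append(rec)
    return hits


def clients_to_escalate(hits):
    """Map client IP -> sorted reasons: a POST to a lookalike (likely credential
    submission) or a fetch of an executable from one (possible malware download)."""
    reasons = {}
    for rec in hits:
        why = []
        if rec["method"] == "POST":
            why.append("credential_submission")
        if rec["url"].lower().split("?")[0].endswith((".exe", ".msi", ".ps1", ".hta")):
            why.append("executable_download")
        if why:
            reasons.setdefault(rec["client"], set()).update(why)
    return {c: sorted(r) for c, r in reasons.items()}


if __name__ == "__main__":
    found = correlate(ALERT_SENDER, PROXY_LOG)
    for rec in found:
        print(f"{rec['ts']} {rec['client']} {rec['method']} {rec['host']} "
              f"(looks like {rec['closest_trusted']}, distance {rec['distance']})")
    print("escalate:", clients_to_escalate(found))
```

Legitimate traffic to microsoft.com and office.com is left alone because their distance to the trusted list is zero; only the near-miss domain is flagged. In a real environment the registrable-domain logic should use a public-suffix list, and the two-edit threshold is a starting point to tune against your own false-positive rate.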