My CTF task for the HackIT 2016 battle

Recently, a great hacker event took place in Ukraine, called HackIT. It is a cybersecurity forum with a large international Capture The Flag (CTF) competition. Being one of the speakers, I decided to donate a realistic CTF challenge to the “hacker battle”. As a result, my task appeared to be hard, probably because of the time constraints, though I still consider it as an easy but very interesting one. Below you can find the description:

Congrats, you are an awesome hacker! Your phishing email was successful. By pretending to be the Facebook’s support team, you managed to get account credentials, both login and password, of your target – famous Peter Parker. Though, could you successfully use this information and break into his account? Prove it!

This is the original response to the phishing email:


And this was the target’s account:


Finally, all participants were warned to use ONLY the provided URL when attempting to login to the account (not any of the original Facebook ‘s pages): http://the_actual_challenge_url

During the competition, the actual URL took hackers to the following dummy page:


Of course, just entering the credentials results in the same “Sorry…” message. Any guess, why?..

Continue reading “My CTF task for the HackIT 2016 battle”

On the detection of malicious web shells and compromised websites

For my first blog post on the Cyber Investigator, I would like to show an example of academia research on a cybercrime related topic with elements of security measurements. It does not require enormous resources and collaborations but just understanding the technology and connecting dots. Hopefully, it will encourage young security researches to brainstorm other ways of investigating and preventing cybercrimes.

Closer to the point, today we are going to search for compromised websites and servers around the globe, by detecting malicious web shells on them that are uploaded and used by attackers. Web shells are special scripts that hackers usually use to maintain access to victim machines after successful exploits. Those pieces of software run on compromised servers, providing adversaries with ability to execute remote commands, browse file systems, upload files, elevate privileges, send spam emails, etc. More precisely, our goal is to monitor victim websites and ongoing attacks as shown on the map below. The discussed method gives ability to provide early warning of compromised websites, all the way to remotely disarming a shell and evicting the attacker.

Top 10 compromised websites (black points) by the number of unique remote IP addresses, from which attackers access the detected malicious web shells (shown with arrows)

For the technical part, we need to understand the risks of inclusions from stale domains, so I will start with explaining it…

Continue reading “On the detection of malicious web shells and compromised websites”