Author: Karol Taikhoa Do

  • Tryhackme Friday Overtime challenge write-up


    Tryhackme Friday Overtime – Challenge overview

    The Tryhackme Friday Overtime challenge is a simulation task. In it, you become a CTI (Cyber Threat Intelligence*) Analyst and have to analyse malware based on a real-world cyberattack. To accomplish this, I interacted with malware samples in a virtual machine (VM), which acts as an isolated environment.

    Note: In order to launch a VM and, consequently, to complete the task, you must be a premium user on the Tryhackme platform.

    * Cyber Threat Intelligence is evidence-based knowledge about adversaries, including their indicators, tactics, motivations, and actionable advice against them (definition from the Tryhackme platform).

    Before I begin…

    Feel free to jump to a question that you find interesting.

    Table of contents:

    Q1: Who shared the malware samples?
    Q2: What is the SHA1 hash of the file “pRsm.dll” inside samples.zip?
    Q3: Which malware framework utilizes these DLLs as add-on modules?
    Q4: Which MITRE ATT&CK Technique is linked to using pRsm.dll in this malware framework?
    Q5: What is the CyberChef defanged URL of the malicious download location first seen on 2020-11-02?
    Q6: What is the CyberChef defanged IP address of the C&C server first detected on 2020-09-14 using these modules?
    Q7: What is the md5 hash of the spyagent family spyware hosted on the same IP targeting Android devices in Jun 2025?

    Treat this article as a helpful walkthrough for the challenge. I’m not going to just give you the answers – after all, where would the fun and value be in that? Instead, I will demonstrate how to find the answer to each question, but ultimately, YOU will have to do the work. Have fun and let’s begin Tryhackme Friday Overtime 🙂


    Q1: Who shared the malware samples?

    Once you log into the account provided in the task, you will be redirected to the main dashboard. From there, you’ll see an email titled “Urgent: Malicious Malware Artefacts Detected” from SwiftSpend Finance. To proceed, click on it to view the full message.

    As the question suggests, we are looking for the sender of the attached malware samples (samples.zip is visible on the right). The sender is not an organization, but an individual. (Check out the image below.)

    Tryhackme Friday Overtime task email with the sender name

    Q2: What is the SHA1 hash of the file “pRsm.dll” inside samples.zip?

    After downloading “samples.zip” (check out the image above), we need to unzip it. Open the terminal (in the top left corner, “Applications > Terminal emulator”) and use the command:

    unzip ./Downloads/samples.zip   # optionally add -d <directory name> to extract the files into a specific folder; not necessary in this case

    Next, the system will ask for a password, which you can find in the email.

    Tryhackme Friday Overtime task email with password to access malware samples


    To answer the question, compute the SHA1 hash of the file “pRsm.dll” using:

    sha1sum pRsm.dll

    Tryhackme Friday Overtime calculating malware's SHA1 hash in terminal

    Note: in Linux there are many commands to calculate a particular hash. They usually follow the pattern <hash_algorithm>sum, e.g. sha256sum, md5sum, etc.


    Q3: Which malware framework utilizes these DLLs as add-on modules?

    For this one we need to access the internet from our own computer (remember the VM is isolated and the whole task is based on a real-world cyber-attack). A quick search for “pRsm.dll malware” should lead you to an article on “welivesecurity” titled Evasive Panda APT group delivers malware via updates for popular Chinese software.

    While reading/scanning through that article you should spot the answer to the question.

    Tryhackme Friday Overtime malware framework from welivesecurity article

    Q4: Which MITRE ATT&CK Technique is linked to using pRsm.dll in this malware framework?

    We are still working with the article titled Evasive Panda APT group delivers malware via updates for popular Chinese software, published on “Welivesecurity”. Because this article is a report on a cyberattack, it naturally includes an analysis of the incident, specifically using the MITRE ATT&CK framework (Adversarial Tactics, Techniques, and Common Knowledge, developed by the non-profit research and development organization MITRE).

    As you continue reading, you will find a section labeled “MITRE ATT&CK techniques” with a table outlining various tactics and techniques. To answer the question, simply locate the technique ID associated with the “pRsm.dll” file.

    Tryhackme Friday Overtime malware's MITRE ATT&CK technique from welivesecurity article

    Q5: What is the CyberChef defanged URL of the malicious download location first seen on 2020-11-02?

    We are still working with the article titled Evasive Panda APT group delivers malware via updates for popular Chinese software, published on “Welivesecurity”. In the “Technical analysis” section, you will find a URL that matches the date in the question.
    Once you have copied the URL, head over to CyberChef – a free online data-analysis tool used by cybersecurity professionals and enthusiasts.

    To begin, search for the “Defang URL” operation and drag it into the “Recipe” section. Next, paste the URL from the article into the input field. Finally, run the recipe to get the result.

    Tryhackme Friday Overtime defang URL in Cyberchef

    Q6: What is the CyberChef defanged IP address of the C&C server first detected on 2020-09-14 using these modules?

    We are still working with the article titled Evasive Panda APT group delivers malware via updates for popular Chinese software, published on “Welivesecurity”. In the “Network” section, you will find the IP address of a command and control (C&C) server whose first-seen date matches the one in the question.

    Once you have located the IP address, open CyberChef – the same free online tool we used earlier. To continue, search for the “Defang IP address” operation and drag it into the “Recipe” section. Then, paste the IP address into the input field and run the recipe to get the result.

    Tryhackme Friday Overtime defang IP address in CyberChef
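    Both CyberChef operations from Q5 and Q6 can be reproduced in a few lines. The script below is an added example, not part of the original write-up and not CyberChef's own code; it assumes CyberChef's default options (escape dots, http and ://), and the sample indicators are constructed placeholders rather than the ones from the article.

```python
# Added example: defang a URL and an IPv4 address the way CyberChef's "Defang URL" and
# "Defang IP address" operations do with their default options (assumption), plus the
# reverse so an indicator can be pasted back into VirusTotal or a blocklist.
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def defang_url(url: str) -> str:
    """http://host.example/a.exe -> hxxp[://]host[.]example/a[.]exe"""
    out = url.replace(".", "[.]")                              # escape every dot
    out = re.sub("http", "hxxp", out, flags=re.IGNORECASE)     # http/HTTP -> hxxp
    return out.replace("://", "[://]")                         # escape the scheme separator


def defang_ip(text: str) -> str:
    """Bracket the dots of every IPv4 address in text: 203.0.113.5 -> 203[.]0[.]113[.]5"""
    return IPV4.sub(lambda m: m.group(0).replace(".", "[.]"), text)


def refang(text: str) -> str:
    """Undo defanging (the inverse of the two functions above)."""
    out = text.replace("[.]", ".").replace("[://]", "://")
    return re.sub("hxxp", "http", out, flags=re.IGNORECASE)


# Constructed sample indicators; not the real values from the article.
SAMPLE_URL = "http://update.example.test/files/installer.exe"
SAMPLE_IP = "C&C server seen at 203.0.113.5 on 2020-09-14"

if __name__ == "__main__":
    print(defang_url(SAMPLE_URL))
    print(defang_ip(SAMPLE_IP))
    print(refang(defang_url(SAMPLE_URL)) == SAMPLE_URL)
```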

    Q7: What is the md5 hash of the spyagent family spyware hosted on the same IP targeting Android devices in Jun 2025?

    To answer this question, we need to take the IP address from Q6 and head to VirusTotal – a platform that analyses files, URLs, domains and IP addresses for known malware.

    Start by searching for the IP address in VirusTotal’s search bar. The default dashboard will show scan results from various antivirus engines. To find the answer, go to the “Relations” section. Once there, look for a file hash targeting Android devices with a date that matches the one in the question.

    Tryhackme Friday Overtime researching IP address in VirusTotal

    Tryhackme Friday Overtime – Conclusion

    The Tryhackme Friday Overtime challenge did require some Linux command-line knowledge. More importantly, however, it tested the ability to research like a CTI Analyst. I hope you found this write-up helpful and enjoyed the task of being a CTI Analyst.

  • What is IDOR? OWASP Broken Access Control


    Introduction

    In this article I will briefly introduce the concept of the IDOR vulnerability and its impact. I will also show a simple example of taking advantage of an insecure fake website.

    IDOR – overview

    IDOR, or Insecure Direct Object Reference, refers to an access control weakness in web applications. It is an important concept as it is listed in the Open Web Application Security Project (OWASP) Top 10 vulnerabilities.

    It occurs when a web application exposes an identifier that points to a specific object on the web server. By object, I mean a file or user account attributes, e.g. a user id. That is an unwanted scenario, since the web application fails to validate whether the logged-in user should have access to the requested object. This allows attackers to bypass authorization and gain unauthorized access to user accounts, databases or admin functionality.

    More info:
    https://owasp.org/Top10/A01_2021-Broken_Access_Control/
    Insecure direct object reference – Wikipedia

    Example of IDOR weakness

    In the example below we have a login panel from an insecure fake website. I will first log into the guest account and then observe how the URL changes. After the website redirects us to the guest’s dashboard, we can see the changed URL with a parameter ‘user=guest‘. To take advantage of IDOR I will change the user parameter to ‘admin’.

    This video was made thanks to a CTF from tryhackme.com

    As we can see in the video, I was able to access the admin dashboard without admin credentials.
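    The dashboard lookup the video demonstrates, written first the insecure way and then with the authorization check that stops it, as an added example that is not code from the original post or from the CTF; the route, the user names and the data are hypothetical.

```python
# Added example: a dashboard handler with the IDOR shown above, next to the fixed version.
# All names and data are constructed for illustration.
from __future__ import annotations
from urllib.parse import parse_qs, urlparse

# Constructed per-user data the fake site hands back.
DASHBOARDS = {
    "guest": {"role": "guest", "secrets": []},
    "admin": {"role": "admin", "secrets": ["flag{constructed-example}"]},
}


def requested_user(url: str, session_user: str) -> str:
    """Read the 'user' query parameter, defaulting to the logged-in user."""
    params = parse_qs(urlparse(url).query)
    return params.get("user", [session_user])[0]


def vulnerable_dashboard(url: str, session_user: str) -> dict | str:
    """IDOR: the identifier from the URL is trusted as-is, so any logged-in user
    can request any other user's dashboard just by editing the parameter."""
    target = requested_user(url, session_user)
    return DASHBOARDS.get(target, "404 not found")


def hardened_dashboard(url: str, session_user: str) -> dict | str:
    """Fix: the object is served only if it belongs to the authenticated session user.
    The identity comes from the session, never from the request."""
    target = requested_user(url, session_user)
    if target != session_user:
        # Log the mismatch: repeated hits from one session are a useful detection signal.
        print(f"AUDIT idor_attempt session_user={session_user} requested={target}")
        return "403 forbidden"
    return DASHBOARDS.get(target, "404 not found")


if __name__ == "__main__":
    url = "https://shop.example.test/dashboard?user=admin"  # edited parameter, as in the video
    print("vulnerable:", vulnerable_dashboard(url, "guest"))
    print("hardened:  ", hardened_dashboard(url, "guest"))
```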

  • What is digital SSL certificate for a website?


    Introduction

    In this article I will briefly describe the concept of the SSL certificate for a website and its importance. In addition, I’m going to show an example of how this knowledge helped me. With that knowledge I solved a CTF (capture the flag) problem, which ultimately led to me writing this blog post.

    SSL Certificate – overview

    An SSL certificate is a component of a website that is used to establish a secure connection between the user’s browser and the web server. The name contains the abbreviation SSL, meaning Secure Sockets Layer, which is a cryptographic protocol designed for secure data exchange over a computer network. However, there is a newer and more secure protocol, TLS (Transport Layer Security). It is what is widely used today, but the term “SSL certificate” is still commonly used.

    You can see instantly if the website is secure by either finding the “lock” icon next to the address bar or the “https” prefix in the URL of the website.

    Benefits of having a valid SSL certificate include:

    • secure communication between the browser and web server by encrypting data, preventing it from being stolen by hackers
    • in the case of a certificate granted by a Certificate Authority, increased trust in the website
    • higher search rankings of the website in search engines


    The process of verification and encryption of the data transfer is hidden from the user. Basically, in order to establish a secure connection, the browser needs to check the validity of the server’s signature (the “ID” of a certificate, created using a hash function – I will cover this topic more in depth in a different post).

    Usually a website will have intermediate signatures that should lead to a Root Certificate belonging to a highly trusted Certification Authority (CA), e.g. Let’s Encrypt or DigiCert. All these signatures (IDs) create a “trust chain”, and if all of them are valid then the browser and server will encrypt the data transfer.

    Check out this short video demo of the “trust chain” and how to view a certificate in a browser. In this example I used the Microsoft Edge browser. However, the process should be similar in other browsers.

    Paid vs free SSL certificate

    Digital certificates for websites can be obtained by buying one from a Certificate Authority (CA) or getting a free one from some SSL certificate providers, e.g. “Let’s Encrypt”. In short, the free one only verifies that the domain is registered and that the connection is encrypted. This is a good option for small and non-commercial organizations.

    On the other hand, the paid one also provides proof that the owner of the domain is legitimate. Hence, it is expected that websites collecting personal information have a certificate from a CA.

    In addition, there are tools to create a digital certificate at no cost, known as self-signed certificates, but browsers won’t treat such a connection as secure.

    Links:

    For more information, you can check the following links:


    Personal example – solving simple CTF

    Once I underestimated that SSL certificates may contain some useful information like alternative domain names. I couldn’t have found that by just simple enumeration in search of the website’s subdomains. That fact was the key to helping me solve a simple CTF task (capture the flag – a task for hackers to break into a fake system to get the flag, a secret text). Check the video below:
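    The alternative domain names mentioned above live in the certificate's Subject Alternative Name extension, and Python's standard library can read them. The script below is an added example, not code from the original post; the hostnames in it are constructed placeholders, and the live-fetch helper keeps certificate verification on.

```python
# Added example: read the Subject Alternative Names (SANs) from a server certificate.
# The sample certificate dict and hostnames are constructed placeholders.
import socket
import ssl


def san_names(cert: dict) -> list:
    """Return the DNS names from a certificate dict shaped like ssl.SSLSocket.getpeercert();
    IP-address entries are skipped."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a TLS connection with the default (verifying) context and return the peer
    certificate. An untrusted or self-signed chain raises ssl.SSLCertVerificationError
    instead of silently returning data."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns, so the parser runs offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Constructed Example CA"),),),
    "subjectAltName": (
        ("DNS", "www.example.test"),
        ("DNS", "hidden-dev.example.test"),   # the kind of extra name the post refers to
        ("IP Address", "203.0.113.10"),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    import sys
    # With a hostname argument the certificate is fetched live; otherwise the sample is used.
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print("issuer:", cert["issuer"])
    for name in san_names(cert):
        print("SAN:", name)
```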

  • How does Bachelor thesis defense look like?


    Introduction

    After successfully defending my Bachelor thesis, many people around me began asking what the thesis defense process looks like. So, I decided to write this article to give you a clear overview of this procedure. I will also share my own experience defending a Bachelor thesis at Warsaw University of Technology.

    Hopefully, this guide will help you understand what to expect and how to prepare for your own defense.

    Prerequisites for thesis defense

    Once a student finishes writing their thesis (document) and passes all the required subjects, there are a few steps to complete before actual defense. Here is a quick breakdown:

    1. Accept data policy
      The university needs some personal information to prepare your diploma. This step is simple and you can do it through your online student university system.
    2. Preparing diploma supplement
      This document includes your grades and other achievements such as scholarships, exchange programs, internships or involvement in student organizations.
    3. Checking thesis for plagiarism
      You can either ask your thesis supervisor to run the check or upload the document yourself using the university’s anti-plagiarism system.
    4. Supervisor’s review
      Your thesis supervisor must submit a formal review through the university platform.
    5. Reviewer’s evaluation
      Another faculty member (chosen by your thesis supervisor) will also review your thesis and upload their evaluation.
    6. Preparing for post-presentation questions
      At my university – Warsaw University of Technology, the exam board asks 3 general questions after your presentation. Your supervisor may help you prepare by suggesting sample questions.

    The actual thesis defense

    My Bachelor thesis defense had 2 parts – a short presentation (5-8 minutes) and 3 general post-presentation questions. The presentation should be concise – no more than 8 slides, including the title and closing slides.

    After presenting, the exam board may ask follow-up questions. Then, they will move on to the general questions based on topics covered during your studies.

    Post presentation

    During my Bachelor of Computer Science defence, the exam board asked me the following questions:

    1. What is a hash data structure?
      Short answer: A data structure that allows for fast data lookup. It relies on a hash function, which converts any data into a fixed-size string – essentially creating an “ID” for that data. If two different inputs produce the same hash, it’s a collision. To solve that problem, techniques like linear probing or double hashing are used. Examples of real hash functions: MD5, NTLM, SHA-3, etc.
    2. What are some popular display screen technologies? Which one will give “true black” colour?
      Short answer: There are 2 main types of display technologies – LCD and OLED.
      * LCD uses external LED diodes as backlight. These lights pass through liquid crystals to produce images on screen.
      * OLED uses organic LEDs that emit their own light. When displaying black colour they simply turn off. As a result we have a deep black and higher contrast. So, OLED is the one that delivers “true black”.
    3. Describe briefly differences between existing Wifi generations.
      Short answer: There are currently 7 generations of Wifi. All of them have different speeds (throughput), frequencies they operate at (2.4 GHz, 5 GHz and now 6 GHz) and ability to penetrate objects, e.g. walls.
      Newer generations typically offer higher speeds, but may not pass well through walls (objects). Most of them are backward compatible with older frequencies.

    Getting results

    After answering the questions, you will leave the exam room. During that short time, the exam board discusses your grade. This usually takes 1-3 minutes. Then, you are invited back in to receive your result.
    If you pass – congratulations! You are officially a Bachelor graduate!

    Your diploma should be ready within one month. Keep in mind that the day you defend your thesis is also the day you lose student status, which means you no longer get student discounts 🙁
    That is of course if you don’t plan on doing another degree.

    Final thoughts

    And that’s the overview of defending a Bachelor’s thesis at Warsaw University of Technology. I hope this guide gave you a clear picture of the process and helped you feel more prepared.