Cyber Mayhem Blue Team Gameplay: Process Monitoring with Snoopy (LD_PRELOAD)
00:00 - Intro
01:00 - Explaining what LD_PRELOAD is
08:48 - Compiling and installing Snoopy
11:10 - Inspecting how Snoopy is installed, so we can make our own install script without compiling
13:08 - Checking auth.log after Snoopy is installed to see it working!
15:30 - Creating a Snoopy installer script on our Parrot machine
20:40 - Showing that Snoopy won't capture everything by using Python to access a file in two different ways
22:06 - Reverting our machine, so we can test our install script
28:00 - In the Hacking Battlegrounds lobby!
29:30 - Installing Snoopy on all four of our castles
30:20 - Showing tmux magic - Using synchronize-panes to send our keystrokes to all panes
31:55 - TROLL: Renaming nano to vi and vi to nano on one of the boxes for lulz
33:10 - Using a watch command across all our terminals to look for a reverse shell
35:05 - Checking out the first box because of the Java process, and seeing if Snoopy sees activity
36:20 - Starting tcpdump across all of our machines with nohup so it runs in the background
37:40 - Found a shell on the second box! Let's take a look!
38:20 - TROLL: Python PTY found, let's send a message whenever people use pty.py
40:40 - Using Snoopy to snitch on the health checks and find out why the check is failing
43:30 - Using find to list files modified recently
46:40 - Editing the sudoers file to keep him from privesc'ing
51:00 - TROLL: He deleted our pcap! Let's break the rm command
51:50 - PRIVESC: Found a cronjob, trolling myself trying to remove it
52:20 - Reviewing Snoopy to see which PID edited the crontab, then checking what else happened
58:40 - Someone is on the third box! Let's take a look. We see he grabbed the flag directly from Apache. Putting a fun patch in
1:03:30 - Going back to the second box: someone accessed a flag, and auth.log shows us an upload script
1:04:27 - The user is using the PHP system() function to run a shell. Disabling the system() function in PHP
1:06:10 - Grepping auth.log for flag.txt to see how the user privesc'd... They used script instead of the Python PTY to establish a PTY
1:10:00 - Verifying system() is disabled by checking the PHP error log
1:16:30 - Grabbing a PCAP to show we can do IR based on pcap data as well
Snoopy Statistics For Hack The Box
There are 41,838 views in 1 video for Snoopy. About an hour's worth of Snoopy videos were uploaded to the channel, or 1.22% of the total watchable video on Hack The Box's YouTube channel.