https://hexpysya.github.io/tags/network-analysis/Recent content in Network Analysis on bubka hacks stuffHugo -- gohugo.ioen-usThu, 16 Apr 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-etherrat/Thu, 16 Apr 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-etherrat/An attacker breached Maromalix’s public-facing web application by exploiting CVE-2025-55182 (Next.js Deserialization RCE). They deployed a multi-stage implant dubbed EtherRAT, which utilizes a blockchain-based C2 mechanism via Ethereum smart contracts to dynamically resolve infrastructure. The attacker exfiltrated sensitive data, established multiple persistence mechanisms, and ultimately patched the vulnerability to lock out other actors.https://hexpysya.github.io/investigations/cdef-lockdown/Tue, 14 Apr 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-lockdown/An attacker performed SYN port scanning against an IIS server, enumerated open SMB shares, uploaded a webshell to the Documents share, triggered a reverse shell on port 4443, and established persistence via AgentTesla dropped into the Startup folder, which exfiltrated data via SMTP to cp8nl.hyperhost.ua.https://hexpysya.github.io/investigations/cdef-hawkeye/Wed, 25 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-hawkeye/A victim host downloaded a HawkEye Keylogger dropper via HTTP, which established persistence, periodically checked the external IP via bot.whatismyipaddress.com, and exfiltrated harvested credentials every 10 minutes over SMTP.https://hexpysya.github.io/investigations/htb-liberty/Wed, 25 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-liberty/Password spraying led to domain account compromise, followed by NetNTLM hash theft via a malicious .url file, RDP access, data exfiltration to a C2 server, and PSWA backdoor installation for persistence.https://hexpysya.github.io/investigations/cdef-bluesky-ransomware/Tue, 10 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-bluesky-ransomware/An attacker performed a port scan, exploited a Microsoft SQL Server via the sa account, enabled xp_cmdshell to drop and execute a base64-encoded payload, then deployed a multi-stage PowerShell toolkit to disable AV, dump NTLM hashes, perform lateral movement via SMB, and stage the BlueSky ransomware payload.https://hexpysya.github.io/investigations/htb-telly/Fri, 06 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-telly/An attacker exploited CVE-2026-24061, an authentication bypass in GNU inetutils telnetd, to obtain an unauthenticated root shell, established persistence via linper.sh across multiple cron and systemd locations, and exfiltrated a credit card database before deleting it from the victim server.https://hexpysya.github.io/investigations/htb-sneakykeys/Tue, 03 Feb 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-sneakykeys/https://hexpysya.github.io/investigations/htb-packet-_puzzle/Sat, 31 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-packet-_puzzle/Analyzed network traffic showing exploitation of CVE-2024-4577 (PHP-CGI argument injection) against a Windows server running PHP 8.1.25. Attacker achieved RCE, established reverse shell on port 4545, then escalated privileges using GodPotato to spawn a SYSTEM-level shell on port 5555.