Explore a WordPress PHP BACKDOOR webshell

Captions
A few days ago I posted on Twitter a screenshot of a web shell, I said, with this little caption: "Hey, look at this cutesy little web shell. It's so small, it's so pretty, it's so dainty, it's so cute, and it's from vulnerabilities in Microsoft Exchange servers that were patched literally over a year ago." And I think web shells are honestly some really interesting and cool stuff to dive into, because it is a means for an attacker, an adversary, a threat actor or a hacker to maintain access over a long period of time. It is persistence, after all, because at any point the threat actor could then reach back out to the web shell with HTTP request parameters, like GET or POST methods, and then tell it to do whatever it might want, carry out its marching orders.

Now, web shells often slip past preventative security measures like antivirus or EDR because they're just so small and stealthy, and it's not always easy to be kind of understood and unraveled, especially when they are obfuscated or kind of manipulated, and the data and code is transformed to camouflage or blend in, or at least be harder to decipher for a human analyst. Now, if you watch my videos you know that I love playing with some obfuscated code, but with scripting languages, or with scenarios where you just have straight source code, it's very, very different from some malware analysis that you might do digging it up against hardcore compiled binaries, right? We're not cracking open IDA Pro or Ghidra, digging into some disassemblers and debuggers, looking through the instruction set of a binary. But if you're interested in that, hey, let me please segue to today's sponsor, Offset Training Solutions, or Offset with a zero for the O, and their Zero to Auto course gets into some of that super duper cool reverse engineering and malware analysis. With that said, we can roll the clip for that sponsor. Huge thanks.

Zero to Auto offers in-depth and quality training on all things malware analysis and reverse engineering. You learn to cut through malware
samples, understand the threat landscape and automate your workflow. Within the training you get access to 25 hours of video content covering cryptographic algorithms, initial malware stagers, malware evasion techniques, core malware functionality like for banking Trojans, worms, web injects and more. You dig into the exploitation process and learn what exactly is needed for professional threat intelligence. Included with the course is a 10 discount on an IDA Pro named license or an IDA Home license, a three-month premium plan to the ANY.RUN sandbox, and access to an exclusive Discord server where you can collaborate with other students, get support for training material and receive new malware challenges. Right now the course has over 1500 students registered and always have access to new malware to cut up and learn from. Of course, the training comes with the final exam and a course certification, with both the theoretical segment and a hands-on practical challenge where you reverse engineer custom malware and craft a report based off of your findings. The Zero to Auto training comes from some seriously big names in the industry, to include Vitali Kremez, Daniel Bunce and Jason Reaves. I'm sure you have seen them sharing incredible research and threat intel, and this is your opportunity to learn from some of the best. Check out the links in the description to jump into some Zero to Auto training right now and get 20 off by using the code malware at checkout. If you're perhaps looking for something slightly less advanced, they're also in the process of remastering their original beginner malware analysis course, for which pre-registration is now open. If you head to offset.net beginner, the o being a zero, you'll be able to register early for the course and grab an early bird discount. Huge thanks to Offset Training Solutions for sponsoring this video.

Alrighty, so in this video I want to play with a different web shell. I want to play with one that was sent along to me from a viewer, and hey, actually,
please let me add the note here: please keep sending me malware. Please keep sending me weird, random, just sketchy stuff that you find. It's a lot of fun. I have a ginormous backlog of things that you've sent along to me, and I promise I will get to them at some point, slowly, eventually, but just keep them coming. It adds to, you know, the pile of content that we get to play with, and maybe someday in a live stream, or when I can kind of dive into this more frequently, we'll just keep turning them out and see what we can get into. With that, please keep sending me malware.

So, back to what I was saying: in this video we're going to explore a simple, small WordPress or PHP web shell, and, uh, you know, enough of me rambling. Let's get to the computer screen, let's dive into the action here and start to have some fun.

Okay, so I am inside of my REMnux Linux virtual machine, or the reverse engineering malware Linux distribution. I'm gonna hit Ctrl+Alt+T on my keyboard and fire up a terminal here, and I do have a directory created for me called CPL web shell, and this actually is a file, cpl.php, that was sent along by a viewer. In fact, let me see if I can track down the email. This viewer, again, had sent this some time ago. I think this is even back from, like, April of 2021, but they said: "Hey John, tripped over your YouTube channel, really enjoy and learn a lot from what you're showing, doing and talking about. Thanks so much. I wish I knew what training path you took to learn all about..." You know, hey man, I super appreciate it. "I know a lot of it is trial and error until you find or get something that is helpful. Reason for my email: we found a malware file in one of our websites that's attached. I thought you might want to take a look at the content. I've decoded the cpl.php file once, but there seems to be another three big chunks that don't decode the same way. I'm not a PHP programmer, but I do understand and write in a number of other languages, many of which are now dead. I'm a little bit old." Hey,
man, there's nothing wrong with that, that's all right. "Finding this malware was not easy. We scanned the site using probably 15 or more web-based WordPress malware scanners and ClamAV, and only two scanners even reported that there was an issue." So that is the cpl.php file that we have, a web shell located on a WordPress file.

So let me go ahead and open this thing up in Sublime Text and let's see what we're getting into. Okay, uh, jumping right into a big blob of base64, uh, and let's take a look at this syntax here and see what we're going to end up using. I'm going to hit Ctrl+Shift+P on my keyboard to set the syntax to PHP in Sublime Text, but because this line is way too stinking long, it looks like it's not even going to do some of that syntax highlighting for me. Uh, so never mind. We will want to go ahead and extract this and get this data out here.

If folks are tracking, you'll notice that it ends up calling the eval function. That eval function is going to evaluate code, right? Go ahead and execute things, and this is super duper common for, uh, scripting languages, or even PHP and others, that will go ahead and just process this as needed. gzinflate will go ahead and inflate what would have been deflated gzip data, I believe. I might have that wrong, or just raw zlib stuff. We'll let PHP unravel this for us ultimately, because it is going to be pulled from some base64 encoded data.

Now, this whole chunk is what we want to be able to play with, except we don't want this thing to detonate. Then we want PHP to really unravel this for us but not eval it out. I want it to simply echo it out. So let me see if I can save a copy of this. We'll call it just, I don't know, stage one dot PHP modified, how about that, and we'll change, again, this eval to an echo statement, so that way it just displays it out on the standard output and onto the screen here. Now I can get back to my terminal and I can just honestly use, hey, let's kick that thing over to PHP, let's let it run our stage one modified.php, and
boom, all of this stuff is just spat out onto the screen. In fact, there's a whole lot here, and that should be a little bit of fun to review for us. Let me go ahead and redirect that output to stage two dot PHP, how about that.

Okay, so I'm going to go ahead and now open up stage 2.php, and let's see if I can save a copy of this as stage two modified, just so, like, how to, whatever, have some scrappy version control. I want to keep the original file that we had, and then any tinkering that I might do I'd like to keep and maintain in here. With that said, a lot of this looks pretty jank. It is, uh, out of order sometimes, some cases not having, like, the most sensible, uh, indentation or white space, so let me see if I can beautify this. I'll go ahead and open up a Firefox web browser and then I'll see if I can find, just a simple online Google search, give me a PHP beautifier. Looks like there's some super simple cheesy thing from beautifytools.com. Hey, whatever, let's just slap it in, uh, and then beautify PHP, there's the button. "Please wait while we are beautifying your code." Thank you very much. We'll grab that, copy and paste it and just slap it back into our index here. That didn't do a very good job, not gonna lie. Uh, anyway, because this is going to be put through an eval statement, we know that ultimately, maybe, in fact, it just needs that PHP tag in the front to try and clean that up. Uh, yeah, there we go, that makes it a lot better, with some proper indentation here.

The PHP tag at the beginning denotes that, okay, this would traditionally be through a PHP file, but since this was ran as a second layer, as part of what would have been stage one through that eval statement, it's not going to include that data. This is just a raw text, or the string that would have been passed as the argument to that eval function.

So we check if the server agent, ooh, is actually going to match an MD5 hash. You can see that there's a hard-coded MD5 hash here, and that actually is going to let the user agent of the client connecting
this web page basically act as a key or a password, or to denote, hey, what exactly does the user agent have to be for this page to even load, because if it's not equal to that, it just dies. It craps out, it stops rendering, it won't execute the whole rest of this application. Now, do note, it just prints out this MD5 hash as the argument to die, which isn't extremely useful to us. I'm curious if we just would happen to be able to crack that with, like, a stupid dumb CrackStation. I really, really doubt it, because it's probably some other special key, but it's worth just slapping it in here, uh, filling out this captcha. Oh goodness, I am not a robot, I promise. Stop it, I am not a robot. Okay, crack hashes. Nope, totally not going to be found there. I'm sure it's a much longer string than a simple word, but it's worth exploring anyway.

This does set up a guard, or some sort of little boundary, to denote: I only want the threat actor, the hacker, the adversary that knows the secret password, that knows the special key, using it as their user agent, to be able to even access and use this web shell. And then it goes ahead and sets some configuration values within PHP, like you might see in the php.ini file. It turns off logging. It says error log is going to be null, log errors set to zero, and max execution zero, etc., etc., and error reporting set to zero. Ends up using some headers here that might just be part of the response in returning to this page.

And then we have some functions defined, called get perm, based off of a file argument. Now, these are going to end up probably being utility functions that will be used throughout the rest of this code, so we don't need to dive in to all of this right now, but it's interesting in that we're checking out some of the permissions on this file and maybe determining whether or not it is read, write or executable, or a sticky bit, or other things that might help us get a lay of the land as the adversary here, trying to determine what is part of this target. Other functions: WSO
view size. I'm assuming this is going to take in a value s that's checking if it's an integer and then printing, or, oh, converting that and passing that to a string here, and then determining, based off of that value, what are we going to end up printing out here, based off of gigabytes or megabytes or kilobytes, presumably being, okay, a size of bytes representing a more human readable method. And it does put this in some HTML to add specific fonts here and colors that, okay, maybe make this a little bit more clear as to whether or not it's a big ginormous file, like a gig, or a couple megabytes or kilobytes. So we'll note that as just, again, some convenience functions.

And then we have get magic quotes GPC, strip slashes, retrieving cookies and post values. I wonder if that does anything interesting. And then it's actually building its own functions to create the functionality of put file contents. That's a little bit interesting. Same thing for set magic quote runtime. I'm curious what that thing actually is. Let me go back to my uncle Google here and go ask what is that. "Gets the active configuration settings of magic quotes runtime", and this is a deprecated function, which is probably why they're trying to create it naturally within the code. That might be the same way for some of the other functions that they do. They're just trying to bake in the functionality so the code can continue to run while they might call that function, whether or not it actually existed or not. Magic quotes and runtime, again, okay, deprecated and removed, but "functions that return data from any sort of external source, including databases and text files, will have quotes escaped with the backslash". Oh, okay, a little bit interesting, and that might do or manipulate some of the data that's returned from other functions, so probably why they're just building in that functionality here.

There is another interestingly named function, uh, that's gonna be tracking some cookies here. Dolly work, or Hello Dolly, or... I'm super duper
interested why Dolly is seemingly a theme. I wonder if we can use that to track down some other IOCs, or indicators of compromise, or just other similar samples. And then if that doesn't exist, then we go ahead and remove ourself, okay, hence the name of the function, right? And we try to remove other potentially, uh, malicious web shells, I'm going to assume, or they may have just backdoored some other pages within WordPress, some of the usual, okay, specific, uh, files used within WordPress, and then it just closes itself out with the die function.

And echo header. Oh, we actually have an image, like a GIF, included as base64. That's kind of weird. I would like to pull that out. It's a background image. It's, like, literally setting that as the background. Uh, I totally want to grab that and see what this thing looks like. Copy and pasted that, and that is just some other CSS defined for the page. That must be the very, very beginning of the return page here. Let me go back to my shell and echo, actually, you know what, let's just call it subtle background.jif base64. I called it base65.
Let's do that again, rename it to base64. Perfect. Now let's decode that and redirect that to background dot GIF. Now can I take a look at what that might be? Do I have Eye of GNOME, eog? Please? No. What is it, is it Ristretto? Uh, let me just open up Nautilus. There we go, this is our background, and ImageMagick is not doing all that good with this. It looks like it has some skull icons, some PHP logo icons and some WordPress stuff, so nothing huge. Uh, maybe that's kind of fun, but not a big deal.

Then we are going to end up outputting scripts onto this page. We define a function to set a cookie, which is probably just a convenience thing within JavaScript, and then get cookie, which will again retrieve a cookie value within JavaScript, and then we'll use filter, uh, to retrieve some filters and maybe use the date module to determine what we're going to end up showcasing or not with our filter function. To force a new location, interesting, trying to replace the location to worker.php. fsdsfss, gotcha. Fast, presumably fast scan, paranoid, paranoid scans. I'm curious what these all might do. The client side code I don't have that much of a concern with, but there's other things that might happen here, again, with those other function names that do some weird animation stuff. That's curator work methods. Looks like that is what you might be able to use as the instructions for what you want this web shell to do, whether it's going to be retrieving a directory, getting a file, running code or passing in parameters. All those things could presumably be controlled in JavaScript here, and it has some workers that will go ahead and do these things.

Now we have other functions that we might end up checking for, seeing if they're existing in the PHP runtime that this is being used in, or the version number, like, hey, do we have openssl verify or curl init. Presumably this is going to end up using curl to, again, reach out to other remote locations and do interesting different things with them. Two worker looks like
it's going to end up taking the actual directory that this file is in, presumably a WordPress location, exploding out the file path to get, oh, that full location, and then try to create some worker tasks to do things, building out the directory and then kind of plopping other files in other locations, correct? It returns to, right. So it looks like it uses some base64 encoding there. That's a little bit odd to me. I don't exactly know what they're accomplishing, which is kind of spitting that out, but otherwise there is the table that ends up creating everything, again, for the interface as to how this might work, uh, paranoid scans, filtering on information and building forms, men styles, etc., etc.

Oh, this must be the file manager. I'm presuming it's actually going to end up, like, showing you all the files within the current directory on the target, so that way it looks like, hey, some nice, very, very user-friendly and big interface to be able to click around and do unique things on this target. This is a pretty versatile web shell, right? And this goes on for a little bit of time, again, just kind of presenting all these files, building them out as a table, and that's why you saw it, okay, get the file size, or check the permissions, see the date when it would have been modified, accessed, created, the typical file metadata that you might be interested in. Edit file as another function, where we might be able to modify something, delete file, or some other functionality, and, oh, here's an interesting one, here's another exec PHP function, so this can sort of work as that remote access Trojan in a way, like, again, the web shell to run and execute more commands. There's that eval statement, of course. You're checking if a c HTT parameter is present, and then it ends up checking, uh, where we might go ahead and put a file here. Looks like there is a script, again using some JavaScript here, but also, weirdly enough, including PHP in this. Uh, oh, checking, like, WordPress user stuff, like trying to see, okay, can we get some of the
WordPress admins or plugins, uh, all to be explored, and get user by email, so SC file 374 at mailmail.com, and it tries to delete that user. Delete evil is some of the instructions that this might use. I'm super curious, and again, we might want to take note of that to do some more Googling and research and dig into that a little bit more.

Uh, here's our make worker function, and this looks like another ginormous blob of base64. This goes on for quite some time, but it ends up ultimately spitting that out to the worker dot PHP file, uh, and that's using that file put contents function that's defined up here. So we could grab this if we really, really wanted to. We could explore and decode that. Let me save that as a worker dot PHP dot b64. Very slick. We'll dig into that in the moment, but I do want to explore some more of this file, see if there's anything else interesting.

Looks like there's a download function, chmod to change modifications of permissions on files. There are a whole lot of other functions here to kind of explore and dig into specific WordPress functionality, like, are there WordPress files that I might end up either seeing or using or recreating or working with, um, and then it offers that all to be able to play with this thing. And there's that Dolly again, reference here. Here's Dolly code, again base64 presumably, so let's go ahead and grab that and let's see what they do with this thing. Uh, let me save this as dolly code.php. And we're looking at, the WordPress plugin directory exists, if we have write access to it, oh, could we see if we could, uh, maybe modify or delete some files with that unlink function, like a hello.php inside of the plugin directory. Oh, and it sees, that's interesting, how far it could go with this. Even an interesting function, uh, update WordPress, that might update WordPress based off of the current PHP version, checking out, oh, what are we going to end up grabbing another WordPress version for, and again, it looks like it actually uses curl to download this from Car
Wash lewiston.nl WordPress in the version. I don't know if this is still alive. Let's go see. Let me see if I can go ahead and curl this down. Uh, that would be looking for wp.zip, correct? Are you alive? No. Uh, that URL just might be dead. I don't mind, I'm okay with it. I can Google, I'll fire it up in a web browser, we'll see what's going on with that thing. Nope, looking dead. Can I dig that URL, or that domain name, really, here? Nope, not currently. Obviously nslookup would just do the very, very same. Not tracking that domain.

Then we go ahead and, if we were able to download this, again, maybe this file was from a year ago, I'm sure there are different variations of this, we would download that zip archive, go ahead and extract it, and then do some other peculiar stuff with other functions that are defined here, like debugging WordPress, presumably, right?

And after all these functions are defined, we eventually get to see what this web shell does naturally. All those convenience functions have been built out, and we check if the count of the POST arguments is equal to zero, or if the count of the GET parameters are equal to zero, uh, or, and really, here. So if it's not providing any instructions via HTTP request methods, then it goes ahead and echoes all of this out, with its header, with its scripts, with its functions and its big form and table, like the file manager and everything that's necessary and needed to go ahead and display this page, like an interactive command and control, or, that's the wrong word there, remote access Trojan or web shell, to gain control of this endpoint and do interesting things. Now, if an argument actually is provided, if we take the else branch of this logic, then we do a switch and test against the a argument, again using the request PHP variable, to be specifying it could be either a GET parameter or a POST parameter, but then we'll call different functions that we've kind of defined up here, like edit, save, or manipulate some of the file managers and files
here, delete files, etc., or execute PHP and others with this action, which I'm assuming is going to be that a argument or variable there. That's kind of peculiar, and that is the real instructions. That's how this does what it might do.

But now I'm super curious, what is our worker PHP base64 and our Dolly code end up doing? Uh, let me go ahead and move our Dolly code to that Dolly code.b64, and again, let's base64 decode our Dolly code into Dolly code there. Let's do the very, very same with our worker, redirect that to a worker code dot PHP, and let's take a look at what Dolly code is going to do. Only 106 lines, so nothing wild here. Oh, this is a, uh, supposedly WordPress plugin, uh, Hello Dolly. "This is not just a plug-in, it symbolizes the hope and enthusiasm of an entire generation summed up in two words sung most famously by Louis Armstrong: Hello, Dolly. When it's activated you'll randomly see a lyric from Hello, Dolly in the upper right of your admin screen on every page." That is pure art, and that's what it does.

Why do we have this? Why is this included here? Okay, there's Dolly. Did it do something with that? Like, we had other functions to see if Hello Dolly was doing its thing, and then, whoa, update option, update Dolly CSS. This looks like other base64 code, but it doesn't look like it's malicious. Did I, like, completely skip this? Update option Dolly CSS. What does Dolly CSS do? That's it, it doesn't do anything else other than that. Let's just slap this on the command line and see what does that give us. Whoa, that has a couple more, uh, little indicators of compromise, websites in, uh, external locations to look at, that are a little bit weird. Let me redirect that to Dolly css.php, how about that. Let's see what you do. What? All right, let's add a little PHP tag in here so we get our syntax highlighting. Let's do a hello check signature, and we have a public key included here, using some openssl stuff, decoding the signature that's been cooked out and put together. Hello action, whoa, that's going
to do some unserializing data that presumably can be used to execute code, of course, correct? Like, you can execute serialized data and have it do things with hosts, and there's more actions here. Hello delete post, with Dolly posts. Is it trying to masquerade this super silly and easy Hello Dolly plug-in with CSS code, supposedly, right, that is actually going to be executed maliciously? Like, this is genuine, this is the original Dolly CSS that they have here, and then they clobber it. They rewrite that function, that's what they do. Update option, changing... What does update option do? We define that, do we not? Oh, it's going to be, uh, if we have that function. No, it's not checking that. What, PHP update option, please, what do you do? Oh, it's a WordPress function. "Updates a value of an option that was already added." So yeah, it might very well be kind of just switching up some of the supposedly CSS file with this malicious PHP code that's going to continue to do more sketchy stuff. Update option Dolly posts, hello update. Uh, am I wrong there?

Hello Dolly PHP, Freemius, this is real. There's a GitHub repository for this thing, and this is the original source code that we were kicking around with. "What is the Hello Dolly WordPress plug-in extravaganza, should you delete it?" 2015. "One of our app users recently asked what does this thing do." There's a video. It just puts the Hello Dolly values there.

Anyway, let's get back to the code here, because it is presumably, like, letting you insert or create posts and control, like, content on the WordPress website, but it also has execute capabilities and make shell, uh, potential capabilities that do this Dolly work shenanigans, and of course Dolly work will end up, again, evaluating gzip base64 encoded data, running all of these actions in that capability above for every single POST argument that's provided. Hello script methods are defined up here, and let's see if these are still alive. .com avocats vacavilla odoo, are any
of these still alive? Curl that down. That one's still alive. Oh, that's dumb, it's just, no, like, cheesy cookie thing, but it does try to go to claim your prize, take your prizes.life, with some unique keys encoded here. Let's go down the rabbit hole, shall we? I don't want to dig into that right now. I don't want to, I don't want to, I don't want to. What about the next one? Let me check it out. Also still alive. Other file ones, are these genuine? Are those real? Oh no, that one's alive but doesn't have that file anymore. I dot PHP, I presume, might be other just weird wacky stuff. Another alive, that brings me to the exact same take your prize's life. Another one up here, nothing. No, one's dead. Does that page still exist? What you got? Moved permanently, going to, oh, do 20 dot fr. What do you got? Follow the redirect. What? All right, I think it's curl tack L to follow the redirect. Nah, yeah, they're just, I guess that's dead, so whatever.

Okay, that's still pretty wacky, that's still pretty weird. I don't know if I'm misinterpreting or misunderstanding this. I know I do these things, like, on the fly, so I could totally just be, like, blazing past something that I'm not making sense of.

Um, but what does our worker do? I think that's the last stone unturned here. But, oh geez, this is exactly what you would expect it to be. It is just PHP code to be able to do things, uh, and there are some other oddities in other URLs that it might play with. Many, many, whoa, GitHub links. What do you got? Okay, I kind of want to check these out, not gonna lie, as much as I didn't want to keep going to the rabbit hole, I would like to. Whoa, check it out, jiggly three web PHP shell, back in 2015.
But what are these arrays being used for? datecenter.com as a URL, other random shenanigans. This is a disaster. My God, what is it supposed to be? Regular expressions? I mean, yes, all of these code segments and file names and everything in this array has been regular expressions, uh, hence a lot of these, but there's just weirdness in here. What do you do with this array? You define all of this stuff and what do you do with this? More random domains. Man, the internet is a wild place.

Okay, end replace section, and then we had more arrays in our paranoid scan, dead letter, and work check, get task number, get task. These are just works. It is the worker unit, correct? So it's trying to do some tasks in it, will add tasks, etc., get URL, make log, and basically it's just, I think this file was created as a temporary thing so that it could have something specific to do and then follow out those commands and executions and then clean itself up. But whether it's looking through a directory or other miscellaneous things, it just does this, and it gets a random tag appended on so it never caches, uh, any of the locations that you go to, because that way you always get the latest and your web browser doesn't cache it. That's a trick that is oftentimes done, um, with web-based stuff. You might see, like, the time be appended as a URL parameter, or just a random number. It's so that it doesn't cache it.

All right, there were some interesting GitHub things in here, right? lagergost.github, uh, a hex.github.io slash marijuana, what, plugin name, CMSmap WordPress shell. So some of these, I'm curious, which one of them is this? What is this CPL shell? Because we did see this digitally three web PHP shell 2015. What are you? Check it out, here's a GitHub. This looks pretty similar to what we had just a moment ago, uh, but is using eval and then using hex codes here to include more base64 encoded stuff. But so this is probably going to be typing out the base64 decode shenanigans that it might need to, uh, execute
that out. So that's not exactly what we were looking for, but this should probably be reported, so we could do that once I'm done recording this video. What are you doing, miniso? "One day you'll leave this world behind, so live a life you remember." Deploying WordPress shells for long-term persistent access and malicious activity. Web shell orb with php7. This is where I just go down the rabbit hole.

Oh, and here's some, uh, here's some gists that actually digs into this. This is the cpl.php that does the seemingly similar thing that we did. Yeah, yeah, in fact, this is the exact same code that we just saw, so this is how it tracked it down. Does this have different, uh, URLs at the end here? No, it doesn't have any of them. It's kind of weird, but this is also the Herald full screen. You can see the original CPL uncompressed, same exact hash, so this is the same sample that we've been playing with. This fella says: "Hey, one of my websites running WordPress got hacked and found this file uploaded. Do you have any idea how this could happen?" "There's a vulnerability with the WordPress file manager plugin." This is back in 2020. "The malware virus adds its snippets to all JS, HTML and PHP files and changes their permissions to 777", or world readable, writable and executable. "It also adds its snippets to the WordPress database on the post table, every single entry, so you need to clean up your database as well. You can read more about this exploit on Wordfence."

Whoa, whoa. "700,000 WordPress users affected by zero day vulnerability in the File Manager plugin. The morning on September 1st 2022, the Wordfence threat intelligence team was alerted to the presence of a vulnerability being actively exploited in File Manager, a WordPress plugin with over 700,000 active installations. This vulnerability allowed unauthenticated users to execute commands and upload malicious files on a target site." That sounds bad. So this talks a little bit about the potential vulnerability, where this all came from, and again, the ginormous attack surface
that is WordPress and WordPress plugins, but it doesn't specifically get into this malware or this web shell and this attacks here, this speculation. I'd have to think, and I would have to go look through, again, those other lines of code, if it's injecting itself to all snippets of JavaScript, HTML and PHP files. It looked like it very well did that and had the capability to do that, but again, I don't mean to be tossing those claims out as I've just scrolled through this within an hour. Like, this is pretty cursory. This is an endless rabbit hole, um, but it's wild and kind of crazy to see all the capability that could be built in to this original gunk of nonsense that is just even simply base64 encoded, uh, hey, gzip deflated, inflated, whatever, and then executed, and kind of powering up and doing everything within all these files, potentially the database, HTML and JavaScript included, to build out this dynamic interface for that control on the endpoint and target.

So I've been rambling for way too long. I think this turned out to be a significantly longer video than it should have been, uh, but it was just kind of fun to explore. There wasn't a whole lot of deobfuscating that we needed to do, more than just a, whatever, some beginning base64 and then things here and there, and then it was just kind of exploring and poking around. Uh, I hope that was fun to watch, if just a little bit, and again, I hope it drives home that idea, man: web shells for persistence can just do a heck of a lot, and implant and put their hooks and claws and talons in this victim and targets, and eventually be used for persistence and later long-term access from a threat actor, adversary and hacker, even if it's that small, simple thing, just run a command, or it's like, yo, you've got the full suite, you've got the Ferrari: look at the file system, edit, modify files, do anything, and even hide in Hello Dolly lyrics, I guess. So, uh, hope that was a good time. Thanks so much for watching, everybody. Hope you enjoyed this video.
Please do go check out our sponsor, Offset Training Solutions, Offset with a zero, and the Zero to Auto training platform. They have some incredible stuff where you can dig into some hardcore real malware analysis and binaries with disassemblers and debuggers and other sweet stuff that's super smart, that's way, way over my head. Thanks again, everybody. We'll see you in the next video. Take care.
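Added example, not part of the video transcript or the speaker's own code: the transcript unwraps `eval(gzinflate(base64_decode(...)))` by swapping `eval` for `echo` and letting PHP run the file; the sketch below peels the same layers statically in Python, so nothing from the sample executes, and it goes a little beyond the video by also handling `gzuncompress`, `gzdecode`, `str_rot13` and `strrev`. The function names (`peel`, `md5_literals`, `make_constructed_sample`) are hypothetical and the sample is constructed here, not taken from cpl.php.

```python
import base64
import codecs
import hashlib
import re
import zlib

MAX_OUT = 8 * 1024 * 1024  # cap per-layer output so a hostile blob cannot exhaust memory


def _inflate(data: bytes, wbits: int) -> bytes:
    d = zlib.decompressobj(wbits)
    out = d.decompress(data, MAX_OUT)
    if d.unconsumed_tail:
        raise ValueError("layer inflates past MAX_OUT")
    if not d.eof:
        raise ValueError("truncated compressed stream")
    return out


# PHP function name -> pure-Python equivalent. Nothing here runs PHP.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: _inflate(b, -15),    # raw DEFLATE, RFC 1951
    "gzuncompress": lambda b: _inflate(b, 15),  # zlib container, RFC 1950
    "gzdecode": lambda b: _inflate(b, 31),      # gzip container, RFC 1952
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval( f1( f2( ... 'literal' ) ) );  group 1 = call chain, group 3 = literal
WRAPPER = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])([^'\"]*)\2[\s)]*;")
MD5_HEX = re.compile(r"\b[0-9a-fA-F]{32}\b")


def peel(source: str, max_layers: int = 16):
    """Return (layers, stop_reason). layers[0] is the input; each later entry
    is the string the previous layer would have handed to eval()."""
    layers = [source]
    for _ in range(max_layers):
        m = WRAPPER.search(layers[-1])
        if not m:
            return layers, "no further eval(decoder('literal')) wrapper"
        chain = re.findall(r"\w+", m.group(1))
        data = m.group(3).encode("utf-8")
        try:
            for name in reversed(chain):  # innermost PHP call runs first
                fn = DECODERS.get(name.lower())
                if fn is None:
                    return layers, f"unsupported function: {name}"
                data = fn(data)
        except (ValueError, zlib.error) as exc:
            return layers, f"decode failed in {name}: {exc}"
        layers.append(data.decode("utf-8", errors="replace"))
    return layers, "max_layers reached"


def md5_literals(text: str):
    """Hard-coded 32-hex strings, e.g. a User-Agent gate hash, deduplicated in order."""
    return list(dict.fromkeys(h.lower() for h in MD5_HEX.findall(text)))


def make_constructed_sample():
    """Constructed, harmless two-layer sample shaped like the gate the transcript describes."""
    ua_hash = hashlib.md5(b"constructed-user-agent").hexdigest()
    inner = (
        "if (md5($_SERVER['HTTP_USER_AGENT']) != '%s') { die('%s'); }\n"
        "echo 'constructed stage two';\n" % (ua_hash, ua_hash)
    )

    def wrap(php: str) -> str:
        c = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, what gzinflate expects
        raw = c.compress(php.encode()) + c.flush()
        return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()

    return wrap(wrap(inner)), inner, ua_hash


if __name__ == "__main__":
    sample, _, _ = make_constructed_sample()
    layers, reason = peel(sample)
    print(f"{len(layers) - 1} layer(s) peeled; stopped because: {reason}")
    print(layers[-1])
    print("hash literals to pivot on:", md5_literals(layers[-1]))
```

The `-15` window setting is the detail the video leaves open: PHP's `gzinflate` consumes raw DEFLATE with no zlib or gzip header, which is why a plain `zlib.decompress` call fails on these blobs.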
Info
Channel: John Hammond
Views: 117,153
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: uWlaBmBrZe8
Length: 40min 8sec (2408 seconds)
Published: Fri Dec 02 2022