Nate Christian — Cybersecurity Writeups

Welcome

A collection of concise cybersecurity project write-ups and CTF solutions.

Use the navigation to the left (or the hash links) to view each writeup. Each page contains a summary, the approach taken, key artifacts, and references.

Web Exploit — Authentication Bypass

Target: vulnerable-app.local — Techniques: SQLi, logical flaws

Summary

Found an authentication bypass via an unsanitized login parameter combined with a logic flaw in the password check.

Approach

1. Enumerated endpoints and parameters using Burp and manual inspection.
2. Tested for SQL injection with payloads like admin' OR '1'='1.
3. Identified short-circuiting logic allowing empty password acceptance when session flag present.

Key Artifacts

Request: POST /login
username=admin&password=' OR '1'='1

Mitigation

• Use parameterized queries and enforce server-side authentication flow.
• Implement proper session and state validation.

References

• OWASP

Network Forensics — PCAP Analysis

Dataset: capture_2025.pcap — Focus: data exfiltration detection

Summary

Analyzed PCAP to identify suspicious TLS-over-HTTP tunnels and anomalous DNS queries indicative of exfiltration.

Approach

1. Loaded pcap in Wireshark, filtered by suspicious ports and TLS fingerprints.
2. Used tshark to extract HTTP objects and reviewed timing patterns.
3. Correlated DNS and TLS sessions to identify C2 beaconing.

Key Artifacts

tshark -r capture.pcap -Y "tls" -T fields -e ip.src -e ip.dst -e tls.handshake.extensions_server_name

Findings

• Repeated queries to unusual domains with consistent 30s intervals.
• Encrypted payloads sent to third-party cloud storage endpoints.

Malware Analysis — Sample Triage

Sample: suspicious.exe — Tools: rizin, strings, Cuckoo

Summary

Performed static triage to identify anti-analysis checks and network indicators.

Approach

1. Collected strings and PE headers to identify imports and timestamps.
2. Used a sandbox to capture runtime network behavior.
3. Analyzed packed sections and unpacked payload with rizin.

Key Artifacts

strings suspicious.exe | grep -i "http\|cmd\|powershell"
rizin -A suspicious.exe

Recommendations

• Block identified C2 domains and update IDS signatures.
• Harden endpoints and enable EDR telemetry collection.

CTF Writeup — Reverse Engineering

Challenge: crackme_rev — Goal: retrieve flag string

Summary

Reverse-engineered a small binary that performed an obfuscated XOR-based check against a hardcoded key.

Approach

1. Loaded into Ghidra to locate input validation routine.
2. Extracted key and rewrote the check in Python to brute-force formatted input.

Solution Snippet

key = b"\x5f\x2a..."
def check(inp):
    return bytes(a^b for a,b in zip(inp,key)) == b"FLAG{...}"