RDP from Linux with fzf and pass
Running a Windows-heavy SOC lab from a Linux hypervisor means a lot of RDP sessions. The naive approach — typing credentials every time — gets old fast, and pasting passwords into terminal arguments leaves them visible in ps output and shell history. Here’s the script that replaced all of that.

Starting point: one host, one script

The first version was a single hardcoded connection to the forensics VM:

PASS=$(pass soc-lab/windows-analyst)
ARGS=(
  /v:192.168.10.50
  /u:analyst
  "/p:$PASS"
  /size:3840x2160
  /scale:180
  /scale-desktop:180
  /scale-device:180
  /cert:ignore
  /clipboard
  /log-level:ERROR
)
printf '%s\n' "${ARGS[@]}" | xfreerdp /args-from:stdin

Two things worth noting here. ...
Hardening a Hetzner VPS: fail2ban, SELinux, and Cutting the Noise
The Starting Point

A Fedora 43 VPS on Hetzner. Caddy serving a static site over HTTPS. SSH open on port 22 with public key auth. No fail2ban, SELinux in permissive mode, no automatic updates. Good enough to serve a static site. Not good enough to leave alone.

How Much Noise Is There on Port 22?

The server had been up for 16 days. Before touching anything, I pulled the last 24 hours to get a sense of the baseline noise: ...
HTB Sherlock: BFT
Background

The Master File Table (MFT) is a core component of the NTFS filesystem used by Windows. Every file and directory on an NTFS volume has at least one entry in the MFT, storing metadata such as filenames, timestamps, file attributes, and — for small files — the file content itself. When file content is stored directly inside the MFT record it is called an MFT Resident file. In this Sherlock, we are given a raw $MFT file extracted from a compromised Windows machine and asked to investigate a targeted attack against a user named Simon Stark. ...
Forwarding rsyslog to Splunk Without a Universal Forwarder
The Problem

The Splunk Universal Forwarder requires glibc. If your log source is running Alpine Linux, a minimal container, an embedded device, or an IoT gateway, you’re out of luck — those environments use musl libc, and the two are binary-incompatible. In my home SOC lab I hit this exact wall. The perimeter firewall VM runs Alpine Linux (chosen for its small footprint and scriptability), and it’s running Suricata generating EVE JSON on the lab-facing interface. I needed that data in Splunk, and the UF wasn’t an option. ...
Forwarding Syslog to Wazuh with rsyslog
Why rsyslog to Wazuh?

Wazuh normally collects logs through its own agent, but there are situations where syslog forwarding makes more sense:

- The host can’t run the Wazuh agent (embedded systems, appliances, immutable OSes)
- You want visibility fast without deploying an agent
- You’re forwarding from network devices that only speak syslog
- You need a lightweight option for lab or training environments
- To prevent log tampering

rsyslog gives you a quick path to centralized log collection with minimal footprint on the client. ...
Silent Footprint CTF — Full Attack Chain from SMB to Root
Overview

Silent Footprint is a free CTF lab from INE with four challenges that chain together into a full penetration test: enumerate services, gain initial access, pivot through a segmented network, and escalate to root using a recent sudo vulnerability. INE provided a Kali Linux attack box as part of the lab environment. The lab has three target machines — ctf.playground.ine, ctf2.playground.ine, and a hidden third host that doesn’t resolve by name. The attack path crosses two network segments and ends with a privilege escalation via CVE-2025-32463. ...