Update theme

README.md

@@ -7,15 +7,15 @@
 
 🐣 Minimal template for getting started with [Hextra](https://github.com/imfing/hextra)
 
-![hextra-template](https://github.com/imfing/hextra-starter-template/assets/5097752/c403b9a9-a76c-47a6-8466-513d772ef0b7)
+![hextra-template](https://github.com/imfing/hextra-starter-template/blogs/assets/5097752/c403b9a9-a76c-47a6-8466-513d772ef0b7)
 
 [🌐 Demo ↗](https://imfing.github.io/hextra-starter-template/)
 
 ## Quick Start
 
 Use this template to create your own repository:
 
-<img src="https://docs.github.com/assets/cb-77734/mw-1440/images/help/repository/use-this-template-button.webp" width=400 />
+<img src="https://docs.github.com/blogs/assets/cb-77734/mw-1440/images/help/repository/use-this-template-button.webp" width=400 />
 
 You can also quickly start developing using the following online development environment:
 
@@ -40,7 +40,7 @@ For details, see [Publishing with a custom GitHub Actions workflow](https://docs
 
 Note: in the settings, make sure to set the Pages deployment source to **GitHub Actions**:
 
-<img src="https://github.com/imfing/hextra-starter-template/assets/5097752/99676430-884e-42ab-b901-f6534a0d6eee" width=600 />
+<img src="https://github.com/imfing/hextra-starter-template/blogs/assets/5097752/99676430-884e-42ab-b901-f6534a0d6eee" width=600 />
 
 [Run the workflow manually](https://docs.github.com/en/actions/using-workflows/manually-running-a-workflow) if it's not triggered automatically.
 
@@ -54,7 +54,7 @@ Note: in the settings, make sure to set the Pages deployment source to **GitHub
 
 Override the configuration:
 
-<img src="https://github.com/imfing/hextra-starter-template/assets/5097752/e2e3cecd-c884-47ec-b064-14f896fee08d" width=600 />
+<img src="https://github.com/imfing/hextra-starter-template/blogs/assets/5097752/e2e3cecd-c884-47ec-b064-14f896fee08d" width=600 />
 
 ## Local Development
 

content/_index.md

@@ -1,17 +1,17 @@
 ---
-title: My Site
-toc: false
+title: InfoSecIITR
+toc: true
 ---
 
-This is the landing page.
+We're a bunch of information security enthusiasts from the Indian Institute of Technology, Roorkee.
 
 ## Explore
 
 {{< cards >}}
-  {{< card link="docs" title="Docs" icon="book-open" >}}
+  {{< card link="blogs" title="Blogs" icon="book-open" >}}
+  {{< card link="ctf-writeups" title="CTF Writeups" icon="pencil" >}}
   {{< card link="about" title="About" icon="user" >}}
-{{< /cards >}}
-
-## Documentation
-
-For more information, visit [Hextra](https://imfing.github.io/hextra).
+  {{< card link="achievements" title="Achievements" icon="terminal" >}}
+  {{< card link="tools" title="Tools" icon="collection" >}}
+  {{< card link="resources" title="Resources" icon="newspaper" >}}
+{{< /cards >}}

content/about.md

@@ -1,6 +1,16 @@
 ---
-title: About
-type: about
+title: About Us
+date: 2023-11-20 00:20:14
 ---
 
-This is the about page.
+## Who We Are?
+
+`InfoSecIITR` is a group of information security enthusiasts from `Indian Institute of Technology Roorkee (IITR)`. It is run entirely by students and consists only of IITR students. We are a bunch of self-motivated security enthusiasts who love learning and sharing their knowledge with everyone genuinely interested in information security.
+
+## What We Do?
+- Meetings: We have weekly meetups where we have information security-related discussions and participate in CTFs.
+
+- Capture The Flag: We actively participate in CTFs. These are security competitions which require practical knowledge of topics like binary exploitation, reverse engineering, blockchain, cryptography, web security, forensics, steganography, etc. We also organize our own Capture The Flag competitions. The notable ones being: BackdoorCTF (our annual flagship CTF), n00bCTF (a CTF for recruiting first yearites at IIT Roorkee), Hackentine (a high-school level CTF for beginners).
+
+## How to Join?
+Top scorers from n00bCTF and Hackentine at IIT Roorkee are invited for the interview rounds. Based on the interviews, the final selection will be made. For students who are not freshers, please submit your resume to [email protected]. We may invite you for an interview if your profile meets our criteria.

content/achievements/_index.md

@@ -0,0 +1,55 @@
+---
+title: Achievements
+toc: true
+---
+
+- Qualified for Onsite Finals of Hacktheon Sejong 2023, South Korea
+![](/achievements/assets/achievements/sejong.jpg)
+
+- Four teams, comprised of members of InfoSecIITR , namely “JEE ke baad kya ukhada”, “b1t_bu5t3rs”, “sudo rm -rf JEE” and “Phr34k1ng f00ls” secured the 2nd, 3rd, 8th, and 11th positions at [IITB CTF](https://trustlab.iitb.ac.in/event/capture-the-flag-2023-national-edition), organized by IITB Trust Lab and IITBreachers at IIT Bombay.
+![](/achievements/assets/achievements/trustlabs.jpeg)
+
+- [Rakshit Awasthi](https://x.com/sh4dy_0011/status/1719682213690929518?s=20), a member of InfoSecIITR completed the most reputed reverse engineering competition: Flare-On 10.
+
+- Aryaman Behera and Manan Garg from InfoSecIITR won [DSCI Hackathon 2022](https://www.dsci.in/content/hackathon-2022)
+![](/achievements/assets/achievements/aryaman_manan.png)
+
+- Abhinav Saini and Ashutosh Srivastava from InfoSecIITR emerged as runner-ups in [DSCI Hackathon 2022](https://www.dsci.in/content/hackathon-2022)
+![](/achievements/assets/achievements/abhinav_ashutosh.png)
+
+- [Rakshit Awasthi](https://www.linkedin.com/posts/rakshit-awasthi-114ba91b9_ctf-cybersecurity-nullcon-activity-7120697274065666048-tjkb), a member of InfoSecIITR won Winja CTF , at Nullcon Goa 2023
+
+<img src="/achievements/assets/achievements/rakshit.jpeg" alt="drawing" width="70%"/>
+
+- 4th place globally, [Nullcon HackIM CTF Goa 2023](https://ctftime.org/event/2065)
+
+- Team aprils-worshippers, comprised of few members of our group, secured first place in CSAW-India region and 12th place globally, in [CSAW CTF Finals 2023](https://ctftime.org/event/2091/)
+
+- 7th place globally, [vsCTF 2023](https://ctftime.org/event/2053)
+
+- 9th place globally, [BYUCTF 2023](https://ctftime.org/event/1935)
+
+- 6th place globally, [HackDay Qualifications 2023](https://ctftime.org/event/1869)
+
+- 8th place globally, [Pragyan CTF 2023](https://ctftime.org/event/1931)
+
+- 3rd place globally, [Jade CTF 2023](https://ctftime.org/event/1791)
+
+- First in CSAW-India region and 11th globally, [CSAW CTF Qualification Round 2022](https://ctftime.org/event/1613)
+
+- 9th place globally, [Access Denied CTF 2022](https://ctftime.org/event/1652)
+
+- 7th place globally, [RitSec CTF 2022](https://ctftime.org/event/1558)
+
+- 7th place globally, [MHSCTF 2022](https://ctftime.org/event/1564)
+
+- 4th place globally, 1st among UG, 1st in CSAW-India Region, [CSAW CTF Finals 2021](https://ctftime.org/event/1316)
+
+- Winner, [Foobar CTF 2021](https://ctftime.org/event/1322)
+
+- Winner [CodeFest CTF 2020](https://ctftime.org/event/1305)
+
+- 7th place globally, [White Hat Grand Prix 06- Quals](https://ctftime.org/event/942)
+
+- Nipun Gupta and Aazim Bill SE Yaswant, from InfoSecIITR emerged as runner ups in [DSCI Hackathon, 2019](https://www.facebook.com/photo/?fbid=2382739841765811&set=a.181440098562474)
+![](/achievements/assets/achievements/nipun_aazim.jpg)

content/blogs/CryptNet_ransomware.md

@@ -0,0 +1,247 @@
+---
+layout: post
+title: CryptNET Ransomware
+readtime: true
+date: 2023-06-11
+subtitle: -- written by P0ch1ta
+tags: [Malware,Ransomware,.NET Reversing, Malware Analysis]
+---
+
+# Overview
+
+CryptNET is a .NET Ransomware which has leaks at the site `http[:]//blog6zw62uijolee7e6aqqnqaszs3ckr5iphzdzsazgrpvtqtjwqryid[.]onion/`. The detials of the malware are as below.
+
+# Metadata
+
+`Malware Sample` : <a href="https://www.unpac.me/results/fccb073a-009a-4048-b097-54b5ffff6639#/">here</a> <br>
+`MD5` : 733a808bc1be9d56026fd39b6e587ce4<br>
+`SHA1` : 323c2d8db7a1104a6631f420b3dfa98f693058a0<br>
+`SHA256` : 2e37320ed43e99835caa1b851e963ebbf153f16cbe395f259bd2200d14c7b775<br>
+
+# Initial Analysis
+
+When we try to analyse the malware inside of `DnSpy` we get some obfuscated code like following:
+
+<img src="https://raw.githubusercontent.com/manasghandat/InfoSecImages/main/CryptNET/1.png" alt="Obfuscated Code">
+
+We can dump the strings of the malware to see if we can get any hints about the obfucation. We can find that the malware is obfuscated using <a href="https://www.eziriz.com/dotnet_reactor.htm">.NET Reactor</a>.
+
+<img src="https://raw.githubusercontent.com/manasghandat/InfoSecImages/main/CryptNET/2.png" alt="Strings">
+
+We can deobfuscate the code using tools like <a href = "https://github.com/SychicBoy/NETReactorSlayer" >NET Reactor Slayer</a>. Afterwards we get the proper disassembled view.
+
+```c#
+private static void Main(string[] args)
+{
+	bool flag;
+	new Mutex(true, Environment.MachineName, ref flag);
+	if (flag)
+	{
+		Class0.mwMessage_base64enc = Class0.smethod_15();
+		Class0.mwMessage = Class0.string_4.Replace(Class2.smethod_14(0), Class2.smethod_14(12) + Class0.smethod_9(28) + Class2.smethod_14(20));
+		Class0.smethod_0();
+		Class0.smethod_12(Class0.string_6);
+		if (Class0.smethod_8())
+		{
+			Class0.smethod_14();
+			Class0.smethod_11();
+		}
+		Class0.smethod_13();
+	}
+}
+```
+
+Here the first two lines are just messages from the malware that it writes in the readme.
+
+# Encryption
+
+## Directory Ennumeration
+
+`Class0.smethod_0()` is used for directory ennumeration and encryption. The malware first finds all the drives that are present of the system and then proceeds to encrpyt the drives one by one. It also checks that if we are present in the root directory and in case we are then it excludes the following directories.
+
+```
+windows.old
+windows.old.old
+amd
+nvidia
+program files
+program files (x86)
+windows
+$recycle.bin
+documents and settings
+intel
+perflogs
+programdata
+boot
+games
+msocach
+```
+
+<img src="https://raw.githubusercontent.com/manasghandat/InfoSecImages/main/CryptNET/3.png" alt="Directory Ennumeration">
+
+It then proceeds to check if the extention of the file is present in `Class0.string_3` and in case it is then it proceeds to encrypt it. 
+
+``` 
+.myd .ndf .qry .sdb .sdf .tmd .tgz .lzo .txt .jar .dat .contact .settings .doc .docx .xls .xlsx .ppt .pptx .odt .jpg .mka .mhtml .oqy .png .csv .py .sql .indd .cs .mp3 .mp4 .dwg .zip .rar .mov .rtf .bmp .mkv .avi .apk .lnk .dib .dic .dif .mdb .php .asp .aspx .html .htm .xml .psd .pdf .xla .cub .dae .divx .iso .7zip .pdb .ico .pas .db .wmv .swf .cer .bak .backup .accdb .bay .p7c .exif .vss .raw .m4a .wma .ace .arj .bz2 .cab .gzip .lzh .tar .jpeg .xz .mpeg .torrent .mpg .core .flv .sie .sum .ibank .wallet .css .js .rb .crt .xlsm .xlsb .7z .cpp .java .jpe .ini .blob .wps .docm .wav .3gp .gif .log .gz .config .vb .m1v .sln .pst .obj .xlam .djvu .inc .cvs .dbf .tbi .wpd .dot .dotx .webm .m4v .amv .m4p .svg .ods .bk .vdi .vmdk .onepkg .accde .jsp .json .xltx .vsdx .uxdc .udl .3ds .3fr .3g2 .accda .accdc .accdw .adp .ai .ai3 .ai4 .ai5 .ai6 .ai7 .ai8 .arw .ascx .asm .asmx .avs .bin .cfm .dbx .dcm .dcr .pict .rgbe .dwt .f4v .exr .kwm .max .mda .mde .mdf .mdw .mht .mpv .msg .myi .nef .odc .geo .swift .odm .odp .oft .orf .pfx .p12 .pl .pls .safe .tab .vbs .xlk .xlm .xlt .xltm .svgz .slk .tar.gz .dmg .ps .psb .tif .rss .key .vob .epsp .dc3 .iff .opt .onetoc2 .nrw .pptm .potx .potm .pot .xlw .xps .xsd .xsf .xsl .kmz .accdr .stm .accdt .ppam .pps .ppsm .1cd .p7b .wdb .sqlite .sqlite3 .db-shm .db-wal .dacpac .zipx .lzma .z .tar.xz .pam .r3d .ova .1c .dt .c .vmx .xhtml .ckp .db3 .dbc .dbs .dbt .dbv .frm .mwb .mrg .txz .mrg .vbox .wmf .wim .xtp2 .xsn .xslt
+```
+
+The malware also does not encrypt the following files
+
+```
+iconcache.db
+autorun.inf
+thumbs.db
+boot.ini
+bootfont.bin
+ntuser.ini
+bootmgr
+bootmgr.efi
+bootmgfw.efi
+desktop.ini
+ntuser.dat
+```
+
+## File Encryption
+
+If the length of the file is less than `524288` bytes then it encrypts the file using `Class0.smethod_4` which encrypts the entire file. The malware uses `AES CBC 256` algorithm to encrypt the files. The `IV` and `Key` is generated and it encrypted using a hardcoded `RSA` key. The `RSA Key` is as follows:
+
+```
+<RSAKeyValue><Modulus>8TO8tQQRyFqQ0VShtSpLkDqtDVsrxS8SfdOsqRAj8mWF7sVoGzyZMcv501DF6iZUdKYsFDlaSMnuckG9+MJmD2ldZwU/0H6Xztkta1BkJWSO2qHg2JAGDp9ZsFGP1wDR9oRb1w7wtBe7Db3wf7q848+qKPWiTP/2R/jlR4evW73M65Jdo9uOzQnbmvw+blsloXeszuYlW2nCcwQ7WarzAK29UmM9ZHS0/lqzU0KHNU+DvyfGwmMJgtb2HN6GFGXq9Z0n3dNBCQVzdUl2G/7fLAMoFbJeExn5USZdFHr2ygheTilo/shmfq7tcPCZM8C4zqBtb0Nbct0f/M48+H920Q==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>
+```
+
+<img src="https://raw.githubusercontent.com/manasghandat/InfoSecImages/main/CryptNET/4.png" alt="File encryption">
+
+In case the file is larger than the limit then the function `Class0.smethod_4` encrypts it. It encrypts only the starting part of the file using the same encryption method as before. The file is moved and the extension of the files is changed as well.
+
+<img src="https://raw.githubusercontent.com/manasghandat/InfoSecImages/main/CryptNET/5.png" alt="Large File encryption">
+
+<img src="https://raw.githubusercontent.com/manasghandat/InfoSecImages/main/CryptNET/ex.png" alt="Encrypted Files">
+
+# Background Image
+
+The malware then proceeds to change the background image and replaces it with something as follows:
+
+<img src="https://raw.githubusercontent.com/manasghandat/InfoSecImages/main/CryptNET/8.png" alt="Background Image">
+
+This image is generated dyanmically inside of the malware and the generation is done inside the `Class0.smethod_12`. The image is then saved at the path `C:\Users\(Current_User_Name)\AppData\Local\Temp`
+
+<img src="https://raw.githubusercontent.com/manasghandat/InfoSecImages/main/CryptNET/9.png" alt="Image Gen">
+
+# Killing Services
+
+Inside of `Class0.smethod_8` the malware checks if it has admin privileges or not. In case it has admin privileges then it proceeds to kill the following services
+
+```
+BackupExecAgentBrowser
+veeam
+VeeamDeploymentSvc
+PDVFSService
+BackupExecVSSProvider
+BackupExecAgentAccelerator
+vss
+sql
+svc$
+AcrSch2Svc
+AcronisAgent
+Veeam.EndPoint.Service
+CASAD2DWebSvc
+CAARCUpdateSvc
+YooIT
+memtas
+sophos
+veeam
+DefWatch
+ccEvtMgr
+SavRoam
+RTVscan
+QBFCService
+Intuit.QuickBooks.FCS
+YooBackup
+BackupExecAgentBrowser
+BackupExecRPCService
+MSSQLSERVER
+backup
+GxVss
+GxBlr
+GxFWD
+GxCVD
+GxCIMgr
+VeeamNFSSvc
+BackupExecDiveciMediaService
+SQLBrowser
+SQLAgent$VEEAMSQL2008R2
+SQLAgent$VEEAMSQL2012
+VeeamDeploymentService
+BackupExecJobEngine
+Veeam.EndPoint.Tray
+BackupExecManagementService
+SQLAgent$SQL_2008
+BackupExecRPCService
+zhudongfangyu
+sophos
+stc_raw_agent
+VSNAPVSS
+QBCFMonitorService
+VeeamTransportSvc
+```
+
+<img src="https://raw.githubusercontent.com/manasghandat/InfoSecImages/main/CryptNET/6.png" alt="Kill Services">
+
+# Kill Process
+
+The malware at last proceeds to kill other certain processess that might be running on the deivce inside of `Class0.smethod_13`. The processes it kills are as follows:
+
+```
+sqlwriter
+sqbcoreservice
+VirtualBoxVM
+sqlagent
+sqlbrowser
+sqlservr
+code
+steam
+zoolz
+agntsvc
+firefoxconfig
+infopath
+synctime
+VBoxSVC
+tbirdconfig
+thebat
+thebat64
+isqlplussvc
+mydesktopservice
+mysqld
+ocssd
+onenote
+mspub
+mydesktopqos
+CNTAoSMgr
+Ntrtscan
+vmplayer
+oracle
+outlook
+powerpnt
+wps
+xfssvccon
+ProcessHacker
+dbeng50
+dbsnmp
+encsvc
+excel
+tmlisten
+PccNTMon
+mysqld-nt
+mysqld-opt
+ocautoupds
+ocomm
+msaccess
+msftesql
+thunderbird
+visio
+winword
+wordpad
+mbamtray
+```
+
+<img src="https://raw.githubusercontent.com/manasghandat/InfoSecImages/main/CryptNET/7.png" alt="Kill Process">