Nothing screams legit email like a base64 blob wrapped in escaped HTML
-
kajer (kajer@infosec.exchange)'s status on Saturday, 08-Nov-2025 02:51:14 JST
-
kajer (kajer@infosec.exchange)'s status on Saturday, 08-Nov-2025 02:51:12 JST
@nyanbinary then there is @ryanc who can look at
iVBORw0KGgoAAAANSUhEUgAACh0AAAoCCAIAAABtrkfcAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAP+and tell us exactly what file type and "size" this is w/o calling base64 -d
-
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 08-Nov-2025 02:51:12 JST
@kajer @nyanbinary smol png is smol
-
nyanbinary (365d/y spoopy) (nyanbinary@infosec.exchange)'s status on Saturday, 08-Nov-2025 02:51:13 JST
@kajer my first ever contact with a SOC was being asked "yo, why is your powershell doing weird base64 decoding". I didn't understand and laughed, it's just base64!
Now I do understand & think, while slightly mistuned, that might just be the most useful rule in our arsenal.
I also now understand which tools I can use that DO NOT trigger these alerts :neobot_giggle:
-
kajer (kajer@infosec.exchange)'s status on Saturday, 08-Nov-2025 02:51:13 JST
@nyanbinary base64 is a staple of the CTF challenges we all know and love... I am ALWAYS surprised how many of my colleagues have no idea what data actually looks like...
I have done NTFS reconstruction at the byte level... fixed corrupted PNG files, re-mapped ZIP files, fixed sqlite, ... all in the name of CTF
then I come across $colleague who got a string with an == at the end, and they have no clue what this gibberish is. :(
Now, in terms of powershell,... Are you even trying to malware if you are not doing json evals? :p
-
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 08-Nov-2025 02:52:23 JST
@kajer @nyanbinary too big to be the 1x1 transparent png tho
-
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 08-Nov-2025 02:54:32 JST
@kajer @nyanbinary is that a 1x1 png with a bunch of superfluous chunks in it?
-
kajer (kajer@infosec.exchange)'s status on Saturday, 08-Nov-2025 03:26:35 JST
@ryanc @nyanbinary given it was a cold-email spam thing, I didn't really feel like decoding it...
okay...brb
$ pngchunks spam.png
Chunk: Data Length 13 (max 2147483647), Type 1380206665 [IHDR]
Critical, public, PNG 1.2 compliant, unsafe to copy
IHDR Width: 2589
IHDR Height: 2562
IHDR Bitdepth: 8
IHDR Colortype: 2
IHDR Compression: 0
IHDR Filter: 0
IHDR Interlace: 0
IHDR Compression algorithm is Deflate
IHDR Filter method is type zero (None, Sub, Up, Average, Paeth)
IHDR Interlacing is disabled
Chunk CRC: 1840138204
Chunk: Data Length 1 (max 2147483647), Type 1111970419 [sRGB]
Ancillary, public, PNG 1.2 compliant, unsafe to copy
... Unknown chunk type
Chunk CRC: -1362223895
Chunk: Data Length 4 (max 2147483647), Type 1095582055 [gAMA]
Ancillary, public, PNG 1.2 compliant, unsafe to copy
... Unknown chunk type
Chunk CRC: 201089285
Chunk: Data Length 9 (max 2147483647), Type 1935231088 [pHYs]
Ancillary, public, PNG 1.2 compliant, safe to copy
... Unknown chunk type
Chunk CRC: -948983708
Chunk: Data Length 65445 (max 2147483647), Type 1413563465 [IDAT]
Critical, public, PNG 1.2 compliant, unsafe to copy
IDAT contains image data
Chunk CRC: 0
Chunk: Data Length 0 (max 2147483647), Type 0 []
Ancillary, private, in reserved chunk space, safe to copy
... Unknown chunk type
Chunk CRC: 0
Chunk: Data Length 0 (max 2147483647), Type 0 []
Ancillary, private, in reserved chunk space, safe to copy
... Unknown chunk type
Chunk CRC: 0...
Chunk: Data Length 0 (max 2147483647), Type 0 []
Ancillary, private, in reserved chunk space, safe to copy
... Unknown chunk type
Chunk CRC: 0
Chunk: Data Length 0 (max 2147483647), Type -184597152 [`E]
Ancillary, public, in reserved chunk space, safe to copy
... Unknown chunk type
Chunk CRC: -1182859264
Chunk: Data Length 1086652404 (max 2147483647), Type 32697 []
Ancillary, private, in reserved chunk space, safe to copy
... Unknown chunk type
Segmentation fault (core dumped)
Either a shitty PNG encoding, or fun data contained within.
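Doing what kajer asked by hand, as an added example that is not part of the thread: it takes the base64 prefix quoted above, decodes it without shelling out to base64 -d, and walks the chunk list the way pngchunks does, but verifies each chunk's CRC and stops cleanly when the stream runs out or a length/type field is garbage rather than trusting the length. The only input is the string from the thread; the function names, the report layout, and the HTML-entity and data: URI handling in decode_prefix (added because the title says the blob came wrapped in escaped HTML) are my own assumptions, not anything from the posts.

```python
import base64
import html
import struct
import zlib

# Base64 prefix of the spam PNG, exactly as quoted in the thread above.
THREAD_BLOB = (
    "iVBORw0KGgoAAAANSUhEUgAACh0AAAoCCAIAAABtrkfcAAAAAXNSR0IArs4c6QAAAARnQU1B"
    "AACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAP+"
)
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# IHDR colour type -> (name, samples per pixel), per the PNG specification.
COLOUR_TYPES = {0: ("greyscale", 1), 2: ("truecolour", 3), 3: ("indexed-colour", 1),
                4: ("greyscale with alpha", 2), 6: ("truecolour with alpha", 4)}


def decode_prefix(text: str) -> bytes:
    """Recover every whole byte from a base64 fragment lifted out of an email.

    HTML entities are unescaped (assumed, since the blob arrived in escaped HTML),
    a data: URI header and whitespace are dropped, and a fragment whose length is
    not a multiple of 4 is padded so the bytes that are fully present decode;
    a dangling single character carries no complete byte and is discarded.
    """
    s = "".join(html.unescape(text).split())
    if s.startswith("data:"):
        s = s.split(",", 1)[1]
    if len(s) % 4 == 1:
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def chunk_properties(ctype: bytes) -> dict:
    """PNG keeps chunk properties in bit 5 (the ASCII case bit) of each type byte."""
    return {"critical": not ctype[0] & 0x20,
            "public": not ctype[1] & 0x20,
            "reserved_ok": not ctype[2] & 0x20,   # must be upper case in current PNG
            "safe_to_copy": bool(ctype[3] & 0x20)}


def parse_ihdr(body: bytes) -> dict:
    """Decode the 13-byte IHDR; the raw size estimate assumes no interlacing."""
    w, h, depth, ctype, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
    name, samples = COLOUR_TYPES.get(ctype, ("unknown", 0))
    row = (w * depth * samples + 7) // 8 + 1        # +1 filter-type byte per scanline
    return {"width": w, "height": h, "bit_depth": depth, "colour_type": ctype,
            "colour_name": name, "compression": comp, "filter": filt,
            "interlace": interlace, "raw_image_bytes": row * h}


def walk_chunks(data: bytes) -> dict:
    """Walk the chunk list verifying CRCs; stop cleanly at truncation or garbage."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad 8-byte signature")
    report = {"ihdr": None, "chunks": [], "truncated": False, "corrupt_at": None}
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):                       # no full length+type header left
            report["truncated"] = True
            break
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        # Lengths are capped at 2^31-1 and type bytes must be ASCII letters;
        # anything else is corruption, so stop here rather than trust the length.
        if length > 0x7FFFFFFF or not ctype.isalpha():
            report["corrupt_at"] = pos
            break
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        entry = {"type": ctype.decode("ascii"), "offset": pos, "length": length,
                 "complete": len(body) == length and len(crc) == 4,
                 **chunk_properties(ctype)}
        if entry["complete"]:
            # The PNG CRC covers the type and data bytes, not the length field.
            entry["crc_ok"] = zlib.crc32(ctype + body) == struct.unpack(">I", crc)[0]
            if ctype == b"IHDR":
                report["ihdr"] = parse_ihdr(body)
        report["chunks"].append(entry)
        if not entry["complete"]:
            report["truncated"] = True
            break
        pos += 12 + length
        if ctype == b"IEND":
            break
    return report


if __name__ == "__main__":
    data = decode_prefix(THREAD_BLOB)
    r = walk_chunks(data)
    i = r["ihdr"]
    print(f"PNG {i['width']}x{i['height']} {i['bit_depth']}-bit {i['colour_name']}, "
          f"~{i['raw_image_bytes'] / 1e6:.1f} MB raw, {len(data)} bytes decoded")
    for c in r["chunks"]:
        kind = "critical" if c["critical"] else "ancillary"
        copy = "safe" if c["safe_to_copy"] else "unsafe"
        state = "crc ok" if c.get("crc_ok") else ("bad crc" if c["complete"] else "incomplete")
        print(f"  {c['type']:4} len={c['length']:<6} {kind}, {copy} to copy, {state}")
    if r["truncated"]:
        print("  ... stream truncated mid-chunk")
```

Run against the quoted prefix it reports a 2589x2562 8-bit truecolour PNG (roughly 19.9 MB of raw scanline data before deflate), four complete chunks (IHDR, sRGB, gAMA, pHYs) with CRCs that check out, and a stream cut off three bytes into the next length field, which is where the full blob's IDAT begins. The three chunks pngchunks reported as "Unknown chunk type" are standard ancillary chunks, and their safe/unsafe-to-copy flags above come straight from the case bit of the fourth type byte, matching what the tool printed.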
-
kajer (kajer@infosec.exchange)'s status on Saturday, 08-Nov-2025 04:14:25 JST
sorry, that snip I pasted above was not the whole blob, just a few lines up front.
-
nyanbinary (365d/y spoopy) (nyanbinary@infosec.exchange)'s status on Saturday, 08-Nov-2025 04:26:15 JST
-
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 08-Nov-2025 04:51:50 JST
@kajer @nyanbinary you gotta lead with that
-
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 08-Nov-2025 04:57:14 JST
@kajer @nyanbinary what's funny is my phone broke on Monday and it was that moment that I got around to logging into tusky on the replacement, you summoned me
-