index.json
[{"content":"Intro It\u0026rsquo;s 10:30PM on a Sunday night, and I\u0026rsquo;m wondering what to do with the last few hours of the weekend. Not feeling like working on project code, and digging for bug bounty treasure is sounding tedious at the moment. A CTF however sounds like a good time, and a quick trip over to ctftime.org shows there\u0026rsquo;s a CTF ongoing!\nRGB CTF 2020 There are a few categories here:\n Beginner - Cryptography - Forensics/OSINT - Misc - Pwn/Rev - Web - [ZTC]\n Time is limited so I decided to play my strongest hand and tackle mostly web.\nBefore we get to web, it\u0026rsquo;s important to hit the warmups.\nBeginner Joke Check The punchline.txt file contains a single line, and it\u0026rsquo;s immediately apparent it\u0026rsquo;s a ROT13 cipher.\nThere is an absolutely awesome tool called CyberChef that was recommended to me at the Defcon OpenCTF a while back, and it has been useful in every CTF since.\nIf we toss in the cipher we can see that rotating by 13 doesn\u0026rsquo;t unveil the answer; bumping that up to 15 however yields the flag.\nWeb There was a total of 5 web challenges and they all packed a pretty good punch. With the time constraint I only managed to solve the first two due to a lucky commonality. The fourth challenge seemed tenable but I ran out of time before I got to a proper solution; I\u0026rsquo;m really looking forward to reading that writeup.\nType Racer Type racer was actually the second challenge but I wound up solving this web challenge first due to my familiarity with the type-racer game itself. After all the time I spent building a mechanical keyboard I love to take it on type-racer for a good race.\nFrequently I find myself faced with a prompt to validate my humanity lest I be cheating. This gave me an idea for a starting point with this challenge.\nThe javascript for the challenge is heavily obfuscated; it would burn what little time I have trying to deobfuscate it. 
Instead, with cheating on the real type-racer in mind, I sought to create some javascript specific to this type-racer that I could drop in the console to type it all at a record pace for me.\nTo get started I opened up the browser\u0026rsquo;s javascript debugger and set a breakpoint to step through the type-racer challenge in hopes of identifying the array of words to read, so I could then select the input field and loop over the array of values dropping them in.\nLo and behold, while stepping through it with the debugger one of the local values caught my eye: sitting next to the victory message was a base64 encoded value that happened to be the flag.\nTic Tac Toe Tic Tac Toe was actually the first challenge in this category, and the dev definitely did their work in ensuring the best outcome of a fair match was going to be a draw.\nArmed with the thought of the debugger outing the value contained in a local variable on the type-racer challenge, I opted to try the same here.\nWith a little scrutiny I was able to identify a suspicious looking base64 value that was the flag.\nNot entirely sure if this is how the creators intended them to be solved, but hey, it worked and that\u0026rsquo;s what matters.\nCryptography By this point I\u0026rsquo;m about out of time to spend on the CTF. 
After throwing in 2.5 hours Sunday evening, I came in with 30 minutes before the end of the CTF to solve one more challenge.\nThis leaves only time for the more basic, top of the category challenges, but hey, I\u0026rsquo;ll be happy with that.\nI love Rainbows Whenever I see the word rainbow in a hacking context, rainbow tables immediately come to mind, and with them MD5 hashes.\nThe challenge has an attached file of what looks like\u0026hellip; yup, you guessed it, MD5 hashes.\nCracking MD5 hashes is trivial in this day and age, so I opted to see if I could find a website that would do it for me.\nThe hash-cracker can only handle 20 lines at a time, but that\u0026rsquo;s fine since it\u0026rsquo;s immediately apparent that my hunch was correct.\nOne more quick paste into the hash-cracker and that leaves us with rgbCTF{4lw4ys_us3_s4lt_wh3n_h4shing}\nConclusion Spending a little bit of time thinking outside the box for this CTF was a lot of fun. Normally I don\u0026rsquo;t have cause to step through Javascript with the debugger, so that was a fun thought exercise.\nNext time I\u0026rsquo;ll have to set aside more dedicated time for CTF; it would be great to solve some Pwn/Rev category challenges or actually get through one of the more advanced web challenges.\nUltimately by myself with just a few hours I managed to wind up at 547 out of 1337, which is kind of meh but cool considering the kind folks at RGB Sec are giving Shodan to the top 1000 placing teams.\n","description":"More than overdue for some Capture The Flag","id":2,"section":"posts","tags":["web","crypto","ctf","infosec","hacking"],"title":"RGB CTF 2020","uri":"https://anthonylaiuppa.com/posts/rgb-ctf-2020/"},{"content":"Intro Wanting to streamline and automate actions relating to derivatives trading, I set out to find a calculator library I could wrap an API around to calculate various outcomes.\n A derivative is a contract between two or more parties whose value is based on an agreed-upon underlying financial asset, index or security.\n 
Sadly I found nothing suitable or simple, so I implemented my own called guant using the Black-Scholes pricing model and the Newton-Raphson method.\nConsiderations Derivatives come in many forms and thus have many different associated formulas.\nIn this case we\u0026rsquo;ll be focusing on Options Contracts, so let\u0026rsquo;s take a look at the related formulas.\n Black-Scholes pricing model - Binomial options pricing model - Trinomial options pricing model - Bjerksund-Stensland Model\n Black-Scholes is often used to price European options that can only be exercised on their expiry date, and without consideration to dividends.\nThe other 3 models take into account both of those factors and more to come up with a higher degree of accuracy when pricing American options.\nAfter much reading on the topic I came across this quant stack exchange article explaining why Black-Scholes is still used as the benchmark, so we\u0026rsquo;ll implement this model.\nCalculating implied volatility has its own considerations but we\u0026rsquo;ll address that specifically later.\nImplementation of Black-Scholes Between Investopedia, Wikipedia, and Khan Academy it\u0026rsquo;s clear what needs to be done.\nAfter watching Khan work through the formula we just need to transfer the following into code.\nThe core of our implementation comes out to these few functions alongside some other helpers for certain values such as time.\n// d1 and d2 are the two standard Black-Scholes terms; a.N is a standard normal distribution\nfunc (a *Asset) d1() float64 {\n\treturn (math.Log(a.S/a.K) + ((a.R + (a.Sigma*a.Sigma)/2) * a.T)) / (a.Sigma * math.Sqrt(a.T))\n}\nfunc (a *Asset) d2() float64 {\n\treturn (math.Log(a.S/a.K) + ((a.R - (a.Sigma*a.Sigma)/2) * a.T)) / (a.Sigma * math.Sqrt(a.T))\n}\n// Call price: S*N(d1) - K*e^(-rT)*N(d2)\nfunc blackScholesCall(a Asset) float64 {\n\treturn ((a.S * a.N.CDF(a.d1())) - ((a.K * math.Exp(-a.R*a.T)) * a.N.CDF(a.d2())))\n}\n// Put price: K*e^(-rT)*N(-d2) - S*N(-d1)\nfunc blackScholesPut(a Asset) float64 {\n\treturn ((a.N.CDF(-1*a.d2()) * (a.K * math.Exp(-a.R*a.T))) - (a.S * a.N.CDF(-1*a.d1())))\n}\nImplementation of Newton-Raphson An 
important part of pricing options is knowing their Sigma, or Implied Volatility (IV). We can calculate IV from the current option and underlying price. This is useful as it will allow us to nicely solve for the option at various underlying prices and times. IV is not a constant; it is an approximation and as such liable to change. We can compensate for this by avoiding buying options at higher implied volatilities or too close to events such as earnings.\nWith this method we choose a starting value for Sigma and iteratively recalculate using the option value and underlying price until it converges. This results in a high degree of accuracy.\nThere are more nuanced approaches we can use, such as implementing a closed form solution or the secant method and then iterating on that to achieve a higher degree of accuracy.\nThis youtuber had a pretty solid breakdown of using Newton\u0026rsquo;s Method, so in the interest of being simple but effective we\u0026rsquo;ll implement it the same way.\nPulling it all together By combining guant with the go-finance library we can pull options contract values and current stock quotes to calculate an option\u0026rsquo;s value for a given strike/expiry on a ticker.\nWe\u0026rsquo;ll use a Microsoft Call Option with a Strike of $190 and an expiry of 2020-06-05.\nfunc main() {\n\t//Initial declarations\n\tticker := \u0026#34;MSFT\u0026#34;\n\tvar strike float64 = 190.00\n\texpiry := \u0026#34;2020-06-05\u0026#34;\n\tt := guant.TimeToExpiry(expiry)\n\t//Get current price\n\tq, err := quote.Get(ticker)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tcurrPrice := q.RegularMarketPrice\n\t//Get option data\n\te, err := time.Parse(\u0026#34;2006-01-02\u0026#34;, expiry)\n\tif err != nil {\n\t\t// Abort on a malformed expiry rather than carrying on with a zero time\n\t\tpanic(fmt.Errorf(\u0026#34;could not parse expiration- correct format is yyyy-mm-dd\u0026#34;))\n\t}\n\tp := \u0026amp;options.Params{\n\t\tUnderlyingSymbol: ticker,\n\t\tExpiration: 
datetime.New(\u0026amp;e),\n\t}\n\t// Iterate through list of options to find the value of the Call at our Strike/Expiry\n\tvar mid float64 = 0\n\titer := options.GetStraddleP(p)\n\tfor iter.Next() {\n\t\tif iter.Straddle().Call != nil {\n\t\t\tif iter.Straddle().Call.Strike == strike {\n\t\t\t\tmid = (iter.Straddle().Call.Ask + iter.Straddle().Call.Bid) / 2\n\t\t\t}\n\t\t}\n\t}\n\t//To calculate the IV we\u0026#39;ll use the options mid contract price from go-finance (Yahoo)\n\t// By calculating the IV we can use the IV then to calculate profit at other underlying Price values\n\tx := guant.Asset{\n\t\tN: distuv.Normal{Mu: 0, Sigma: 1},\n\t\tS: currPrice,\n\t\tK: strike,\n\t\tR: guant.DefaultRfir(),\n\t\tT: t,\n\t}\n\tsigma := guant.NewtonRaphson(x, mid)\n\tx.Sigma = sigma\n\tcontractValue := guant.BlackScholes(x)\n\tfmt.Printf(\u0026#34;Call Option Contract: %s -- %s -- Strike Price: %.2f\\n\u0026#34;, ticker, expiry, strike)\n\tfmt.Println(\u0026#34;Current Price:\u0026#34;, currPrice)\n\tfmt.Println(\u0026#34;Calculated IV:\u0026#34;, x.Sigma)\n\tfmt.Printf(\u0026#34;Black-Scholes Call option Price : %.2f\\n\u0026#34;, contractValue)\n}\nConclusion The results from implementing guant and running the calculation come out as follows:\nFor comparison here is the same options contract listed on Robinhood.\nWe\u0026rsquo;ll notice that our IV is incredibly close to Robinhood\u0026rsquo;s IV, along with the value of the Call option.\nIt\u0026rsquo;s worth noting that these formulas yield approximations; the ultimate value of the contract is determined by the market. 
Hence the difference between the Bid and Ask prices.\nOf course there are always ways to improve the results; one such easy addition may be making the time input more granular.\nThis has been a fun journey into the world of quantitative finance and learning about some of the underlying mechanisms in derivatives.\nDisclaimer: for anyone who decides to use this, it is not guaranteed at all to be reliable or accurate.\n","description":"A simple Golang implementation of Black-Scholes pricing model and Newton-Raphson Method","id":3,"section":"posts","tags":["golang","quantitative","finance","black-scholes","stock","options"],"title":"Calculating the value of derivatives using guant","uri":"https://anthonylaiuppa.com/posts/guant/"},{"content":"Intro This is the fourth reincarnation of my site.\nMy very first site was written in AngularJS; I liked the dynamic feel and the thought of all the pages being served clientside without the need for a backend like WordPress.\nIt soon became tedious to maintain and error-prone since I didn\u0026rsquo;t want to take the time to be an Angular dev.\nIn comes my journey along the path of Static Site Generators. They offered me sustainability in the form of easily drafting sites in Markdown and the portability associated with this format. Adding new posts became as easy as writing a Markdown file and pushing it to GitHub.\nOf course like everything else it has its pitfalls; nonetheless join me on this journey and I\u0026rsquo;ll show you why a Static Site Generator is an awesome way to build your website.\nWhat is a static site generator? A static site generator is a program that reads in templates, such as Markdown, and generates a static HTML based website from them. It doesn\u0026rsquo;t inherently utilize a backend for its content.\n Why use a static site generator? 1. Infrastructure Or lack thereof. 
Unlike hosting WordPress, which requires a LAMP (Linux, Apache, MySQL, PHP) stack to run it, a static site just needs a simple HTTP server.\nThis means you don\u0026rsquo;t have to worry about managing a database or Linux server. Even better, you likely won\u0026rsquo;t even have to manage an HTTP server; you can host the site through simpler options such as AWS S3, GCP Buckets, or even GitHub Pages.\n2. Cost The cost of buckets may be variable, but the cost of GitHub Pages is absolutely free. This site costs me nothing but the price of my domain name to run every month.\n3. Maintenance The maintenance here is none. There\u0026rsquo;s no need to worry about patching WordPress or my Linux distro; it\u0026rsquo;s all just held as files in GitHub and they handle the rest.\n4. Ease of use Configuring static site generators is easy; they are often well documented, with configuration files already having the fields present, so you just have to adjust the settings to meet your needs.\nOn top of that, posting is also as easy as it gets. Simply write your post in Markdown, add the file in Git and push.\nPeriodically saving posts while editing them in a text editor will even render the changes in your web browser if you have your development server running. That way you can preview your changes before you push them live.\nFrameworks Static site generators come in a variety of flavors; here\u0026rsquo;s a rundown of the ones I\u0026rsquo;ve used, past through present.\nHexo What is Hexo?\n Hexo is a fast, simple and powerful blog framework. You write posts in Markdown (or other markup languages) and Hexo generates static files with a beautiful theme in seconds.\n Hexo is made in NodeJS and I first rolled it out in January 2017.\nWhile I couldn\u0026rsquo;t really find a theme I liked, I did find plenty of community support. 
The default theme seemed more than adequate anyway.\nWith Git and GitHub Pages powering things, I could have just reverted to Hexo\u0026rsquo;s last commit in order to snag the picture for this post.\nInstead I opted for the Wayback Machine.\nEventually I moved on from whatever old Ubuntu version I had running to a newer one and had some issues getting NodeJS to work with the older libraries the project required.\nWith issues abounding, I began a search for a new Static Site Generator around October 2018.\nGatsbyJS Around this time I had also learned of ReactJS.\nReact is dynamic in the sense that it uses Javascript to move things around on the page, and in this case the static site generator for it just bundles all the HTML in with the application so it doesn\u0026rsquo;t have to make any backend calls.\nSo what exactly is GatsbyJS?\n Gatsby is a free and open source framework based on React that helps developers build blazing fast websites and apps.\n It really was quite fast; it acts as a Progressive Web App, meaning it loads in all of your resources and pre-fetches the rest for the other pages.\nThis leads to seamless transitions and a beautiful site.\nTo get a picture of this site I couldn\u0026rsquo;t use the Wayback Machine due to how the Javascript caches; however, a Git commit revert worked like a charm.\nUnfortunately all of these fanciful features come at a cost. Javascript is ever changing and any slight errors resulted in large stack traces and difficult debugging sessions. 
To make matters worse, the maintainer of the theme left it on Gatsby V1 and it\u0026rsquo;s currently on V2.\nAdd in more issues like portability and NodeJS dependency hell\u0026hellip;\nMy whole goal here is to spend little time on the website so I can tinker and program on things I enjoy.\nThe last update I pushed raised some error saying it couldn\u0026rsquo;t locate a source map.\nAn hour or two of debugging and it was time to move on.\nOn top of this I\u0026rsquo;d also seen many a post drawing the ire of other devs, asking why we need all this elaborate JS and loading of megabytes in the browser cache just to render blogs.\nHugo Enter Hugo, the framework this site is made with. When I first picked up Golang I learned shortly after that it too had a Static Site Generator, but I was still enthralled with my shiny Gatsby site at the time.\nWhat is Hugo?\n Hugo is one of the most popular open-source static site generators. With its amazing speed and flexibility, Hugo makes building websites fun again.\n Hugo really did turn out to be all of those things. 
It builds and renders quickly; on top of that, the flexibility and customization were straightforward and easier compared to the other two options.\nDespite making mistakes learning along the way I have yet to see a failure to render or a stack trace.\nOn top of all that there is no dependency hell; Golang and Hugo make installation and editing a breeze on any system.\nWith built in taxonomies, search engine optimizations, and a rich feature set I can envision using this framework for a long time.\nIt compiles to 100% HTML which will also help my site\u0026rsquo;s compatibility in the long term.\nConclusion Static Site Generators are a simple way to stand up free, highly maintainable, beautiful sites without a lot of time or effort.\nMigrating between the frameworks was a breeze as they all use Markdown for their templating.\nIt was as simple as just editing the page headers to the new framework\u0026rsquo;s spec, tweaking categories and tags as needed.\nMany companies and enthusiasts alike enjoy the benefits Static Site Generators have to offer, and perhaps you will too.\n","description":"Low maintenance, free websites","id":4,"section":"posts","tags":["http","golang","javascript","react","gatsbyjs","hexo","hugo"],"title":"Using a Static Site Generator","uri":"https://anthonylaiuppa.com/posts/use-a-ssg/"},{"content":"Intro The internet is chock full of information, and oftentimes there is a need to aggregate it in order to gain insights through additional analysis. To that end, scraping information from the internet can become somewhat repetitive.\nHere we\u0026rsquo;ll explore a simple approach to automating part of the process of writing the code to retrieve information from the web.\nOverview With the bulk of the internet transitioning to more decoupled models we are seeing more and more APIs. 
This is great for lightening our workload since we won\u0026rsquo;t have to parse HTML to retrieve the information we need.\nAt the same time, it gets a little repetitive writing out our structs and requests. After all, data structures and requests are ubiquitous; surely there is a quicker way to do this too?\nFortunately it seems some wise person had a similar thought and went to the effort of making a simple site to automate the creation of the struct as well as the code for the request in Golang using \u0026quot;net/http\u0026quot;.\nThe economy is topical right now, so to simply demonstrate this process we\u0026rsquo;ll scrape NASDAQ and send the ticker quote to Slack.\nMethodology Before we get started, let\u0026rsquo;s lay out a plan of attack for composing our program.\nWe\u0026rsquo;ll identify the JSON with our information, generate a struct to model it, generate the request code from cURL, then add logic to unmarshal the JSON and shoot it back to Slack on command.\nFirst we\u0026rsquo;ll want to head on over to the NASDAQ site, browse to a stock and pop open the developer tools network tab.\nImmediately we see what looks like the page making a request to a subdomain, api.nasdaq.com.\nWhile some sites still render templates or PHP, a lot of modern web apps parse JSON from an API and fill the data into the page.\nIf you directly visit the API subdomain, you\u0026rsquo;re greeted with just the bare JSON object.\nWe have our JSON, so now what? Drop it into the JSON to Go converter.\n Next up we\u0026rsquo;ll basically repeat the above process but with the HTTP request that yielded that JSON. Just right click on the request in the Network tab of developer tools and select Copy as cURL.\n Drop it into cURL to Go.\nBe sure to strip authorization tokens and other such sensitive things before pasting the request into a third-party site.\nThere we go, most of the tedious work is done. 
All that\u0026rsquo;s left for this part is to add logic to unmarshal the response and return a formatted string.\nThe cURL to Go generator generates a nice if resp.StatusCode == http.StatusOK {} for us to drop our logic into.\n// Read the body and decode the JSON into the generated TickerInfo struct\nbodyBytes, err := ioutil.ReadAll(resp.Body)\nif err != nil {\n\tlog.Fatal(err)\n}\nvar t TickerInfo\nerr = json.Unmarshal(bodyBytes, \u0026amp;t)\nif err != nil {\n\tfmt.Println(err)\n}\nti := \u0026amp;t\ninfo := fmt.Sprintf(\u0026#34;Symbol: %s\\nCompany: %s\\nPercentage Change: %s %s\\nQuote: %s\\nPrevious Close: %s\\nOpen: %s\\n\u0026#34;, ti.Data.Symbol, ti.Data.CompanyName, ti.Data.PrimaryData.PercentageChange, ti.Data.PrimaryData.DeltaIndicator, ti.Data.PrimaryData.LastSalePrice, ti.Data.KeyStats.PreviousClose.Value, ti.Data.KeyStats.OpenPrice.Value)\nfmt.Println(info)\nreturn info\nThen we add the Slack logic to start an http handler that receives the ticker from Slack, calls our GetTicker function, and returns the information back to the user.\nfunc slashCommandHandler(w http.ResponseWriter, r *http.Request) {\n\ts, err := slack.SlashCommandParse(r)\n\tif err != nil {\n\t\tw.WriteHeader(http.StatusInternalServerError)\n\t\treturn\n\t}\n\t// Reject requests that do not carry the expected Slack verification token\n\t// (Slack has since deprecated verification tokens in favour of request signing secrets)\n\tif !s.ValidateToken(os.Getenv(\u0026#34;SLACK_VERIFICATION_TOKEN\u0026#34;)) {\n\t\tw.WriteHeader(http.StatusUnauthorized)\n\t\treturn\n\t}\n\tswitch s.Command {\n\tcase \u0026#34;/ticker\u0026#34;:\n\t\tparams := \u0026amp;slack.Msg{Text: s.Text}\n\t\tticker := params.Text\n\t\tresponse := GetTicker(ticker)\n\t\tw.Write([]byte(response))\n\tdefault:\n\t\tw.WriteHeader(http.StatusInternalServerError)\n\t\treturn\n\t}\n}\nConclusion Put it all together and with minimal effort we have ourselves a Slack command that automatically retrieves stock data for us.\n The results of /tickerbot MSFT and /tickerbot FB look something like this:\n There are generators for other languages such as Python; I personally find it irritating to pip install requests, whereas with Go it\u0026rsquo;s 
already included. Not to mention the whole portability of the statically compiled binary at the end.\nWhile not the most complex or ground breaking exercise, it\u0026rsquo;s still a fun one nonetheless.\nPracticing coding and methodically breaking down problems into steps is always great practice.\n","description":"Scraping APIs has never been easier","id":5,"section":"posts","tags":["programming","golang","scraping","automation"],"title":"Effortless API Scraping With Golang","uri":"https://anthonylaiuppa.com/posts/golang-api-scraping/"},{"content":"Intro In 2019 I had my first opportunity to drive a Tesla Model 3. This cemented in my mind that it was a car years ahead of the automotive industry, and through technical analysis others seem to agree. Despite this I didn\u0026rsquo;t think to buy any stock; shortly after driving the car it shot up from $330 to over $900. This event fostered a deeper interest in finance, eventually resulting in this post.\nWhile reading through some forums I saw a user lamenting how they would like a gauge of market sentiment.\nSo how hard is it for us to scrape social media and have AI/ML tell us how everyone\u0026rsquo;s feeling?\nOverview Let\u0026rsquo;s think of what is needed to accomplish this goal: mainly an AI/ML that does sentiment analysis, and something to scrape social media posts for processing.\nFor something this simple there\u0026rsquo;s no need to build our own AI/ML, so let\u0026rsquo;s get Google\u0026rsquo;s Natural Language Processing API to do the heavy lifting for us. If our needs were more targeted we would want to create our own model and train it against our AI/ML.\nNext let\u0026rsquo;s use Golang Reddit API Wrapper (GRAW) to harvest posts from Reddit for analysis.\nBut what if we wanted to scrape other sites, like Twitter or news articles? We would need to decouple the code that does sentiment analysis from the harvesting code.\nSo we\u0026rsquo;ll just start off decoupled by implementing our logic with a Client-Server GRPC model. 
GKE is used here as this code is all made with the thought of being containerized and run in Kubernetes upon deployment.\nMethodology First identify what sort of data we\u0026rsquo;ll be working with. GRPC perfectly lines up with this task as it defines data models using Protobuf3. GRPC will then generate the function stubs for our Client and Server. This sounds way better than having to write API routes and simple things like GET or POST.\nWe\u0026rsquo;ll send our service a MediaPage data structure and it\u0026rsquo;ll send us back a MediaAnalysis.\nFrom there the returned payload could be sent to a database for retention and future display, or sent off to an ETL for further kinds of analysis.\nHere\u0026rsquo;s what the .proto file looks like.\nsyntax = \u0026#34;proto3\u0026#34;;\npackage redsense;\nservice RedsenseService {\n\trpc Generate(MediaPage) returns (MediaAnalysis);\n}\nmessage MediaPage {\n\tstring source = 1;\n\tstring url = 2;\n\tstring title = 3;\n\tstring body = 4;\n\tuint64 datetime = 5;\n}\nmessage MediaAnalysis {\n\tstring source = 1;\n\tstring url = 2;\n\tstring title = 3;\n\tstring body = 4;\n\tuint64 datetime = 5;\n\tstring sentiment = 6;\n}\nWith this setup one can run protoc --go_out=plugins=grpc:. 
*.proto and out comes a .pb.go file with our function stubs.\nWith the core code generated the next step is to set up a quick server.go and client.go.\nFor the server we just need to implement the Generate function outlined in the .proto and have it execute sentiment analysis before returning a MediaAnalysis.\nfunc (s *redsenseService) Generate(ctx context.Context, in *pb.MediaPage) (*pb.MediaAnalysis, error) {\n\tlog.Printf(\u0026#34;Received MediaPage from %v with title %v\u0026#34;, in.Source, in.Title)\n\t//Here we send the text body off for sentiment analysis\n\tsentiment := analyzeSentiment(in.Body)\n\treturn \u0026amp;pb.MediaAnalysis{\n\t\tSource: in.Source,\n\t\tUrl: in.Url,\n\t\tTitle: in.Title,\n\t\tBody: in.Body,\n\t\tDatetime: in.Datetime,\n\t\tSentiment: sentiment,\n\t}, nil\n}\nfunc analyzeSentiment(text string) string {\n\tctx := context.Background()\n\t// Creates a client.\n\tclient, err := language.NewClient(ctx)\n\tif err != nil {\n\t\tlog.Fatalf(\u0026#34;Failed to create client: %v\u0026#34;, err)\n\t}\n\tdefer client.Close()\n\t// Sets the text to analyze.\n\tt := text\n\t// Detects the sentiment of the text.\n
\tsentiment, err := client.AnalyzeSentiment(ctx, \u0026amp;languagepb.AnalyzeSentimentRequest{\n\t\tDocument: \u0026amp;languagepb.Document{\n\t\t\tSource: \u0026amp;languagepb.Document_Content{\n\t\t\t\tContent: t,\n\t\t\t},\n\t\t\tType: languagepb.Document_PLAIN_TEXT,\n\t\t},\n\t\tEncodingType: languagepb.EncodingType_UTF8,\n\t})\n\tif err != nil {\n\t\tlog.Fatalf(\u0026#34;Failed to analyze text: %v\u0026#34;, err)\n\t}\n\t// Score ranges from -1.0 (negative) to 1.0 (positive); anything non-negative counts as positive here\n\tif sentiment.DocumentSentiment.Score \u0026gt;= 0 {\n\t\tlog.Println(\u0026#34;Sentiment: positive\u0026#34;)\n\t\treturn \u0026#34;Positive\u0026#34;\n\t}\n\tlog.Println(\u0026#34;Sentiment: negative\u0026#34;)\n\treturn \u0026#34;Negative\u0026#34;\n}\nThis is made pretty easy as Google\u0026rsquo;s NLP API also has a Protobuf structure for invoking it, allowing us to easily make the API call and pass the data similar to how it\u0026rsquo;s passed between our Client-Server services.\nNow that we know what the server logic looks like, let\u0026rsquo;s look at the client.\nHarvesting Reddit posts is pretty easy.\nAll that\u0026rsquo;s needed is to set up the logic to harvest posts using GRAW and then pack the data into the MediaPage Protobuf before sending it off to our server.\nfunc shipIt(out pb.MediaPage) (*pb.MediaAnalysis, error) {\n\t// WithInsecure disables TLS on the channel; acceptable for a local demo, not for a deployed service\n\tconn, err := grpc.Dial(address, grpc.WithInsecure())\n\tif err != nil {\n\t\tlog.Fatalf(\u0026#34;did not connect: %v\u0026#34;, err)\n\t}\n\tdefer conn.Close()\n\tc := pb.NewRedsenseServiceClient(conn)\n\tctx, cancel := context.WithTimeout(context.Background(), time.Second*5)\n\tdefer cancel()\n\tr, err := c.Generate(ctx, \u0026amp;out)\n\tif err != nil {\n\t\tlog.Fatalf(\u0026#34;could not greet: %v\u0026#34;, err)\n\t}\n\tlog.Printf(\u0026#34;Media from: %s\\n Has sentiment: %s\\n\u0026#34;, r.Url, r.Sentiment)\n\treturn r, nil\n}\nfunc readdit() {\n\tbot, err := reddit.NewBotFromAgentFile(\u0026#34;../config/example.agent\u0026#34;, 0)\n\tif err != nil {\n\t\tfmt.Println(\u0026#34;Failed to create bot handle: \u0026#34;, err)\n\t\treturn\n\t}\n
\tharvest, err := bot.Listing(\u0026#34;/r/investing\u0026#34;, \u0026#34;\u0026#34;)\n\tif err != nil {\n\t\tfmt.Println(\u0026#34;Failed to fetch /r/investing: \u0026#34;, err)\n\t\treturn\n\t}\n\t// Look at the 20 newest posts, without slicing past the end if fewer came back\n\tn := 20\n\tif len(harvest.Posts) \u0026lt; n {\n\t\tn = len(harvest.Posts)\n\t}\n\tfor _, post := range harvest.Posts[:n] {\n\t\tif containsSubs(post.SelfText) {\n\t\t\tout := pb.MediaPage{\n\t\t\t\tSource: \u0026#34;reddit.com/r/investing\u0026#34;,\n\t\t\t\tUrl: post.URL,\n\t\t\t\tTitle: post.Title,\n\t\t\t\tBody: post.SelfText,\n\t\t\t\tDatetime: post.CreatedUTC,\n\t\t\t}\n\t\t\tshipIt(out)\n\t\t}\n\t}\n}\nAll that\u0026rsquo;s going on above is calling the GRAW function to harvest some Reddit posts, then if a post contains a keyword we care about, packing it into the MediaPage Protobuf.\nNext, send it to the server by setting up the GRPC client with our generated stubs, and then call the Generate function that was defined and implemented earlier.\nThe final result winds up looking something like this.\nConclusion Not only did Google\u0026rsquo;s NLP API make it dead simple to quickly get sentiment analysis, but GRPC made it easy to break things apart into a remote service model so our Reddit Harvester and processing logic were separate. There are many benefits to this from a deployment perspective, but that\u0026rsquo;s more for a DevOps oriented post.\nWith all of the options available in Cloud Platforms we can easily throw together systems like this in no time.\nOn top of this there\u0026rsquo;s a multitude of other services you can roll into your intelligence gathering, such as Google Trends, historical stock data such as volume/OHLC, and maybe some reconnaissance tools to identify unusual options or visualize options data.\nA month of studying and trading so far has yielded a 410% portfolio increase. Not too shabby for missing that great Tesla price surge.\nDisclaimer: none of this is meant to be in any form financial advice or suggestions. 
What you do with your investing is of your own volition and risk.\n","description":"Assessing sentiment from social media posts using machine learning","id":6,"section":"posts","tags":["programming","golang","nlp","ai","sentiment analysis"],"title":"Stock Market Sentiment Analysis","uri":"https://anthonylaiuppa.com/posts/market-sentiment/"},{"content":"Intro While digging around on a bug bounty I came across a company\u0026rsquo;s subdomain that hosts a maze challenge. Probably for vetting interviewees.\nOverview The instructions were pretty simple, and we get three endpoints to work with.\n Start - Returns an ~ID~ for the Maze, as well as ~Height~ and ~Width~ - Check - Returns a 200 status code if the Maze location (x,y) you sent it is valid - Solve - Returns a 200 if you solve the maze\n The end of the maze is Height-1, Width-1\nFor this I decided to code the answer in Golang.\nA couple of reasons to use Golang:\n Compiles to a static binary not needing dependencies - Cross platform compilation is a breeze - Great concurrency model\n On top of that I find it leads to very readable code. The challengers also recommend something that makes working with HTTP easy, which Golang\u0026rsquo;s net/http library does without needing to download any particular library or dependencies.\nMethodology There\u0026rsquo;s an algorithm for just about everything and I\u0026rsquo;m not one to reinvent the wheel, especially one I\u0026rsquo;ve never rolled before. 
So let\u0026rsquo;s give ~maze solving algorithm~ a whirl and see what we get.\nRelevant Wikipedia Page\nRelevant .edu site\nPretty cool, Wikipedia has a recursive algorithm that looks very relevant and the edu page does well to further elaborate on it.\nEssentially the recursive function iterates over the possible moves, calling itself with various increments and decrements of the coordinates to form a path of valid moves, based on what it has seen already and what has been declared a valid move by our CheckRoute function.\nWhen it comes to recursion always have your base case in mind before starting your function calls; in our case it\u0026rsquo;s the end of the maze.\n// Recursive algorithm to solve the maze, modified from\n// https://en.wikipedia.org/wiki/Maze_solving_algorithm\nfunc (m *maze) RecursiveSolveMaze(x int, y int) bool {\n\tif x == m.Width-1 \u0026amp;\u0026amp; y == m.Height-1 { // Base case: we reached the exit\n\t\treturn true\n\t}\n\tif !m.CheckRoute(x, y) || m.Seen[x][y] { // Wall, or already visited\n\t\treturn false\n\t}\n\tm.Seen[x][y] = true\n\tif x != 0 { // Checks if not on left edge\n\t\tif m.RecursiveSolveMaze(x-1, y) { // Recalls method one to the left\n\t\t\tm.Path[x][y] = true // Sets that path value to true\n\t\t\treturn true\n\t\t}\n\t}\n\tif x != m.Width-1 { // Checks if not on right edge\n\t\tif m.RecursiveSolveMaze(x+1, y) { // Recalls method one to the right\n\t\t\tm.Path[x][y] = true\n\t\t\treturn true\n\t\t}\n\t}\n\tif y != 0 { // Checks if not on top edge\n\t\tif m.RecursiveSolveMaze(x, y-1) { // Recalls method one up\n\t\t\tm.Path[x][y] = true\n\t\t\treturn true\n\t\t}\n\t}\n\tif y != m.Height-1 { // Checks if not on bottom edge\n\t\tif m.RecursiveSolveMaze(x, y+1) { // Recalls method one down\n\t\t\tm.Path[x][y] = true\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\nThat\u0026rsquo;s the algorithm driving our search for a valid maze path. 
I mentioned before that Go makes HTTP a breeze, so let\u0026rsquo;s look at CheckRoute and the function we use to submit the solution.\nOverall they\u0026rsquo;re simple: for the check route the server uses URL parameters, so we just craft a URL, make our request and check the status code.\nThe solution route wants an array of objects in the format [{\u0026ldquo;x\u0026rdquo;:\u0026ldquo;1\u0026rdquo;,\u0026ldquo;y\u0026rdquo;:\u0026ldquo;1\u0026rdquo;}\u0026hellip;{}]\nSo when it\u0026rsquo;s time we\u0026rsquo;ll just Marshal an array of structs with that format and POST it as the body.\nThey said to be mindful of HTTP status codes; 503 came up sometimes and means \u0026lsquo;Service Unavailable\u0026rsquo;, maybe we\u0026rsquo;re hitting the server too quickly? We\u0026rsquo;ll just catch that, add a brief sleep and try again with our request.\nfunc (m *maze) CheckRoute(x int, y int) bool {\n\tcheck := root + \u0026#34;/\u0026#34; + m.Id + \u0026#34;/check?x=\u0026#34; + strconv.Itoa(x) + \u0026#34;\u0026amp;y=\u0026#34; + strconv.Itoa(y)\n\tresp, err := http.Get(check)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\t// Closure so the body of the *latest* response is closed, not only the first one\n\tdefer func() { resp.Body.Close() }()\n\tsc := resp.StatusCode\n\tif sc == 503 { // Service unavailable: back off, then retry once\n\t\ttime.Sleep(time.Second)\n\t\tresp.Body.Close()\n\t\tresp, err = http.Get(check)\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t\tsc = resp.StatusCode\n\t}\n\tif sc == 403 { // Forbidden: this cell is not a valid move\n\t\treturn false\n\t}\n\treturn true\n}\n\nfunc (m *maze) CheckSolution(body interface{}) bool {\n\tcheck := root + \u0026#34;/\u0026#34; + m.Id + \u0026#34;/solve\u0026#34;\n\tb, err := json.Marshal(body)\n\tif err != nil {\n\t\tlog.Fatalln(err)\n\t}\n\tresp, err := http.Post(check, \u0026#34;application/json\u0026#34;, bytes.NewBuffer(b))\n\tif err != nil { // Check the error before touching resp, which is nil on failure\n\t\tlog.Fatalln(err)\n\t}\n\tdefer func() { resp.Body.Close() }()\n\tsc := resp.StatusCode\n\tif sc == 503 { // Service unavailable: retry the same POST, not a GET\n\t\ttime.Sleep(time.Second)\n\t\tresp.Body.Close()\n\t\tresp, err = http.Post(check, \u0026#34;application/json\u0026#34;, bytes.NewBuffer(b))\n\t\tif err != nil {\n\t\t\tlog.Fatalln(err)\n\t\t}\n\t\tsc = resp.StatusCode\n\t}\n\tif sc == 422 { // Not a valid solution\n\t\treturn false\n\t}\n\tlog.Println(\u0026#34;We solved the maze!\u0026#34;)\n\tos.Exit(0)\n\treturn true\n}\nConclusion The recursive algorithm made quick work of this problem and I didn\u0026rsquo;t want to play around with alternate maze algorithms since I just wanted this to be some quick coding practice.\nThat leaves us with this -\n","description":"Gophers running mazes","id":11,"section":"posts","tags":["programming","golang"],"title":"Maze runner","uri":"https://anthonylaiuppa.com/posts/maze-runner/"},{"content":"Welcome to my blog, my aim here is to share my learnings in hopes that they help others learn something new too.\nAbout me:\nCentral Florida based UCF alumnus\nOwner of one chonky black cat, Felix\nMechanical keyboard aficionado\nEnjoys building custom PCs\nOf course plays Steam games on said PCs\nLikes to spend time hiking and in nature\nFrequent fisherman\nPowerlifting enthusiast\nYearly DefCon attendee\nAreas of Interest:\nDevOps\nCloud Computing\nWeb application security\nReverse engineering\nRed teaming / Offensive security\nPython, Go, Assembly, C, Bash\nLinux Operating Systems\nAutomating all the things ","description":"About the Laiuppa Blog","id":12,"section":"","tags":null,"title":"About","uri":"https://anthonylaiuppa.com/about/"},{"content":"Intro While working on getting better with Terraform I noticed there weren\u0026rsquo;t a lot of examples of Kubernetes and AWS being provisioned at the same time. I forked the sample code provided by the Terraform project and modularized it. From there I was able to add in a Kubernetes provider and patch in authentication. This allows us to create and provision Kubernetes architecture in AWS with a single command. To have a service to demonstrate, I\u0026rsquo;ve written a simple API endpoint in Golang and an accompanying React front end. Break out your bingo card, there\u0026rsquo;s a lot of buzzwords coming your way.\nArchitecture Overview Let\u0026rsquo;s take a look at what is achieved by our Terraform code.\nThis is what our ideal architecture looks like in AWS. 
Our React front end will be hosted in the S3 bucket.\nFurthermore, at the application layer, this is a diagram of the Kubernetes architecture that will be implemented.\nThe master is provided by AWS with their EKS, and we bring the worker nodes with the EC2 instances.\nThe GO-API is run in single-container pods distributed among the nodes.\nThis distributed setup with Kubernetes steering the ship is what gives the backend of our application scalability, availability, and rolling upgrades.\nGolang - API Before we get to Terraforming our Kubernetes, we need something to run in our cluster.\nThis snippet shows our implementation of the endpoint using the Gin Gonic framework. Note that cors.Default() permits requests from any origin, which is convenient for this demo but should be narrowed to the front end\u0026rsquo;s origin in production.\nfunc v1_timestamp(c *gin.Context) {\n\ttimestamp := time.Now().Unix()\n\tc.JSON(200, gin.H{\u0026#34;message\u0026#34;: \u0026#34;Dont let your dreams be dreams. Time:\u0026#34;, \u0026#34;timestamp\u0026#34;: timestamp})\n}\n\nfunc setupRouter() *gin.Engine {\n\t// Log to a file and to stdout; fail loudly if the log file cannot be created\n\tf, err := os.Create(\u0026#34;api.log\u0026#34;)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tgin.DefaultWriter = io.MultiWriter(f, os.Stdout)\n\tgin.SetMode(gin.ReleaseMode)\n\tr := gin.New()\n\tr.Use(gin.Logger())\n\tr.Use(gin.Recovery())\n\tr.Use(cors.Default()) // Allows every origin; restrict AllowOrigins for production\n\tr.GET(\u0026#34;/timestamp\u0026#34;, v1_timestamp)\n\treturn r\n}\n\nfunc main() {\n\tr := setupRouter()\n\tr.Run(\u0026#34;:8080\u0026#34;)\n}\nFrom here it\u0026rsquo;s easy to compile it statically with no dependencies, then load it into a scratch Docker container.\nThis gives us a container image to put in our Pod spec that will then be loaded into our cluster. Once loaded, the API will respond to requests at /timestamp.\nHaving our backend in Golang means we can easily put it in any Kubernetes cluster regardless of cloud provider, or compile it for whatever operating system we choose.\nReact - Front end React is a powerful Javascript library that we can employ to create single page applications. 
I used create-react-app as a launching point for our front end.\nThis pairs well with our Golang API in giving us a decoupled architecture, meaning we will have to craft a CORS (Cross-Origin Resource Sharing) handshake for our requests.\nasync fetchData(){\n  //await fetch(\u0026#39;http://localhost:8080/timestamp\u0026#39;,{\n  await fetch(\u0026#39;http://api.ezctf.com/timestamp\u0026#39;,{\n    method: \u0026#34;GET\u0026#34;,\n    mode : \u0026#34;cors\u0026#34;,\n    // Setting Content-Type on a GET makes this a non-simple request, so the\n    // browser sends a CORS preflight (OPTIONS) first; the API must answer it.\n    headers : {\n      \u0026#39;Content-Type\u0026#39;: \u0026#39;application/json\u0026#39;,\n      \u0026#39;Accept\u0026#39;: \u0026#39;application/json\u0026#39;\n    },\n  })\n  .then((Response) =\u0026gt; Response.json())\n  .then((findresponse)=\u0026gt;{\n    this.setState({\n      isLoaded: true,\n      message: findresponse.message,\n      timestamp: findresponse.timestamp,\n    })})\n  .catch(error =\u0026gt; console.log(\u0026#39;Parsing failed\u0026#39;, error))\n}\n\nrender() {\n  const { isLoaded, message, timestamp } = this.state;\n  if (!isLoaded){\n    return \u0026lt;div\u0026gt;Loading... \u0026lt;/div\u0026gt;;\n  }\n  else{\n    return (\n      \u0026lt;div className=\u0026#34;App\u0026#34;\u0026gt;\n        Loaded \u0026lt;br\u0026gt;\u0026lt;/br\u0026gt;\n        {message} {timestamp}\n      \u0026lt;/div\u0026gt;\n    );\n  }\n}\n}\nThe benefit of the decoupled architecture is that we can cleanly separate our front end functions and back end functions. Leaving the state in the user\u0026rsquo;s browser session can allow us to achieve an idempotent back end and architecture. This allows us to scale the back end easily during times of heavy traffic.\nBut this is the front end block, what about that? We can statically compile our React and host it in an S3 bucket, and if we wanted to go further we could set it up behind a CloudFront distribution. 
This would allow our application to be very quickly available to people all over the world with low latency.\nCompiling the above code and loading it into S3 shows the following when the API is unavailable.\nTerraform, Finally I used the EKS Getting Started Guide Configuration as a starting point for getting the cluster up.\nFrom there I modularized the code to make it easier to build upon.\nAfter that I added the EKS-State file with a Kubernetes provisioner for our freshly made cluster.\nThis is the structure of our Terraform code.\n.\n├── main.tf\n├── modules\n│   ├── eks-cluster\n│   │   └── main.tf\n│   ├── eks-state\n│   │   └── main.tf\n│   ├── eks-worker-nodes\n│   │   └── main.tf\n│   ├── outputs\n│   │   └── main.tf\n│   ├── r53\n│   │   └── main.tf\n│   ├── s3-react\n│   │   └── main.tf\n│   ├── vpc\n│   │   └── main.tf\n│   └── workstation-external-ip\n│       └── main.tf\n└── variables.tf\n9 directories, 10 files\nUnfortunately Terraform doesn\u0026rsquo;t have AWS Kubernetes authentication wrapped in quite yet, so we have to use a local binary to work around this.\nBasically this just means that we need more than the Terraform binary for this: the AWS CLI plus aws-iam-authenticator, but installing those is trivial.\nRelevant Github Issue\ndata \u0026#34;external\u0026#34; \u0026#34;aws_iam_authenticator\u0026#34; {\n  program = [\u0026#34;sh\u0026#34;, \u0026#34;-c\u0026#34;, \u0026#34;aws-iam-authenticator token -i ${var.cluster-name}| jq -r -c .status\u0026#34;]\n}\n\nprovider \u0026#34;kubernetes\u0026#34; {\n  host                   = \u0026#34;${var.aws_eks_cluster_demo_endpoint}\u0026#34;\n  cluster_ca_certificate = \u0026#34;${base64decode(var.aws_eks_cluster_demo_cert_auth_0_data)}\u0026#34;\n  token                  = \u0026#34;${data.external.aws_iam_authenticator.result.token}\u0026#34;\n  load_config_file       = false\n}\n\nresource \u0026#34;kubernetes_config_map\u0026#34; \u0026#34;aws_auth\u0026#34; {\n  metadata {\n    name      = \u0026#34;aws-auth\u0026#34;\n    namespace = \u0026#34;kube-system\u0026#34;\n  }\n  data {\n    mapRoles = \u0026lt;\u0026lt;YAML\n- rolearn: ${var.aws_iam_role_demo_node}\n  username: system:node:{{EC2PrivateDNSName}}\n  groups:\n    - system:bootstrappers\n    - system:nodes\nYAML\n  }\n}\nWith our token in place, our provider is now authorized to modify our cluster.\nThe example EKS-Terraform has an output that you need to apply to the cluster with kubectl in order for the nodes to join.\nNow that we\u0026rsquo;re using the Kubernetes provider we can simply use the kubernetes_config_map resource to join those worker nodes.\nNext Terraform adds the following to the Kubernetes cluster:\nNamespace \u0026ndash; Running in the default namespace is not advised\nKube_config_map \u0026ndash; Join our nodes to the cluster\nServiceAccount \u0026ndash; A service account on the cluster for our StatefulSets to run under\nService \u0026ndash; A LoadBalancer allowing ingress to our GO-API pods\nStatefulSet \u0026ndash; Provisions 3 replicated pods of our GO-API with 1 GB attached storage\nIn total 36 actions are applied by Terraform. A curl at the end lets us know immediately that the service came up correctly.\nWe can use aws eks update-kubeconfig --name timestamp-kube to update our kubeconfig so we can inspect our cluster with kubectl.\nWith all this back end infrastructure up, let\u0026rsquo;s take a look at the browser again.\nWith the api subdomain properly displaying our JSON, the front end should now load.\nSuccess! Our front end and back end have successfully communicated.\nWith Terraform managing our infrastructure, we are free to focus on our application code. Maybe add a database of motivational messages to pull from and display them in a table.\nAs an added benefit to this model, updating production code is as easy as just pushing code. 
Of course you would want to implement a more robust pipeline.\nPushing new React code is as easy as updating the S3 bucket, and all we need to do to push new Golang is update our container using Kubernetes versioning.\nkubectl rolling-update timestamp-v1 timestamp-v2 --image=timestamp:v2\nThe revision will kick off a rolling update, giving our back end continuous integration and delivery with zero downtime. Not to mention rollbacks are easy, just --rollback.\nTo further expand our Terraform code we could add support for workspace naming and then test new modules without disturbing our production environment.\nConclusion Wrapping an ecosystem of components with high interoperability in Terraform allows us to achieve a lot in just one command.\nThat being terraform apply --auto-approve, which in production would be a longer string when run in a pipeline as you inject env vars or credentials.\nThis post could\u0026rsquo;ve been packed with much more, but for readability I\u0026rsquo;m attempting to keep posts at a reasonable length.\nIf you\u0026rsquo;d like to see the code or make your own changes, here it is on my Github. Fair warning, running it will cost you an AWS bill.\n","description":"So many buzzwords....","id":13,"section":"posts","tags":["programming","golang","scraping","automation"],"title":"Terraforming complete AWS-Kubernetes clusters","uri":"https://anthonylaiuppa.com/posts/one-command/"},{"content":"Preamble There are a lot of reasons to look forward to the holiday season and the annual SANS Holiday Hacking Challenge is no exception. This year they went with a conference theme, where you sign into a virtual world and attend Kringlecon \u0026ndash; a mythical conference hosted by Santa and his crack team of information security elves. SANS makes things very approachable by giving you smaller terminal challenges to solve in exchange for hints regarding the bigger objectives. 
This is my writeup on the 2018 SANSHHC, aka Kringlecon.\nOn a personal note, this year was my favorite SANSHHC yet; the variety of challenges and exposure to unfamiliar (to me) technologies was phenomenal. The ASCII art was also a great treat, I was always excited to solve the terminal challenges and see what came out. Hopefully you\u0026rsquo;re able to take something away from this and use it in your next CTF.\nTable of Challenges We got a little bit of everything with this year\u0026rsquo;s SANS Holiday Hacking Challenge, so here\u0026rsquo;s an overview in case there is anything in particular you want to check out.\nTitle | Gist (Objective) | Difficulty\n1. Essential Editor Skills / Orientation Challenge | Vim/HTML | 1/5\n2. The Name Game / Directory Browsing | CMD Injection / Dir traversal | 1/5\n3. Lethal ForenseicELFication / De Bruijn Sequences | Trufflehog / de Bruijn Sequence | 1/5\n4. Stall Mucking Report / Data Repo analysis | SMB / Trufflehog | 2/5\n5. CURLing Master / AD Privilege Discovery | cURL / Bloodhound | 3/5\n6. Yule Log Analysis / Badge Manipulation | Windows evtx / SQL injection | 3/5\n7. Dev Ops Fail / HR Incident Response | git / CSV Injection | 4/5\n8. Python Escape from LA / Network Traffic Forensics | Python / Wireshark | 4/5\n9. Sleighbell Lottery / Ransomware Recovery | gdb / Snort / Malware analysis | 5/5\n10. Santas Vault / Who did it? | Music / Story | 1/5\nChallenge 1 Terminal Challenge 1 : Essential Editor Skills The first elf we come across, Bushy Evergreen, is next to a terminal that is stuck in VIM and needs our help to get out.\nIt feels like every other time I bring up VIM\u0026hellip; someone says they can never figure out how to exit it.\nThis is an age old debate, so I\u0026rsquo;ll just say I love VIM, and I\u0026rsquo;d definitely recommend learning it.\nBeing able to use a terminal editor effectively is great when you\u0026rsquo;re dealing with remote Nix systems.\n Escape -\u0026gt; :q!\n Objective 1 : Orientation Challenge The first objective was a quiz with some SANSHHC history; having done the past two, this wasn\u0026rsquo;t too bad at all.\nChallenge 2 Terminal Challenge 2 : The Name Game To solve this challenge, determine the new worker\u0026rsquo;s first name and submit to runtoanswer.\n The elf dropped a hint relating to command injection and SQLite, from there the path was clear.\nIn this case the ampersand allowed us to append an additional command, spilling the DB and the info we needed for the solve.\nObjective 2 : Directory Browsing Who submitted (First Last) the rejected talk titled Data Loss for Rainbow Teams: A Path in the Darkness ?\n This objective has you go to a Call For Papers site; with the name of the challenge being Directory Browsing I had all I needed upfront.\nImmediately going to the website it was sparse and attention was immediately drawn to the URL.\nAlright so what if we try to strip the end off?\nThat rejected_talks.c1_solve is looking like our target, let\u0026rsquo;s pop it open and use the find function real quick.\nChallenge 3 Terminal Challenge 3 : Lethal ForenseicELFication Find the first name of the elf of whom a love poem was written. Complete this challenge by submitting that name to runtoanswer.\n Alright, so to get started I always like to look around the directory and see if anything catches my eye. 
In this case we\u0026rsquo;re immediately drawn to .viminfo;\nlet\u0026rsquo;s spill its contents and see what that\u0026rsquo;s all about.\nWe can see Elinore is a name prominently featured here, as if someone removed it from their poem, thus that is our answer.\nObjective 3: de Bruijn sequences The room is protected by a door passcode. Upon entering the correct passcode, what message is presented to the speaker?\n We\u0026rsquo;re presented with a door sporting a pin made up of a combination containing 4 shapes.\nI was fortunate, while clicking around I luckily guessed it, but how do we do this properly?\nWell, opening Chrome\u0026rsquo;s developer tools -\u0026gt; network tab we can see where the request is being made to validate the pin, from there we can just use some quick\nPython to automate the brute forcing. To be incredibly precise you could read about de Bruijn sequences and adjust your script accordingly.\nimport requests\nfrom itertools import product\n\n# Four shapes, four positions: enumerate every ordering\na = [0, 1, 2, 3]\npossible_pins = list(product(a, repeat=4))\n\nfor pin in possible_pins:\n    attempt = \u0026#39;\u0026#39;\n    for thing in pin:\n        attempt = attempt + str(thing)\n    url = \u0026#39;https://doorpasscoden.kringlecastle.com/checkpass.php?i=\u0026#39; + str(attempt) + \u0026#39;\u0026amp;resourceId=undefined\u0026#39;\n    resp = requests.get(url)\n    print(url)\n    print(resp.text)\n    if \u0026#39;true\u0026#39; in resp.text:\n        print(\u0026#39;Found pin {0}\u0026#39;.format(attempt))\n        exit(0)\nChallenge 4 Terminal Challenge 4 : Stall Mucking Report Complete this challenge by uploading the elf\u0026rsquo;s report.txt file to the samba share at //localhost/report-upload/\n Alright so this challenge references Samba, and the only thing in the directory is report.txt.\nWe can use ps aux to check for running processes, looking for something Samba related.\nFrom there we can see a line with the name manager, and that looks to be of interest, let\u0026rsquo;s use grep to narrow our results.\nWe can see the password used and then 
craft our own command to upload the report using the same.\nObjective 4 : Data Repo Analysis Retrieve the encrypted ZIP file from the North Pole Git repository. What is the password to open this file?\n Did you say git repository? Well, git tends to retain everything through versioning, which is great\u0026hellip; unless you accidentally committed some sort of secret.\nThen we can use a tool called Trufflehog to find it. I thoroughly recommend implementing Trufflehog as part of your CI/CD process to help spot accidental secret commits early.\nSo all we need to do is pull the repository and point Trufflehog at it.\nChallenge 5 Terminal Challenge 5: CURLing Master Complete this challenge by submitting the right HTTP request to the server at http://localhost:8080/ to get the candy striper started again.\n Alright, following that statement they say to check out /etc/nginx/nginx.conf; if we cat it and take a look\u0026hellip; we see a comment helping us narrow down what\u0026rsquo;s important here.\nHTTP/2 is different, so a quick consult of the cURL documentation gives us a flag to throw in.\nAfter that the output tells us to add a POST and have status=on, no problem, just throw it on the end of our cURL command and voila.\nObjective 5 : AD Privilege Discovery Using the data set contained in this SANS Slingshot Linux image, find a reliable path from a Kerberoastable user to the Domain Admins group. What’s the user’s logon name?\n Alright, so if we throw the image into VirtualBox and fire up Bloodhound the data is already preloaded.\nFrom there I was able to spot a filter that would give us our desired result.\nThis was pretty sweet, I\u0026rsquo;d never seen Bloodhound before but being able to visualize all these AD relations was great. 
Then being able to create attack paths off it sounds even more awesome.\nChallenge 6 Terminal Challenge 6 : Yule Log Analysis Submit the compromised webmail username to runtoanswer to complete this challenge.\n This challenge has a .evtx logfile and a Python script to convert it to something you can grep.\nWindows event logs are pretty straightforward and well documented, you can see the standard structure below.\nI used targetusername as a filter to narrow results down, then looked at various users until I could identify which was compromised via the log.\nComing back to do this writeup I noticed I didn\u0026rsquo;t take a picture of the exact event that tipped me off. Whoops.\nObjective 6 : Badge Manipulation Bypass the authentication mechanism associated with the room near Pepper Minstix. A sample employee badge is available. What is the access control number revealed by the door authentication panel?\n Immediately two things become clear.\nThis is going to be a SQL Injection challenge\nBased on that badge I\u0026rsquo;m going to have to load my payload into a QR code\nI\u0026rsquo;m by no means a SQLi ninja, I just know enough to be dangerous. 
So let\u0026rsquo;s stick an apostrophe in a QR code and see what happens.\n{\u0026quot;data\u0026quot;:\u0026quot;EXCEPTION AT (LINE 96 \\\u0026quot;user_info = query(\\\u0026quot;SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = '{}' LIMIT 1\\\u0026quot;.format(uid))\\\u0026quot;): (1064, u\\\u0026quot;You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '''' LIMIT 1' at line 1\\\u0026quot;)\u0026quot;,\u0026quot;request\u0026quot;:false}\nFrom this I understand that we\u0026rsquo;re injecting our payload into uid, and the DB flavor is MariaDB.\nAfter trying many payloads and trying to think through the backend logic, I felt like I was at an impasse.\nI reached out to a DBA friend of mine, JB, for some SQL knowledge and he helped me understand what I was missing here.\nBefore I go ahead and show the final payload, let\u0026rsquo;s talk about something else I missed here: the added relevance of the employee badge.\nIf we give the door our employee badge, we get this message {\u0026quot;data\u0026quot;:\u0026quot;Authorized User Account Has Been Disabled!\u0026quot;,\u0026quot;request\u0026quot;:false}\nThe keyword here being disabled. 
Now proceeding onward, what does our SQLi payload look like?\nI really wanted to understand why this was the answer as opposed to something like or '1='1';--.\nThe logic:\nAssuming our SQL roughly evaluates to SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = 'a' or enabled = 1 and ''=' LIMIT 1\nDon\u0026rsquo;t worry about uid; if we were supposed to manipulate that, then Alabaster Snowball\u0026rsquo;s QR code would\u0026rsquo;ve had a UID to look at.\nSo we add the subquery in to bypass the logic; SQL\u0026rsquo;s ordering will evaluate that first, which will cause the conditional to evaluate as true.\nThis allows us to get results back from the query.\nThe LIMIT 1 on the end, however, means that we only get the first result, and the first result\u0026rsquo;s account is disabled.\nAdding enabled=1 allows us to return a result with an enabled account.\nChallenge 7 Terminal Challenge 7 : Dev Ops Fail This one is succinct, and similar to the Trufflehog challenge in that git is the culprit. Except this time we get no Trufflehog, what do we do??\nWe use Git. git help -\u0026gt; git log (Identify commit to examine) -\u0026gt; git diff _commit_\nObjective 7 : HR Incident Response Santa uses an Elf Resources website to look for talented information security professionals. Gain access to the website and fetch the document C:\\candidate_evaluation.docx. Which terrorist organization is secretly supported by the job applicant whose name begins with \u0026ldquo;K\u0026rdquo;?\n Web challenges are always fun and the hints all point to this one being a CSV injection. 
Looking at the site we see a nice form with a file upload.\nAt this point I\u0026rsquo;m not sure what my CSV injection should be, so I try my favorite approach \u0026ndash; poking around the site and seeing what I find.\nOh alright, armed with this fresh knowledge let\u0026rsquo;s make a super simple payload.csv\nSubmitting this triggers a file download of the aforementioned candidate_evaluation.docx.\nChallenge 8 Terminal Challenge 8 : Python Escape from LA To complete this challenge, escape Python and run ../../images/posts/kringlecon/i_escaped\n This one has an accompanying talk so I watched that to learn how to get this one done.\nEscaping Python Shells\nIn the talk he was implementing a blacklist on the Python shell and demonstrating creative ways to circumvent it.\nI like Python so I thought I\u0026rsquo;d try some other creative ways to get around it.\nThe first thing that came to mind was base64 encoding for a filter bypass.\nNext someone had mentioned I should look up the globals function in the Python standard library.\nIf it\u0026rsquo;s not blacklisted then we can use it to overwrite the global variable containing the blacklisted function names.\nLooks like restricted terms is what we want to overwrite, let\u0026rsquo;s give it a go.\nObjective 8 : Network Traffic Forensics Santa has introduced a web-based packet capture and analysis tool to support the elves and their information security work. Using the system, access and decrypt HTTP/2 network activity. What is the name of the song described in the document sent from Holly Evergreen to Alabaster Snowball?\n Armed with my newfound knowledge of HTTP/2 from the CURL master challenge, and the hints from the Python Escape, I was feeling ready to tackle this one.\nI also don\u0026rsquo;t do a lot with Wireshark so I\u0026rsquo;m excited to get some more time in using it.\nWell here\u0026rsquo;s the site. When you sign in and poke around it has a nice UI, but that\u0026rsquo;s not what we\u0026rsquo;re here for. It gives us our PCAP file but it\u0026rsquo;s encrypted.\nSo what do we do? 
Directory traversal is easy, let\u0026rsquo;s start there. The app is snappy so we\u0026rsquo;ll look for something associated with those kinds of web frameworks.\nBoy do I love a good error message. A quick Google and it looks like we\u0026rsquo;re working with NPM/Node.\nA comment line in the HTML of the site mentions rushing into production and accidentally including dev code\u0026hellip;\nLook at that, the source code! Not to mention, if our goal is to decrypt then seeing server.key is looking promising.\n\u0026hellip;But it\u0026rsquo;s not, it\u0026rsquo;s a red herring. They\u0026rsquo;re trying to draw our eyes away. If we look above, the variables dev_mode and key_log_path start to look interesting. Dev mode is set to true (because it\u0026rsquo;s dev code, remember? How fortunate.), so that means we can reach it. Let\u0026rsquo;s throw SSLKEYLOGFILE onto the end of our URL.\nAnother error message\u0026hellip; but at least we can clearly see the next breadcrumb. Some more mild fiddling around with the URL and we finally get it.\nSweet, the key! Now we can download it, and feed it to Wireshark to decrypt our HTTP/2 traffic. The SANS videos accompanying Kringlecon helped me understand more about Wireshark and its filters, making this much easier.\nWell I don\u0026rsquo;t see any indication of an attachment in this PCAP, but finding some credentials gives me a new direction. What if we try to log into Alabaster Snowball\u0026rsquo;s account using them?\nI was wondering why have us login, and I thought some of the text on that login screen was phrased interestingly.\nMoving on, from here we can download the PCAP, open it, and see it\u0026rsquo;s not encrypted. Not only that, but it\u0026rsquo;s easy to scroll through and see where the email begins as a Follow TCP Stream. So if we just right click Follow Stream we\u0026rsquo;re rewarded with this.\nLook, Base64! We can wrangle that with a few lines of Python to dump it out into a file. 
Opening the file I see the word PDF, so I immediately close it, save it as .pdf and reopen it.\nSeeing the PDF open with nothing wrong was pretty awesome, I\u0026rsquo;d never pulled an attachment out of Wireshark like this before.\nChallenge 9 Terminal Challenge 9 : Sleigh Bell Lottery Complete this challenge by winning the sleighbell lottery for Shinny Upatree.\n Descriptive right? There\u0026rsquo;s a little lottery binary, objdump, and GDB in the directory; chances are we need to call a function.\nMost of the terminal challenges have been simple so far, so let\u0026rsquo;s treat this one the same way.\nFirst we\u0026rsquo;ll use objdump to look at the functions in the binary and see if any jump out at us.\nIt doesn\u0026rsquo;t get much more apparent than that, so how do we call it?\nSince we were provided with GDB we can just place a breakpoint at main then jump to the winwinwin function.\nPretty straightforward, a great introductory challenge for GDB if you\u0026rsquo;re not familiar with it already.\nSadly this is the last piece of ASCII art, I thoroughly enjoyed them all and could\u0026rsquo;ve easily spent a whole post admiring the art they put into this.\nObjective 9 For me Challenge 9 was a doozy, both for introducing me to new concepts, and challenging my understanding of existing ones.\nObjective 9.1 : Catch the Malware Assist Alabaster by building a Snort filter to identify the malware plaguing Santa\u0026rsquo;s Castle.\n They provide us a Snort terminal to input our answer into, and some PCAPs with traffic to analyze. 
More Wireshark action!\nImmediately we notice quite a few things going on here.\nThe DNS queries with malicious traffic all have hex strings at the start\nThe DNS names are dynamic\nThe content size of the packets containing the malicious code is apparent\nDecoding the malicious packets\u0026rsquo; TXT segment shows us the malware transmitting its source\nNeat, but we can\u0026rsquo;t block based on the hex body, or the packet size, or the DNS names because then we may shun legitimate traffic.\nSo what does that leave? Upon closer inspection you\u0026rsquo;ll notice that all the DNS names begin with that same hex string, we can use that!\nI\u0026rsquo;ve not done anything with Snort outside of studying for cert exams so writing a rule was new to me. After reading a few sites it became\napparent that we would need to use content as our matcher, and a kind person recommended I convert the hex string to bytes for this.\nAfter doing that we wind up with the following rule.\nI\u0026rsquo;ve been alternating between turning in the answers in game and on that static site you see; when we give it the terminal output from the above it gives us the Word document for the next challenge.\nObjective 9.2 : Identify the Domain Using the Word docm file, identify the domain name that the malware communicates with.\n Analyzing Powershell Malware\nUsing the awesome Kringlecon talk on PowerShell malware analysis we have our base of knowledge to work through this.\nLet\u0026rsquo;s get started; the first thing we need to do is extract the macro from the doc that is calling the PowerShell code that contains the virus.\nThere\u0026rsquo;s our macro alright, but it\u0026rsquo;s heavily obfuscated; if we just drop the iex() function from the code we can pipe the deobfuscated string to standard output.\nWell that URL certainly looks like it could be the domain the malware communicates with, let\u0026rsquo;s try that out.\nObjective 9.3 : Stop the Malware Identify a way to stop the malware in its tracks!\n Wannacookie is a clear name play on that nasty WannaCry malware, so 
we know there\u0026rsquo;s a killswitch involved!\nIf we slightly modify the dropper code by removing things like iex() and then execute it, it\u0026rsquo;ll reward us with the source.\nSweet, we have source code now! Sadly it\u0026rsquo;s a single line, so from here I had to drop it into Powershell ISE and prettify it back into something human readable.\nAfter we do that, we have a lot of type conversion functions, some encryption functions, and a main function called wanc.\nThe first line of wanc has an interesting string that it attempts to resolve on the next line in a conditional, a prime suspect for our killswitch domain.\nWhat we\u0026rsquo;ll want to do is set a breakpoint on the following line, then manually run that string through its decoder functions so we can examine the output.\nThey provide us a fun little \u0026lsquo;Ho-Ho Daddy\u0026rsquo; domain registrar, so let\u0026rsquo;s go try our string there.\nSlightly different from the Powershell reversing video, but obvious enough to get us moving forward.\nObjective 9.4 : Recover Alabaster\u0026rsquo;s Password Recover Alabaster\u0026rsquo;s password as found in the encrypted password vault.\n This challenge was ranked the hardest and rightfully so, you need a firm grasp on the concepts of encryption to tackle this one.\nWe can see by analyzing the functions in the Malware that they are implementing asymmetric encryption.\nWhat is asymmetric encryption?\nThe two actions we want to home in on are:\n Create a private key for just that user, this would be the unique one the malware authors give upon payment. Encrypt the private key using the private key from their C\u0026amp;C server We\u0026rsquo;ll want to do the opposite. 
We already have our source code from 9.3, what does 9.4 give us?\nThis challenge supplies us with a memory dump of the program and an encrypted DB \u0026ndash; alabasters-passwords.elfdb.wannacookie .\nThe memory dump is relevant because the private key is generated with random bytes, so we\u0026rsquo;ll need to fish the exact key used out of the dump using Power dump.\nIn order to narrow the search criteria out of all the 11000 variables, I put a break point in the malware and just grabbed the length of p_k_e_k, the encrypted private key that was used to encrypt the elfdb.\nSweet, now let\u0026rsquo;s run a length match in Power dump against the powershell memory dump.\nWe\u0026rsquo;re lucky to have gotten one result back, this makes things much easier for us.\nAlright, so now we have the solution, but it\u0026rsquo;s unusable since it\u0026rsquo;s encrypted. We\u0026rsquo;ll need to get the asymmetric encryption pieces in order to decrypt it.\nImmediately one thing stands out, we have to change our computer\u0026rsquo;s WORKGROUP to KringleCastle or the program won\u0026rsquo;t continue to execute.\nMoving past that, I noticed a function called g_o_dns() containing another hex string. Decoded, the string evaluates to server.crt.\nA quick breakpoint, a function call\u0026hellip; and we\u0026rsquo;re rewarded with our server.crt, the first half of the asymmetric pair.\nAwesome, now all we need is a private key. Maybe the attackers didn\u0026rsquo;t secure their infrastructure and we can leak the private key the same way, just with a hex encoded string containing a value of server.key.\nWith both pieces of the puzzle, now comes the hard part. We need to combine them together into a certificate, and then import the certificate and use it to decrypt the p_k_e_k to then decrypt the database.\nFortunately a fellow KringleCon attendee with the handle marlas linked me these two pages which helped me get everything assembled together. 
I\u0026rsquo;ve worked with certificates on Linux systems but on Windows in Powershell this is new territory.\nHow to create a PFX Certificate\nUsing a PFX Certificate in powershell\nI lined out what I felt was a good decryption function. I made a slight mistake when I copy pasted the script, so for a while I was spinning in circles. I didn\u0026rsquo;t notice a syntax error I made earlier since the function e_d_file hadn\u0026rsquo;t been called until now.\nfunction p_k_d($pkek){ $PFXPath = \u0026#39;C:\\Users\\user\\power_dump\\cert.pfx\u0026#39; $PFWPassword = \u0026#39;lol\u0026#39; $PFX = New-Object -TypeName \u0026#39;System.Security.Cryptography.X509Certificates.X509Certificate2Collection\u0026#39;; $PFX.Import($PFXPath, $PFWPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet); $cert_bytes = $(H2B $pkek) $decKey = $PFX.PrivateKey.Decrypt($cert_bytes, $true); return $decKey }; function eat_cookies{ $pkek = \u0026#39;3cf903522e1a3966805b50e7f7dd51dc7969c73cfb1663a75a56ebf4aa4a1849d1949005437dc44b8464dca05680d531b7a971672d87b24b7a6d672d1d811e6c34f42b2f8d7f2b43aab698b537d2df2f401c2a09fbe24c5833d2c5861139c4b4d3147abb55e671d0cac709d1cfe86860b6417bf019789950d0bf8d83218a56e69309a2bb17dcede7abfffd065ee0491b379be44029ca4321e60407d44e6e381691dae5e551cb2354727ac257d977722188a946c75a295e714b668109d75c00100b94861678ea16f8b79b756e45776d29268af1720bc49995217d814ffd1e4b6edce9ee57976f9ab398f9a8479cf911d7d47681a77152563906a2c29c6d12f971\u0026#39; $dec_key = (p_k_d($pkek)); $DBFile = \u0026#39;C:\\Users\\user\\power_dump\\alabaster_passwords.elfdb.wannacookie\u0026#39; # PowerShell functions take space-separated arguments; commas would pass a single array (e_d_file $dec_key $DBFile $false); }; The extension is .elfdb and, not knowing any elves, I opted to open it in N++ because I was not sure what else to use.\nOh, that\u0026rsquo;s what else I\u0026rsquo;m going to open it with, SQLite.\nFortunately they didn\u0026rsquo;t fill this with a lot of data and we have our answer immediately.\nChallenge 10 : Santa\u0026rsquo;s 
Vault That password looks a lot like musical notes\u0026hellip; and there\u0026rsquo;s a piano on the wall.\nNot only that, but the PDF we got from the TCP Stream earlier mentioned the key of D.\nLet\u0026rsquo;s throw this all together in an online music transposer, and I\u0026rsquo;m not sure what key to start with so we\u0026rsquo;ll use the default of E.\nE was the right key to start with! With that, we\u0026rsquo;ve completed all the challenges we need to finish Kringlecon.\nObjective 10 : Who did it? Who was the mastermind behind the whole KringleCon plan?\n Santa reveals he did this all for us.\nI actually answered this one before I got through the piano door, I gave it a guess. Trying \u0026ldquo;Santa\u0026rdquo; as a guess kind of felt like trying \u0026ldquo;password\u0026rdquo; but it worked! My second lucky guess in this writeup.\nPrologue This was the first SANS Holiday Hacking Challenge I\u0026rsquo;ve completed. It felt really great for so many technical concepts to come together in accomplishing these objectives. I learned an immense amount and had the opportunity to hone some existing skills with practice. Not to mention, that ASCII art was pretty sweet.\nI get asked regularly by people how to learn or get better at InfoSec type skills.\nCTFs like this SANSHHC are the place to do just that. Especially with the Holiday Hack challenge; SANS provides you so much information, challenges to pit it against, and an environment to mingle with other like minded people. That\u0026rsquo;s a solid environment to learn in as opposed to trudging through youtube videos and documentation; if you say you want to learn but don\u0026rsquo;t take advantage of these opportunities then you\u0026rsquo;re missing out. 
Don\u0026rsquo;t worry if you aren\u0026rsquo;t sure where to start, just jump into the CTF and see what it asks of you.\nIn the end it\u0026rsquo;s all just learning and practice, which was Kringlecon\u0026rsquo;s gift to us all along this holiday season.\n","description":"SANS Holiday Hacking Challenge","id":14,"section":"posts","tags":["ctf","hacking","python","powershell","infosec","security","pcap","linux","windows","reverse engineering"],"title":"Kringlecon 2018","uri":"https://anthonylaiuppa.com/posts/kringlecon/"},{"content":"Intro A little bit ago a friend sent me a link to a CTF put on by the Leap Security forum. It seems like there\u0026rsquo;s always a shortage of time so I was only able to get through one challenge, but I wanted to share anyway in case someone out there is wanting to play in CTFs but doesn\u0026rsquo;t feel ready.\nThe Challenge So let\u0026rsquo;s dive in, off the bat this challenge is in the reverse category and we\u0026rsquo;re met with the following code alongside the following hint. 
I split the string up a little for legibility.\nimport base64 import os yo =\u0026#34;TiNcB01HJ0BmPCccTCw7HExHPwpsEx0bdSM0F0wZOx5OLCNAdSwkH2QgAjtsIwEHZjBdF2YeKApgJ1lBYCdZRWInWUVhJyQ7bCwkF38nLwl1LCtBdSwjQEwNWAdNRyNAZDcJH0s8PwdgHVUGZQ0sAmYzAQdmNx4XZQ4CRGIwCgdjRisHTidUCXUjCQBMR\u0026#34; +\u0026#34;z8cTB0OA2YzPxhLMyhJSg0JGEwzAQJ1LAYeYB0JJXUaBRh6Mzc+exkoCUwONzt1GgEydiw7HX8OIzxMRD8dZUddAGwTHRt1IzQXTTMBCksyVBh1RjsFSzwgH2QgAjtsIwEHZjBdF2YeKApgJ1lBYCdZRWInWUVhJyQ7bCwkF38nLwl1LCtBdSwjQEwNWB51L\u0026#34; +\u0026#34;DwfZUYFQEs8LEZjDVUeZjceF04sLBdkDSweYB4KB2AwLAZ2LC8AY0YVAExHPB5jNy8bdiw/\u0026#34; +\u0026#34;GH8sHh52LC8ATkY7RWUOAh55MzdEdiIvHXshWBhiGiBCfBk3RX4jK0F1HlUKfEcjNXUdDgNmNwkdTiMVHGUOAh54IgkbTTMnBXoaHT1NGCRAdTErBn8nCUlkJQI6TDwnAE0aPBdMHVgaTUZYQHUjWEBsEx0JdSMJAExHPxxMHQoAbBNQTQ==\u0026#34; exec base64.b64decode(bytearray(a^b for a,b in zip(*map(bytearray, [base64.b64decode(yo), str(os.environ[\u0026#34;PWD\u0026#34;])*460])))) \u0026ldquo;We found this malware in our /tmp directory, probably not wise to run it.\u0026rdquo;\n I don\u0026rsquo;t think that\u0026rsquo;s quite the exact hint, but you\u0026rsquo;ll see how relevant it is.\nAnalysis I\u0026rsquo;ve written previously about obfuscating python, and it\u0026rsquo;s immediately apparent that is what\u0026rsquo;s going on here.\nBefore fiddling with the code it\u0026rsquo;s important to understand what all is going on. The bytearray function alongside the *460 make me think of padding and some bitwise shifting, similar to XOR. 
So one would think that a password is required, but I didn\u0026rsquo;t make the connection that the password was something I knew already.\nSo I set out to try some analysis on the program, I pulled up the Python docs and read over bytearray, map and zip; it wasn\u0026rsquo;t immediately helpful but I always enjoy learning more, and understanding functions is crucial to gaining a deeper understanding of what code is doing.\nHere I try picking the code apart at different points to see if it gives anything up immediately.\nNothing stands out and we seem to be no closer to solving the challenge, so what can we do now?\nWell I had considered a dynamic analysis situation, where I place the script in a sandbox and use wireshark to snag the IP it\u0026rsquo;s going to phone home to, but where\u0026rsquo;s the fun in that? This is a reversing challenge after all, let\u0026rsquo;s try to think of a simpler solution.\nSolved Let\u0026rsquo;s reiterate what we have so far:\n The obfuscated code is implementing some sort of XOR so we probably need a specific password Decoding the payload and trying some different manipulations gave nothing up We haven\u0026rsquo;t addressed str(os.environ[\u0026quot;PWD\u0026quot;]) yet What I always try to keep in mind for CTFs is KISS, Keep It Simple Stupid, after all the organizers want you to learn.\nAt this point I really felt I was far overcomplicating things and that PWD was important after all and not just some sort of extra padding.\nWhat did that hint say again? Something about /tmp ? Obviously flipping their exec to print isn\u0026rsquo;t just going to give up the answer\u0026hellip; but what if we try that in the /tmp directory?\nVoila, we\u0026rsquo;ve solved it and it was far simpler than initially thought. 
In this case the flag they wanted was the IP Address.\n","description":"Remember, keep it simple","id":15,"section":"posts","tags":["hacking","infosec","python","ctf"],"title":"More CTF fun!","uri":"https://anthonylaiuppa.com/posts/more-ctf-fun/"},{"content":"Intro Ever sit down to learn something and at first the examples are great, but then when it comes to getting advanced \u0026ndash; you\u0026rsquo;re lost wondering what happened in between? When learning I always found it easy to get started, but hard to get anywhere meaningful as all the examples felt like this picture.\nIt was always hard to find comprehensive code examples that covered a wide range of topics, so I figured I would share this project in hopes someone takes away some newfound information or motivation.\nPre-Reqs All the pieces at work in the project come from the below technologies and documentation.\nIn short what I\u0026rsquo;ve done here is written my own web app, conformed it to the specs demonstrated in the Flask blog tutorial, then added my own supporting structures around it.\nWhenever there was a need for a specific feature, I would check the following docs to make sure I wasn\u0026rsquo;t reinventing the wheel. Otherwise it was poignant to roll my own code for the feature.\n Theory - Software Development Life Cycle Database - SQLAlchemy Database - PyMySql Back End - Flask Tutorial Front End - Bootstrap4 Front End - Jinja2/Flask Tests - PyTests/Flask Tests - UnitTest/Selenium Automation - Ansible AWS Deployment - Terraform Sometimes you may find features in libraries that kind of meet your use case; if you\u0026rsquo;re lucky you can extend or build upon their code to make it work for you.\nEZCTF Coming back from DEFCON I was beyond amped to write some code. It was about time to finally complete a full stack web project. Having participated in the OPENCTF at DC26, I had a great idea. 
Why not make a little hacking game to play with some colleagues?\nThe mission of this writeup: by showing some different aspects of creating a webapp that isn\u0026rsquo;t a standard example, I hope to illustrate different ways basic concepts come together to achieve more nuanced features. Getting started was never a problem, but we\u0026rsquo;ve all spent a lot of time staring at the blinking cursor wondering what next.\nSo what is a CTF?\n Capture the Flag (CTF) is a kind of computer security competition. CTF contests are usually designed to serve as an educational exercise to give participants experience in securing a machine, as well as conducting and reacting to the sort of attacks found in the real world.\n Having a clear cut goal from the beginning is key to building clean code. We want to set our scope and stick to it.\nIn our case, all we want is to make a web application that will receive flags and track a user\u0026rsquo;s score on the scoreboard.\nFor added robustness we will add some admin features and tools to make our lives easier. Without further ado, let\u0026rsquo;s dive in.\nIn case you\u0026rsquo;d like to just read the code, here you go.\nProject Directory Structure\nThere are obviously many more subdirectories, but for explanation we only need to concern ourselves with these four.\nezctf ├── ezctf-alpha ├── ezctf-ansible ├── ezctf-terraform ├── linted_ctf 39 directories, 71 files --- alpha - The first version of the app where all functionality was prototyped linted - The cleaned up version of the app where all functionality is modular and code coverage is provided by Tests Ansible - The Configuration Management tools used to configure Vagrant and Linux to run our application Terraform - Infrastructure As Code providing us with both infrastructure deployment and provisioning Back End Due to the ease of use and speed of prototyping you can achieve, Python was the natural choice for the back end. 
Here we use Flask as it has minimal overhead allowing us to pick and choose our pieces.\nThis is an overly simplistic explanation of the back end; if you want to learn how Flask works read the tutorial linked above.\nOriginally in the alpha everything was in one app.py file, that\u0026rsquo;s obviously not great, so we split it out. Using Blueprints from the Flask tutorial we wind up with 3 files running our app.\napp/ ├── auth.py ├── cruds.py ├── extensions.py ├── __init__.py The __init__.py provides an entry point for Gunicorn, which is what will handle the HTTP requests so that Flask doesn\u0026rsquo;t have to; Gunicorn is typically what goes in front of Flask or Django in production environments.\nauth.py is fairly self explanatory, it handles authentication for our users.\ncruds.py is the bulk of our logic and the most important part here. When planning functionality of our app, CRUDS provides a great starting point.\n Create Read Update Delete This helps us lay out initial functionality for our app, from there we can begin to add CTF specific features \u0026ndash; such as, when updating a challenge to add a completion, also updating the score of the user who solved it.\nif request.method == \u0026#39;POST\u0026#39; and form.validate(): submitted_flag = request.form[\u0026#39;flag\u0026#39;] if submitted_flag == flag and int(solved[0][\u0026#39;f\u0026#39;]) != 1: #Add the flag to the users so we can keep track of their challenges update_flags = cur.execute(\u0026#39;UPDATE users set flags = JSON_SET(flags, %s, 1) WHERE username = %s\u0026#39;, (cid,[session[\u0026#39;username\u0026#39;]])) mysql.connection.commit() #Update the users score to show they solved the challenge get_score = cur.execute(\u0026#39;SELECT score FROM users WHERE username = %s\u0026#39;, [session[\u0026#39;username\u0026#39;]]) user_score = cur.fetchone() new_score = (int(user_score[\u0026#39;score\u0026#39;]) + 
int(article[\u0026#39;ch_score\u0026#39;])) updated_score = cur.execute(\u0026#39;UPDATE users set score = %s WHERE username = %s\u0026#39;, (new_score,[session[\u0026#39;username\u0026#39;]])) mysql.connection.commit() #Update the challenges number of solves get_solves = cur.execute(\u0026#39;SELECT ch_solves from challenges WHERE ch_id = %s\u0026#39;, ([id])) solves = cur.fetchone() update_solves = int(solves[\u0026#39;ch_solves\u0026#39;]) + 1 updated_solves = cur.execute(\u0026#39;UPDATE challenges set ch_solves = %s WHERE ch_id = %s\u0026#39;, (update_solves, [id])) mysql.connection.commit() flash(\u0026#39;Good job! Your score has been updated\u0026#39;,\u0026#39;success\u0026#39;) cur.close() return redirect(url_for(\u0026#39;cruds.dashboard\u0026#39;)) else: cur.close() flash(\u0026#39;Incorrect answer\u0026#39;, \u0026#39;danger\u0026#39;) So there\u0026rsquo;s some of our backend functionality to handle scoring, we can elaborate more on the SQL in the database portion. When users solve the challenges all of this is put into the Scoreboard page, a fixture of CTFs everywhere.\nFront End Front end design is not a favorite of mine, so we\u0026rsquo;ll let Bootstrap4 and Jinja2 do all the work for us.\nThe goal here isn\u0026rsquo;t to teach you to make a front end or use Jinja2 like a pro, it\u0026rsquo;s to hopefully give you something to draw upon when you\u0026rsquo;re trying to think of the code you need to put in your application.\nIn short Jinja2 is a templating engine, so we can give it placeholders and Flask will inject the content and render it as HTML on the front end.\nNext up, we\u0026rsquo;ve got the Challenges page laid out in a jeopardy style. 
It was a mild pain at first to make the grid layout but a little help from the Modulus operator alongside the Jinja2 docs and we\u0026rsquo;ve got the code to render it in our desired layout.\n{% for challenge in challenges %} {% if (loop.index) % 3 == 1 %} \u0026lt;div class=\u0026#34;row\u0026#34;\u0026gt; {% endif %} \u0026lt;div class=\u0026#34;col-sm\u0026#34;\u0026gt; \u0026lt;div class=\u0026#34;card\u0026#34;\u0026gt; \u0026lt;div class=\u0026#34;card-header\u0026#34;\u0026gt;\u0026lt;/div\u0026gt; \u0026lt;div class=\u0026#34;card-body\u0026#34;\u0026gt;\u0026lt;/div\u0026gt; \u0026lt;/div\u0026gt; \u0026lt;/div\u0026gt; {% if loop.index % 3 == 0 or loop.last %} {% if loop.last and loop.index % 3 == 1 %} \u0026lt;div class=\u0026#34;col-sm\u0026#34;\u0026gt;\u0026lt;/div\u0026gt; \u0026lt;div class=\u0026#34;col-sm\u0026#34;\u0026gt;\u0026lt;/div\u0026gt; {% endif %} {% if loop.last and loop.index % 3 == 2 %} \u0026lt;div class=\u0026#34;col-sm\u0026#34;\u0026gt;\u0026lt;/div\u0026gt; {% endif %} \u0026lt;/div\u0026gt;\u0026lt;!-- /row --\u0026gt; {% endif %} {% endfor %} Which turns out to look like this.\nHitting the floor of our front end, the last thing to look at is the Challenges page. 
We use Jinja2 and Flask to render parts of the page based on a user\u0026rsquo;s context, such as Is_Admin or Is_Logged_In.\nAchieved easily by using some simple conditionals and passing the Session object into the template.\n{% if session.logged_in %} \u0026lt;h2\u0026gt;Submit Flag\u0026lt;/h2\u0026gt; \u0026lt;div class=\u0026#34;form-group\u0026#34;\u0026gt; {{ render_field(form.flag, class_=\u0026#34;form-control\u0026#34;) }} \u0026lt;/div\u0026gt; \u0026lt;p\u0026gt;\u0026lt;input class=\u0026#34;btn btn-success\u0026#34; type=\u0026#34;submit\u0026#34; value=\u0026#34;Submit\u0026#34;\u0026gt;\u0026lt;/p\u0026gt; \u0026lt;/form\u0026gt; {% if article.ch_id == 1 %} \u0026lt;!-- Youre very close but Im a little more tricky than that. --\u0026gt; {% endif %} {% if session.admin %} \u0026lt;h2\u0026gt; Admin panel \u0026lt;/h2\u0026gt; {% endif %} {% else %} \u0026lt;p\u0026gt; {{message}}\u0026lt;/p\u0026gt; {% endif %} Logged out view Logged in view Tests Test coverage \u0026ndash; a measure used to describe the degree to which the source code of a program is executed when a particular test suite runs.\n We have two kinds of test coverage at play here.\n PyTest - Used before committing code, based off the example laid out in the Flask tutorial. UnitTest/Selenium - Used post deployment to check renders and verify page content. Oh would you look at that, a failure. 
We changed the About page to be Rules so we need to change our tests to match, hence the second one succeeding.\nFor those familiar with test driven development \u0026ndash; the above picture probably made you twitch a little, but after debugging failed tests you begin to understand how the creator must\u0026rsquo;ve felt.\nYou can run Selenium headless, which works great if we want to shove it into a CI/CD pipeline in order to validate our deployments.\nOtherwise running it with the Chrome Driver we can see the tests iterating over our application.\nEach suite has its own structure and fixtures you can use to simplify your testing, just go with what fits your use case best.\nIn general it can be difficult to wrap your head around unit tests but by working them into your code you will be able to guard against undefined behavior, which in a lot of cases leads to security issues. My unit tests don\u0026rsquo;t hit 100% code coverage but in an ideal world that is what we would want to strive for.\nTo be continued This post was dragging on quite a bit so check out part 2 for the remaining topics:\n Databases Ansible Terraform Coming soon!\n","description":"Capture The Flag!","id":16,"section":"posts","tags":["python","web","ctf","hacking","security","selenium"],"title":"EZCTF, a full stack webapp..","uri":"https://anthonylaiuppa.com/posts/ezctf-full-stack/"},{"content":"Intro Previously we virtualized a Kubernetes cluster on our localhost, but that is just simulating the cloud. Why don\u0026rsquo;t we take GoKu to the actual cloud and see how it does? I actually tried to tie this in and scan the same 111 URLs from the last post, but it finished so fast I couldn\u0026rsquo;t believe it. Let\u0026rsquo;s bump things up a notch, what if we want to scan 5000+ sites?\nWhat is scaling? 
What is scalability?\n Scalability is the capability of a system, network, or process to handle a growing amount of work, or its potential to be enlarged to accommodate that growth.\n We actually demonstrated some local scalability in the previous post, but were hindered by the fact that we were only using a single node since we were running Minikube.\nWith resource optimization and configurations we were able to run 87 pods in parallel, which is pretty good for a single workstation. But what if we had the power of the cloud?\nHere we will use Google Cloud Platform and more specifically the Google Kubernetes Engine to handle our needs. I had considered the Amazon EKS solution since it would be trivial to Terraform, but it has limitations with its autoscale setup out of the box. AWS can\u0026rsquo;t natively monitor its EKS workers\u0026rsquo; memory utilization without further configuration, and since memory is our main consideration here that\u0026rsquo;s a big deal. Naturally GCP/GKE became the optimal choice; its Kubernetes functionality is well integrated as a first class citizen and it is very easy to leverage its full potential.\nWhen we ran this test on the single node desktop, memory became our bottleneck. As this is a distributed computing model we should easily be able to remedy this by running a cluster with more nodes.\nI wasn\u0026rsquo;t ready to be surprised by a large GCP bill caused by autoscaling, so we will roll with the free tier and scale up with 4 nodes of their high memory machines.\nOur Test We\u0026rsquo;ll use our GenerateTargets tool from the repo to make a directory full of pod.yml just like before, except this time we\u0026rsquo;ll pick a target with a lot of subdomains.\nAlibaba had over 6500; worth mentioning, I removed a couple hundred email servers. 
The sheer number of email servers alone was in the thousands.\nIn our terminal let\u0026rsquo;s move into the manifest directory with all the targets and throw it a kubectl apply -f .\nThe containers are created incredibly fast and shortly move to completed. We can view this as well in our Kubernetes Workload and see that we have over a thousand pods going. Huge improvement from the 87 pods on our one node in the previous post.\nJust imagine, if that\u0026rsquo;s four nodes distributing our workload, what if we had the wallet to turn autoscale on? It\u0026rsquo;s likely it would scan all 5000+ in under 5 minutes.\nLet\u0026rsquo;s take a look at the database and see what all of this volume is doing to it.\nWe can see the initial peak as things get ramped up, the middle as it tries to scan hundreds of email servers it can\u0026rsquo;t reach, and then a second peak as it once more gets to domains that are actually in use.\nThe DB instance is a t2.micro in AWS RDS running MySql; for something with micro in the name it is easily handling this traffic.\nConclusion\nHere are the main findings:\n GoKu\u0026rsquo;s containerized build and Go binary made it perfect for scaling container counts Our GKE Cluster was able to scan the 111 domains from the previous post in less than 2 minutes. The GKE cluster made it through all 5565 websites in about 40 minutes. 
Our database was filled with the status of over 1800 sites that were reachable Forty minutes is insanely fast considering it took us 8 minutes to scan 111 using my desktop minikube setup; of course with the power of Google Cloud Platform it should be no surprise we saw a massive increase in performance.\nNow to be perfectly fair, we could just write or leverage a multi-threaded scanner that already exists.\nIf anyone wants to foot the autoscale bill, I\u0026rsquo;d be willing to bet my setup can crunch 10000+ sites in less than 15 minutes, now that\u0026rsquo;s scaling!\n","description":"The program is containerized so....","id":17,"section":"posts","tags":["golang","kubernetes","gcp","containers","devops","aws"],"title":"GoKu, scaling the kube to the max!","uri":"https://anthonylaiuppa.com/posts/goku-will-it-scale/"},{"content":"Intro Recently I sat down to learn more about Go and Kubernetes, and figured I would share some distributed computing fun had along the way. You\u0026rsquo;ll notice the map tool from the previous post can be slow when getting statuses; we\u0026rsquo;ll use that as a starting point and refine it.\nOverview Let\u0026rsquo;s go over the core technologies at work here, starting with the most basic definition.\n Container: a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.\n Go: an open source programming language that makes it easy to build simple, reliable, and efficient software. Docker: a kind of container image that is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings. Kubernetes: an open-source container-orchestration system for automating deployment, scaling and management of containerized applications. Minikube: a tool that makes it easy to run Kubernetes locally. 
Minikube runs a single-node Kubernetes cluster inside a VM on your laptop Pods: Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. With everything laid out let\u0026rsquo;s go over what we\u0026rsquo;re doing:\n Virtualizing our own k8s Cluster Compiling our own self sufficient Go program that retrieves data and inserts it into a db Inserting that binary into a scratch Docker container and Testing/Running it Building this image and pushing to Docker hub Running multiple instances of the Docker image as Pods in our Kubernetes cluster In essence everything will look roughly like this.\nDon\u0026rsquo;t worry if the visual seems overwhelming, we\u0026rsquo;ll break down simply what\u0026rsquo;s going on.\ngoku.go goku.go is an incredibly small Go program. All it does is make an HTTP GET request to a URL provided through an environment variable, then write some of the data to a database. The standalone nature of this means the program is idempotent and asynchronous.\nGoKu on Github\nWe compile it statically with all of its dependencies included so it can be run in a scratch Docker container, allowing us to achieve an incredibly small image size of 6.3 MB. This is much more efficient and manageable from a dependency perspective than if we were trying to deal with an interpreted language like Python.\nHaving the URL provided by an environment variable is what allows us to make this Go program run in a distributed manner. We can use the Python Script GenerateTargets.py to generate many different pod.yml templates with the variable set to whatever URL we want to get data from.\nHere\u0026rsquo;s what the sample output of goku.go looks like.\nDistributed Computing I wanted to pick a task with a little size to it but couldn\u0026rsquo;t go too crazy since I\u0026rsquo;m just virtualizing all of this on my desktop, as opposed to running on a cloud kubernetes service such as EKS or GKE. 
In the cloud we would have autoscale groups and more resources which would make this blazing fast; however as an individual my wallet doesn\u0026rsquo;t like the sound of autoscale groups.\nSo what we\u0026rsquo;ll do is get the status of flickr.com and its give or take 110 subdomains. Virtualizing 111 containers sounds like a lot but in the pod.yml we\u0026rsquo;re able to specify memory usage allowing us to work well within our means.\nLet\u0026rsquo;s kick off the bash script to create all of the pods in our cluster, and set it to --watch so we can monitor it.\nSince we are using Minikube, we can pop open a new terminal and type\nminikube dashboard\nto see this all in a cool display.\nAfter a couple of minutes we already have results.\nOnly a single node (my desktop) is being used here so it takes more time to create all the pods; on a cloud provider it would be much much faster.\nWe can also take a look at resource utilization as this is all being run. This picture was taken at the peak.\nWhile pods are in various states the number will go up and down until all the work is complete.\nResults It took about 8 minutes to gather information from all 111 sites.\nQuerying the db shows that it received data from the pods.\nNow if we run the map tool from my previous post and have it get the statuses, it takes about 19 minutes.\nConclusion Surprisingly the Minikube virtualized kubernetes cluster was able to perform more quickly at 8 minutes, than the map python tool from my previous post that came clocking in at 19 minutes.\nPretty interesting given we had to wait on the containers to be created. Although it helps that this approach is effectively asynchronous, compared to the python tool which is single threaded.\nOverall getting some practice in with Go and Kubernetes was a great way of getting more familiar with both technologies. 
Don\u0026rsquo;t be afraid to try and make something yourself, just remember to reference the documentation.\n","description":"featuring Golang, Docker, and Kubernetes!","id":18,"section":"posts","tags":["golang","minikube","kubernetes","containers","aws","gcp","virtualization","python"],"title":"GoKu distributed computing","uri":"https://anthonylaiuppa.com/posts/goku-distributed-computing/"},{"content":"2020 Retrospective While migrating my site years later, it\u0026rsquo;s worth mentioning there are a lot of wonderful toolchains available now that really nail this. The biggest one being that someone put in the work to properly parse sitemaps.\nIntro Trying bug bounties can be fun, you might even walk off like a prospector with gold. Of course, similar to sifting through river water looking for gold, you\u0026rsquo;ve got to sift through websites looking for things that catch your eye. It can be pretty repetitive, so let\u0026rsquo;s get some practice in by making a tool of our own to help map this attack surface for us.\nMethodology First off, what is an attack surface?\n The attack surface of a software environment is the sum of the different points (the \u0026ldquo;attack vectors\u0026rdquo;) where an unauthorized user (the \u0026ldquo;attacker\u0026rdquo;) can try to enter data to or extract data from an environment.\n In this case our attack surface is the sum of all points comprising the company\u0026rsquo;s web infrastructure that we can reach. From there the surface widens to all methods and actions on the site that will allow us to interact with the back end.\nVisualized, a company\u0026rsquo;s attack surface could look something like this, containing internet-facing services alongside their internal network. Typically you won\u0026rsquo;t ever see much of the latter except in cases such as SSRF; the 10k Host Header bug bounty writeup comes to mind in particular. 10k Host Header\nThere will be plenty we don\u0026rsquo;t hit due to not being discovered or being out of scope. 
When it comes to subdomains we of course want to find things to potentially exploit, as side services may be neglected, or we want to look for things that don\u0026rsquo;t belong, such as a public-facing build server.\nNext, once we have a site or service targeted, we can speed up some information gathering by spidering the site to harvest all of the URLs in hopes of finding ones with parameters to interact with.\nexample.com/product?ProductID=product_1\nIdeally by looking at URLs we can spot potential ways to interact with the backend in hopes of producing some sort of undefined behavior. Of course going over attack vectors is a whole in-depth topic of its own so we\u0026rsquo;ll leave it at that.\nMapSnatch.py \u0026amp;\u0026amp; map.py To help us with these tasks we have MapSnatch.py and map.py\nMapSnatch is our logic that will do the following:\n Spider all links off domain.com\n Find all subdomains of domain.com\n Assess the status of all subdomains (What\u0026rsquo;s the use if we can\u0026rsquo;t reach it?)\n Spider all the links of subdomain.com (Pending implementation)\nmap is our entry point into the program, so as such you can see we wrap it in click so it functions as a command line tool; from there we can pass our params into the logic class to handle the rest of the operations.\nIt\u0026rsquo;s pretty cool, after installing it with pip we can call it just like a CLI tool.\nThe code that makes it all happen is pretty simple, it\u0026rsquo;s all in our click wrappers and setup.py\nfrom __future__ import absolute_import, unicode_literals\nfrom MapSnatch import MapSnatchLogic\nimport click\n\n\n@click.command()\n@click.option(\u0026#39;--domain\u0026#39;, required=True, help=\u0026#39;Domain to perform reconnaissance on.\u0026#39;)\n@click.option(\u0026#39;--substatus\u0026#39;, is_flag=True, default=False, help=\u0026#39;Enable to discover sub domains and pull their status codes.\u0026#39;)\n@click.option(\u0026#39;--mapsubs\u0026#39;, is_flag=True, default=False, help=\u0026#39;Enable to pull all URLs found on sub domain pages (pending implementation).\u0026#39;)\ndef start_mapping(domain, mapsubs, substatus):\n    \u0026#34;\u0026#34;\u0026#34; Lightweight recon program. Used to assess status of a (sub)domain and map all URLs. This will help identify targets and points of interest. \u0026#34;\u0026#34;\u0026#34;\n    print(\u0026#39;[*] Starting with domain - {0}\u0026#39;.format(domain))\n    msl = MapSnatchLogic(domain)\n    # status checks need the subdomain list, so discovery always runs first\n    if substatus or mapsubs:\n        msl.get_subs()\n        msl.get_statuses()\n    # harvest every link off the root domain\n    msl.spider_links()\n    if mapsubs:\n        print(\u0026#39;[!] --mapsubs: spidering subdomain links is not implemented yet\u0026#39;)\nInstallation I\u0026rsquo;m not a fan of reinventing the wheel so map relies on another tool to do some of its dirty work.\nSublist3r is a fantastic tool for pulling subdomains, and doing much more.\nIt\u0026rsquo;s easy: first we pull our map repo, then cd into it and pip install -e . I recommend using a virtualenv.\nWhile there, clone Sublist3r, install its requirements.txt, and move the files to resemble this structure\nThere\u0026rsquo;s no shortage of ways to package software, I just threw this together in a few hours while procrastinating on finishing a project.\nLogic \u0026amp;\u0026amp; Results If you were to look at our flows as these:\nget domain.com -\u0026gt; harvest links -\u0026gt; map links\ndiscover subdomain.com -\u0026gt; assess status -\u0026gt; harvest links -\u0026gt; map links\nthen you can probably guess a lot of how we would go about this.\nBoth are mostly pretty easy,\ndomain.com\n Use requests to get the content\n Use Beautiful Soup to parse the content\n Map results to a dict={domain_name: [\u0026lsquo;list of links\u0026rsquo;]}\nthen for subdomains,\nsubdomain.com\n Use Sublist3r to discover\n Use requests to check for status_code==200\n Use requests to get the content\n Use bs4 to parse the content\n Map results to a dict={subdomain_name: [\u0026lsquo;list of links\u0026rsquo;]}\nOne caveat on that status check: filtering on 200 alone drops hosts that answer with a redirect, 401 or 403, and those are still live services worth a look.\nSo if we were to give it a site such as casper.com here\u0026rsquo;s what it looks like when it\u0026rsquo;s building links, and we can see some with parameters.\nThe awesome part is we didn\u0026rsquo;t have to do much to find those! 
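To make the harvest-links step concrete, here is an added example (not MapSnatch.py itself, which the post links rather than shows) of the domain.com flow using only the standard library: html.parser stands in for Beautiful Soup and the page body is a constructed sample rather than a live request, so it runs offline. It resolves relative links against the page URL, keeps only http(s) links inside the target scope, records third-party hosts separately, and pulls out the in-scope URLs that carry query parameters, which are the ones worth poking at. The helper names and the sample HTML are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl

# Assumed names: the post does not show MapSnatchLogic, so this is a
# stand-alone harvester on the standard library (html.parser instead of
# Beautiful Soup) that needs no network and no extra packages.


class LinkHarvester(HTMLParser):
    '''Collect href/src/action targets while the HTML is being parsed.'''
    _ATTRS = {('a', 'href'), ('form', 'action'), ('script', 'src'),
              ('iframe', 'src'), ('link', 'href')}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self._ATTRS and value:
                self.links.append(value.strip())


def in_scope(url, root):
    '''True when the host is root itself or a subdomain of it.

    The dot prefix matters: evil-example.com must not match example.com.
    '''
    host = (urlsplit(url).hostname or '').lower()
    return host == root or host.endswith('.' + root)


def harvest(page_url, html, root):
    '''Map one fetched page to the unique absolute links it exposes.

    Returns in-scope links, the third-party hosts the page pulls from, and
    the subset of in-scope links that carry query parameters.
    '''
    parser = LinkHarvester()
    parser.feed(html)
    seen, links, external, with_params = set(), [], set(), []
    for raw in parser.links:
        absolute = urljoin(page_url, raw)
        parts = urlsplit(absolute)
        if parts.scheme not in ('http', 'https'):
            continue                       # skip mailto:, javascript:, data:
        clean = absolute.split('#', 1)[0]  # fragments never reach the server
        if clean in seen:
            continue
        seen.add(clean)
        if not in_scope(clean, root):
            external.add(parts.hostname)
            continue
        links.append(clean)
        params = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        if params:
            with_params.append((clean, params))
    return {'links': links, 'external_hosts': sorted(external),
            'with_params': with_params}


# Constructed sample page standing in for a real response body.
SAMPLE_HTML = '''
<html><body>
<a href='/products?ProductID=product_1'>Mattress</a>
<a href='https://shop.example.com/cart?id=42&amp;ref=home#top'>Cart</a>
<a href='https://shop.example.com/cart?id=42&amp;ref=home'>Cart again</a>
<a href='mailto:help@example.com'>Mail</a>
<a href='javascript:void(0)'>Menu</a>
<form action='/search'><input name='q'></form>
<script src='https://cdn.thirdparty.net/app.js'></script>
<a href='https://evil-example.com/x'>not ours</a>
</body></html>
'''

if __name__ == '__main__':
    result = harvest('https://www.example.com/', SAMPLE_HTML, 'example.com')
    for url, params in result['with_params']:
        print(url, '->', params)
```

Swapping the constructed body for requests.get(page_url).text gives the live version; the scope check is the piece to keep even then, since a loose suffix match would happily add a look-alike domain to your map.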
Don\u0026rsquo;t get me wrong, browsing around is half the fun.\nThere are plenty of better ways to visualize this, however the real goal is just to give us subdomains and links to form our map of the attack surface. So for now we\u0026rsquo;ll just leave the maps alone.\nConclusion A little bit of coding and we\u0026rsquo;ve got enough information gathering automated to get an overview of a site before inspecting it at a deeper level.\nThis can help pick a place to start or identify something our eyes may glance over and miss.\nThere\u0026rsquo;s no shortage of improvements or optimizations that can be made to these sorts of things. I encourage you to try and throw some tools together yourself. It\u0026rsquo;ll help foster an understanding of what you\u0026rsquo;re doing and different methods of achieving your goals.\nHappy hacking.\n","description":"...using our own custom scanning tool!","id":19,"section":"posts","tags":["python","bug bounty","reconnaissance","osint","hacking"],"title":"Mapping website attack surfaces","uri":"https://anthonylaiuppa.com/posts/mapping-website-attack-surface/"},{"content":"Intro Over six years of studying and working in technology I\u0026rsquo;ve acquired 600+ links. Losing these links to me would feel like the burning down of the Library of Alexandria. 
I use a lot of them as references for programming and information security based work.\nWhile scraping all these links I saw the word beginner become less frequent as we got closer to the present day, so I even found a fun way to add a visualization to this post.\nBrowser based Library of Alexandria I can\u0026rsquo;t stress the importance of reading enough, it will advance you more than you can imagine.\nWhile writing a brief script to scrape all these links, which I will link shortly, I realized there are actually trends in these links.\nWe can use some Python libraries and simple word-frequency heuristics to identify these trends amongst the links.\n Script I used to harvest my saved links from reddit, frequency data, and simultaneously create a word cloud\n The organized and sorted links. You can find the raw unsorted copy of all of the links here https://pastebin.com/raw/9K5sNfgK\nIt\u0026rsquo;ll have a good deal of extraneous links that I found interesting, but I\u0026rsquo;ve omitted them from this in order to keep it on the topic of security.\nSecurity is more than just knowledge of mechanism or the inner workings of code, it\u0026rsquo;s also a mindset. 
So I have some materials relating to social engineering, and overall thought process, mixed in some places.\nget_links \u0026amp;\u0026amp; make_wordcloud\nfrom __future__ import absolute_import, print_function, unicode_literals\nimport praw\nimport json\nfrom wordcloud import WordCloud, STOPWORDS\nimport matplotlib.pyplot as plt\n\n\nclass LinkSave(object):\n\n    def __init__(self, mode=None):\n        self.mode = mode\n\n    def load_config(self, data):\n        # user_config.json holds live reddit credentials, keep it out of version control\n        with open(data) as fh:\n            self.config = json.load(fh)\n        return self.config\n\n    def auth_reddit(self):\n        try:\n            self.reddit = praw.Reddit(\n                client_id=self.config[\u0026#39;reddit\u0026#39;][\u0026#39;id\u0026#39;],\n                client_secret=self.config[\u0026#39;reddit\u0026#39;][\u0026#39;secret\u0026#39;],\n                user_agent=self.config[\u0026#39;reddit\u0026#39;][\u0026#39;user_agent\u0026#39;],\n                username=self.config[\u0026#39;reddit\u0026#39;][\u0026#39;username\u0026#39;],\n                password=self.config[\u0026#39;reddit\u0026#39;][\u0026#39;password\u0026#39;]\n            )\n            self.me = self.reddit.user.me()\n            return self.reddit\n        except Exception as exc:\n            print(\u0026#39;{0} - Unable to auth to reddit, check your creds\u0026#39;.format(exc))\n            exit(1)\n\n    def get_links(self):\n        target = open(\u0026#34;saved_links.txt\u0026#34;, \u0026#34;w\u0026#34;)\n        self.words = \u0026#39;\u0026#39;\n        for link in self.me.saved(limit=None):\n            try:\n                # one \u0026#34;title -- url\u0026#34; pair per line; saved comments have no title/url and land in the except\n                print(\u0026#39;{0} -- {1}\u0026#39;.format(link.title, link.url), file=target)\n                self.words = self.words + \u0026#39; \u0026#39; + link.title\n            except Exception as exc:\n                print(\u0026#39;{0} - This exception handles saved comments \u0026#39;.format(exc))\n        target.close()\n        return self.words\n\n    def make_cloud(self):\n        stopwords = set(STOPWORDS)\n        stopwords.add(\u0026#34;using\u0026#34;)\n        stopwords.add(\u0026#34;programming\u0026#34;)\n        stopwords.add(\u0026#34;post\u0026#34;)\n        stopwords.add(\u0026#34;source\u0026#34;)\n        wordcloud = WordCloud(background_color=\u0026#34;white\u0026#34;, width=800, height=400, stopwords=stopwords).generate(self.words)\n        plt.imshow(wordcloud, interpolation=\u0026#39;bilinear\u0026#39;)\n        plt.axis(\u0026#34;off\u0026#34;)\n        # render a second slightly different wordcloud\n        wordcloud = WordCloud(background_color=\u0026#34;white\u0026#34;, stopwords=stopwords, max_font_size=40).generate(self.words)\n        plt.figure()\n        plt.imshow(wordcloud, interpolation=\u0026#39;bilinear\u0026#39;)\n        plt.axis(\u0026#34;off\u0026#34;)\n        plt.show()\n\n\nif __name__ == \u0026#39;__main__\u0026#39;:\n    driver = LinkSave()\n    driver.load_config(\u0026#39;user_config.json\u0026#39;)\n    driver.auth_reddit()\n    driver.get_links()\n    driver.make_cloud()\n\n\u0026#39;\u0026#39;\u0026#39;\nuser_config.json\n{\n  \u0026#34;reddit\u0026#34;: {\n    \u0026#34;id\u0026#34;: \u0026#34;\u0026#34;,\n    \u0026#34;secret\u0026#34;: \u0026#34;\u0026#34;,\n    \u0026#34;user_agent\u0026#34;: \u0026#34;\u0026#34;,\n    \u0026#34;username\u0026#34;: \u0026#34;\u0026#34;,\n    \u0026#34;password\u0026#34;: \u0026#34;\u0026#34;\n  }\n}\n\u0026#39;\u0026#39;\u0026#39;\nIt\u0026rsquo;s a pretty succinct script; I try to operate under the thought that if it\u0026rsquo;s clean enough it\u0026rsquo;s fairly self-explanatory. It\u0026rsquo;s a little personalized but you could easily edit it to do the same for you. One caveat: user_config.json carries a live reddit password and API secret in plaintext, so keep it out of version control and readable only by you.\n4 Step Linear flow:\nRead in config -\u0026gt; Auth to reddit -\u0026gt; Scrape links into string and save to file -\u0026gt; generate word cloud\nSo what does this give us?\nPersonally I find that pretty neat, it\u0026rsquo;s a visualization of all I\u0026rsquo;ve tried to hone in on over the years. The one that stands out most to me is Reverse Engineering, which I\u0026rsquo;ve been working on learning for a while. It\u0026rsquo;s definitely one of the more challenging things I\u0026rsquo;ve tried to wrap my mind around.\nSo I\u0026rsquo;ve decided to throw it at the top of this list. 
Without delay, here is my best attempt at a sorted list.\nReverse Engineering \u0026amp;\u0026amp; Malware\nTitle URL\nAn Introduction to the CAN Bus: How to Programmatically Control a Car https://news.voyage.auto/an-introduction-to-the-can-bus-how-to-programmatically-control-a-car-f1b18be4f377\nDhavalKapil/libdheap: A shared (dynamic) library that can be transparently injected into different processes to detect memory corruption in glibc heap https://github.com/DhavalKapil/libdheap\nReverse Engineering My Home Security System: Decompiling Firmware Updates https://markclayton.github.io/reverse-engineering-my-home-security-system-decompiling-firmware-updates.html\nProject Zero: Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-3-exploiting-wi-fi.html\nsmashthestack.pdf https://avicoder.me/papers/pdf/smashthestack.pdf\nWhere-theres-a-JTAG-theres-a-way https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Where-theres-a-JTAG-theres-a-way.pdf\nNew emotet hijacks windows api evades sandbox analysis http://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/\nSkeleton in the closet. MS Office vulnerability you didn’t know about https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about\nROPEmporium: Pivot 32-bit CTF Walkthrough With Radare2 http://radiofreerobotron.net/blog/2017/11/23/ropemporium-pivot-ctf-walkthrough/\nropchain @kvakil\nEscape Docker Container Using waitid() CVE-2017-5123\nROPEmporium: Pivot 64-bit CTF Walkthrough With Radare2 - Zero State Machine http://radiofreerobotron.net/blog/2017/12/04/ropemporium-pivot-ctf-walkthrough2/\n/lobotomy: Android Reverse Engineering https://github.com/rotlogix/lobotomy\njava-decompiler/jd-gui: A standalone Java Decompiler GUI https://github.com/java-decompiler/jd-gui\nDefusing a Binary Bomb with Binary Ninja https://kukfa.co/2016/06/05/defusing-a-binary-bomb-with-binary-ninja/\nNotepad+++ - Break it, Fix it, Write It Down - Putting stuff together so you dont have to google as hard as I did https://remotephone.github.io/lab/homelab/budget/testing/2016/12/20/practical-docker.html\nSetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c\nbuffer overflow explained https://www.uperesia.com/buffer-overflow-explained\nVulnerable Security - Reverse Engineering a book cover https://vulnsec.com/2017/reverse-engineering-a-book-cover/\nCVE-2017-5521: Bypassing Authentication on NETGEAR Routers https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2017-5521\nC++ DLL Injector Version 2 - BOTH 32-bit and 64-bit - Clean Code! - Multiple Functionalities! https://www.youtube.com/watch?v=W6HpX85ICh8\nAn in-depth explanation of how a 10 year old bug in Guitar Hero was reverse-engineered and fixed without using the source code https://www.youtube.com/watch?v=A9U5wK_boYM\nBreaking the x86 Instruction Set https://www.youtube.com/watch?v=KrksBdWcZgQ\nThe Wonderful World of MIPS http://www.ringzerolabs.com/2018/03/the-wonderful-world-of-mips.html\nA good two-part lecture on the basics of x86 architecture and system calls in *Nix systems [for beginners] https://www.youtube.com/watch?v=xHu7qI1gDPA\nLinux ASLR and GNU Libc: Address space layout computing and defence, and “stack canary” protection bypass [PDF and Github Sources] https://github.com/blackzert/aslur/raw/master/offensivecon-talk.pdf\nReverse Engineering a MMORPG Bot to Find Vulnerabilities https://www.youtube.com/watch?v=irhcfHBkfe0\nReverse Engineering A Mysterious UDP Stream in My Hotel · Gokberk Yaltirakli https://gkbrk.com/2016/05/hotel-music/\nKeyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain https://github.com/Plailect/keyshuffling\nReverse Engineering Malware 101 https://securedorg.github.io/RE101/\nThis channel explains a good deal of C/C++ for malware creation for Windows and lots of low-level fundamentals https://www.youtube.com/channel/UCDk155eaoariJF2Dn2j5WKA\nCracking Sublime Text 3 http://blog.fernandodominguez.me/cracking-sublime-text-3\nCoding A Keylogger - Understand How Actual Keyloggers Work https://github.com/MinhasKamal/StupidKeyLogger\nDocker 0-Day Stopped Cold by SELinux http://rhelblog.redhat.com/2017/01/13/docker-0-day-stopped-cold-by-selinux/\nHow Can Drones Be Hacked? The Vulnerable drone and attack tools Compilation http://medium.com/@swalters/how-can-drones-be-hacked-the-updated-list-of-vulnerable-drones-attack-tools-dd2e006d6809#.o9nyxc3yz\na single byte write opened a root execution exploit on ChromeOS https://daniel.haxx.se/blog/2016/10/14/a-single-byte-write-opened-a-root-execution-exploit/\nInternet Explorer has a URL problem http://blog.innerht.ml/internet-explorer-has-a-url-problem/\nHow to crack a totally blurred captcha? (any lead?) https://www.reddit.com/r/hacking/comments/4v5trz/how_to_crack_a_totally_blurred_captcha_any_lead/\nMS16-039 – “Windows 10” 64 bits Integer Overflow exploitation by using GDI objects https://blog.coresecurity.com/2016/06/28/ms16-039-windows-10-64-bits-integer-overflow-exploitation-by-using-gdi-objects/\nHey guys, Ive gone and put together a github repo containing in-depth tutorials designed to teach binary exploitation from the ground up. Tell me what you think! https://github.com/bert88sta/how2exploit_binary\nJust released the Practical Malware Analysis Starter Kit, a collection of pretty much every binary mentioned in the book.[x-post /r/reverseengineering] https://bluesoul.me/practical-malware-analysis-starter-kit/\nX86 Shellcode Obfuscation - Part 2 - The obfuscception! (source in Python included) https://breakdev.org/x86-shellcode-obfuscation-part-2/\nPractical Reverse Engineering of a Router Part 2: Scouting the Firmware http://jcjc-dev.com/2016/04/29/reversing-huawei-router-2-scouting-firmware/\nBuilding a Home Lab to Become a Malware Hunter - A Beginner’s Guide https://www.alienvault.com/blogs/security-essentials/building-a-home-lab-to-become-a-malware-hunter-a-beginners-guide\nLisa.py - An exploit Developers swiss army knife (With ROP gadget support ) https://github.com/ant4g0nist/lisa.py\nAndroid Reverse Engineering using apktool https://www.youtube.com/watch?v=K35AkvE8ulY\nGhost in the Droid: Reverse Engineering Android Apps https://pen-testing.sans.org/blog/2016/12/05/ghost-in-the-droid-reverse-engineering-android-apps\nMining Android Secrets (Decoding Android App Resources) https://pen-testing.sans.org/blog/2016/12/10/mining-android-secrets-decoding-android-app-resources\nReverse engineering a router part 1 - Hunting for hardware debug ports http://jcjc-dev.com/2016/04/08/reversing-huawei-router-1-find-uart/\nNew self-protecting USB trojan able to avoid detection http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/\nattactics[dot]org: Bypassing Antivirus With Ten Lines of Code or (Yet Again) Why Antivirus is Largely Useless http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html\nAceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device (x-post /r/programming) http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/\nAssembly Optimizations I: (Un)Packing Structures https://haneefmubarak.com/2016/02/25/assembly-optimizations-i-un-packing-structures/\nBreaking homegrown crypto https://kivikakk.ee/cryptography/2016/02/20/breaking-homegrown-crypto.html\nExploiting a Kernel Paged Pool Buffer Overflow in Avast Virtualization Driver https://www.nettitude.co.uk/exploiting-a-kernel-paged-pool-buffer-overflow-in-avast-virtualization-driver/\nglibc getaddrinfo() stack-based buffer overflow https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html\nDLL Injection with an old MMO client http://kukfa.co/2015/12/dll-injection-with-an-old-mmo-client/\nReverse Engineering the Yik Yak Android App http://randywestergren.com/reverse-engineering-the-yik-yak-android-app/\nHacking the PS4, part 1 - Introduction to PS4s security, and userland ROP https://cturt.github.io/ps4.html\n[VIDEO] Software Hacking - Simple Patching (IDA Pro, C) https://www.youtube.com/watch?v=Awg4_6d5Nb8\nWhere do I start with reverse engineering malware? I recommend \u0026ldquo;RE for Beginners\u0026rdquo;, I like the method used to teach reverse engineering. Then you can start doing some challenges.\nMacOS X 10.11.1 File System Buffer Overflow https://cxsecurity.com/issue/WLB-2015100149\nStatically Linking a Windows Kernel Driver as an ELF http://gaasedelen.blogspot.com/2015/10/statically-linking-windows-kernel.html\nA closer look at an operating botnet http://conorpp.com/blog/a-close-look-at-an-operating-botnet/\nHow to Reverse Engineer Android Applications http://darkmatters.norsecorp.com/2015/07/15/how-to-reverse-engineer-android-applications/?utm_content=buffer1915a\u0026amp;utm_medium=social\u0026amp;utm_source=twitter.com\u0026amp;utm_campaign=buffer\nhackme: Deconstructing an ELF File http://manoharvanga.com/hackme/\nLots of Reversing Tutorials for Newbs https://www.cyberguerrilla.org/blog/what-the-blackhats-dont-want-you-to-know-series/\nMeet \u0026lsquo;Tox\u0026rsquo;: Ransomeware for the Rest of Us https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us\nCode injection – a simple PHP virus carried in a JPEG image http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/\nSource for malware, backdoors etc for whitehat testing. https://www.reddit.com/r/AskNetsec/comments/18vymh/source_for_malware_backdoors_etc_for_whitehat/\nBuilding an SSH Botnet C\u0026amp;C Using Python and Fabric http://raidersec.blogspot.com/2013/07/building-ssh-botnet-c-using-python-and.html\nMalware as a service [pdf] http://blog.checkpoint.com/wp-content/uploads/2016/08/InsideNuclearsCore_UnravelingMalwarewareasaService.pdf\nBug Bounties\nTitle URL\nHow i Hacked into a PayPals Server - Unrestricted File Upload to Remote Code Execution http://blog.pentestbegins.com/2017/07/21/hacking-into-paypal-server-remote-code-execution-2017/\nYahoo Bug Bounty: Exploiting OAuth Misconfiguration To Takeover Flickr Accounts – MISHRE https://mishresec.wordpress.com/2017/10/12/yahoo-bug-bounty-exploiting-oauth-misconfiguration-to-takeover-flickr-accounts/\nSlack SAML authentication bypass http://blog.intothesymmetry.com/2017/10/slack-saml-authentication-bypass.html\nHow I hacked Google’s bug tracking system itself for $15,600 in bounties https://medium.freecodecamp.org/messing-with-the-google-buganizer-system-for-15-600-in-bounties-58f86cc9f9a5\nEscalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/\nFacebook Bug Bounties https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640/\nImage removal vulnerability in Facebook polling feature https://blog.darabi.me/2017/11/image-removal-vulnerability-in-facebook.html\nAll your Paypal OAuth tokens belong to me - localhost for the win http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html\nAuthentication bypass on Airbnb via OAuth tokens theft https://www.arneswinnen.net/2017/06/authentication-bypass-on-airbnb-via-oauth-tokens-theft/\nBug bounty left over (and rant) Part III (Google and Twitter) http://blog.intothesymmetry.com/2018/02/bug-bounty-left-over-and-rant-part-iii.html\nHow I have hacked Facebook again (..and would have stolen a valid access token) http://blog.intothesymmetry.com/2014/04/oauth-2-how-i-have-hacked-facebook.html OAuth 2\nTaking over Facebook accounts using Free Basics partner portal https://www.josipfranjkovic.com/blog/facebook-partners-portal-account-takeover\nHow I hacked Tinder accounts using Facebook’s Account Kit and earned $6,250 in bounties https://medium.freecodecamp.org/hacking-tinder-accounts-using-facebook-accountkit-d5cc813340d1\nStored XSS, and SSRF in Google using the Dataset Publishing Language https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html\nAuthentication bypass on Uber’s Single Sign-On via subdomain takeover – Arne Swinnens Security Blog https://www.arneswinnen.net/2017/06/authentication-bypass-on-ubers-sso-via-subdomain-takeover/\nAirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2 http://www.geekboy.ninja/blog/airbnb-bug-bounty-turning-self-xss-into-good-xss-2/\nPiercing the Veil: Server Side Request Forgery to NIPRNet access https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a\nMy Public Evernote: 0day writeup: XXE in uber.com https://httpsonly.blogspot.co.ke/2017/01/0day-writeup-xxe-in-ubercom.html?m=1\nAdvice From A Researcher: Hunting XXE For Fun and Profit https://blog.bugcrowd.com/advice-from-a-researcher-xxe/\nHunting For Bugs With AFL 101 - A PRIMER http://research.aurainfosec.io/hunting-for-bugs-101/\nContent Injection Vulnerability in WordPress 4.7 and 4.7.1 https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html\nMicrosoft didn’t sandbox Windows Defender, so I did https://blog.trailofbits.com/2017/08/02/microsoft-didnt-sandbox-windows-defender-so-i-did/\n[WARNING] Intel Skylake/Kaby Lake processors: broken hyper-threading https://lists.debian.org/debian-devel/2017/06/msg00308.html\n[Bug Bounty] GitHub Enterprise SQL Injection http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html\nNode.js code injection (RCE) on demo.paypal.com https://artsploit.blogspot.se/2016/08/pprce2.html\nPoisoning the Well – Compromising GoDaddy Customer Support With Blind XSS https://thehackerblog.com/poisoning-the-well-compromising-godaddy-customer-support-with-blind-xss/\nHow I Hacked Facebook, and Found Someones Backdoor Script http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver/\nGoogle increases bug bounty reward for Chromebook to $100,000 https://www.hackread.com/google-increases-bugs-bounty-reward-chromebook/\nHack The Pentagon: DoD Launches First-Ever Federal Bug Bounty Program http://www.darkreading.com/threat-intelligence/hack-the-pentagon-dod-launches-first-ever-federal-bug-bounty-program/d/d-id/1324542?_mc=NL_DR_EDT_DR_weekly_20160303\u0026amp;cid=NL_DR_EDT_DR_weekly_20160303\u0026amp;elqTrackId=83ac6139d95e4093b9a2186e03f662cb\u0026amp;elq=fd5fc2039aab426283a3737b96c99471\u0026amp;elqaid=68121\u0026amp;elqat=1\u0026amp;elqCampaignId=19869\nDetails of eBays JavaScript bug that they refuse to fix. http://thedailywtf.com/articles/bidding-on-security\nPayPal Remote Code Execution Vulnerability using Java Deserialization http://artsploit.blogspot.com/2016/01/paypal-rce.html\nEven the LastPass Will be Stolen Deal with It! http://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/\nPenetration Testing (Exploit POCs, vulnerabilities)\nTitle URL\nIntroduction to Manual Backdooring http://www.abatchy.com/2017/05/introduction-to-manual-backdooring_24.html\nCVE-2017-3881 Cisco Catalyst RCE Proof-Of-Concept https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/\nNode.fz: fuzzing the server-side event-driven architecture https://blog.acolyer.org/2017/06/09/node-fz-fuzzing-the-server-side-event-driven-architecture/\nRooting a Printer: From Security Bulletin to Remote Code Execution https://www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution\nEscaping a restricted shell – humblesec https://humblesec.wordpress.com/2016/12/08/escaping-a-restricted-shell/\nThe Weak Bug - Exploiting a Heap Overflow in VMware http://acez.re/the-weak-bug-exploiting-a-heap-overflow-in-vmware/\nPenetration Testing Flash Apps (aka “How to Cheat at Blackjack”) – PrivSec https://privsec.blog/penetration-testing-flash-apps-aka-how-to-cheat-at-blackjack/\nPenTest Tools for your Security Arsenal http://www.kitploit.com/\nLinux privilege escalation using weak NFS permissions https://haiderm.com/linux-privilege-escalation-using-weak-nfs-permissions/\nUsing Python To Get A Shell Without A Shell https://depthsecurity.com/blog/using-python-to-get-a-shell-without-a-shell\nx86_64 TCP bind shellcode with basic authentication on Linux systems https://pentesterslife.blog/2017/11/01/x86_64-tcp-bind-shellcode-with-basic-authentication-on-linux-systems/\nBuilding and Attacking an Active Directory lab with PowerShell https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/\ninterference-security/icmpsh: Simple reverse ICMP shell https://github.com/interference-security/icmpsh\nMeltdown and Spectre https://spectreattack.com/\nBypassing Anti-viruses with transfer Backdoor Payloads by DNS traffic https://www.peerlyst.com/posts/bypassing-anti-viruses-with-transfer-backdoor-payloads-by-dns-traffic-damon-mohammadbagher\n[PentesterLab] Our exercises https://pentesterlab.com/exercises/\nMount a Raspberry Pi File System Image https://pen-testing.sans.org/blog/2016/12/07/mount-a-raspberry-pi-file-system-image\nIOActive Labs Research: In Flight Hacking System http://blog.ioactive.com/2016/12/in-flight-hacking-system.html\nShortcuts: another neat phishing trick https://d.uijn.nl/2016/12/28/shortcuts-another-neat-phishing-trick/\nBasics of Making a Rootkit: From syscall to hook! https://d0hnuts.com/2016/12/21/basics-of-making-a-rootkit-from-syscall-to-hook/\nCracking 12 Character Above Passwords http://www.netmux.com/blog/cracking-12-character-above-passwords\nImageTragick/PoCs: Proof of Concepts for CVE-2016–3714 https://github.com/ImageTragick/PoCs\nFacebook\u0026rsquo;s ImageTragick Remote Code Execution http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html\nA pure python, post-exploitation, data mining tool and remote administration tool for macOS https://github.com/manwhoami/Bella\nUsing the Registry to Discover Unix Systems and Jump Boxes https://www.fireeye.com/blog/threat-research/2017/03/using_the_registryt.html\nThe most complete open-source tool for Twitter intelligence analysis (With Sources) https://github.com/vaguileradiaz/tinfoleak\nFive Pentesting Tools and Techniques (That Every Sysadmin Should Know) https://medium.com/@jeremy.trinka/five-pentesting-tools-and-techniques-that-sysadmins-should-know-about-4ceca1488bff\nVarious Docker Images for Pentesting https://github.com/ZephrFish/DockerAttack\nSharpShooter - a weaponised payload generation framework with anti-sandbox analysis, staged and stageless payload execution and support for evading ingress monitoring [See comment for Sources] https://www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/\nAny Interest in a Web Application PenTesting Methodology Cheat Sheet? https://www.reddit.com/r/AskNetsec/comments/7zz80i/any_interest_in_a_web_application_pentesting/\nAn ICMP reverse shell to bypass TCP firewall rules https://github.com/interference-security/icmpsh\nOn a pentesting gig, you pivot from credential harvesting to an authenticated command injection to a privilege escalation for root. http://1.media.collegehumor.cvcdn.com/84/37/5f290f6d1def6c35fc73777a817f2672.gif\nA Review of PentesterLab https://littlemaninmyhead.wordpress.com/2017/10/29/a-review-of-pentesterlab/\nOSCP Survival Guide Cheatsheet https://github.com/frizb/OSCP-Survival-Guide/blob/master/README.md\nScrewdriving BLE devices https://www.pentestpartners.com/security-blog/screwdriving-locating-and-exploiting-smart-adult-toys/\nOperation Luigi: How I hacked my friend without her noticing https://defaultnamehere.tumblr.com/post/163734466355/operation-luigi-how-i-hacked-my-friend-without\n5 severe Vulnerabilities found in IoT smart alarm system that could allow remote execution http://dojo.bullguard.com/blog/burglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities/\nrtfm.py A python cheat sheet program à la red team field manual\nStealing passwords from McDonalds users https://finnwea.com/blog/stealing-passwords-from-mcdonalds-users\np0wnedShell - PowerShell Runspace Post Exploitation Toolkit https://github.com/Cn33liz/p0wnedShell\nWide Impact: Highly Effective Gmail Phishing Technique Being Exploited https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/\nTruffle Hog: A tool that Searches Entire Commit History in Git Repositories for High Entropy Strings to Find Secrets Accidentally Committed to Version Control https://github.com/dxa4481/truffleHog\nA thorough Guide to Pentesting Tutorials \u0026amp; WalkThroughs https://www.youtube.com/channel/UC9Qa_gXarSmObPX3ooIQZrg\n$3 USB Rubber Ducky https://www.youtube.com/watch?v=_yJWwKO3_Z0\nBest 5 Websites to Master Hacking With Kali Linux : For Beginners http://www.kalitutorials.net/2016/10/best-5-website-to-master-hacking-with.html\nHacking the Hard Way at the DerbyCon CTF https://labs.signalsciences.com/hacking-the-hard-way-at-the-derbycon-ctf-d35b4dd4c97d\nMetasploit Cheat Sheet - a handy quick reference guide with the most useful commands http://www.tunnelsup.com/metasploit-cheat-sheet/\nnmap cheatsheet + examples https://highon.coffee/docs/nmap/\n“Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n22 Hacking Sites, CTFs and Wargames To Legally Practice Hacking https://hackerlists.com/hacking-sites/\nPentest Series: The State of Security - What Project Zeros font bug can teach us about engineering workflow, the nature of exploits, and legacy issues http://sten0.ghost.io/2016/07/06/the-state-of-security/\nBuilding a Brute-Force Zip File Cracking Tool (this is my first truly original cracking script and I just wanted to show it off, \u0026lsquo;cause I\u0026rsquo;m proud of it. I would love any constructive criticism on the code). https://www.youtube.com/watch?v=jqpjF5o1SGs\nVMware Escapology - Researchers from ZDI release Metasploit modules for VMware Escapes https://www.zerodayinitiative.com/blog/2017/10/04/vmware-escapology-how-to-houdini-the-hypervisor\nRandom Vulnerable VM Generator! https://github.com/cliffe/SecGen\nA Secure Shell (SSH) scanner / bruteforcer controlled via the Internet Relay Chat (IRC) protocol. https://github.com/acidvegas/spaggiari\noss-sec: server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished ᴄᴠᴇ-2016-2324 and ᴄᴠᴇ‑2016‑2315) http://seclists.org/oss-sec/2016/q1/645\nGetting Domain Admin with Kerberos Unconstrained Delegation http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html\nPwning CCTV cameras https://www.pentestpartners.com/blog/pwning-cctv-cameras/\nDLL Hijacking Just Won’t Die http://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/\nHow to embed an executable into Outlook, disguised as a .docx https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0#.luji1r9xf\nI created a beginner\u0026rsquo;s tutorial for performing DoS and DDoS attacks for y\u0026rsquo;all https://toastersecurity.blogspot.com/2015/12/dos-101-ping-of-death.html\nUseful PHP Exploitation Methods in Metasploit https://youtu.be/iD9Qm5KtsWk\nBreaking 512-bit RSA encryption with Amazon EC2 is so easy novices can do it. http://arstechnica.com/security/2015/10/breaking-512-bit-rsa-with-amazon-ec2-is-a-cinch-so-why-all-the-weak-keys/\nAttacking Ruby on Rails Applications http://phrack.org/papers/attacking_ruby_on_rails.html\nKali Linux 2.0 Android phone hack. https://www.youtube.com/attribution_link?a=PB984nZ6uqw\u0026amp;u=%2Fwatch%3Fv%3DmWcK_E1xujM%26feature%3Dshare\nKali linux 2.0. 
~ Wireless Network Hacking ~ https://www.youtube.com/watch?feature=player_embedded\u0026amp;v=-fu5Wtx7K-o Hack Like the Bad Guys – Using Tor for Firewall Evasion and Anonymous Remote Access http://foxglovesecurity.com/2015/11/02/hack-like-the-bad-guys-using-tor-for-firewall-evasion-and-anonymous-remote-access/ How I hacked my IP camera, and found this backdoor account http://jumpespjump.blogspot.com/2015/09/how-i-hacked-my-ip-camera-and-found.html Here is a quick video series I made on Metasploit (for Beginners) https://www.reddit.com/r/hacking/comments/3nypx0/here_is_a_quick_video_series_i_made_on_metasploit/ Pupy: a RAT with an embeded Python interpreter. can load python packages from memory and transparently access remote python objects. The payload is a reflective DLL and leaves no trace on disk https://github.com/n1nj4sec/pupy Exploiting MS15-100 Vulnerability (CVE-2015-2509) http://resources.infosecinstitute.com/exploiting-ms15-100-cve-2015-2509/ Twittor, a Python backdoor that uses Twitter as a C\u0026amp;C server https://github.com/PaulSec/twittor The Latest on Stagefright: CVE-2015-1538 Exploit is Now Available for Testing Purposes https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/ 0x00.txt - the write-up/guide from the FinFisher hack https://www.reddit.com/r/HowToHack/comments/3j2as7/0x00txt_the_writeupguide_from_the_finfisher_hack/ Things you should do after you install Kali Linux/how to fix things https://www.reddit.com/r/HowToHack/comments/3d7e1c/things_you_should_do_after_you_install_kali/ DLL Injection Resources - more in comments http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html Help with SLMailv5.5 Buffer Overflow https://www.reddit.com/r/AskNetsec/comments/3c4i2y/help_with_slmailv55_buffer_overflow/ Security CheatSheets a wealth of knowledge for a pen-tester https://github.com/Snifer/security-cheatsheets (My) Introduction to Doxing. 
Various Sites and (Basic-Advanced) Information Gathering Techniques. https://www.reddit.com/r/HowToHack/comments/34ges4/my_introduction_to_doxing_various_sites_and/ Pwning a thin client in less than two minutes http://blog.malerisch.net/2015/04/pwning-hp-thin-client.html net-creds.py: the most thorough network/pcap credential harvester https://github.com/DanMcInerney/net-creds Hacking Oklahoma State University’s Student ID http://snelling.io/hacking-oklahoma-state-university-student-id PowerShell: Better phishing for all! http://d.uijn.nl/?p=116 [Screenshots] LANs.py: catch usernames, passwords, and messages on a network + inject arbitrary HTML into visited pages https://www.reddit.com/r/hacking/comments/1q70ic/screenshots_lanspy_catch_usernames_passwords_and/ How to Approach Hacking https://www.reddit.com/r/HowToHack/comments/1mf46x/how_to_approach_hacking/ What do we think about compiling all our social engineering into some easy-to-read guides? https://www.reddit.com/r/SocialEngineering/comments/18yrff/what_do_we_think_about_compiling_all_our_social/ Tactics to Hack an Enterprise Network http://blog.strategiccyber.com/2013/01/14/tactics-to-hack-an-enterprise-network/ Web Application Security Title URL Your interpreter isn’t safe anymore — The PHP module rootkit https://blog.paradoxis.nl/your-interpreter-isnt-safe-anymore-the-php-module-rootkit-c7ca6a1a9af5 On a high level, how does OAuth 2 work? 
- Stack Overflow https://stackoverflow.com/questions/4727226/on-a-high-level-how-does-oauth-2-work/32534239#32534239 Inject All the Things - Shut Up and Hack http://blog.deniable.org/blog/2017/07/16/inject-all-the-things/ XSS Contexts and some Chrome XSS Auditor tricks - web 0x03 - YouTube https://www.youtube.com/watch?v=8GwVBpTgR2c Basic of SQL for SQL Injection part 3 http://securityidiots.com/Web-Pentest/SQL-Injection/Part-3-Basic-of-SQL-for-SQLi.html Java Deserialization Security FAQ https://www.christian-schneider.net/JavaDeserializationSecurityFAQ.html SAMLRaider/SAMLRaider: SAML2 Burp Extension https://github.com/SAMLRaider/SAMLRaider The Grey Corner: CommonCollections deserialization attack payloads from ysoserial failing on JRE 8u72 http://www.thegreycorner.com/2016/05/commoncollections-deserialization.html Mobile penetration testing on Android using Drozer – Security Café https://securitycafe.ro/2015/07/08/mobile-penetration-testing-using-drozer/#more-945 An Overview of Deserialization Vulnerabilities in the Java Virtual Machine https://www.slideshare.net/joaomatosf_/an-overview-of-deserialization-vulnerabilities-in-the-java-virtual-machine-jvm-h2hc-2017 Bypassing SAML 2.0 SSO with XML Signature Attacks http://research.aurainfosec.io/bypassing-saml20-SSO/ OAuth 2 attacks - Introducing The Devil Wears Prada and Lassie Come Home http://blog.intothesymmetry.com/2013/05/oauth-2-attacks-introducing-devil-wears.html Hunting in the Dark - Blind XXE https://blog.zsec.uk/blind-xxe-learning/ Cracking the Lens: Targeting HTTPs Hidden Attack-Surface http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html S3 bucket enumerator https://github.com/bbb31/slurp bbb31/slurp Extract subdomains with GAN GETALTNAME Gaining Domain Admin from Outside Active Directory https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html Dear developers, beware of DNS Rebinding 
https://www.twistlock.com/2018/02/28/dear-developers-beware-dns-rebinding/ In-Depth Subdomain Enumeration https://github.com/caffix/amass caffix/amass Triggering a DNS lookup using Java Deserialization https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/ mpirnat/lets-be-bad-guys: A deliberately-vulnerable website and exercises for teaching about the OWASP Top 10 https://github.com/mpirnat/lets-be-bad-guys RIPS - The State of Wordpress Security https://blog.ripstech.com/2016/the-state-of-wordpress-security/ Infection Monkey - GuardiCore https://www.guardicore.com/infectionmonkey/ Getting MOAR Value out of PHP Local File Include Vulnerabilities https://pen-testing.sans.org/blog/2016/12/07/getting-moar-value-out-of-php-local-file-include-vulnerabilities Location based XSS attacks http://www.thespanner.co.uk/2008/12/01/location-based-xss-attacks/ What is DOM Based XSS (Cross-site Scripting)? https://www.netsparker.com/blog/web-security/dom-based-cross-site-scripting-vulnerability/ Mining Meteor https://pen-testing.sans.org/blog/2016/12/06/mining-meteor Tampermonkey https://tampermonkey.net/ nidem/MeteorMiner https://github.com/nidem/MeteorMiner PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html dns - GitHub pages custom domain infinite redirect loop http://stackoverflow.com/questions/11382544/github-pages-custom-domain-infinite-redirect-loop XML External Entity (XXE) Processing https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing SSRF bible. 
Cheatsheet https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit#heading=h.xm4muaotv626 GitHub’s post-CSP journey - GitHub Engineering https://githubengineering.com/githubs-post-csp-journey/ fWaf – Machine learning driven Web Application Firewall Fsecurify Major version release 1.0.0 of amass, the subdomain enumeration tool written in Go. Shown to be more effective than Sublist3r. https://github.com/caffix/amass/releases Extract subdomains with GAN python tool that extract subdomains from HTTPS certificates. introduction xml external entity attack and exploitation https://www.youtube.com/attribution_link?a=aGkEjpF2Jrs\u0026amp;u=%2Fwatch%3Fv%3DLkz_98SY-m8%26feature%3Dshare Lab for Java Deserialization Vulnerabilities https://github.com/joaomatosf/JavaDeserH2HC Exposing Server IPs Behind CloudFlare http://www.chokepoint.net/2017/10/exposing-server-ips-behind-cloudflare.html RESTful DOOM: HTTP/JSON API for classic Doom http://1amstudios.com/2017/08/01/restful-doom/ Injection Vulnerabilities - or: How I got a free Burger https://www.youtube.com/watch?v=WWJTsKaJT_g AWS Security Primer https://cloudonaut.io/aws-security-primer/ The entire WebGL Insights book is now free: 23 chapters on advanced topics from 42 authors and 25 reviewers! http://webglinsights.com/ Exploiting PHPMailer https://hackr.pl/2016/12/27/exploiting-phpmailer-cve-2016-10033/ Bypassing PHP Null Byte Injection protections - Challenge https://www.securusglobal.com/community/2016/08/15/bypassing-php-null-byte-injection-protections/ Bypassing PHP Null Byte Injection protections - Part II (Challenge Write-up) https://www.securusglobal.com/community/2016/08/19/abusing-php-wrappers/ XSS Cheat Sheet SecLists/Fuzzing has some good text file examples of XSS along with a lot more, like password lists. owasp is great too another good xss list the big list of naughty strings is another fun one. 
Use good libraries to prevent it whenever you get a chance, because implementing secure sanitization yourself is always going to be a large project on its own, outside the scope of whatever app you\u0026rsquo;re making. for real examples, visit /r/xss and check https://www.openbugbounty.org/ (also a good place to disclose them) SQL cheat sheet https://zeroturnaround.com/rebellabs/sql-cheat-sheet/ Using Multi-byte Characters to Nullify SQL injection sanitizing http://howto.hackallthethings.com/2016/06/using-multi-byte-characters-to-nullify.html Probing to Find XSS http://brutelogic.com.br/blog/probing-to-find-xss/ The Genesis of an XSS Worm – Part I http://brutelogic.com.br/blog/genesis-xss-worm-part-i/ Looking for XSS in PHP Source Code http://brutelogic.com.br/blog/looking-xss-php-source/ How The Hacker that Hacked The Catalan Police Union Did It? He Posted A Video Of The Process https://tune.pk/video/6528544/hack Pastejacking: Using JavaScript to override your clipboard contents and trick you into running malicious commands https://github.com/dxa4481/Pastejacking XSS on GoDaddy, Match, CalvinKlein, ToysRus, Southwest, Senate.Gov, RuneScape, CNET, DeviantArt and more http://antincode.com/post/144664272101/xss-on-godaddy-match-calvinklein-toysrus How I broke a mobile banking application to gain unrestricted access to several Billion Dollars worth of Deposits. 
https://boris.in/blog/2016/the-bank-job/ Blind XSS Code http://brutelogic.com.br/blog/blind-xss-code/ I’m not a human: Breaking the Google reCAPTCHA https://www.blackhat.com/docs/asia-16/materials/asia-16-Sivakorn-Im-Not-a-Human-Breaking-the-Google-reCAPTCHA-wp.pdf Domino\u0026rsquo;s: Pizza and Payments http://www.ifc0nfig.com/dominos-pizza-and-payments/ Issue 773 - google-security-research - TrendMicro: A remote Node.js debugger stub is listening in default install https://bugs.chromium.org/p/project-zero/issues/detail?id=773 SQL Injection Cheat Sheet by Netsparker https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/ XSS without HTML: Client-Side Template Injection with AngularJS http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption http://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf CSS based Attack: Abusing unicode-range of @font-face http://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html Security for building modern web apps http://dadario.com.br/security-for-building-modern-web-apps/ Computer Science \u0026amp;\u0026amp; Algorithms Title URL algorithm - Python- Sieve of Eratosthenes https://stackoverflow.com/questions/6687296/python-sieve-of-eratosthenes-compact-python Improve Your Python: Python Classes and Object Oriented Programming https://jeffknupp.com/blog/2014/06/18/improve-your-python-python-classes-and-object-oriented-programming/ Quick Guide To Polymorphism In Java https://www.sitepoint.com/quick-guide-to-polymorphism-in-java/ Google Infrastructure Security Design Overview Google Cloud Platform https://cloud.google.com/security/security-design/#secure_service_deployment Avoid Else, Return Early http://blog.timoxley.com/post/47041269194/avoid-else-return-early Genius explanation of Meltdown/Spectre malware 
https://www.reddit.com/r/sysadmin/comments/7ot0ke/genius_explanation_of_meltdownspectre_malware/ Pi-Tac 1.0 - A Raspberry Pi Zero W in a Tic-Tac box, with an Adafruit PiOLED display, and a Powerboost 1000C for push-button power, and safe shutdown on low battery. https://imgur.com/a/UTMGZ 500 Data Structures and Algorithms practice problems and their solutions https://www.reddit.com/r/learnprogramming/comments/76g2lo/500_data_structures_and_algorithms_practice/ I created a beginners guide to SSH Keys video tutorial https://www.youtube.com/watch?v=hHs98hLtZJo I want to practice Python but I have no idea what to make. https://www.reddit.com/r/learnprogramming/comments/6u218q/i_want_to_practice_python_but_i_have_no_idea_what/ Bootloader and Low-Level Programming Tutorial: How To Develop Your Own Boot Loader https://www.apriorit.com/dev-blog/66-develop-boot-loader Things you didn\u0026rsquo;t know a bunch of Pis can do: Playing a single video on multiple, freely arranged screens (more in a comment) https://gfycat.com/TheseHighlevelFlyingfox My journey to getting hired with no CS degree and no professional programming experience https://www.reddit.com/r/learnprogramming/comments/6ps3lg/my_journey_to_getting_hired_with_no_cs_degree_and/ Free Microsoft e-book giveaway with thousands of books. Grab \u0026lsquo;em. https://www.reddit.com/r/learnprogramming/comments/6nrsy2/free_microsoft_ebook_giveaway_with_thousands_of/ Maze generation code, inspired by working through Mazes for Programmers https://github.com/defndaines/meiro I built a self-driving car! https://www.reddit.com/r/cars/comments/6dhzvn/i_built_a_selfdriving_car/ Six programming paradigms that will change how you think about coding http://www.ybrikman.com/writing/2014/04/09/six-programming-paradigms-that-will/ Java/C++ bots playing StarCraft live at Twitch. Commentary each Sunday 11:00 AM PT. \u0026gt; BWMirror API is a Java wrapper for C++ BWAPI. 
It wraps all the classes, constants and enums inside Java objects, while providing the exact same interface as the original C++ BWAPI. This is achieved by heavily utilising JNI. http://www.sscaitournament.com/index.php?action=tutorial 500 Data structures and algorithms interview questions and their solutions https://techiedelight.quora.com/500-Data-structures-programming-interview-questions Practical Color Theory for People Who Code https://tallys.github.io/color-theory/ How I Ruined Office Productivity With a Face-Replacing Slack Bot http://blog.zikes.me/post/how-i-ruined-office-productivity-with-a-slack-bot/ A beginners trick I learned way too late in the game of learning to code: repetition repetition repetition https://www.reddit.com/r/learnprogramming/comments/5pyx5t/a_beginners_trick_i_learned_way_too_late_in_the/ Google Infrastructure Security Design Overview https://cloud.google.com/security/security-design/ We\u0026rsquo;re programming a virtual machine - from scratch! https://www.reddit.com/r/learnprogramming/comments/59zjcc/were_programming_a_virtual_machine_from_scratch/ Google Interview University - multi-month study plan for going from web developer (self-taught, no CS degree) to Google software engineer https://github.com/jwasham/google-interview-university Researchers Demonstrated How NSA Broke Trillions of Encrypted Connections http://thehackernews.com/2016/10/nsa-crack-encryption.html Found an interactive game to learn programing https://www.reddit.com/r/learnprogramming/comments/51lz7z/found_an_interactive_game_to_learn_programing/ How I made over $50,000 in 5 days with a drone (a step-by-step plan). https://www.reddit.com/r/Entrepreneur/comments/4wzh45/how_i_made_over_50000_in_5_days_with_a_drone_a/ Over 183,000 datasets on Data.gov - if you\u0026rsquo;re looking for data for a personal project, here you go http://catalog.data.gov/dataset Become a GDB power user! 
http://undo.io/resources/presentations/accu-2016-become-gdb-power-user/ Detecting cats in images with OpenCV. http://www.pyimagesearch.com/2016/06/20/detecting-cats-in-images-with-opencv/ Your favorite scripts you have stolen or made https://www.reddit.com/r/sysadmin/comments/4oxxgv/your_favorite_scripts_you_have_stolen_or_made/ My new Raspberry Pi espresso controller: touchscreen GUI + PID control + Siri http://hallee.github.io/espresso-arm/ Pi-Hole doing its job! http://i.imgur.com/vo92mbx.png For all of you who are starting programming, here is a site that lets you visualise some data structures and algorithms involving them. I wish I had this in college. https://www.reddit.com/r/learnprogramming/comments/4oi604/for_all_of_you_who_are_starting_programming_here/ A simple stack overflow question becomes an interesting lesson in tech history (ZIP) http://stackoverflow.com/questions/20762094/how-are-zlib-gzip-and-zip-related-what-are-is-common-and-how-are-they-differen Taking over 17000 hosts by typosquatting package managers like PyPi or npmjs.com http://incolumitas.com/2016/06/08/typosquatting-package-managers/ A game about hacking an imaginary device using a real assembly instruction set. It gives you a debugger and a memory dump and you have to figure out how to exploit it. Xpost from r/programming https://microcorruption.com Facebook begins tracking non-users around the internet http://www.theverge.com/2016/5/27/11795248/facebook-ad-network-non-users-cookies-plug-ins Google just open sourced something called ‘Parsey McParseface,and it could change AI forever http://thenextweb.com/dd/2016/05/12/google-just-open-sourced-something-called-parsey-mcparseface-change-ai-forever/ Googling is a skill. How to use Google. Open Source remake of Red Alert / C\u0026amp;C / Dune with working multiplayer \u0026amp; a really active community! 
http://www.openra.net/ Two Google developers have drafted an API for direct USB access via web pages https://wicg.github.io/webusb/ Building your own GSM station has become the simplest task in the world http://www.evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/#.VwiZPRSPDjo.reddit C/C++ Program Memory - Easily the most helpful book I\u0026rsquo;ve ever read. https://www.reddit.com/r/learnprogramming/comments/4d1etw/cc_program_memory_easily_the_most_helpful_book/ Why is calculus important for programming, specifically algorithms? https://www.reddit.com/r/learnprogramming/comments/4cog17/why_is_calculus_important_for_programming/ Markov Chains explained visually http://setosa.io/ev/markov-chains/ The gloves are off: FBI argues it can force Apple to turn over iPhone source code http://www.extremetech.com/mobile/224709-the-gloves-are-off-fbi-argues-it-can-force-apple-to-turn-over-iphone-source-code Surprise! NSA data will soon routinely be used for domestic policing that has nothing to do with terrorism https://www.washingtonpost.com/news/the-watch/wp/2016/03/10/surprise-nsa-data-will-soon-routinely-be-used-for-domestic-policing-that-has-nothing-to-do-with-terrorism About SQL Server on Linux http://turnoff.us/geek/sql-server-on-linux/ activate-power-mode https://atom.io/packages/activate-power-mode PSA: Learn Discrete Math https://www.reddit.com/r/learnprogramming/comments/465wkd/psa_learn_discrete_math/ ELI5: Why do even numbers feel safer and more pleasing than odd numbers? https://www.reddit.com/r/explainlikeimfive/comments/45zunb/eli5_why_do_even_numbers_feel_safer_and_more/ \u0026ldquo;An important thing to become better at programming is to read good code\u0026rdquo;. I agree but where do I find code for my language and skill level and how do I know it\u0026rsquo;s good? https://www.reddit.com/r/learnprogramming/comments/45yv6a/an_important_thing_to_become_better_at/ What\u0026rsquo;s the coolest mathematical fact you know of? 
https://www.reddit.com/r/AskReddit/comments/45m1zl/whats_the_coolest_mathematical_fact_you_know_of/ Parsing 10TB of Metadata, 26M Domain Names and 1.4M SSL Certs for $10 on AWS http://blog.waleson.com/2016/01/parsing-10tb-of-metadata-26m-domains.html A critique of \u0026ldquo;How to C in 2016\u0026rdquo; https://github.com/Keith-S-Thompson/how-to-c-response How to C (as of 2016) https://matt.sh/howto-c If you are learning Python and want to build system monitoring or data driven web apps, then here is something to get you started https://www.reddit.com/r/sysadmin/comments/3udqgm/if_you_are_learning_python_and_want_to_build/ 15 Sorting Algorithms in 6 Minutes-Visualization https://www.youtube.com/watch?feature=youtu.be\u0026amp;v=kPRA0W1kECg\u0026amp;app=desktop How Cello, a library offering high-level functionality to C, implements (portable) garbage collection http://libcello.org/learn/garbage-collection CPython internals: A ten-hour codewalk through the Python interpreter source code http://pgbovine.net/cpython-internals.htm Learn to make a game in C++! https://www.reddit.com/r/learnprogramming/comments/3mtvlk/learn_to_make_a_game_in_c/ The Greatest Regex Trick Ever http://www.rexegg.com/regex-best-trick.html I created web app for monitoring temperature and humidity, and wanted share it with you. https://github.com/hawkerpl/damn_hot_pie The Art of Command Line https://github.com/jlevy/the-art-of-command-line Hi, first post ever! I\u0026rsquo;ve started a blog on fun graphic guides to algorithms. Thoughts? http://algosaur.us/ NASA\u0026rsquo;s ten coding commandments https://jaxenter.com/power-ten-nasas-coding-commandments-114124.html Computer Systems Security MIT OpenCourseWare Here\u0026rsquo;s a list of 153 free online programming/CS courses (MOOCs) with feedback(i.e. 
exams/homeworks/assignments) that you can start this month (July 2015) https://www.reddit.com/r/learnprogramming/comments/3bw634/heres_a_list_of_153_free_online_programmingcs/ The Open-Source Computer Science Degree https://www.reddit.com/r/learnprogramming/comments/3btnh6/the_opensource_computer_science_degree/ BetterExplained - A fun website that explains programming concepts and tools in a very easy and intuitive way https://www.reddit.com/r/learnprogramming/comments/3b0rli/betterexplained_a_fun_website_that_explains/ The Technical Interview Cheat Sheet https://gist.github.com/TSiege/cbb0507082bb18ff7e4b Goddamn pointers man\u0026hellip; It just doesn\u0026rsquo;t click https://www.reddit.com/r/learnprogramming/comments/3hycnu/goddamn_pointers_man_it_just_doesnt_click/ Algorithms and Data Structures cheat sheets? https://www.reddit.com/r/learnprogramming/comments/3gpvyx/algorithms_and_data_structures_cheat_sheets/ The best Git Workflows explanation so far https://www.atlassian.com/git/tutorials/comparing-workflows Learning programming beyond the basics https://www.reddit.com/r/learnprogramming/comments/3er4xo/learning_programming_beyond_the_basics/ The AI Games - Create a bot for Tetris and join the competition! http://theaigames.com/competitions/ai-block-battle The Art of Command Line https://github.com/jlevy/the-art-of-command-line PSA for people who often do troubleshooting. PSR is relatively unknown, and it\u0026rsquo;s awesome. http://windows.microsoft.com/en-us/windows7/how-do-i-use-problem-steps-recorder Unicode is Kind of Insane http://www.benfrederickson.com/unicode-insanity/ Top 10 data mining algorithms in plain English http://rayli.net/blog/data/top-10-data-mining-algorithms-in-plain-english/ Hi r/programming, 4 months ago I released a tiny text-extraction algorithm. After spending the better part of the last 4 months testing/thinking about extraction algo\u0026rsquo;s for a paper (never again), I think I\u0026rsquo;ve landed the big one. 
Well, it\u0026rsquo;s small actually. 10 lines of code. http://rodricios.github.io/posts/solving_the_data_extraction_problem.html How are reddit bots created? https://www.reddit.com/r/learnprogramming/comments/362ark/how_are_reddit_bots_created/ 40 Key Computer Science Concepts Explained In Layman’s Terms (x-post from r/interestingasfuck) https://www.reddit.com/r/learnprogramming/comments/33i1k2/40_key_computer_science_concepts_explained_in/ Learn Git Interactively https://www.reddit.com/r/learnprogramming/comments/2xfieg/learn_git_interactively/ Here\u0026rsquo;s Waldo: Computing the optimal search strategy for finding Waldo [OC] http://www.randalolson.com/2015/02/03/heres-waldo-computing-the-optimal-search-strategy-for-finding-waldo/ [Resource] Wireshark video course. Most useful packet capture tool every coder should know (100 free coupons) https://www.reddit.com/r/learnprogramming/comments/2ueowa/resource_wireshark_video_course_most_useful/ Hey everyone! I\u0026rsquo;m writing a complete beginner\u0026rsquo;s guide on how to use Git / Source Control. Thought some of you might find this helpful. https://www.reddit.com/r/learnprogramming/comments/2ubnew/hey_everyone_im_writing_a_complete_beginners/ Main is usually a function. So then when is it not? https://jroweboy.github.io/c/asm/2015/01/26/when-is-main-not-a-function.html I taught myself how to program from scratch. Here are my recommendations for newbies starting out. 
https://www.reddit.com/r/learnprogramming/comments/2sm65w/i_taught_myself_how_to_program_from_scratch_here/ Learning iOS development by building a Yik Yak Clone https://www.reddit.com/r/learnprogramming/comments/2sufw2/learning_ios_development_by_building_a_yik_yak/ A github repo that\u0026rsquo;s actually a game to help you learn git https://github.com/hgarc014/git-game 14 clever and useful 3D-printable camera accessories http://makezine.com/2014/05/09/14-clever-and-useful-3d-printable-camera-accessories/ Tutorial on creating a platformer in Python https://www.reddit.com/r/learnprogramming/comments/20ejkg/tutorial_on_creating_a_platformer_in_python/ Raspberry Pi Class Now Free on Skillshare https://www.reddit.com/r/raspberry_pi/comments/1yfwnm/raspberry_pi_class_now_free_on_skillshare/ How I learned to develop Android apps in less than a year https://www.reddit.com/r/learnprogramming/comments/1s347g/how_i_learned_to_develop_android_apps_in_less/ What are some exercises a beginner should do to get better at coding. https://www.reddit.com/r/learnprogramming/comments/1ixjvt/what_are_some_exercises_a_beginner_should_do_to/ Introduction to C++, a series of 46 videos created by Redditor sarevok9 [x-post /r/UniversityofReddit] http://ureddit.com/blog/2013/02/25/featured-class-introduction-to-c/ About 4 months ago I posted a fast/simple youtube to mp3 converter. I\u0026rsquo;ve kept my promise of no ads and continue to fund it from my own pocket. Can you jump start it by pasting 1 youtube url? http://www.url-to-mp3.com/ How to make a cakeday site using the Reddit api and JavaScript - x-post r/programming http://stinaq.me/2013/02/21/how-to-make-a-cakeday-site-using-the-reddit-api-and-javascript/ What other abominations can anyone find written in bash? 
3D FPS here… <https://github.com/EvilTosha/labirinth/blob/master/lab2.sh>
- [Java] Tips and tricks for Java development with Eclipse <https://www.reddit.com/r/learnprogramming/comments/18pa1m/java_tips_and_tricks_for_java_development_with/>
- Detecting a Loop in Singly Linked List - Tortoise & Hare <http://codingfreak.blogspot.com/2012/09/detecting-loop-in-singly-linked-list_22.html>
- 9 of the Best Free C Books <http://www.linuxlinks.com/article/20130202034416464/9oftheBestFreeC-Part1.html>
- Instacode - Instagram for Code! (yes this is as useful as you think it is) <http://instacode.linology.info>
- Found a list of legally FREE e-Books pertaining to programming, comp. sci, and engineering over at /r/freebies <https://www.reddit.com/r/learnprogramming/comments/17diit/found_a_list_of_legally_free_ebooks_pertaining_to/>
- Java Beginners Course, Making a 3D Game, Minecraft 2D Tutorials, Tower Defence Tutorials! <https://www.reddit.com/r/learnprogramming/comments/14srg6/java_beginners_course_making_a_3d_game_minecraft/>
- You want to learn how to code a game? Here's a short template for you. Turn this into tetris as a learning experience. Post a screen shot of your success. <https://www.reddit.com/r/learnprogramming/comments/10iya0/you_want_to_learn_how_to_code_a_game_heres_a/>
- Learning to program from zero to employable: tips and tricks, or recommended resources? <https://www.reddit.com/r/learnprogramming/comments/yay4p/learning_to_program_from_zero_to_employable_tips/>
- How many of you, if any at all, would be interested in a stream of me going through and programming a 2D game? <https://www.reddit.com/r/learnprogramming/comments/ptdie/how_many_of_you_if_any_at_all_would_be_interested/>

CTF
- Defcon-ctf-2017-divided-writeup <https://www.securifera.com/blog/2017/06/18/defcon-ctf-2017-divided-writeup/>
- Warhable - CTF - PEN-TESTING - CODING - RESEARCH - LEARNING <https://warhable.wordpress.com/>
- Solving a Danish Defense Intelligence Puzzle - Irken Kitties <https://safiire.github.io/blog/2017/08/19/solving-danish-defense-intelligence-puzzle/>
- Zero Day Initiative — Deconstructing a Winning Webkit Pwn2Own Entry <https://www.zerodayinitiative.com/blog/2017/8/24/deconstructing-a-winning-webkit-pwn2own-entry>
- Solving the SANS 2016 Holiday Hack Challenge <https://techanarchy.net/2017/01/solving-the-sans-2016-holiday-hack-challenge/>
- ForAllSecure released their open CTF-style training platform, HackCenter, at Enigma 2017 <https://www.reddit.com/r/netsec/comments/5r8rz8/forallsecure_released_their_open_ctfstyle/>
- HackCenter <https://hackcenter.com/sign-in>
- Learn buffer overflows, assembly, and read step-by-step walkthroughs on CTF events/challenges <https://www.reddit.com/r/netsecstudents/comments/6f6zm3/learn_buffer_overflows_assembly_and_read/>
- Pwntools v3.0 Released <https://www.reddit.com/r/netsec/comments/4z3noh/pwntools_v30_released/>
- CTF challenges and a guide for beginners <https://github.com/kablaa/CTF-Workshop>
- Holiday Hack Challenge 2015 Complete Writeup <https://medium.com/@jrozner/holiday-hack-challenge-2015-complete-writeup-1c8300cc847a#.pv007155s>

Web Development
- learnlayout.com is a nice resouce for beginners in CSS <https://www.reddit.com/r/learnprogramming/comments/88pg39/learnlayoutcom_is_a_nice_resouce_for_beginners_in/>
- Simple single element spinning loader using CSS <https://codepen.io/AllThingsSmitty/pen/BRbgyp>
- I've created a tutorial for creating a module Angular 5 Dashboard from scratch <https://www.reddit.com/r/learnprogramming/comments/7n5zdv/ive_created_a_tutorial_for_creating_a_module/>
- jq - like sed for JSON data <https://stedolan.github.io/jq/>
- A Collection & Specification for Exemplary Frontend and Backend Codebases <https://github.com/gothinkster/realworld>
- Things you probably didn't know you could do with Chrome's Developer Console <https://medium.freecodecamp.com/10-tips-to-maximize-your-javascript-debugging-experience-b69a75859329#.8mba7zmqr>
- Node.js Playbook - A guide to getting started fast <https://github.com/HiFaraz/node-playbook>
- How to build a responsive parallax scrolling site using only CSS & HTML. <https://css-tricks.com/tour-performant-responsive-css-site/>
- Implementing Search Into Your React & Redux App w/ Algolia <http://blog.getstream.io/cabin-react-redux-example-app-algolia/>
- Funky CSS3 Toggle Buttons <http://codepen.io/ashleynolan/pen/wBppKz>
- Vanilla JS is a fast, lightweight, cross-platform framework for building incredible, powerful JavaScript applications. <http://vanilla-js.com/>
- I've written a 200 page e-book on how to build an Instagram like social network from scratch with Ruby on Rails. It's yours for free (no sign up required). <https://www.dropbox.com/s/9vq430e9s3q7pu8/Let%27s%20Build%20Instagram%20with%20Ruby%20on%20Rails%20-%20Free%20Edition.pdf?dl=0>
- How to Not Suck at JavaScript <http://www.slideshare.net/tmont/how-to-not-suck-at-javascript>
- Share your silly JavaScripts that you created for fun! <https://www.reddit.com/r/learnprogramming/comments/2sl4ce/share_your_silly_javascripts_that_you_created_for/>

Defensive Security && Sys Admin
- Securing Windows Workstations: Developing a Secure Baseline » Active Directory Security <https://adsecurity.org/?p=3299>
- Detecting Lateral Movements in Windows Infrastructure <http://cert.europa.eu/static/WhitePapers/CERT-EU_SWP_17-002_Lateral_Movements.pdf>
- IT and Information Security Cheat Sheets <https://zeltser.com/cheat-sheets/>
- Docker for Automating Honeypots or Malware Sandboxes <https://dadario.com.br/docker-for-automating-honeypots-or-malware-sandboxes/>
- A honeypot proxy for mongodb. When run, this will proxy and log all traffic to a dummy mongodb server. <https://github.com/Plazmaz/MongoDB-HoneyProxy>
- White Hats <http://blog.pentestnepal.tech/>
- Security Resources: Beginner to Advanced. <https://hrushikeshk.github.io/blog/2018/01/15/security-resources/>
- Leaked Slides Outline What Are Probably Some of the Most State-Of-The-Art Artifical-Intelligence Powered Social Engineering Methods of the Present Day (partial x-post /r/gaming) <https://imgur.com/a/l4yQ5>
- Windows Admins: Let's all take a second to thank or think about Nir Sofer for all the help over the years. What a great portfolio of simple, to the point tools. <http://www.nirsoft.net/about_nirsoft_freeware.html>
- GitHub - avatsaev/touchbar_nyancat: Stupid nyancat animation on your +$2k MacBook Pro's Touchbar <https://github.com/avatsaev/touchbar_nyancat>
- Your Social Media Fingerprint <https://robinlinus.github.io/socialmedia-leak/>
- Malware, malicious charging stations, and rogue cell towers - Oh My! NIST releases the Mobile Threat Catalogue for public comment on Github. <https://pages.nist.gov/mobile-threat-catalogue/>
- Website enumeration insanity: how our personal data is leaked (xpost r/sysadmin) <https://www.troyhunt.com/website-enumeration-insanity-how-our-personal-data-is-leaked/>
- PowerShell Security: PowerShell Attack Tools, Mitigation, and Detection <https://adsecurity.org/?p=2921>
- Awesome Infosec Resources <https://github.com/onlurking/awesome-infosec>
- I made a website that explains basic network theory <https://www.reddit.com/r/sysadmin/comments/46r5ws/i_made_a_website_that_explains_basic_network/>
- Excel tricks to impress your boss <http://i.imgur.com/s8neQNJ.jpg>
- Defending Against Mimikatz <https://jimshaver.net/2016/02/14/defending-against-mimikatz/>
- Wireshark Workflow - Analyzing Malicious Traffic (Sasser Worm) <http://hackmethod.com/malicious-network-traffic-wireshark/>
- CryptoWall 4.0 Released - We've already seen it with one of our clients <http://www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names/>
- Portrait of a Sysadmin <https://www.facebook.com/baattinofficial/videos/1190780811044387/>
- Tron v6.7.0 (2015-09-23) // Disable Windows 10 telemetry; Remove Lenovo spyware; large improvements to OEM de-bloat section <https://www.reddit.com/r/sysadmin/comments/3m71gt/tron_v670_20150923_disable_windows_10_telemetry/>
- Script that tracks the devices in your network and displays statistics/charts about what is running at which times. (I'm definitely the one spending the most time on my computer in my flat) <https://github.com/phiresky/nmap-log-parse>
- Great list of sysadmin resources/tools <https://github.com/kahun/awesome-sysadmin>
- I've been sent a clearly malicious bit.ly link by a hacked skype account. What's the best way to safely analyze where the malice is? <https://www.reddit.com/r/AskNetsec/comments/3fkmiz/ive_been_sent_a_clearly_malicious_bitly_link_by_a/>
- Awesome tip i learned form a graybeard, the .\ <https://www.reddit.com/r/sysadmin/comments/3dmmcl/awesome_tip_i_learned_form_a_graybeard_the/>
- Free certification practice test engine with thousands of questions for CCNA, CISSP, CEH, Net+, Sec+, PMP, etc. <https://www.skillset.com/certifications?a=m>
- PSA for people who often do troubleshooting. PSR is relatively unknown, and it's awesome. <http://windows.microsoft.com/en-us/windows7/how-do-i-use-problem-steps-recorder>
- HOW TO: Remove yourself from MOST background check sites and people search engines. Thanks to LawyerCT & Pibbman! <https://www.reddit.com/r/technology/comments/31u84n/how_to_remove_yourself_from_most_background_check/>
- Tron v6.1.0 (2015-03-29) // Add Kaspersky VRT, remove Vipre (speed increase), logging cleanup, preserve LogMeIn sessions <https://www.reddit.com/r/sysadmin/comments/30x1xu/tron_v610_20150329_add_kaspersky_vrt_remove_vipre/>
- Sad Server: All SysAdmin's will Love this Twitter Handle [Truly Hilarious] <https://twitter.com/sadserver>
- I made a free tool for rapidly scanning Cisco routers. [Download link in post] (xpost from /r/netsec) <https://www.reddit.com/r/sysadmin/comments/2suyid/i_made_a_free_tool_for_rapidly_scanning_cisco/>
- So apparently you need a CAL to obtain an IP address from a Windows DHCP Server.. <http://blogs.technet.com/b/volume-licensing/archive/2014/03/10/licensing-how-to-when-do-i-need-a-client-access-license-cal.aspx>
- I was unhappy with the other subnet calculators out there so I built one myself. I hope you agree it's better than the rest. <http://www.tunnelsup.com/subnet-calculator>
- The Best Hidden Features of VLC: downloads YouTube videos, records desktop, converts video files and more <http://lifehacker.com/the-best-hidden-features-of-vlc-1654434241>
- windows 10 to have a package manager <http://www.howtogeek.com/200334/windows-10-includes-a-linux-style-package-manager-named-oneget/>
- Found this brilliant guide on StackExchange - how to Hack into a computer through its MAC and IP address (x-post from /r/sysadmin) <http://security.stackexchange.com/questions/56181/hack-into-a-computer-through-mac-and-ip-address>
- Worked on a completely locked down machine. Time passed quick <https://www.reddit.com/r/excel/comments/2jtd2f/worked_on_a_completely_locked_down_machine_time/>
- How I made the office IT guy hate me <http://imgur.com/QCBtATV>
- Just Sysadmin Things… for which I've been reprimanded <https://www.reddit.com/r/sysadmin/comments/2gt7x5/just_sysadmin_things_for_which_ive_been/>
- In honor the 4th of July, I present Tron, who “fights for the User” (automated disinfect/cleanup package) <https://www.reddit.com/r/sysadmin/comments/29u4c3/in_honor_the_4th_of_july_i_present_tron_who/>
- Happy Hour Virus - How to leave work early (XPost from /r/ProgrammerHumor) <http://happyhourvirus.com/>
- How do you get new desktop machines ready as soon as possible? <https://www.reddit.com/r/sysadmin/comments/1tj5ob/how_do_you_get_new_desktop_machines_ready_as_soon/>
- Active Directory Administrators Toolkit <https://www.reddit.com/r/sysadmin/comments/1t3a2a/active_directory_administrators_toolkit/>
- Why PowerShell? <http://ramblingcookiemonster.wordpress.com/2013/12/07/why-powershell/>
- So my daughter's friends thought they would prank her… <https://www.reddit.com/r/sysadmin/comments/1ontpn/so_my_daughters_friends_thought_they_would_prank/>
- Best security practices for a VMware Workstation sandbox <https://www.reddit.com/r/AskNets ec/comments/17r95x/best_security_practices_for_a_vmware_workstation/>

Tech News
- Amazon claims another victim: Cisco kills its $1 billion cloud <http://www.businessinsider.in/amazon-claims-another-victim-cisco-kills-its-1-billion-cloud/articleshow/55989213.cms>
- This Pakistani student has developed a full-blown IDE for Assembly language <https://www.techjuice.pk/pakistani-student-ide-for-assembly-language/>
- Internet protocols are changing - Future of TCP, DNS, TLS and HTTP <https://blog.apnic.net/2017/12/12/internet-protocols-changing/>
- Inside the world of Silicon Valley's ‘coasters’ — the millionaire engineers who get paid gobs of money and barely work <http://www.businessinsider.com/rest-and-vest-millionaire-engineers-who-barely-work-silicon-valley-2017-7>
- U.S. Senators introduce IoT bill affecting gov. procurement; good-faith research liability protections. <https://www.warner.senate.gov/public/index.cfm/pressreleases?id=06A5E941-FBC3-4A63-B9B4-523E18DADB36>
- How is NSA breaking so much crypto? <https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/>
- Comcast's CEO Wants the End of Unlimited Data <http://www.fool.com/investing/general/2015/12/23/comcasts-ceo-wants-the-end-of-unlimited-data.aspx>

Saved Comments
TIL that Doom was so popular in 1995 that it was installed on more PCs than Windows 95. Bill Gates briefly considered buying ID software, but settled for getting a team at Microsoft to port the game to Win95. The team was led by Gabe Newell.
> inverse square root
There is no obvious reason why this should work, and how Carmack or any of the previous users of this stunningly elegant hack came across the magic value 0x5f3759df appears to have been lost to history. Beyond3D tried to trace it back through the ages, but after going through Carmack, an x86 assembly hacker called Terje Matheson, NVIDIA and eventually Gary Tarolli who used it in his days at 3dfx, the trail went cold.
It's a real pity, because finding that constant would have required someone to think in a completely different direction to everyone else, and be convinced enough that such a constant even existed to spend time narrowing it down.
Source: https://blog.dave.io/2011/10/0x5f3759df-true-magic-number/

From a web dev perspective, familiarize yourself with the OWASP rules to prevent it if you want to stay safe. XSS is one of the easiest things to find in the wild. Usually I can find it pretty quickly in a vulnerable site by just looking at the chrome network connections and seeing when requests are made with URL params, and see if changing those gets inserted into bad spots in the page - and that's just reflected XSS, low hanging fruit. Some people just put URL parameters right into javascript, and something like ', 'z':alert('xss'), 'y': ' can work. Also, it's not just quotes. alert(/XSS/) will execute too.
Just make sure you track the flow of user input, and never assume obfuscation or an extremely complex javascript file is enough to prevent people from realizing where input goes and how it might be processed. If you check for URL params that are prepended with debug_ and do something special with them, it's going to be possible for attackers to find that and send their own input. And never assume that it being processed server side is enough to prevent people from finding a vulnerability.
Also, make sure you test with firefox. I've found that firefox has a lot of potential XSS that chrome fixes on its own. Chrome might prevent HTML tag injections like when firefox doesn't. Lots of XSS on sites only work with firefox.

Oil is now so cheap even pirates aren't stealing it any more | So I can explain what this does if you want the run down. Linux actually isn't too scary once you learn the basics. There are just a lot of really simple things going on. First off you should know that this is the command line in linux and that linux also has GUIs (just like windows) where you can do a bunch of stuff.
So in linux shell you have a few basic commands that are standard to most linux variants. In here these are and do the following:
sudo : run the following command as an admin
mv : move the following file to the following destination
These are part of what is called "bash" (Bourne Again SHell) in linux, which is the most common command line interpreter in linux. There are only a few really basic commands you need to know. Other important ones would be:
cd : change directory to this location (can use .. to go up)
ls : list all files in current folder
The rest of what I used are called "packages", these are mini-programs that you can download as an add-on to your operating system. In a way you can kind of think of them as a browser extension. They add some bit of functionality and take inputs and outputs. You call them by typing their name. All packages can be downloaded via your package manager, depending on which variant of linux you have this will probably be either apt-get or yum (yellowdog updater modified).
To keep linux small they don't put tons of packages in by default, only the ones you actually need. So first you'd need to download all the additional packages we used. These are as follows:
openssl : cryptography library that powers much of the internet, it allows you to take stuff, jumble it in a way that it can only be unjumbled with a password
wget : it downloads stuff from the internet, and has a bunch of really awesome options
steghide : a more obscure package, it allows you to hide data inside of other data. Like hiding a hidden message inside of an image.
shred : This overwrites data to make sure that it can't easily be recovered with automated digital forensics programs
Each of these packages has options, called flags. A flag starts with a hyphen.
So for the first command we call openssl, tell it we want to use the most secure encryption algorithm that it has, and tell it two parameters: to read in supertanker.iso and create a new file called notATanker.
We use wget to download a video file. This is the file that we will hide the new encrypted file we just created in. The idea behind choosing cspan is if someone opens the video they will think that it's just a random congressional hearing, which is usually very boring and they won't go looking much further.
The next command is steghide, which stands for Steganography Hide. Steganography is a fancy word for hiding data inside of other data. This could be as simple as putting a text file at the bottom of a picture, or as complex as hiding a picture of a cat inside a picture of a tree. The idea is that this program will embed the encrypted file we created inside here. Steganography alone isn't secure since you are merely hiding the data, but with encryption even if you were to find the data you would be unable to recover it in any reasonable amount of time without the password.
Steghide takes a few parameters (aka flags), -ef is the file that you want to embed inside another file. -cf is the cover file that is the media you are hiding in. -sf is the output file that we will create after the command is done running. -z tells the program to compress the file using the maximum compression level 1-9.
After we run steghide we now have a new file perlModules.conf. In linux .conf is usually used to denote configuration files (I know what a shock). So we need to stick this somewhere. /etc/ contains all kinds of configuration files, but it's a protected directory so we need admin via the sudo command. /apache/ is the name of a web server which is the most popular web server package on the internet. So someone might look in there but it won't be super obvious.
The last command is shred. We tell it that we want the verbose output so we can see what's going on and to fill the files with zeros so it doesn't look like it was overwritten and instead just looks like empty space. I did have to google a lot of these flags since I didn't remember them off the top of my head. That's okay, it's what the documentation is there for. For most linux commands you can type either the commands and |help (e.g. openssl |help) or use man (manual) to look up flags and stuff if you forget. You can also use google. Keep in mind that this is the power user way of doing it, many of these tools also have either a GUI version or a GUI wrapper which does the commands for you.

Thanks for the Feedback is one of the best I have read that incorporates info I have heard from other books all in one place with practical examples. If I could give a copy of this book to every person on earth I would. (The same people wrote a book called Difficult Conversations, but I have yet to read that.)
Edit to add Conscious Business. This is the one I meant to add as the second recommendation; it is mostly about working with others in business but really applies to working with anyone in all relationships.
Emotional Intelligence is another I recommend, giving guidance on how to understand emotions. (Read this, then go re-watch Inside Out.)
10% Happier is an exploration into meditation as a non-spiritual thing. See Dan's video.
59 Seconds is about little things we can do to make our lives better (all science study based).
And Stumbling on Happiness is about understanding our own motivations better (also research study based).
Some of these books are clearly about "self help" but understanding ourselves is a key to understanding our interactions with others. And I try to only recommend books that are based in science and research.
I also like Lean In by Sheryl Sandberg, Incognito by David Eagleman, The Power of Habit by Charles Duhigg, How Children Succeed by Paul Tough, The Hidden Brain by Shankar Vedantam, Nudge by Richard Thaler, and Thinking Fast and Slow by Daniel Kahneman. Oh, and anything by Malcolm Gladwell; I may not always agree with him, but he is thought provoking and well researched. (I have an Audible account and have found that a good way to get through books while doing other things like exercise, long car trips, or cleaning the house.)
More Adds; Predictably Irrational by Dan Ariely, The Paradox of Choice by Barry Schwartz, Nurture Shock by Po Bronson, My Age of Anxiety by Scott Stossel, Far From The Tree by Andrew Solomon, The Charisma Myth by Olivia Cabane, How We Learn by Benedict Carey, and I generally like anything by the Freakonomics guys.
If anyone would like to make recommendations to me based on the above list, please do so! I always have a growing reading queue :-) ","description":"..and a wordcloud!","id":21,"section":"posts","tags":["programming","python","hacking","security"],"title":"Six years of saved links","uri":"https://anthonylaiuppa.com/posts/six-years-of-links/"},{"content":"2020 Retrospective
I'm migrating my site to a new SSG and wanted to share a thought here. I wrote this two years ago and still use Ansible daily. 
That said, a good Dockerfile or Packer template is my go-to now.
Intro
Writing code is fun, but what do you do when you get it working? Cron it on your computer and leave it on? You probably want to deploy it, traditionally to a server, or maybe even a Raspberry Pi.
A month ago I wrote a program to automate some buying and trading so I didn't have to spend time on reddit. When I finished it, I saw it as a great opportunity to learn about containers. So here is a brief overview of how I used Ansible to deploy my code to Docker containers in an automated manner.
This makes a great entrance into container orchestration for the future, when we want to deploy more complex applications with many pieces.
We'll get started by going briefly over the Python code we want to deploy, and then the steps we take to deploy it using Ansible Container.
The code
Let's take a look at our code. The repo has three main parts, all of which can be found on my GitHub: https://github.com/AnthonyLaiuppa/r_scrape
- r_scrape.py - the class doing all the heavy lifting for us
- config.json - the configuration file with all the creds/variables we need to pass to r_scrape to make it work
- run.py - the file that we actually execute to make the code go do the thing

    from __future__ import absolute_import, unicode_literals
    from slackclient import SlackClient
    import praw
    import json
    import io


    class rScrapeLogic(object):
        def __init__(self, mode=None):
            self.mode = mode

        def load_config(self, data):
            # config.json holds the reddit and slack credentials plus the watch list;
            # keywords are stored as one comma separated string and split here
            with io.open(data, mode='r', encoding='utf8') as config:
                self.config = json.loads(config.read())
            self.config['details']['keywords'] = [x.strip() for x in self.config['details']['keywords'].split(',')]
            print('Loaded Config successfully')
            return self.config

        def auth_reddit(self):
            try:
                self.reddit = praw.Reddit(
                    client_id=self.config['reddit']['id'],
                    client_secret=self.config['reddit']['secret'],
                    user_agent=self.config['reddit']['user_agent'],
                    username=self.config['reddit']['username']
                )
                print('Successfully authenticated to reddit api')
                return self.reddit
            except Exception as exc:
                print('{0} - Unable to auth to reddit, check your creds'.format(exc))
                # non-zero so the container runtime sees the failure instead of a clean exit
                exit(1)

        def slack_it(self, message):
            slack_client = SlackClient(self.config['slack']['token'])
            try:
                slack_client.rtm_connect()
                slack_client.api_call(
                    'chat.postMessage',
                    channel=self.config['slack']['channel'],
                    text=message,
                    as_user=True)
            except Exception as exc:
                print('{0} - Unable to use slack, please check configs'.format(exc))

        def mon_subReddit(self):
            # stream.submissions() blocks and yields new posts as they appear
            for submission in self.reddit.subreddit(self.config['details']['subreddit']).stream.submissions():
                try:
                    print('going to check a submission {0}'.format(submission.url))
                    self.check_submission(submission)
                except Exception as exc:
                    print('{0} - We are out of submissions waiting on more'.format(exc))

        def check_submission(self, submittal):
            for word in self.config['details']['keywords']:
                if word in submittal.selftext:
                    message = '@channel We have a match - {0} - {1}'.format(word, submittal.url)
                    self.slack_it(message)

Pretty succinct and clean, minus all the print statements I left in from debugging.
It's a simple workflow to achieve what we want:
Load config with credentials -> Authenticate to reddit -> Get posts -> Check for keywords -> 
Slack it if it's got a keyword
Normally this is where I would put a picture of the results of the code running, but we want the container to run our code, so let's let the container give us the results.
Container Orchestration using Ansible
You can find all relevant code on my GitHub if you'd like to see it.
https://github.com/AnthonyLaiuppa/harbormaster
https://github.com/AnthonyLaiuppa/r_scrape
A container is a process tree isolated from the rest of the host by kernel namespaces and cgroups; it shares the host kernel rather than booting its own, but it still needs its own filesystem prepared with our code and its dependencies.
Pull the harbormaster repo, and then pull the r_scrape repo (reddit_scrape, could've named it better).
Let's break down what we need to get this container ready to run the code.
1) Define the variables for config.json by putting them in a vars file.
2) Define the template for config.json so it receives the variables it needs to run the code. This is really just following the Jinja2 documentation on templating JSON, nothing unusual. One caveat: a bare {{ var }} is pasted in as text, so a value containing a quote or backslash produces a config.json that won't parse; Ansible's to_json filter does the quoting for you.
3) Fill out our tasks/main.yml so Ansible can do everything we need to prepare the container. The two main pieces that ansible-container needs to run are our tasks/main.yml and our container.yml.
The tasks dictate what goes in the container and how, and container.yml lays down the base rules and what should be done with it.
Let's take a look at our folder structure and then we'll look at the tasks we want to run.
We can see where all the relevant files sit after ansible-container init, as well as what we've added in the way of group_vars/, our template/ and our cloned source code of the app we want to deploy.
To begin with, we create a user on the system to run the code under; in production that user should have the least privilege the code needs.
Copy our source over, install dependencies, remove the blank config from the repo clone, and then drop in our templated one. Note that this bakes the credentials into the image layer, so anyone who can pull the image can read them; for anything beyond a lab, inject them at run time instead.
From there our container.yml file tells Docker that when it runs, it will execute our run.py, which in turn runs the flow described earlier.
4) Build and run our container.
Pieces are in place, let's build it:
ansible-container --vars-file group_vars/harbormaster.yml build --no-cache
As we can see our tasks executed cleanly, and our image is ready for use. Let's run it:
ansible-container run
Summary
So what we achieved here was an incredibly quick flow of how we got our code running in a Docker container, in an automated and manageable way.
If we were deploying to a production environment, we would tighten up some settings for security and use Kubernetes.
The ansible-container documentation goes over deploying to Kubernetes, but since this is a pretty simple program I didn't feel the need to go that far.
Hopefully soon I'll be back with a more interesting application to distribute and manage with Kubernetes for you to read about.
To summarize, here's what we did:
- Develop a simple class with all of the methods we need to achieve our end goal
- Use Ansible Container to build our Docker container
- Use Ansible Container to run our container
Really not all too complex, similar to using Vagrant/Ansible to provision VMs.
Keycaps are run in limited, time-restricted group buys, so if you miss the window of opportunity you can miss out on an awesome cap. 
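The templating step above is where the reddit and Slack credentials land on disk, so here is an added example of that step in plain Python. It is my own illustration, not code from the harbormaster or r_scrape repos: it shows why a bare {{ var }} substitution into a JSON template breaks on a value containing a quote, builds config.json with json.dumps instead (the same idea as Ansible's to_json filter), creates the file mode 0600 from the first instant so only the service user can read it, and reads the keywords back the way r_scrape.load_config() does. The variable names (reddit_id, slack_token and so on) and every value are made-up placeholders; the config.json layout is the one the class above reads.

```python
import json
import os
import stat
import tempfile

# Constructed stand-in for the Ansible vars file (group_vars/harbormaster.yml in the
# post). Variable names and values are placeholders, not real credentials; the keyword
# with an embedded double quote is there on purpose.
SAMPLE_VARS = {
    'reddit_id': 'client-id-placeholder',
    'reddit_secret': 'client-secret-placeholder',
    'reddit_user_agent': 'r_scrape/0.1 by example_user',
    'reddit_username': 'example_user',
    'slack_token': 'xoxb-placeholder',
    'slack_channel': 'keycaps',
    'subreddit': 'mechmarket',
    'keywords': 'GMK Laser, SA "Carbon", DSA Granite',
}

# A config.json template with {var} holes filled by plain text substitution
# (str.format stands in for an unfiltered Jinja2 {{ var }} here).
NAIVE_TEMPLATE = (
    '{{"reddit": {{"id": "{reddit_id}", "secret": "{reddit_secret}", '
    '"user_agent": "{reddit_user_agent}", "username": "{reddit_username}"}}, '
    '"slack": {{"token": "{slack_token}", "channel": "{slack_channel}"}}, '
    '"details": {{"subreddit": "{subreddit}", "keywords": "{keywords}"}}}}'
)


def render_naive(variables):
    """Paste the values into the template as raw text. A value holding a quote or
    backslash corrupts the JSON, or lets it close its string and add keys of its own."""
    return NAIVE_TEMPLATE.format(**variables)


def render_safe(variables):
    """Build the structure r_scrape.load_config() expects and let json.dumps quote it,
    so every value is a JSON string whatever characters it contains."""
    config = {
        'reddit': {
            'id': variables['reddit_id'],
            'secret': variables['reddit_secret'],
            'user_agent': variables['reddit_user_agent'],
            'username': variables['reddit_username'],
        },
        'slack': {
            'token': variables['slack_token'],
            'channel': variables['slack_channel'],
        },
        'details': {
            'subreddit': variables['subreddit'],
            'keywords': variables['keywords'],
        },
    }
    return json.dumps(config, indent=2)


def write_config(path, text):
    """Create the file with mode 0600 at creation time (no window in which it is
    world-readable) and refuse to clobber or follow anything already at that path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, 'w') as handle:
        handle.write(text)
    return stat.S_IMODE(os.stat(path).st_mode)


def load_keywords(path):
    """Mirror r_scrape.load_config(): parse the file and split the keyword list."""
    with open(path, encoding='utf8') as handle:
        config = json.load(handle)
    return [word.strip() for word in config['details']['keywords'].split(',')]


def check_render(variables):
    """Report whether the naive render parses, the mode the safe render got on disk,
    and the keyword list r_scrape would read back from it."""
    try:
        json.loads(render_naive(variables))
        naive_parses = True
    except json.JSONDecodeError:
        naive_parses = False
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, 'config.json')
        mode = write_config(path, render_safe(variables))
        keywords = load_keywords(path)
    return {'naive_parses': naive_parses, 'mode': mode, 'keywords': keywords}


if __name__ == '__main__':
    print(check_render(SAMPLE_VARS))
```

With the sample above the naive render fails to parse while the safe one round-trips the quoted keyword intact; in the Ansible task the equivalent is `{{ keywords | to_json }}` in the template plus `mode: '0600'` and `owner` set to the service user on the template module.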
Fortunately we've got some code keeping an eye out now.
In case you were wondering what I was trying to obtain
I hope you enjoyed reading this, thanks for taking the time!
","description":"Containers, so hot right now","id":22,"section":"posts","tags":["ansible","docker","containers","python"],"title":"Harbormaster","uri":"https://anthonylaiuppa.com/posts/harbormaster/"},{"content":"Intro
Recently I decided I wanted to begin preparing for the OSCP, which for those who aren't familiar stands for Offensive Security Certified Professional. It's a fairly difficult exam with a large scope of material to cover. I decided to start by focusing on the process of penetration testing. Penetration testing is an important part of the exam, and something I still haven't done an immense amount of. So I decided it was time to spin up a virtual testing range and go at it. I'm a firm believer that the best way to learn is by doing, so hopefully this article inspires you to spin up a lab of your own too.
Building our Virtual Lab
Before we can begin penetration testing we need to have some targets.
I wanted to deviate away from DVWA and Metasploitable since they have plenty of writeups and I want to challenge myself. SecGen generates random vulnerable virtual hosts for us to practice on safely.
You can find SecGen on GitHub at https://github.com/cliffe/SecGen
If we spin up an Ubuntu VM and run it, here's what we are greeted with.
It takes a good little while to build the VM, but when it's done you should be able to see it in VirtualBox.
For ease I shut the VM off and changed the network adapter to bridged so it appears directly on my network. Bear in mind that a bridged, deliberately vulnerable VM is reachable by everything else on that network; a host-only network keeps it between the attacker VM and the target.
We could make more VMs with more advanced network topologies, but for getting started quickly we need as little as this one box.
Penetration Testing
Just opening up Kali Linux and looking at the tools can be daunting at first. Reading is always recommended to help bridge this knowledge gap and give you somewhere to start.
Thanks to Packt and Humble Bundle I've got plenty of books covering the topic of penetration testing to help aid me in this endeavor.
Most of them have their own breakdown of the phases of penetration testing, but we'll use a simple version.
For the purpose of this article we'll boil our process down to these steps:
- Reconnaissance - Use information gathering techniques to identify and enumerate targets
- Exploitation - Conduct remote attacks in hopes of obtaining a shell
- Post - Privilege escalation to root, and if we wanted to be thorough, persistence
Reconnaissance
Now that I've got my vulnerable VM on the network, I'll need its IP address in order to be able to attack it. Putting nmap to work we can quickly scan the network and identify which host is our VM.
“Doesn't Oracle make VirtualBox?”
It's pretty apparent which one our VM is, since we know Oracle makes VirtualBox and that's what is hosting our target. The other virtual host we see in the scan is in fact our attacker.
So we know where our target is; now we'll want to run a port scan and see if there are any vulnerable services we can attack.
“It takes a good while to scan 65535 ports stealthily.”
Our scan comes back with some promising results. We can see three services, on ports 22, 80 and 6667: SSH, HTTP and IRC.
Exploitation
Now that we have some services identified on our target, we'll want to leverage further tools at our disposal. Kali comes with Metasploit, which is a great tool for this sort of thing. 
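Picking the target out of the sweep by eye works for one VM, but the heuristic used above (the Oracle VirtualBox vendor string, which nmap derives from the 08:00:27 OUI) is easy to script. What follows is an added example, not part of the original post or of SecGen: it parses nmap's normal (-oN) output, drops our own attack VM by IP, and lists the open services on whatever is left, which are the terms to search for in Metasploit. The scan text is constructed for the example rather than captured from the lab; the router's MAC and vendor string are placeholders, and the two VirtualBox addresses are invented beyond their OUI.

```python
import re

# Constructed sample of `nmap -sS -p- 192.168.1.0/24` normal output, not a capture of
# the lab: a router, the SecGen target, and the Kali attacker. Nmap maps the 08:00:27
# OUI to "Oracle VirtualBox virtual NIC"; the router's MAC and vendor are placeholders.
SAMPLE_NMAP_OUTPUT = '''
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
53/tcp open  domain
80/tcp open  http
MAC Address: 00:11:22:33:44:55 (Example Router Vendor)

Nmap scan report for 192.168.1.20
Host is up (0.00021s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
6667/tcp open  irc
MAC Address: 08:00:27:4B:2C:9A (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.1.21
Host is up (0.00018s latency).
All 65535 scanned ports on 192.168.1.21 are closed
MAC Address: 08:00:27:D1:E2:F3 (Oracle VirtualBox virtual NIC)
'''

HOST_RE = re.compile(r'^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$')
PORT_RE = re.compile(r'^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)')
MAC_RE = re.compile(r'^MAC Address: (?P<mac>[0-9A-F:]{17}) \((?P<vendor>[^)]*)\)$')

# First three octets VirtualBox assigns to its virtual NICs.
VIRTUALBOX_OUI = '08:00:27'


def parse_nmap(text):
    """Turn -oN output into a list of hosts: ip, mac, vendor and open ports."""
    hosts = []
    current = None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            # nmap prints "name (ip)" when it could resolve a name, otherwise just the ip
            current = {'ip': host.group('ip') or host.group('name'),
                       'mac': None, 'vendor': None, 'ports': []}
            hosts.append(current)
            continue
        if current is None:
            continue
        port = PORT_RE.match(line)
        if port and port.group('state') == 'open':
            current['ports'].append((int(port.group('port')), port.group('proto'), port.group('service')))
            continue
        mac = MAC_RE.match(line)
        if mac:
            current['mac'] = mac.group('mac')
            current['vendor'] = mac.group('vendor')
    return hosts


def find_lab_targets(text, attacker_ip):
    """Hosts with a VirtualBox OUI, minus the attack VM we are scanning from."""
    return [h for h in parse_nmap(text)
            if h['mac'] and h['mac'].startswith(VIRTUALBOX_OUI) and h['ip'] != attacker_ip]


def services_to_search(host):
    """Distinct service names on the target: the terms to feed msfconsole's search."""
    return sorted({service for _, _, service in host['ports']})


if __name__ == '__main__':
    for target in find_lab_targets(SAMPLE_NMAP_OUTPUT, attacker_ip='192.168.1.21'):
        print(target['ip'], target['vendor'], services_to_search(target))
```

Run against a real scan, feed it the file from `nmap -sS -p- -oN sweep.txt <subnet>` and your own address; the host with 22, 80 and 6667 open is the one to carry into the next phase.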
By firing up Metasploit we can search for IRC vulnerabilities, select one for use, and launch the attack against the target.
In our earlier scan the IRC service came back as ircd, so I selected the ircd_backdoor exploit module from among all the search results.
We set RHOST to our victim's IP address and type exploit.
“We got a shell!”
What we can see is that we have a shell session open between our attacker and victim.
It really was that simple. At least in this instance; other vulnerabilities may require more finesse.
Post
Once we have shell access, we will want to move into the post-exploitation phase.
Attackers use this phase for privilege escalation and persisting their access to the system. They may go further and install software, or pivot and attack other targets on the network.
For our purposes we will just try to get root and cat /etc/passwd.
So if you look at the following picture, my first thought was to run uname -a and grab the kernel version. Based on the kernel version we can fire up searchsploit and find something we can potentially use.
The version of the Linux kernel on that particular system came back as 3.2.0, which is vulnerable to Dirty COW, so I went with that.
We can use a quick wget to download the code, and cat it to be sure we actually pulled the code. An added plus is we can see if there are any special compilation instructions, which there are in this case.
“Post exploitation information gathering”
Compiling the code yielded no errors and we are able to run it without issue.
Reading the particular exploit we leveraged, it is revealed that it creates a user with root permissions on the system with a default name of 'firefart', so now we should be able to simply SSH into the box with our new account!
“Great Success!”
Conclusion
We were able to hit all our marks!
We scanned the network, identified our target, exploited it, and were able to get root.
Going through this exercise has been a great learning experience. I gained some good insight into what penetration testing is like at a base level. I know in the future things will be more complicated, and I look forward to tackling that challenge. In the meantime I'm just happy to have gotten root!
","description":"...how do you pronounce Kali?","id":23,"section":"posts","tags":["hacking","kali","virtualization","nmap","metasploit","exploitation","reconnaissance"],"title":"Breaking into penetration testing","uri":"https://anthonylaiuppa.com/posts/breaking-into-penetration-testing/"},{"content":"Intro
Slack is an effective group communication tool that I've found myself using quite a bit recently. It simplifies communication greatly, eliminating the need for multiple apps.
With Slack I'm able to interact with work, side projects, and the programming community with one application.
Where Packt comes into play is that for the last couple of weeks I've had a colleague posting Packt's deal of the day in one of our Slack channels daily.
So when I found a small block of free time, I decided to apply some simple automation.
Where we start
Writing a Slack bot using their API and Python is well documented, with many examples available. 
In fact I was surprised because it was probably the easiest API I've worked with so far.\nI've also dabbled with web scraping in the past, so I figured this would be incredibly quick to throw together something basic. Of course it wouldn't be any fun if I didn't hit a snag or two.\nThis is a recipe that has been done over plenty of times: requests to grab the page, and then BeautifulSoup to parse out what information we want.\nSo I threw open a Python shell and just pulled the page's HTML and used BeautifulSoup to prettyprint (prettify) it, that way I could form an idea of where to go with this.\n403 - Forbidden It's common for sites to deploy some mechanisms to deter people from scraping their pages. Which is entirely fair, since making a lot of requests programmatically could potentially bog a site down. But in our case we only want 1 request every 24 hours. Selenium has always been my go-to when scraping or testing websites, especially if I'm doing a more complicated process and want to see visually what is happening. In this case though, since we are pulling just one page, going headless is much preferred. With the magic of PhantomJS and Selenium we can emulate a browser, so on the site side they see the request as coming from a 'browser' and don't give us the 403.\nNow I simply swapped out the Requests library for BS4 and reran the script. This time around it worked great! So now that we're pulling clean HTML, it's time to get to parsing.\nA little right click and inspect on the Packt deal of the day page revealed the title to be right here\n<div class=\"dotd-title\"><h2>Our Title\nBS4 made quick work of this parsing and soon we get the result.\n['\\n\\t\\t\\t\\t\\t\\t\\t\\t\\t\\t\\t\\t\\t\\t\\tMongoDB Cookbook\\t\\t\\t\\t\\t\\t\\t\\t\\t\\t\\t\\t\\t\\t']\nWoo! A newline and a bunch of tabs. 
Weirdly enough, while I had some trouble with this earlier, I dropped string.strip('\\n').strip('\\t') in the code after work and it stripped away all of those tabs.\nAlright so now that we've got the scraping and parsing figured out, let's add our Slack code in.\nfrom selenium import webdriver\nfrom bs4 import BeautifulSoup\nfrom slackclient import SlackClient\n\n\ndef get_book_title(url):\n    # Headless PhantomJS looks like a regular browser to the site, so we get\n    # the page back instead of the 403 a plain requests call received\n    driver = webdriver.PhantomJS()\n    driver.set_window_size(1120, 550)\n    driver.get(url)\n    html = driver.page_source\n    driver.quit()\n    soup = BeautifulSoup(html, \"html.parser\")\n    # The title lives in <div class=\"dotd-title\"><h2>...</h2></div>\n    title = soup.find('div', 'dotd-title')\n    children = title.findChildren()\n    for child in children:\n        print(child.contents)\n        return child.contents  # the first child is the <h2> holding the title\n\n\ndef clean_string(title):\n    # Strip the newline and the run of tabs that surround the title text\n    clean = str(title[0])\n    clean = clean.strip('\\n').strip('\\t')\n    return clean\n\n\ndef deploy_bot(url, title):\n    SLACK_BOT_TOKEN = ''  # bot token goes here; keep it out of version control\n    BOT_NAME = 'packtbot'\n    slack_client = SlackClient(SLACK_BOT_TOKEN)\n    message = get_message(url, title)\n    if slack_client.rtm_connect():\n        slack_client.api_call(\"chat.postMessage\", channel='random', text=message, as_user=True)\n    else:\n        print('Connection failed\\n')\n\n\ndef get_message(url, title):\n    message = 'Todays free book is {0} \\n'.format(title)\n    message += 'Browse over to {0} to claim it!\\n'.format(url)\n    return message\n\n\ndef main():\n    url = 'https://www.packtpub.com/packt/offers/free-learning'\n    title = get_book_title(url)\n    title = clean_string(title)\n    deploy_bot(url, title)\n\n\nif __name__ == \"__main__\":\n    main()\nResults We have achieved automation!\nConclusion Making a Slack bot to let me and my 
coworkers know what the deal of the day is was easy thanks to Python and Slack's API!\nAs well as the litany of other tools we put to use.\nThere's just one thing though, do I really care about every free book Packt has?\nI barely have time to read things that interest me.\nFortunately my colleague was sharing with us things he found interesting and relevant.\nSadly my bot can't quite do that, but with the addition of a wordlist I think we can get pretty close. We can tackle that later.\n","description":"Never miss the deal of the day!","id":24,"section":"posts","tags":["python","web","scraping"],"title":"Making the packtbot","uri":"https://anthonylaiuppa.com/posts/packt-bot/"},{"content":"Intro I was at work when I almost dropped a URL into goo.gl, you know, because short URLs are awesome. However I stopped right before I dropped it in because Google was kind enough to tell me that all shortened URLs are public. Then it occurred to me that just haphazardly dropping links in is of course an OPSEC issue. With billions of shortened URLs in existence, is it really though?\nWhere we start We need to start with our plan of attack. Most goo.gl URLs look like this: https://goo.gl/QE6V6o. Alright, so six characters. We need to calculate all possible combinations with a length of six characters, encompassing all uppercase and lowercase characters, as well as 0-9. It comes out to 10 numbers + 52 letters (upper & lower) = 62. 62 ^ 6 (length of our string) = about 57 billion unique values. This could take a while to enumerate through, and also presents a challenge.\nBeing the person I am, I opted to go the path of least resistance. 
While I could spend forever writing a program to perfectly generate all 57 billion strings, I could also throw together a random generator way faster.\n#!/bin/python\nimport string\nimport random\nimport requests\nimport signal\nimport sys\n\nop = open(\"output.txt\", \"a\")\n\n\n# Thank you string library for helping make this simple\ndef generator(size=6, chars=string.ascii_uppercase + string.digits + string.ascii_lowercase):\n    rndStr = ''.join(random.choice(chars) for _ in range(size))\n    return 'https://goo.gl/' + rndStr\n\n\n# Thank you stack overflow for helping me make sense of requests. (We are checking the Location header here)\ndef testURL(url):\n    return requests.head(url, timeout=100.0, headers={'Accept-Encoding': 'identity'}).headers.get('location', url)\n\n\n# A clean break when Ctrl+C is hit\ndef signalHandler(signal, frame):\n    print 'Stopping logging \\n'\n    op.close()\n    exit(0)\n\n\nsignal.signal(signal.SIGINT, signalHandler)\n\n\n# Generate URL -> Request URL -> Check for redirect -> Log redirect\ndef main(*args):\n    for i in range(0, int(sys.argv[1])):\n        url = generator()\n        test = testURL(url)\n        print 'Original url: ' + url + ' Resultant url ' + test\n        if url != test:\n            stuff = url + ' Redirects to ' + test + '\\n' + '\\n'\n            print 'Logging redirect: ' + stuff\n            op.write(stuff)\n    op.close()\n\n\nif __name__ == '__main__':\n    main()\nAlright so we have our script, but what about the results?\nI didn't want to blow Google out of the water with requests, not that I could, but courtesy you know, so I made sure I could pass an arg setting my loop to run a finite number of times.\nSometimes we got long stretches of nothing, other times we hit the 
jackpot.\nOverall I probably ran about 7,000 requests and received about 300 results.\nConsidering my effort was minimal, I'd say it's a neat return for the work.\nI'm going to just drop all of the results pictures beneath this with captions pointing out potentially interesting finds.\nOverall I think the pictures will sort of make the case that one shouldn't just drop anything into a URL shortener.\nNothing so far.....\nAround here is where we start seeing some odd stuff.\nHere's a screen cap of us finding some potentially juicy things. We can see a Facebook link, a JetBlue boarding pass, what looks like an online order confirmation, and someone's Dropbox user content. Not sure I'd want to share those URLs with just anyone.\nI'm sure you're tired of all of that green font, so let's just look at the output file.\nAlright, let's just pick out things that catch our eye. A request looking like it belongs to some dev environment, a Google Drive, a secure checkout from a shopping basket URL, a Facebook share, and a healthcare site with a lovely encoded URL.\nThere's plenty more in the file; I didn't think it would be necessary to post the whole thing to hammer the point home.\nConclusion As a final conclusion, it's obvious that you shouldn't put anything potentially sensitive into a URL shortener. 
Which they tell you not to do on the page, but sometimes people gloss over these sorts of things.\n","description":"Thats a nice looking pattern youve got there..","id":26,"section":"posts","tags":["enumeration","python","hacking","reconnaissance","osint"],"title":"Enumerating URL shorteners","uri":"https://anthonylaiuppa.com/posts/enumerating-url-shorteners/"},{"content":"Intro Recently I was having a little trouble implementing encryption due to chunk size, and then getting proper padding, so I figured I would share a simplified example using Python. Bonus steganography included because why not?\nExplanation and Definitions Encryption: The process of encoding a message so that it can be read only by the sender and the intended recipient. Encryption systems often use two keys, a public key, available to anyone, and a private key that allows only the recipient to decode the message.\n In this example we will be using public key cryptography based on a generated 2048-bit RSA key, which is then wrapped in a PKCS1_OAEP cipher using SHA-2, specifically SHA-256, as its hash. Simply put, raw RSA without padding isn't considered secure and neither is SHA-1, so we are wrapping our RSA in PKCS1_OAEP and changing the hash that PKCS1_OAEP will be using from SHA-1 to SHA-2 standards. Additionally I could've taken things a step further and encrypted our key with DES using a passphrase, however for demonstrative purposes the way we have things now shall suffice.\nSince I only have a limited understanding of cryptography I'll be the first to say my implementation may not be perfect or the strongest out there, but for basic purposes it should get the job done. I had immense difficulty finding resources or sample code on encrypting large strings using RSA + PKCS1_OAEP + SHA256 from PyCrypto, so it felt good to finally get something working.\n Steganography - the practice of concealing messages or information within other nonsecret text or data. 
RSA - \"is the most widespread and used public key algorithm. Its security is based on the difficulty of factoring large integers. The algorithm has withstood attacks for 30 years, and it is therefore considered reasonably secure for new designs.\" Source: dlitz.net, PyCrypto documentation. PKCS1_OAEP - Public Key Cryptography Standard 1 - Optimal Asymmetric Encryption Padding. SHA - Secure Hash Algorithm. A cryptographic hash function that is a mathematical operation run on digital data. Requirements In order to get our program running we will first need the help of two libraries. The two libraries that I had to install using pip were Stepic and PyCrypto. Stepic is what we will use for our steganography, and PyCrypto will handle our encryption implementation.\nGenerating our Keys We are going to go ahead and generate our public and private RSA keys to be used for this project. Note it's probably not best practice to dump them into a txt file lest someone happen upon them, but for learning purposes it should be fine.\n2048 is considered secure by the documentation, and PEM will be our output format for readability purposes. This simple script dumps the keys into separate text files so we can call them later on. Really it should be fairly self explanatory.\n#!/usr/bin/env python\nfrom Crypto.PublicKey import RSA\n\n# Generate a 2048-bit key with the standard public exponent 65537\nkey = RSA.generate(2048, e=65537)\npub = key.publickey().exportKey(\"PEM\")\npriv = key.exportKey(\"PEM\")\n\n# Write each key out in PEM format so the other scripts can read them back\ntarget = open(\"pubkey.txt\", \"w\")\ntarget.write(pub)\ntarget.close()\n\ntarget = open(\"privkey.txt\", \"w\")\ntarget.write(priv)\ntarget.close()\nEncrypting our data Here's where we really get to the important part, trying to implement some encryption. Now let's explain how we are going to do this. 
First we create a new SHA256 hash; then we read in our pubkey.txt as key; next we import the public key using the RSA library; finally we wrap the RSA key with the PKCS1_OAEP cipher and the SHA256 hash. The reason we do all this is because raw RSA by itself is not considered secure, so we want to use PKCS1_OAEP to pad each chunk before it is encrypted. The purpose of the SHA256 hash is that by default the PyCrypto implementation of PKCS1_OAEP uses SHA1 as its hash, which is also considered insecure. Also note we could use our private key, but let's not since we won't be sharing that one. Simply put, not only do we want encryption but we also want padding and a strong hash. Keep in mind, we can of course always implement stronger encryption using bigger keys or a salted hash.\nThen to create a dummy string I have declared a large block of As, Bs, Cs, and Ds and concatenated them together for a total length of 3000. Now if we were using just RSA we would be encrypting at a chunk size of 256 bytes, as that's our RSA modulus of 2048 bits, however since we are using PKCS1_OAEP as our wrapper our chunk size is different. The documentation lays it out pretty simply: Chunk Size = (RSA modulus in bytes - 2) - (2 * (hash digest size)). A quick check for the hash digest size of SHA256 in the documentation yields 32, and in the end our chunk size will be (256 - 2) - (2 * 32) = 190. So we use our splitter function to break the string into chunks of size 190, then we encrypt those chunks.\nFollowing this, to reduce length and also obscure the underlying encryption, we use the zlib and base64 libraries to apply compression and encoding. So zlib.compress to compress our string and base64.b64encode to encode it. We don't need to do this, but if you're going about this for your own use you may find it useful in making it a bit harder to discern how you went about implementing your encryption. 
Fantastic, so at this point we're ready to take our string and send it to whomever has the private key, but why stop there?\nDuring all my research I saw a multitude of articles also discussing steganography, the act of hiding information in plain sight. So as an added bonus let's take our encryption a step further and throw it into a cat picture. Specifically this cat picture; I used a PNG as it is a lossless format and will retain our information. Stepic makes shoving our information in trivial, and you can find the annotated lines towards the end of the code.\nNow that we have got a basic understanding of what we are implementing and why, here's the code.\n#!/usr/bin/python\nfrom Crypto.PublicKey import RSA\nfrom Crypto.Cipher import PKCS1_OAEP\nfrom Crypto.Hash import SHA256\nimport base64\nimport zlib\nimport Image\nimport stepic\n\n\n# Function to split a string into chunks\ndef splitter(string, chunksize):\n    return [string[i:i+chunksize] for i in range(0, len(string), chunksize)]\n\n\ndef encrypter():\n    target = open('pubkey.txt', 'r')\n    key = target.read()  # read in PEM formatted key from file\n    target.close()\n\n    # Create new SHA256 hash\n    h = SHA256.new()\n\n    # RSA 2048 bit wrapped with PKCS1_OAEP as recommended by documentation\n    # Default SHA1 hash is weak, replacing with SHA2 hash\n    rsakey = RSA.importKey(key)\n    rsakey = PKCS1_OAEP.new(rsakey, h)\n\n    # Construct a large string to practice encrypting\n    As = 'A' * 750\n    Bs = 'B' * 750\n    Cs = 'C' * 750\n    Ds = 'D' * 750\n    string = As + Bs + Cs + Ds\n\n    # Chunk size = (RSA modulus - 2) - (2 * (hash digest size))\n    # In this case (256 - 2) - (2 * 32) = 190\n    chunks = splitter(string, 190)\n    encrypted = ''\n    for chunk in chunks:\n        encrypted += rsakey.encrypt(chunk)  # each chunk becomes a 256 byte block\n\n    # Let's try compressing the encrypted string a little\n    encrypted = zlib.compress(encrypted)\n\n    # Add some b64 encoding to sort of obfuscate our encryption\n    encrypted = base64.b64encode(encrypted)\n\n    target = open('testrun.txt', 'w')\n    target.write(encrypted)\n    target.close()\n    print 'Encrypted String is of size:' + str(len(encrypted)) + '\\n'\n\n    # Steganography: hiding the encrypted text in plain sight using least significant bit\n    # Image has to be png as it is a lossless format.\n    im = Image.open(\"cat.png\")\n    im2 = stepic.encode(im, encrypted)\n    im2.save('encodedcat.png')\n\n\ndef main():\n    encrypter()\n\n\nif __name__ == '__main__':\n    main()\nThis is before we add our encryption; it's a large 20.5mb picture so it's a bit unwieldy for most regular uses. Sorry if the massive cat picture makes your browser lag a bit.\nHere's our final product. As our encrypted string came out at about 5747 characters, the cat picture is now of size 21.1mb. This is achieved with a hardly noticeable difference in our picture.\nThis picture no longer carries the encoding Decrypting our payload Since we've laid out all of our groundwork for generating keys and encrypting, we ought to be able to fly through decrypting. We're going to open the picture using the stepic library again and decode it. Then we undo our base64 encoding and zlib compression. After that we split our string into chunks of 256; it's not 190, I know, but that's because each 190-byte plaintext chunk encrypts to a ciphertext block the size of the RSA modulus, 256 bytes, and that is the size the documentation says PKCS1_OAEP.decrypt takes. After that we print our decrypted text and the length of it to verify we got everything back. 
I will drop the annotated code and output below.\n#!/usr/bin/python\nfrom Crypto.PublicKey import RSA\nfrom Crypto.Cipher import PKCS1_OAEP\nfrom Crypto.Hash import SHA256\nimport base64\nimport zlib\nimport Image\nimport stepic\n\n\n# Split string into chunks\ndef splitter(string, chunksize):\n    return [string[i:i+chunksize] for i in range(0, len(string), chunksize)]\n\n\ndef decryptor():\n    target = open('privkey.txt', 'r')\n    key = target.read()\n    target.close()\n\n    # Create new SHA256 hash\n    h = SHA256.new()\n\n    # RSA 2048 wrapped with PKCS1_OAEP as recommended by documentation\n    rsakey = RSA.importKey(key)\n    rsakey = PKCS1_OAEP.new(rsakey, h)\n\n    # target = open('testrun.txt', 'rb')  # For reading encrypted string from file\n\n    # Open and decode image to extract encrypted string\n    im = Image.open('encodedcat.png')\n    encoded = stepic.decode(im)\n    encoded = encoded.decode()\n    # encoded = target.read()\n    # target.close()\n\n    # Undo B64 encoding on top of string\n    encrypted = base64.b64decode(encoded)\n\n    # Decompress string\n    encrypted = zlib.decompress(encrypted)\n\n    decrypted = ''\n    # Chunks must be RSA modulus size (256 bytes): one ciphertext block each\n    chunks = splitter(encrypted, 256)\n    for chunk in chunks:\n        decrypted += rsakey.decrypt(chunk)\n\n    print decrypted\n    print len(decrypted)\n\n\ndef main():\n    decryptor()\n\n\nif __name__ == '__main__':\n    main()\nIf we run this program on our cat picture, our final output comes out as our original string of As, Bs, Cs and Ds, followed by its length:\n3000\n","description":"Using python to roll our own crypto!","id":27,"section":"posts","tags":["python","encryption","steganography"],"title":"Hiding encrypted blobs","uri":"https://anthonylaiuppa.com/posts/hiding-encrypted-blobs/"},{"content":"Intro Continuing with my efforts of becoming better at CTFs, I decided to participate in the SANS Holiday Hack Challenge. It is a pretty awesome challenge with a lovely pixelated game accompanying the tasks. It takes place in the North Pole and the gist of it is Santa is missing. The elves were all kinds of helpful, providing articles related to some of the tasks. I learned a lot about some neat topics that I had little experience with, such as Android application reverse engineering and password cracking.\nTask 1 Let's take a look at task one.\n What is the secret message in Santa's tweets? What is inside the ZIP file distributed by Santa's team? Well, to start with let's spin up the game and hop in. We are greeted with a scene involving 2 NPCs that explain Santa is missing, as well as his business card.\nPretty easy to see what we need to do. Let's start with Twitter first. 
This task was actually a bit of a pain because I do not have a Twitter or IG, so viewing the content required making them.\nWe can see Santa's tweets look a little cryptic, and after scrolling through them a pattern seems apparent. From here I thought web scraping would be something fun to try, so I cobbled together a script to append all of Santa's tweets together. I know the code could look better, but I only needed this to work once so I didn't put a lot of effort into it. The Tweepy library really came in handy here to access Twitter's API.\nimport tweepy\n\ncons_token = ''\ncons_secret = ''\ncallback_url = 'http://twitter.com'\naccess_token = ''\naccess_secret = ''\nscreen_name = 'santawclaus'\n\n# self explanatory auth\nauth = tweepy.OAuthHandler(cons_token, cons_secret)\nauth.set_access_token(access_token, access_secret)\napi = tweepy.API(auth)\n\ntarget = open(\"output.txt\", 'w')\n\n# initialize a list to hold all the tweepy Tweets\nalltweets = []\n\n# make initial request for most recent tweets (200 is the maximum allowed count)\nnew_tweets = api.user_timeline(screen_name=screen_name, count=200)\n\n# save most recent tweets\nalltweets.extend(new_tweets)\n\n# save the id of the oldest tweet less one\noldest = alltweets[-1].id - 1\n\n# keep grabbing tweets until there are no tweets left to grab\nwhile len(new_tweets) > 0:\n    print \"getting tweets before %s\" % (oldest)\n\n    # max_id prevents duplicates: only tweets older than the last one seen\n    new_tweets = api.user_timeline(screen_name=screen_name, count=200, max_id=oldest)\n\n    # save most recent tweets\n    alltweets.extend(new_tweets)\n\n    # update the id of the oldest tweet less one\n    oldest = alltweets[-1].id - 1\n\n    print \"...%s tweets downloaded so far\" % (len(alltweets))\n\n# for tweet in alltweets:\n#     target.write('\\n'.join(str(tweet)))\ntarget.write('\\n'.join([tweet.text.replace('\\n', ' ') for tweet in alltweets]))\n# target.write('\\n'.join([str(tweet.__dict__) for tweet in alltweets]))\ntarget.close()\nprint ' task complete \\n'\nIt's quick, dirty, and gets the job done. So let's look at the results and see what we get.\nAlright so we got the answer 'Bug Bounty' from the tweets, but what do we do with that? Well there was a second part to task 1, the zip. I think if we move on to the IG account we can figure out where to go.\nA quick look at the IG and we quickly find the topic of interest: a picture of Santa's desk. This especially I found great because it hammers home a great point about OPSEC: never post pictures of your work desk or environment to social media.\nLooking at the picture we can easily spot a filename in the web browser, and a URL off to the right near an nmap reference. If we tack these two tidbits together and drop www.northpolewonderland.com/SantaGram_v4.2.zip into the browser we are rewarded with a zip file.\nI wonder what the password could be.... maybe... bug bounty? Dropping that in rewards us with the second answer to task 1: SantaGram_v4.2.apk.\n What is the secret message in Santa's tweets? - Bug Bounty What is in the zip file being distributed by Santa's team? - SantaGram_v4.2.apk Task 2 Having cleared the hurdles of task 1, let's get started on task 2.\nWhat username and password are embedded in the apk file? What is the name of the audio component (audio file) in the SantaGram APK file? Alright so this one was definitely a journey for me, because when you say 'Reverse Engineering Android Applications' it sounds kind of daunting. But thankfully my good pals YouTube and Google have my back. 
With about 30 minutes of googling and videos, as well as the article from the elf at the North Pole, I was able to get the application reversed. Here's how I went about it.\n The elf said an apk is just a zip file, so we rename it .zip and look at the contents. We see a binary manifest. Let's see if we can take care of that. I used Kali Linux for this part just because it came with many of the recommended tools.\nSo here we see apktool and dex2jar. Apktool is going to decode that manifest and give us some smali files, and dex2jar is going to take the dex files and give us the class files so we can view them almost as if they were the original Java code.\nAlright so we got the manifest reversed, which gives some useful information from an oversight, but there is no sign of any embedded credentials. Let's look at what dex2jar gives us next.\nSo here we can see dex2jar making our dex files readable. The elf at the North Pole suggested Jad-X but I went with JD-GUI. It took me a relatively short time to pull the git repo and launch the GUI. With JD-GUI I was able to look at the class files that dex2jar converted. Thanks to a search bar at the top of the window I was able to just search for username and there we had our answer.\nAnd there we have it, the credentials we wanted.\nAdditionally, I could have shown the exact command line usage and syntax that I used on apktool or dex2jar, but frankly it's really easy to just run them with -help and figure it out.\nAlright so the last part of task 2 is the audio file. I figured the name would be stored somewhere in the apk but I didn't have a good approach to finding it. So I just ran strings on the file and grepped for things ending in .mp3. Fortunately it paid off.\nIn summary:\nWhat username and password are embedded in the APK file? * guest, busyreindeer78 * What is the name of the audible component (audio file) in the SantaGram APK file? 
discombobulatedaudio1.mp3 Task 3 I realize this writeup is getting a little long; fortunately, as far as keeping it short goes, this is where I am about out of time.\nPart of the game has you searching the North Pole for the five pieces to a * cranberry pi *\nUpon completing this search we are rewarded with a cranpi.img file. Which brings us to this next part.\nWhat is the password for the \"cranpi\" account on the Cranberry Pi system? Well fortunately one of the elves provided a lovely article on mounting the .img file by determining the number of bytes to get to the start of the Linux file system.\nLooks like we're in without issue.\nAnd of course we can verify this by cat /etc/shadow and making sure the cranpi account is there.\nSo if you're unfamiliar with what we are looking at, it is the password hash of the cranpi account. Because storing passwords in plaintext is bad, I really shouldn't have to explain that.\nKnowing what to do next is simple because the elves were helpful in pointing it out, but I'm going to supply a brief summation.\nA hash is an algorithm that produces a fixed-size value unique to the input passed through it. It has many uses, from verifying file integrity to storing passwords. By using this algorithm, our program, John the Ripper, will enumerate through a list of passwords, hash them, and see if any hashes match the one we have. Since hashes are meant to be unique, a match would mean we have the password.\nThe elves told us to use the rockyou.txt wordlist with john, so let's do just that.\nWorth mentioning is that since I had both the shadow and passwd file I went ahead and ran unshadow on them. Unshadow combines the two files so John can use them.\nJohn made short work of that, only taking about ten minutes, and that gives us the answer to our question.\nWhat is the password for the \"cranpi\" account on the Cranberry Pi system? 
* yummycookies* Summary As a result of this challenge I got to explore some concepts I haven't gotten into before, such as reversing the Android app. Additionally it was great in providing guidance to help me implement all of this new information.\nI got the opportunity to\n Find a use for my knowledge of web scraping\n See a great example of why you shouldn't take pictures of your desk, OPSEC!\n Reverse an Android app and point out why you shouldn't embed creds\n Run strings and actually get a useful result, thanks grep\n Learn how to mount a Linux file system from a .img, great for forensics\n Work with John the Ripper, I hadn't done this before either\nI had a lot of fun with this challenge and I look forward to more future CTFs.\nI hope you enjoyed reading this, thanks for taking the time!\n","description":"My first SANS Holiday Hacking Challenge","id":28,"section":"posts","tags":["ctf","hacking","android","linux","python","osint","password cracking","kali"],"title":"SANSHHC","uri":"https://anthonylaiuppa.com/posts/sans-holiday-hacking-challenge/"},{"content":"Binary Fun: With basic binary file analysis A little bit ago I decided CTFs looked like a lot of fun and that I wanted to get involved. At least for me it was a little daunting picking where to start. Some people would start with things they are familiar with, but I thought reverse engineering sounded cool so I went with that. I got a small binary made by a friend, intended to be similar to a basic reversing challenge, to start with.\nFirst steps The file is titled pwd2 and we can run a couple of quick bash commands to see if we can find any useful information. I went ahead and spun up a fresh Ubuntu VM for obvious reasons. 
Of course, let's run it first and see what it wants.\nuser@ubuntu:~$ ./pwd2\nPlease supply 3 digit passcode\n222\nNope\nThe next thing to do would be to run the file command and see if we can grab any other basic information.\nuser@ubuntu:~$ file pwd2\nELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=82ef1e7313ec65f084871b449de99df70ba27282, stripped\nAlright, so it is pretty apparent what it wants. At the time I first received this I didn't know about format string vulnerabilities, otherwise I would have tried to see if I could leak the password value that way. Additionally, I didn't think to try integer underflow or overflow, but I did try a simple buffer overflow and can say that did not work.\nAt least now I've got some more ideas of things to look for. The one useful thing I did get from that file command was that the binary is stripped: there is no symbol table, so functions will show up in a debugger or disassembler as bare addresses rather than names.\nDespite seeing that the binary is stripped, I am still going to try gdb on it. I've used it before with varying degrees of success and still want to become better with it.\nuser@ubuntu:~$ gdb ./pwd2\n(gdb) r\nStarting program: /home/user/ex1/pwd2\ndenied.\n[Inferior 1 (process 7311) exited with code 01]\n(gdb)\nHaving seemingly hit a wall here, I put a good bit of googling to work, mostly on obfuscation of C binaries and things that would try to prevent debuggers. Fortunately I found an article on securing iOS apps that mentioned how one may detect a debugger using dlsym. The idea is that the binary doesn't call ptrace directly: it resolves the function by name at runtime with dlopen/dlsym and calls it through the returned pointer, so ptrace never appears in the import table. Ubuntu has a nifty tool called ltrace, or library trace, that runs the program until exit. 
All the while it records every dynamic library call the program makes.\nuser@ubuntu:~$ ltrace ./pwd2\n__libc_start_main(0x4007ed, 1, 0x7fff898547b8, 0x400850 \u0026lt;unfinished ...\u0026gt;\ndlopen(nil, 258) = 0x7f32fd4971c8\ndlsym(0x7f32fd4971c8, \u0026quot;ptrace\u0026quot;) = 0x7f32fcd9c4f0\nputs(\u0026quot;denied.\\n\u0026quot;denied.\nSo there we have it: the program opens a handle to itself (dlopen(nil, ...) with flags 258 = RTLD_NOW|RTLD_GLOBAL), looks up ptrace through it, and calls the result. The call itself goes through the pointer rather than the PLT, so ltrace doesn't list it, but the effect is visible: this is almost certainly the classic ptrace(PTRACE_TRACEME) self-check, which fails when another tracer is already attached. Note that it printed denied. under ltrace too, since ltrace is itself a ptrace-based tracer, just like gdb. This is neat new knowledge, but I'm going to exhaust all other low-hanging fruit before I look into what more I can do with that. (The usual workarounds are an LD_PRELOAD shim whose ptrace() returns 0, or breaking on the call in gdb and overwriting its return value.)\nLet's run strings, because sometimes it really does work.\nuser@ubuntu:~$ strings ./pwd2\n/lib64/ld-linux-x86-64.so.2\nlibdl.so.2\n_ITM_deregisterTMCloneTable\n__gmon_start__\n_Jv_RegisterClasses\n_ITM_registerTMCloneTable\ndlclose\ndlsym\ndlopen\nlibc.so.6\nexit\n__isoc99_scanf\nputs\n__libc_start_main\nGLIBC_2.2.5\nGLIBC_2.7\nUH-h\nUH-h\n=1\t[]A\\A]A^A_\nptrace\ndenied.\nPlease supply 3 digit passcode\nNope\nWin.\n;*3$\nIt was unlikely that an int would be stored as a string, but it only takes a quick moment to verify. What strings does confirm is the picture from ltrace: the imported symbol names (dlopen, dlsym, __isoc99_scanf, puts) are there, while ptrace shows up only as a plain string next to denied., exactly what a runtime dlsym lookup leaves behind.\nA big part of learning reverse engineering has been attempting to become comfortable with assembly. I did have to learn and even write some in college, so I have a slight head start on where to begin. I figure we can objdump the binary to a file (objdump -d pwd2 \u0026gt; pwd2.asm) and grep through the assembly looking for a cmp instruction.\nLooking at the cmp instruction and the surrounding instructions could give away the spot where the conditional is checking the passcode. 
Of course, since the binary is stripped, the output is going to be quite garbled: with no symbols, objdump labels every address relative to the nearest PLT entry, which is why the jump and call targets below read as dlsym@plt+0xfd rather than a function name.\n 520 4007ed: 55 push %rbp\n 521 4007ee: 48 89 e5 mov %rsp,%rbp\n 522 4007f1: 48 83 ec 20 sub $0x20,%rsp\n 523 4007f5: 89 7d ec mov %edi,-0x14(%rbp)\n 524 4007f8: b8 00 00 00 00 mov $0x0,%eax\n 525 4007fd: e8 7b ff ff ff callq 40077d \u0026lt;dlsym@plt+0xfd\u0026gt;\n 526 400802: bf e8 08 40 00 mov $0x4008e8,%edi\n 527 400807: e8 04 fe ff ff callq 400610 \u0026lt;puts@plt\u0026gt;\n 528 40080c: 48 8d 45 fc lea -0x4(%rbp),%rax\n 529 400810: 48 89 c6 mov %rax,%rsi\n 530 400813: bf 07 09 40 00 mov $0x400907,%edi\n 531 400818: b8 00 00 00 00 mov $0x0,%eax\n 532 40081d: e8 3e fe ff ff callq 400660 \u0026lt;__isoc99_scanf@plt\u0026gt;\n 533 400822: 8b 45 fc mov -0x4(%rbp),%eax\n 534 400825: 3d 8f 01 00 00 cmp $0x18f,%eax\n 535 40082a: 74 11 je 40083d \u0026lt;dlsym@plt+0x1bd\u0026gt;\n 536 40082c: bf 0a 09 40 00 mov $0x40090a,%edi\n 537 400831: e8 da fd ff ff callq 400610 \u0026lt;puts@plt\u0026gt;\n 538 400836: b8 00 00 00 00 mov $0x0,%eax\n 539 40083b: eb 0f jmp 40084c \u0026lt;dlsym@plt+0x1cc\u0026gt;\n 540 40083d: bf 0f 09 40 00 mov $0x40090f,%edi\n 541 400842: e8 c9 fd ff ff callq 400610 \u0026lt;puts@plt\u0026gt;\n 542 400847: b8 00 00 00 00 mov $0x0,%eax\nThe disassembly ran to over 1033 lines, but I managed to ferret out the above block as one warranting closer examination, simply because the puts and scanf calls caught my eye. Reading it top to bottom: line 525 is the call into the anti-debug routine, 526-527 print the prompt, line 528 takes the address of a local variable at -0x4(%rbp) and 529 passes it in %rsi as scanf's output argument (the format string is the address in %edi), and 532 calls scanf. Line 533 then loads that same local into %eax, so the value we typed is what the cmp at 534 compares against the immediate 0x18f. If they are equal, the je at 535 jumps to 40083d (line 540), which prints the string at 0x40090f; otherwise execution falls through to the puts at 537 with the string at 0x40090a. That matches the string layout strings showed (Nope immediately followed by Win.), so 0x18f is the passcode. A quick hex-to-decimal conversion reveals 0x18f to be 399. Let's give it a try.\nuser@ubuntu:~$ ./pwd2\nPlease supply 3 digit passcode\n399\nWin. 
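Finding that cmp by hand works for one binary, but the same search can be scripted. The following is an added example (my own code, not from the post) that parses objdump -d text, finds each cmp against an immediate within a few instructions of a scanf call, and reports the value in decimal. The sample listing is the fragment quoted above; the helper names and the four-instruction window are my own choices.

```python
"""Added example (not from the post): scan `objdump -d` output for the integer
comparison that follows a scanf call and report the expected value in decimal.
The sample listing is the fragment quoted above; helper names are my own."""
import re
import subprocess
import sys

# The main() fragment from `objdump -d pwd2`, as quoted in the post.
SAMPLE_LISTING = """\
  40080c:       48 8d 45 fc             lea    -0x4(%rbp),%rax
  400810:       48 89 c6                mov    %rax,%rsi
  400813:       bf 07 09 40 00          mov    $0x400907,%edi
  400818:       b8 00 00 00 00          mov    $0x0,%eax
  40081d:       e8 3e fe ff ff          callq  400660 <__isoc99_scanf@plt>
  400822:       8b 45 fc                mov    -0x4(%rbp),%eax
  400825:       3d 8f 01 00 00          cmp    $0x18f,%eax
  40082a:       74 11                   je     40083d <dlsym@plt+0x1bd>
  40082c:       bf 0a 09 40 00          mov    $0x40090a,%edi
  400831:       e8 da fd ff ff          callq  400610 <puts@plt>
"""

# address:  byte byte ...  mnemonic  operands
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s+)+)(\S+)\s*(.*)$")
# An immediate operand such as $0x18f or $399, followed by the register it is compared with.
IMM_RE = re.compile(r"^\$(0x[0-9a-f]+|\d+),%")


def parse_listing(text):
    """Yield (address, mnemonic, operands) for every instruction line in objdump output."""
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:
            yield int(m.group(1), 16), m.group(3), m.group(4).strip()


def find_scanf_compares(text, window=4):
    """Return [(cmp address, immediate)] for each `cmp $imm,<reg>` found within `window`
    instructions after a call to scanf: the spot where a hard-coded numeric secret is
    checked when the program reads its input with scanf("%d")."""
    insns = list(parse_listing(text))
    hits = []
    for i, (_, mnem, ops) in enumerate(insns):
        if not mnem.startswith("call") or "scanf" not in ops:
            continue
        for addr, mnem2, ops2 in insns[i + 1:i + 1 + window]:
            imm = IMM_RE.match(ops2)
            if mnem2 == "cmp" and imm:
                hits.append((addr, int(imm.group(1), 0)))
    return hits


if __name__ == "__main__":
    # With a path argument, disassemble that binary; otherwise use the quoted fragment.
    if len(sys.argv) > 1:
        text = subprocess.run(["objdump", "-d", sys.argv[1]], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_LISTING
    for addr, imm in find_scanf_compares(text):
        print("cmp at %#x: input is compared against %d (%#x)" % (addr, imm, imm))
```

This only catches the easy case the post ran into, a compare against a literal immediate; if the expected value were computed at runtime or compared via memory, the cmp operand would not match IMM_RE and you would be back to dynamic analysis (or patching out the ptrace check first).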
Conclusion It worked, but I'm quite fortunate that puts and scanf weren't also resolved through dlsym, as that would have made them a good bit harder to spot in the disassembly.\nAdditionally, I'm fortunate that the passcode was stored as a plain immediate and not obfuscated any further; had it been computed at runtime, reading the cmp statically wouldn't have been enough.\nIt was a fun challenge and I'm looking forward to doing more of these.\nAll in all, a great foray into the world of RE.\n","description":"Reverse engineering sounds cool","id":30,"section":"posts","tags":["hacking","reverse engineering","ctf"],"title":"Binary fun","uri":"https://anthonylaiuppa.com/posts/binary-fun/"},{"content":"Intro I got to thinking: you can obfuscate JS and VBS when serving up code to people, so why not Python? Well, there is that whole significant-whitespace thing and the lack of semicolons, but let's see what we can do.\n Obfuscation: \u0026ldquo;To make so confused or opaque as to be difficult to perceive or understand\u0026rdquo;\n In programming one usually doesn't purposefully obfuscate code, since others may need to read it. Within cyber security, however, the opposite often holds true. Many of those crafting the code behind malware (or doing it for fun in puzzles and competitions like the IOCCC) purposefully make their code as difficult to read as possible. Therefore it is important to understand obfuscation when it comes to code analysis.\nHere we will go through the process of applying basic obfuscation to Python code in the examples below.\nInitial code Scanner.py is a simple scapy implementation of an ARP scan of a local area network. An attacker may find it useful for enumerating the live hosts on a network in order to find potential pivots. 
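Before walking through the scanner and the encoder, here is an added end-to-end example (my own code, not the post's) of the encode step this post builds towards and, just as important for analysis, the step that reverses it: build_loader wraps a script in an exec(base64.b64decode(...)) stub, optionally with a zlib layer on top, and recover_sources pulls the plaintext back out of any such loader. The stand-in script and the regex heuristic for spotting payload literals are my own assumptions; the real scanner.py needs scapy and root, so it is not used here.

```python
"""Added example, not the post's own code: wrap a script in the kind of base64
loader the post builds up to, then take the analyst's side and pull the original
source back out.  SAMPLE_SOURCE is a constructed stand-in for scanner.py."""
import base64
import re
import zlib

# Constructed stand-in for scanner.py (the real one needs scapy and root).
SAMPLE_SOURCE = 'def hosts():\n    return ["192.168.1.1", "192.168.1.10"]\n'


def build_loader(source, compress=False):
    """Return a self-contained script that decodes `source` and exec()s it.
    compress=True adds a zlib layer, the next rung most real droppers climb;
    it changes nothing about how recoverable the code is."""
    data = source.encode()
    if compress:
        data = zlib.compress(data)
    payload = base64.b64encode(data).decode()
    if compress:
        return f"import base64, zlib\np = {payload!r}\nexec(zlib.decompress(base64.b64decode(p)))\n"
    return f"import base64\np = {payload!r}\nexec(base64.b64decode(p))\n"


# Heuristic (my assumption): any quoted literal at least 16 characters long that is
# made only of base64 characters is treated as a payload worth decoding.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")


def recover_sources(loader_text):
    """Analyst side: decode every base64 blob found in a script, inflate it if it
    turns out to be zlib-compressed, and return the recovered plaintext sources."""
    found = []
    for blob in B64_LITERAL.findall(loader_text):
        raw = base64.b64decode(blob)
        try:
            raw = zlib.decompress(raw)
        except zlib.error:
            pass                      # plain base64, nothing to inflate
        found.append(raw.decode("utf-8", errors="replace"))
    return found


def run_loader(loader_text):
    """Execute a loader in a private namespace and return what it defined.
    Only for loaders you built yourself; analysis should use recover_sources,
    never exec, on something found in the wild."""
    ns = {}
    exec(loader_text, ns)
    return ns


if __name__ == "__main__":
    loader = build_loader(SAMPLE_SOURCE, compress=True)
    print(loader)
    print(recover_sources(loader)[0])
```

The asymmetry is the point: two lines turn the script into an opaque blob, and two lines turn it back. Base64 keeps casual readers out and nothing else; anything that is going to look at the file properly, from an AV engine to an analyst with base64 -d, gets the source for free.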
However, most attackers would probably use something a little quieter in order to remain undetected (an ARP sweep broadcasts a request for every address in the range, which is easy to spot in a packet capture), but for our purposes this will work.\n#!/usr/bin/env python\n# Python 2, as originally written: print is a statement, and srp() needs root to send raw frames.\nfrom scapy.all import *\ntry:\n    # Broadcast an ARP who-has for every address in the /24; srp returns (answered, unanswered).\n    alive, dead = srp(Ether(dst=\u0026#34;ff:ff:ff:ff:ff:ff\u0026#34;)/ARP(pdst=\u0026#39;192.168.1.0/24\u0026#39;), timeout=2, verbose=0)\n    print \u0026#34;MAC - IP\u0026#34;\n    for i in range(0, len(alive)):\n        # alive[i] is a (sent, received) pair; the reply carries the responder\u0026#39;s MAC and IP.\n        print alive[i][1].hwsrc + \u0026#34; - \u0026#34; + alive[i][1].psrc\nexcept Exception as e:\n    # A bare except would also hide the most common failure, running without root.\n    print \u0026#34;scan failed:\u0026#34;, e\nHere is sample output from Scanner.py.\nuser@ubuntu:~$ sudo python scanner.py\n[sudo] password for user:\nWARNING: No route found for IPv6 destination :: (no default route?)\nMAC - IP\n00:00:11:11:11:11 - 192.168.1.10\ncc:bb:44:33:22:11 - 192.168.1.1\ndd:ee:ae:45:67:34 - 192.168.1.14\nff:dd:78:ad:6d:23 - 192.168.1.4\n00:00:00:70:07:e2 - 192.168.1.30\n00:00:11:22:22:22 - 192.168.1.27\nEncoding Base64 is a common encoding that is easy to apply and reverse with Python's base64 module. It adds a layer of obfuscation between prying eyes and our code, but only a thin one: Base64 is an encoding, not encryption, so anyone (an antivirus engine, or an analyst with base64 -d) can recover the original with a single command and no key. It hides the code from a casual glance, nothing more.\nSo the first step we will take will be to encode Scanner.py in Base64.\nThe code snippet below imports the base64 library, encodes Scanner.py, and dumps the result as a single string into output.o.\nimport base64\n\n# Read scanner.py, Base64-encode its contents and write the single-line result to output.o.\ndef main():\n    with open(\u0026#34;scanner.py\u0026#34;, \u0026#34;r\u0026#34;) as target:\n        todo = target.read()\n    s = base64.b64encode(todo)   # Python 2: str in, str out (on Python 3 encode to bytes first)\n    with open(\u0026#34;output.o\u0026#34;, \u0026#34;w\u0026#34;) as target:\n        target.write(s)\n\nif __name__ == \u0026#39;__main__\u0026#39;:\n    main()\nAfterwards we can open up both files side by side to see the difference.\n","description":"Who knew making code difficult to read could be fun?","id":31,"section":"posts","tags":["python","hacking","obfuscation"],"title":"Obfuscating python","uri":"https://anthonylaiuppa.com/posts/obfuscating-python/"},{"content":"Intro This article is where I will put up a few of my Project 
Euler solutions. They aren't particularly special, but I really enjoyed solving the problems, so I thought I'd share a few of the ones I had fun with.\n36 - Double-Base Palindromes At this point I have solved a few of the Euler problems, but I chose this one to share over the similar problem 4 because I felt this one was a little more fun, since you have to convert the number from base 10 to base 2 and check it in both. The only hitch in this really was the leading zeros, but that didn't take much doing to get around: Python's b format specifier never emits them, so the binary string can be checked as-is. Below is the code and the problem.\nThe decimal number 585 = 1001001001 (binary) is palindromic in both bases.\nFind the sum of all numbers, less than one million, which are palindromic in base 10 and base 2.\n(Please note that the palindromic number, in either base, may not include leading zeros.)\n#!/usr/bin/python\n\n# Convert base 10 to base 2; format() emits no leading zeros, so the\n# palindrome check below never sees them.\ndef toBin(n):\n    return \u0026#34;{0:b}\u0026#34;.format(n)\n\n# Sum every number below limit that reads the same backwards in both bases.\ndef findPals(limit):\n    total = 0\n    for i in range(0, limit):\n        if str(i) == str(i)[::-1] and toBin(i) == toBin(i)[::-1]:\n            total += i\n    return total\n\ndef main():\n    print(findPals(1000000))\n\nif __name__ == \u0026#39;__main__\u0026#39;:\n    main()\n8 - Largest Product in series This one also isn't particularly challenging, but it was fun and it got me comfortable with lists. All I really did was take that large number, drop it into a list so I could iterate through it, and then make a list of the products of each 13 adjacent digits. After that it was just a quick call to max() and there you go. The number is a bit large, being 1000 digits and all, so I threw it into a tab.\nThe four adjacent digits in the 1000-digit number that have the greatest product are 9 × 9 × 8 × 9 = 5832.\nFind the thirteen adjacent digits in the 1000-digit number that have the greatest product. 
What is the value of this product?\n73167176531330624919225119674426574742355349194934 96983520312774506326239578318016984801869478851843 85861560789112949495459501737958331952853208805511 12540698747158523863050715693290963295227443043557 66896648950445244523161731856403098711121722383113 62229893423380308135336276614282806444486645238749 30358907296290491560440772390713810515859307960866 70172427121883998797908792274921901699720888093776 65727333001053367881220235421809751254540594752243 52584907711670556013604839586446706324415722155397 53697817977846174064955149290862569321978468622482 83972241375657056057490261407972968652414535100474 82166370484403199890008895243450658541227588666881 16427171479924442928230863465674813919123162824586 17866458359124566529476545682848912883142607690042 24219022671055626321111109370544217506941658960408 07198403850962455444362981230987879927244284909188 84580156166097919133875499200524063689912560717606 05886116467109405077541002256983155200055935729725 71636269561882670428252483600823257530420752963450\n#!/usr/bin/python\n\ndef main():\n    # The 1000-digit number quoted above, kept as a string so each character is one digit\n    number = \u0026#34;See tab above\u0026#34;\n    j = [int(i) for i in str(number)]\n    # Products of every run of 13 adjacent digits; the last run starts at index 987\n    products = []\n    for k in range(0, len(j) - 12):\n        product = 1\n        for d in j[k:k + 13]:\n            product *= d\n        # A run containing a zero multiplies out to zero and can never be the maximum\n        if product != 0:\n            products.append(product)\n    # Largest product of 13 consecutive digits\n    print(max(products))\n\nif __name__ == \u0026#39;__main__\u0026#39;:\n    main()\n25 - 1000 Digit Fibonacci Number The Fibonacci problems for me represented an interesting problem. I could go about it recursively, but naive recursion recomputes the same terms over and over, and its running time blows up long before the index this problem needs. I could use floating point arithmetic as well, which I tried to do on problem 2. 
There are two things about that: one is that floating point arithmetic becomes inaccurate due to rounding errors the higher you go, and two is that at F(34) it breaks. So I knew that once I had to pass F(34) I would need a new approach. So I've got a simple generator going and a counter to stop at the right index. It worked like a charm. Python integers are arbitrary precision, so the generator never loses digits no matter how large the terms get. Another approach I could have considered is some form of caching (memoization), so that instead of calculating up the chain to find the next number I only need the previous two I've found.\nThe Fibonacci sequence is defined by the recurrence relation:\nF(n) = F(n−1) + F(n−2), where F(1) = 1 and F(2) = 1.\nHence the first 12 terms will be:\nF(1) = 1\nF(2) = 1\nF(3) = 2\nF(4) = 3\nF(5) = 5\nF(6) = 8\nF(7) = 13\nF(8) = 21\nF(9) = 34\nF(10) = 55\nF(11) = 89\nF(12) = 144\nThe 12th term, F(12), is the first term to contain three digits.\nWhat is the index of the first term in the Fibonacci sequence to contain 1000 digits?\n#!/usr/bin/python\n\n# True once n has exactly 1000 digits\ndef digits(n):\n    return len(str(n)) == 1000\n\n# Fibonacci generator, starting from F(0) = 0 so the counter below equals the index\ndef fib():\n    a, b = 0, 1\n    while True:\n        yield a\n        a, b = b, a + b\n\ndef main():\n    stop = False\n    a = fib()\n    i = -1\n    # Stop when the term is 1000 digits long; i tracks where in the sequence we are\n    while not stop:\n        i += 1\n        n = next(a)\n        stop = digits(n)\n    print(i)\n\nif __name__ == \u0026#39;__main__\u0026#39;:\n    main()\n","description":"I chose to do math in my spare time once..","id":32,"section":"posts","tags":["python","algorithm"],"title":"Project Euler","uri":"https://anthonylaiuppa.com/posts/project-eulers/"}]
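As an added example (my own code, not the post's), the three problems above generalised: a base conversion that never produces leading zeros for any base, a sliding-window product that handles the zero case the post's loop simply skips over, and a digit-count search over the Fibonacci sequence with arbitrary-precision integers so no F(34)-style breakage occurs. The sample digit string is the first twenty digits of the number quoted above; the function names are my own.

```python
"""Added example (not from the post): the three Project Euler problems above,
generalised.  Euler's published answers (872187 for problem 36, 4782 for
problem 25) are what the functions reproduce at the original parameters."""


def to_base(n, base):
    """Digits of n in `base`, most significant first, with no leading zeros."""
    if n == 0:
        return [0]
    digits = []
    while n:
        n, r = divmod(n, base)
        digits.append(r)
    return digits[::-1]


def is_palindrome(seq):
    return seq == seq[::-1]


def double_base_palindromes(limit, base=2):
    """Sum of n < limit that are palindromic in base 10 and in `base`.
    For base 2 only odd n are tried: an even number ends in a 0 bit, so its
    binary form could only be a palindrome with a leading 0, which is not allowed."""
    step = 2 if base == 2 else 1
    return sum(n for n in range(1, limit, step)
               if is_palindrome(str(n)) and is_palindrome(to_base(n, base)))


def largest_window_product(digits, width):
    """Largest product of `width` adjacent digits in a digit string.
    A sliding window multiplies each digit in once and divides it out when it
    leaves the window; a zero would poison that update, so a zero resets the
    window instead, which is the case the post's loop sidesteps by skipping
    products that came out as zero."""
    best = 0
    product = 1
    run = 0                            # consecutive zero-free digits ending here
    for i, ch in enumerate(digits):
        d = int(ch)
        if d == 0:
            product, run = 1, 0
            continue
        product *= d
        run += 1
        if run > width:
            product //= int(digits[i - width])   # nonzero: it is inside the zero-free run
            run = width
        if run == width:
            best = max(best, product)
    return best


def fib_index_with_digits(n_digits):
    """Index of the first Fibonacci term (F(1) = F(2) = 1) with n_digits digits.
    Plain integers, so there is no precision cliff however far this runs."""
    a, b, i = 1, 1, 1
    threshold = 10 ** (n_digits - 1)
    while a < threshold:
        a, b = b, a + b
        i += 1
    return i


if __name__ == "__main__":
    print(double_base_palindromes(1000000))
    print(largest_window_product("73167176531330624919", 4))
    print(fib_index_with_digits(1000))
```

largest_window_product needs the full 1000-digit number to reproduce the 5832 and 13-digit results stated above; the twenty-digit prefix is used here so the example stays short and its answer can be checked by hand.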