<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Stories by Nithin R on Medium]]></title>
        <description><![CDATA[Stories by Nithin R on Medium]]></description>
        <link>https://medium.com/@thebinarybot?source=rss-b28e3e1c3f63------2</link>
        <image>
            <url>https://cdn-images-1.medium.com/fit/c/150/150/1*6-fw5hgTp6wmuH_GUxdKaQ.jpeg</url>
            <title>Stories by Nithin R on Medium</title>
            <link>https://medium.com/@thebinarybot?source=rss-b28e3e1c3f63------2</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Thu, 14 May 2026 14:19:19 GMT</lastBuildDate>
        <atom:link href="https://medium.com/@thebinarybot/feed" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Thebinarybot’s Guide to Shells ❤]]></title>
            <link>https://infosecwriteups.com/thebinarybots-guide-to-shells-3acc78c59b6f?source=rss-b28e3e1c3f63------2</link>
            <guid isPermaLink="false">https://medium.com/p/3acc78c59b6f</guid>
            <category><![CDATA[hacking]]></category>
            <category><![CDATA[computer-science]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[ethical-hacking]]></category>
            <category><![CDATA[penetration-testing]]></category>
            <dc:creator><![CDATA[Nithin R]]></dc:creator>
            <pubDate>Mon, 08 Jul 2024 13:45:19 GMT</pubDate>
            <atom:updated>2024-07-08T17:58:53.901Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Zu7Uoum9t1syzqMcTgC1Iw.png" /></figure><h4>whoami</h4><p>Hello, this is Nithin here. I’m a security researcher/enthusiast and I go by the handle @thebinarybot at most of the places online.</p><h4>cat whatsthisarticleabout.txt</h4><p>“I’m in” is a classic line used in almost all techno-geek or hacker-ish films to signal that the hero has “hacked” into a system. But what does it actually mean? What did the hero get into?</p><p>Learn what a shell and a terminal emulator are, the anatomy of a shell and a lot more in this blog.</p><h4>Introduction</h4><p>Most of the time, when the said “hacker” utters words such as “I’m in”, “We’re in the game” or “System Hacked” in movies, you would immediately see a panel with gibberish written in it.</p><p>Something like the image below, for example.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Ldw6B_Xlx05jSz4F7-LoWQ.png" /></figure><p>As a child, anything written in block letters and displayed in a font like the one above immediately caught my attention. I used to think hacking was all about typing some commands and “getting in” to a system. But that is definitely not it.</p><p>Cutting back to the topic, the image above is precisely what a shell is. It is not a hack, nor is it a technique or some super complex technical thing that you cannot understand.</p><p>In simple terms, a shell is merely a computer program that provides the user with an interface to input instructions into the system and view text output. 
These inputs are called command-line inputs as they do not have a graphical interface and require you to type words, quite literally.</p><p>But as depicted accurately in films, for a penetration tester or a hacker, a shell is often the end result you see after successfully exploiting a vulnerability to gain interactive access to the target system.</p><p>So, in a way, a shell gives the hacker direct access to the target operating system, thereby allowing them to run harmful commands, view the filesystem, modify data and much more.</p><h4>Terminal Emulator</h4><p>Every operating system such as Windows, Linux and macOS has a shell, and to interact with the system’s shell we use an application called the Terminal or Terminal Emulator.</p><p>A few noteworthy terminal emulators for popular operating systems include:</p><ul><li>Windows Terminal — Windows</li><li>GNOME Terminal, MATE Terminal — Linux</li><li>Terminal, iTerm2 — macOS</li></ul><p>There are many more terminals available out there, and in fact it is possible to install a terminal emulator on a different operating system if it is open source and supports the platform. However, these are merely personal preferences.</p><h4>CLI — Command Language Interpreter</h4><p>A Command Language Interpreter (CLI) is a software program that interprets and executes commands entered by a user or provided by scripts. These commands typically interact with the operating system or perform various tasks.</p><p>Hence, every time we talk about command-line interfaces we should understand that it’s a combination of the OS, the terminal emulator application and the command language interpreter.</p><p>There are many command language interpreters, also often called shell scripting languages or command scripting languages.</p><h4>Shell Variants</h4><p>As we have understood, a shell is merely a computer program which passes messages to the system, and we should also understand that there are many variants and types of this program. 
One should not confuse these types with the types of terminal emulators available. Both are different.</p><blockquote>But how are they different? What is the difference between a terminal emulator and a shell?</blockquote><p>To rephrase, <strong>a terminal emulator</strong> is merely a software application that emulates a video terminal within another display architecture. It allows users to interact with the system’s shell or command-line interface in a graphical environment. Essentially, it provides the window or interface where you type and execute commands.</p><p><strong>A shell</strong>, however, is a command-line interpreter that provides a user interface for accessing the operating system’s services. It interprets and executes the commands entered by the user or read from a script. The shell is responsible for running commands, managing processes, and providing programming constructs like loops and conditionals.</p><p>Now, coming back to the different types of shells: unlike terminal emulators, which differ mostly in appearance, the different types of shells carry actual differences in properties, functions and features. Here are a few of them:</p><ol><li>The Bourne Shell (sh): Bourne Shell is regarded as the first UNIX shell ever. sh is super compact and very fast in operation. Moreover, scripts written for the Bourne shell are portable across Unix-like systems. However, it doesn’t have built-in functionality to handle logical and arithmetic operations. Furthermore, the Bourne shell cannot recall previously used commands.</li><li>The GNU Bourne-Again Shell (bash): bash is an enhanced version of sh, as the name suggests, with more features incorporated from other shells such as csh, ksh etc. For example, bash allows us to recall previously used commands and edit them with the help of the arrow keys. This is not possible in sh. 
However, as it has these extra features, it is slightly more resource-intensive than simpler shells.</li><li>Z Shell (zsh): zsh is a modern shell used by many professionals today. It is known for its robust interactive features, scripting capabilities, and extensive customization options. With zsh, you can have customized themes, enable auto-completion, do globbing and much more.</li></ol><p>Now let us see how to identify, in practice, the terminal and the shell/command language interpreter we have.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*GOEwUijnhmn3OkLi2sVLmA.png" /></figure><p>Although there are many ways to do this, you can easily figure out what shell you are running using the command <strong>echo $SHELL</strong> and what terminal type your emulator reports using <strong>echo $TERM</strong>.</p><h4>Types of Shells</h4><p>As discussed earlier, as a penetration tester or an ethical hacker you have compromised a system to its fullest if you’re able to interact with it remotely, thereby accessing the shell.</p><p>There are different ways to do this. For example, you can connect to a compromised system through network protocols like SSH or WinRM, which allow remote login. But these usually require credentials.</p><p>Getting a remote shell without having credentials is quite hard but still possible. This method is known as remote code execution. To achieve this, we must first learn the different types of shells:</p><ol><li><strong>Reverse Shell:</strong> A reverse shell is a type of shell where the target machine initiates the connection to the attacker’s machine. This is a commonly used attack technique to bypass firewall rules and network address translation (NAT) that might block incoming connections but allow outgoing connections. 
This is one of the quickest and easiest methods to obtain control over a compromised host.</li><li><strong>Bind Shell:</strong> A bind shell is a type of shell that listens on a specific port on the target machine, waiting for an incoming connection from the attacker’s machine. Once the connection is made, the attacker gains control over the target system. Unlike a reverse shell, which connects back to us (the attacker machine), here we intend to connect to the target machine’s listening port.</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Zu7Uoum9t1syzqMcTgC1Iw.png" /></figure><p>To understand more about the workings of reverse/bind shells and the commands used to establish these shells across different OS variants, I strongly urge you to check out my guide: <a href="https://thebinarybot.gumroad.com/l/shellsexplained">https://thebinarybot.gumroad.com/l/shellsexplained</a></p><p>The entire guide contains much more information compared to this blog. You will also get to learn more about tools used to set up shells, how to stabilize shells and also about additional shell types such as web shells. All of this knowledge is for just $2.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*HMoQOh944z72LEAxmh1GwQ.png" /><figcaption>A small sneak peek — 1</figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*VW5FAbw4bjEnCI100Bl8nQ.png" /><figcaption>A small sneak peek — 2</figcaption></figure><h4>Support</h4><p>I have been creating content related to Cybersecurity/Bug Bounty Hunting for a while now. 
Although not necessary, it would mean the world to me if you decide to support me by <strong>buying me a book</strong> <a href="https://www.buymeacoffee.com/thebinarybot">here</a>.</p><p>This would not just help me but also the community, as I will be able to create more quality content the more I read.</p><p>Kindly share this post with your friends who could benefit, and please clap too!</p><h4>Contact</h4><p>Twitter: <a href="https://x.com/thebinarybot">https://x.com/thebinarybot</a><br>Discord: thebinarybot</p><p>Cheers 🍻</p><hr><p><a href="https://infosecwriteups.com/thebinarybots-guide-to-shells-3acc78c59b6f">Thebinarybot’s Guide to Shells ❤</a> was originally published in <a href="https://infosecwriteups.com">InfoSec Write-ups</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Bug Bounty / Cybersecurity Resource Management Guide]]></title>
            <link>https://thebinarybot.medium.com/bug-bounty-cybersecurity-resource-management-guide-ef415b7052ed?source=rss-b28e3e1c3f63------2</link>
            <guid isPermaLink="false">https://medium.com/p/ef415b7052ed</guid>
            <category><![CDATA[management]]></category>
            <category><![CDATA[information-security]]></category>
            <category><![CDATA[bug-bounty]]></category>
            <category><![CDATA[hacking]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[Nithin R]]></dc:creator>
            <pubDate>Wed, 02 Nov 2022 13:36:35 GMT</pubDate>
            <atom:updated>2022-11-02T13:36:35.166Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*zyLFBBvTLdmwmfhzB6d9Hw.png" /></figure><h4>whoami</h4><p>Hello, this is Nithin here. I’m a security researcher / enthusiast and I go by the handle <a href="https://hacklido.com/u/thebinarybot">@thebinarybot</a> at most of the places online.</p><h4>cat whatsthisarticleabout.txt</h4><p>One of the most underrated and often ignored skills in bug bounty is managing all your resources. This includes everything from keeping a close eye on your target, taking notes and keeping yourself up to date with whatever is happening in the community. In this article, I aspire to share with you the common tools and strategies I use to manage my resources when it comes to bug bounties.</p><h4>1. Community</h4><blockquote><em>Twitter is a gamechanger and TweetDeck is Twitter on steroids.</em></blockquote><p>Back when I started in bug bounties I didn’t know or understand the importance of community. I never used to ask for help. Maybe one of the reasons for that was that I was shy of what others would think of me. But since joining Twitter, my idea of how it all works has changed. I received input from strangers, exchanged ideas and also found new friends.</p><p>Apart from these, Twitter is also the best place to keep an eye on the target you’re testing. Given that almost every organization has a Twitter account and tweets its updates and newly released features, you should consider following your target organization and looking out for freshly populated areas to attack.</p><p>Coming to TweetDeck, I wasn’t lying when I said TweetDeck is Twitter on steroids. It really feels that way because TweetDeck lets you monitor multiple tags, users, organizations etc. 
in one single page.</p><p>I personally like to keep an eye on my target, newly released CVEs and a couple of popular bug bounty tags such as #bugbounty &amp; #bugbountytips all in one page using TweetDeck.</p><p>I would also strongly suggest you use Discord and be a part of major Discord servers such as NahamSec’s server, HackerOne, BugCrowd, TryHackMe and HackTheBox. Be a part of whatever interests you.</p><h4>2. Note Taking</h4><p>I have stressed the importance of note taking many times and I do so once again here.</p><p>Note taking is painful but extremely important. I’ve always found it hard to start, but once I start everything just falls into place. So the obvious question is: what note taking application do I use?</p><p>To me, it’s a mixture of tools for different purposes once again. I do not have one all-purpose tool and don’t think I ever will. So, here’s a list of tools I use and how I use them.</p><ul><li>Notion: I primarily use Notion as my knowledge bank. Any time I learn something new, I like to take notes and keep them updated in Notion. This includes conference notes, deep-dive vulnerability analysis and much more. It is also super helpful to me as a creator, as sometimes I feel like giving out some of my notes and templates to the community.</li><li>OneNote: If you think OneNote is dead, I feel for you. OneNote has been my lightweight go-to application to just randomly jot down everything I am testing and have to test after choosing a target. I have a notebook named BugBountyTargets and every section in this notebook belongs to a target I am testing. I segregate a section into different pages such as recon intel, interesting endpoints and much more.</li><li>XMind: XMind is another brilliant tool that has worked magic. All of my extensive notes go in OneNote and all of my lightweight testing strategies go into XMind. I create mind maps to have a large-scale picture of my target and the items I would like to test.</li></ul><h4>3. 
RSS Feeds</h4><p>Keeping up to date with what is happening is crucial if you’ve chosen Cybersecurity. You always have to keep yourself updated, and one way to do that effectively is by reading blogs and writeups. You can take the pain and check each popular blog one by one, or you can be smart by pulling all the RSS feeds of your favourite blogs and reading them all in one place. That one place for me is an app called “Inoreader”. I chose this app as it works best for me, but you can do a quick Google search and play around with different RSS feed apps before settling on one.</p><p>I recently wrote a thread on my favourite blogs to keep oneself updated. You can find it <a href="https://twitter.com/thebinarybot/status/1586215065719656448">here</a>.</p><h4>4. Books</h4><p>Books have helped me widen my knowledge and shape my perspectives. I read a wide variety of books such as fiction, travelogues, self-help, technical etc. And obviously, once again, the challenge is to keep them all in one place and also make sure that it is possible to quickly retrieve any information that I need. I recently started using Apple Books to tackle this issue as it helps me easily annotate and look up any information I need. But it is understandable if you don’t use Apple. Prior to Apple Books, I was using an app called SumatraPDF on Windows. This app is super lightweight and helps you annotate and organize easily. I would highly recommend it.</p><p>If you are looking for books to read in the context of bug bounty, find my thread on the same <a href="https://twitter.com/thebinarybot/status/1554884842999136257">here</a>.</p><h4>5. Newsletters</h4><p>In addition to blog posts, I also subscribe to quite a bunch of newsletters to keep myself updated. Sometimes all you need is a weekly overview of everything that’s happened in the bug bounty / infosec space, and newsletters are the best for this purpose.</p><p>Wondering what newsletters to subscribe to? 
Check out this thread on my favourite newsletters <a href="https://twitter.com/thebinarybot/status/1564952680547614722">here</a>.</p><h4>Bonus</h4><p>If you are a fan of watching video content, YouTube and Twitch are the places to go. <a href="https://twitter.com/thebinarybot/status/1581998758526521350">Here</a>’s a list of <a href="https://twitter.com/thebinarybot/status/1581998758526521350">50 YouTube channels</a> you can follow to upskill in Cybersecurity / Bug Bounty.</p><p>Ideally, I would create a Notion database to keep track of all the videos I watch as well and take notes simultaneously.</p><h3>Support</h3><p>I have been creating content related to Cybersecurity / Bug Bounty Hunting for a while now. Although not necessary, it would mean the world to me if you decide to support me by <strong>buying me a book</strong> <a href="https://www.buymeacoffee.com/thebinarybot">here</a>.</p><p>This would not just help me but also the community, as I will be able to create more quality content the more I read.</p><p>Cheers ;”)</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[3 DOs and DON’Ts when starting in Bug Bounty]]></title>
            <link>https://thebinarybot.medium.com/3-dos-and-donts-when-starting-in-bug-bounty-cbdf3e74b7de?source=rss-b28e3e1c3f63------2</link>
            <guid isPermaLink="false">https://medium.com/p/cbdf3e74b7de</guid>
            <dc:creator><![CDATA[Nithin R]]></dc:creator>
            <pubDate>Sat, 29 Oct 2022 09:29:25 GMT</pubDate>
            <atom:updated>2022-10-29T09:29:25.217Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*wCWd-CLB5dPbXbBURmiZVQ.png" /></figure><h3>whoami</h3><p>Hello, this is Nithin here. I’m a security researcher / enthusiast and I go by the handle <a href="https://twitter.com/thebinarybot">@thebinarybot</a> at most of the places online.</p><h3>cat whatsthisarticleabout.txt</h3><p>In this article, I’m going to cover the DOs and DON’Ts when starting in Bug Bounty. As the title hints, this article is aimed at beginners who’re just venturing into this field.</p><h4>DOs</h4><ol><li>When it comes to bug bounties, you would mostly start with web application hacking to earn $$$$. Given that you’re starting with web application hacking, you are highly expected to know the basics of how web applications and the internet function to make the most out of your hacking journey. Of course, you can just use payloads crafted by others and spray them on all parameters, but that’s not going to do any good in the long term, let alone the short term. If you ask me where you can learn the basics, I would shamelessly ask you to visit my blog where I have covered almost everything you need to know before getting started. Check out the basics <a href="https://security.thebotsite.me/bug-bounty-hunting/basics">here.</a></li><li>Now that you know the basics, you need to have a wider understanding of how everything connects together. Loosely speaking, it is actually okay if you just know the OWASP Top 10 and choose an easy-to-hunt vulnerability class like IDOR or authentication vulnerabilities. But if you just look for one type of vulnerability you might miss out on others that still exist. Ideally, it is best to develop a hacker mindset and question the platform you’re hunting on. If there’s a profile picture upload functionality, ask yourself what’s going to happen if I upload anything other than a picture. Ask yourself whether others can see my profile picture despite the visibility being set to private. 
Basically, ask yourself a lot of questions and experiment a lot. This way, you’ll develop a mindset about the entire application you’re testing, which will definitely help you in the long run.</li><li>Okay, now that we have all the knowledge required, we need to understand which platform to choose to hunt on. When starting, I was under the impression that a small-scope program would not have a lot of people testing it and that I could find bugs. But that’s a big misconception. If you wish to know how to choose a proper program to hunt on, click <a href="https://twitter.com/thebinarybot/status/1559171143390695424">here.</a></li></ol><h4>DON’Ts</h4><ol><li>Do not ever report a finding from a scanner without verifying it and proving an impact. Copy-pasting scanner text will irritate the triager and is definitely not something you’d get away with.</li><li>Do not spray and pray; rather, spray at the prey. What I mean to say is, don’t just blindly do things because anything can be vulnerable. It is true, anything can be vulnerable, but if you choose your prey (i.e. a weak spot such as an oddly named parameter, a seemingly insecure endpoint etc.) and hunt on it, then your chances of getting that first bounty are huge.</li><li>Do not expect a reward for every report that you submit. I have this mindset where I assume that, 99% of the time, this report is going to be a duplicate and I won’t make anything. This is a counter-intuitive process to make me hack more and not just sit and wait for the triager to respond on my report status.</li></ol><h3>Support</h3><p>I have been creating content related to Cybersecurity / Bug Bounty Hunting for a while now. Although not necessary, it would mean the world to me if you decide to support me by buying me a book <a href="https://www.buymeacoffee.com/thebinarybot">here</a>. 
This would not just help me but also the community, as I will be able to create more quality content the more I read.</p><p>Cheers ;”)</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[TryHackMe — Steel Mountain | CTF | Beginner Friendly Walkthrough]]></title>
            <link>https://thebinarybot.medium.com/tryhackme-steel-mountain-ctf-beginner-friendly-walkthrough-745497d29cf5?source=rss-b28e3e1c3f63------2</link>
            <guid isPermaLink="false">https://medium.com/p/745497d29cf5</guid>
            <category><![CDATA[ctf]]></category>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[tryhackme-writeup]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[ctf-writeup]]></category>
            <dc:creator><![CDATA[Nithin R]]></dc:creator>
            <pubDate>Fri, 06 Aug 2021 11:06:27 GMT</pubDate>
            <atom:updated>2021-08-06T11:06:27.053Z</atom:updated>
            <content:encoded><![CDATA[<h3>TryHackMe — Steel Mountain | CTF | Beginner Friendly Walkthrough</h3><p>Hello, this is Nithin here. I’m a security researcher / enthusiast and I go by the handle @thebinarybot at most of the places online.</p><p>Steel Mountain is a CTF room at TryHackMe which is based on the popular TV series Mr. Robot and is a Windows-themed room. It’s quite an easy CTF and here’s a write-up on how I solved it.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/300/0*AgfQh8CQ6jSIl0MW.jpeg" /></figure><p>1. <strong>Deploy the Machine</strong></p><p>Q1. Who is the employee of the month?</p><p>First, let’s do a basic Nmap scan.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*s7lmRkJgdz4XMb1h_S-xXA.png" /></figure><p>There are quite a bunch of open ports. Upon visiting port 80, I got this.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*VR4smLXVYvuVwiSKeOT5WQ.png" /></figure><p>But the name isn’t available. So I opened the image in a new tab and the name of the employee was there in the URL.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/987/1*26aMtNetDFmsYiS2UBCOog.png" /></figure><p>Ans : Bill Harper</p><p>2. <strong>Initial Access</strong></p><p>Q1. Scan the machine with nmap. What is the other port running a web server on?</p><p>Having completed the scan previously, I knew port 8080’s service is HTTP.</p><p>Ans : 8080</p><p>Q2. Take a look at the other web server. What file server is running?</p><p>Connecting to IP:8080 and hovering over the HttpFileServer link, I was able to see that it points to rejetto.com</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/948/1*nxqwbUeGMW3lwUFDFUMVyg.png" /></figure><p>Ans : Rejetto Http File Server</p><p>Q3. What is the CVE number to exploit this file server?</p><p>From the Nmap scan, I came to know that the HttpFileServer version is 2.3. 
Hence, looking it up in Exploit-DB, I got this.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/988/1*kdGQz2ZRIKxXz3GWuyL_2Q.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*P5KU9Ie1-K6G1ffHb83_NA.png" /></figure><p>Ans : 2014-6287</p><p>Q4. Use Metasploit to get an initial shell. What is the user flag?</p><p>Launching Metasploit and then searching for the CVE.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*qK2iY7W3Hex0itO84DhEpw.png" /></figure><p>Setting the necessary options and running the exploit.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Pc3D3Ae2xDFiksr-4KiTGA.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/946/1*J4IqwmkKP8p_naixKmfR7A.png" /></figure><p>But upon running the exploit for the first time, I wasn’t able to create a session.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1021/1*uxg340-N03hlvbHir_o5DQ.png" /></figure><p>Then I made sure to set LHOST to the same IP as SRVHOST; it worked and gave me a meterpreter shell.</p><p>Checking bill’s directory,</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*rcfAHRC2SMBpKxBRhKPE_w.png" /></figure><p>Checking bill’s desktop and obtaining the flag.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/894/1*5gv6JWBIaVCXl5N6jT13qA.png" /></figure><p>Ans : b04763b6fcf51fcd7c13abc7db4fd365</p><p>3. <strong>Privilege Escalation</strong></p><p>Uploading the PowerUp.ps1 script and loading PowerShell,</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*DS40965U8mJzbW4voqUX3A.png" /><figcaption>Find the PowerUp.ps1 script <a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1">here</a></figcaption></figure><p>Running PowerUp.ps1,</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*LHgL_e9GPLzuxAwtaU8fJA.png" /></figure><p>Q1. 
Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an <em>unquoted service path</em> vulnerability?</p><p>Ans : AdvancedSystemCareService9</p><p>Q2. What is the root flag?</p><p>Since CanRestart is set to True, I tried to restart the service after replacing the legitimate binary with a malicious one to obtain root. (This was possible since the application’s directory is writable.)</p><p>Using msfvenom to create a reverse shell,</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/900/1*2-icKaiSLVRLRt8imDNcvg.png" /></figure><p>Then, I uploaded my executable.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*kCmC718Slr1-k-w1HiPBog.png" /></figure><p>Now, starting the handler as a background job.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*P1IqjDYXLBwhsf3801wp8Q.png" /></figure><p>Now, restart AdvancedSystemCareService9 using sc stop/start AdvancedSystemCareService9, then background the current session, connect to the elevated session and obtain the flag.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[TryHackMe — Kenobi | CTF | Beginner Friendly Walkthrough]]></title>
            <link>https://thebinarybot.medium.com/tryhackme-kenobi-ctf-beginner-friendly-walkthrough-bd8b737afb77?source=rss-b28e3e1c3f63------2</link>
            <guid isPermaLink="false">https://medium.com/p/bd8b737afb77</guid>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[ctf-writeup]]></category>
            <category><![CDATA[tryhackme-writeup]]></category>
            <category><![CDATA[bug-bounty]]></category>
            <dc:creator><![CDATA[Nithin R]]></dc:creator>
            <pubDate>Thu, 05 Aug 2021 19:19:04 GMT</pubDate>
            <atom:updated>2021-08-05T19:19:04.200Z</atom:updated>
            <content:encoded><![CDATA[<h3>TryHackMe — Kenobi | CTF | Beginner Friendly Walkthrough</h3><p>Hello, this is Nithin here. I’m a security researcher / enthusiast and I go by the handle @thebinarybot at most of the places online.</p><p>Kenobi is quite an easy CTF room at TryHackMe. Here’s my write-up on how I solved this room.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/512/0*tSVECuNC2oKGQjpi.png" /></figure><p>1. <strong>Deploy the vulnerable machine</strong></p><p>Q1. Make sure you&#39;re connected to our network and deploy the machine</p><p><em>(No answer needed)</em></p><p>Q2. Scan the machine with nmap, how many ports are open?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/731/1*POGV0M_uRCmXdTv7qiA9KA.png" /><figcaption>Sometimes, you just don’t need any switches :)</figcaption></figure><p>Ans : 7</p><p>2. <strong>Enumerating Samba for shares</strong></p><p>Q1. Using the nmap command above, how many shares have been found?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/901/1*pHLeQ9raffhg7F3lfvZPVA.png" /></figure><p>Ans : 3</p><p>Q2. Once you’re connected, list the files on the share. What file can you see?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/676/1*tK6C6JsQI6KD4jiQU1qOqw.png" /></figure><p>Ans : log.txt</p><p>Q3. What port is FTP running on?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1014/1*wxRjaCJiilfXi-z-ojvIYQ.png" /></figure><p>Ans : 21</p><p>Q4. What mount can we see?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/711/1*P2ds0knO_9iFlUt9p3D8Ew.png" /></figure><p>Ans : /var</p><p>3. <strong>Gain initial access with ProFtpd</strong></p><p>Q1. Let’s get the version of ProFtpd. Use netcat to connect to the machine on the FTP port. What is the version?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/641/1*HxKT_sc8zEPzzkAVrKxvBQ.png" /></figure><p>Ans : 1.3.5</p><p>Q2. 
How many exploits are there for the ProFTPd running?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*99d7vdieptUPez31RmY-Dg.png" /></figure><p>Ans : 4</p><p>Q3. We know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user.</p><p><em>(No answer needed)</em></p><p>The mod_copy exploit allows us to copy files from any part of the filesystem to a chosen destination.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/664/1*L5eK_Ikf1OoHnkInUvWB_A.png" /></figure><p>Q4. We knew that the /var directory was a mount we could see (task 2, question 4). So we’ve now moved Kenobi’s private key to the /var/tmp directory.</p><p><em>(No answer needed)</em></p><p>Q5. What is Kenobi’s user flag (/home/kenobi/user.txt)?</p><p>Now, since we’ve copied the file to /var/tmp, let’s try to mount that directory on our local machine.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*qU861wsRi6ebcXGKlQifNg.png" /></figure><p>Copy the id_rsa file to your location, chmod 600 it and then ssh into kenobi using the private key obtained.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*mEc0iBbD17bBypTrTfXDNg.png" /></figure><p>Ans : d0b0f3f53b6caa532a83915e19224899</p><p>4. <strong>Privilege Escalation with Path Variable Manipulation</strong></p><p>Q1. What file looks particularly out of the ordinary?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/795/1*vhDNo2XRpmnF6r7VL8DRTA.png" /><figcaption>find / -perm -u=s -type f 2&gt;/dev/null (Use this to find all SUID files)</figcaption></figure><p>Ans : /usr/bin/menu</p><p>Q2. Run the binary, how many options appear?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/631/1*rGlOxkl8g4JoOJCfcgncrg.png" /></figure><p>Ans : 3</p><p>Q3. 
What is the root flag (/root/root.txt)?</p><p>Checking strings on /usr/bin/menu, we can see that the binary calls other commands without their full paths.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/697/1*58YoWABZg9dPt2HNLiGLZw.png" /></figure><p>Also, since it runs with root privileges, let’s try to manipulate the PATH to gain root.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/854/1*EJL6uuzY5VBH31Sed_g0vw.png" /></figure><p>Ans : 177b3cd8562289f37382721c28381f02</p><p>Feel free to contact me at @thebinarybot on Twitter if you feel there’s any correction(s) to be made in this article or for help to solve this room. Cheers :)</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[TryHackMe — Basic Pentesting | CTF | Beginner Friendly Walkthrough]]></title>
            <link>https://thebinarybot.medium.com/tryhackme-basic-pentesting-ctf-beginner-friendly-walkthrough-320f8519fbb4?source=rss-b28e3e1c3f63------2</link>
            <guid isPermaLink="false">https://medium.com/p/320f8519fbb4</guid>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[ctf]]></category>
            <category><![CDATA[bug-bounty]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[ctf-writeup]]></category>
            <dc:creator><![CDATA[Nithin R]]></dc:creator>
            <pubDate>Thu, 05 Aug 2021 13:03:18 GMT</pubDate>
            <atom:updated>2021-08-06T07:12:16.254Z</atom:updated>
            <content:encoded><![CDATA[<h3>TryHackMe — Basic Pentesting | CTF | Beginner Friendly Walkthrough</h3><p>Hello, this is Nithin here. I’m a security researcher / enthusiast and I go by the handle @thebinarybot at most of the places online.</p><p>Basic Pentesting is a very beginner friendly CTF at TryHackMe. Here’s my write-up on how I solved this room.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/250/0*IoUHVrHpPTvCxKAK.png" /><figcaption>Source : <a href="https://tryhackme.com/room/basicpentestingjt">tryhackme.com</a></figcaption></figure><ol><li><strong>Web App Testing and Privilege Escalation</strong></li></ol><p>Q1. Deploy the machine and connect to our network</p><p><em>(No answer needed)</em></p><p>Q2. Find the services exposed by the machine</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*c7j1F5HrDgmsoXfj5Q2YZA.png" /></figure><p><em>(No answer needed)</em></p><p>Q3. What is the name of the hidden directory on the web server (enter name without /)?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/818/1*O2lCovtSk7H2HJtI20wx5w.png" /></figure><p>Ans : development</p><p>Q4. Use brute-forcing to find the username &amp; password</p><p><em>(No answer needed)</em></p><p>Q5. What is the username?</p><p>We know SMB is open on ports 139 and 445, so I tried those two ports to check for usernames.</p><p>I used enum4linux for this purpose. One can download the tool <a href="https://github.com/CiscoCXSecurity/enum4linux">here</a>.</p><p>Upon performing a scan, I got the below results.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/763/1*oUmnqzKbV89mPNP7p3ya0g.png" /><figcaption>./enum4linux -a IP</figcaption></figure><p>Ans : jan</p><p>Q6. 
What is the password?</p><p>For this task, I used hydra to do a brute-force with rockyou.txt and got the below result.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*_W7-t0BDJIPguGdAT0lO0g.png" /></figure><p>Ans : armando</p><p>Q7. What service do you use to access the server (answer in abbreviation in all caps)?</p><p>Ans : ssh</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/867/1*_bQYV4kysdMJnDV9X3qS7A.png" /></figure><p>Q8. Enumerate the machine to find any vectors for privilege escalation</p><p><em>(No answer needed)</em></p><p>Q9. What is the name of the other user you found (all lower case)?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/798/1*ePEsaDgMzBKnYXTp61R8dw.png" /></figure><p>Just by enumerating, we found another user.</p><p>Ans : kay</p><p>Q10. If you have found another user, what can you do with this information?</p><p>pass.bak wasn’t readable, so maybe we can look into the .ssh folder and check whether there’s an id_rsa.</p><p><em>(No answer needed)</em></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/909/1*6hFg2MpQnYqufmQjghrcyw.png" /><figcaption>Copy paste this file to your local machine</figcaption></figure><p>Turns out there’s an id_rsa and it’s readable. We can copy this file to our local machine and then use ssh2john to get the hash.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*k8GkA8ryi1Q4RbRo6v8ZcA.png" /></figure><p>Once done, we can use john to crack the hash.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*umVB1MNFMIbdRtGQr2ANCg.png" /></figure><p>Q11. What is the final password you obtain?</p><p>To find this, we need to log in to kay’s account and read pass.bak.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/818/1*7xCon89zmNE4jWwJw9mLNg.png" /></figure><p>But accessing kay’s account from the local machine wasn’t possible. 
So I tried to log in to kay’s account from jan’s account.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/745/1*664ANIE0BO0gvw-q--r3lw.png" /></figure><p>And, voilà.</p><p>Ans : heresareallystrongpasswordthatfollowsthepasswordpolicy</p><p>Feel free to contact me at @thebinarybot on Twitter if you feel there’s any correction(s) to be made in this article or for help to solve this room. Cheers :)</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[TryHackMe — Vulnversity | CTF | Beginner Friendly Walkthrough]]></title>
            <link>https://thebinarybot.medium.com/tryhackme-vulnversity-ctf-beginner-friendly-walkthrough-357cafc6a46d?source=rss-b28e3e1c3f63------2</link>
            <guid isPermaLink="false">https://medium.com/p/357cafc6a46d</guid>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[ctf]]></category>
            <category><![CDATA[ctf-writeup]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[bug-bounty]]></category>
            <dc:creator><![CDATA[Nithin R]]></dc:creator>
            <pubDate>Wed, 04 Aug 2021 18:39:24 GMT</pubDate>
            <atom:updated>2021-08-04T18:39:24.834Z</atom:updated>
            <content:encoded><![CDATA[<h3>TryHackMe — Vulnversity | CTF | Beginner Friendly Walkthrough</h3><p>Hello, this is Nithin here. I’m a security researcher / enthusiast and I go by the handle @thebinarybot at most of the places online.</p><p>Vulnversity is an easy and beginner friendly CTF at TryHackMe. Here’s my write-up on how I solved this room.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/800/0*5iP1Re426v6_Fn7-.png" /></figure><ol><li><strong>Deploy the machine</strong></li><li><strong>Reconnaissance</strong></li></ol><p>In any CTF challenge, the usual first step is basic recon using Nmap. Here’s how I did my Nmap scan.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*v8R8fl75DLNOuxeOzvsTHw.png" /><figcaption>nmap -sV -A -Pn -v IP</figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*3J9ybEI7R_oqO73ptZb60Q.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*KWSZuVKRr3nTMLyIIprO2A.png" /></figure><p>Switches and their meanings:</p><ul><li>-sV : Used to determine the version of the services running</li><li>-A : Aggressive scan which enables OS and version detection. It also executes in-built scripts for further enumeration.</li><li>-Pn : Used to disable host discovery and just scan for open ports</li><li>-v : Verbose output</li></ul><p>Q1. Scan the box, how many ports are open?</p><p>Ans : 6</p><p>Q2. What version of the squid proxy is running on the machine?</p><p>Ans : 3.5.12</p><p><em>(Check Port 3128)</em></p><p>Q3. How many ports will nmap scan if the flag <strong>-p-400 </strong>was used?</p><p>Ans : 400</p><p><em>(Trivial)</em></p><p>Q4. Using the nmap flag <strong>-n</strong> what will it not resolve?</p><p>Ans : DNS</p><p>Q5. What is the most likely operating system this machine is running?</p><p>Ans : Ubuntu</p><p><em>(Check Port 22)</em></p><p>Q6. 
What port is the web server running on?</p><p>Ans : 3333</p><p><em>(Look for Host: VULNVERSITY in your Nmap scan result)</em></p><p>3. <strong>Locating directories using GoBuster:</strong></p><p>My scan results:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*10376WmkY9A7B1vWWsaQUg.png" /><figcaption>gobuster dir -u <a href="http://ip:port">http://ip:port</a> -w wordlist.txt</figcaption></figure><p>Q1. What is the directory that has an upload form page?</p><p>Ans : internal/</p><p>4. <strong>Compromise the webserver</strong></p><p>First proxy your connection using Burp, and visit IP:3333/internal where you’ll have the ability to upload a file.</p><p>Q1. Try upload a few file types to the server, what common extension seems to be blocked?</p><p>Ans : .php</p><p>Q2. Run this attack, what extension is allowed?</p><p>Ans : .phtml</p><p>After uploading the reverse shell and listening using netcat on the specified port,</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Eb15kczYXN4vICEW68CmfA.png" /><figcaption>Reverse shell in execution</figcaption></figure><p>Q3. What is the name of the user who manages the webserver?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*LK6m82cZyV4Td_la8MZwUQ.png" /></figure><p>Ans : bill</p><p>Q4. What is the user flag?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*VgOF8eaRRzQwhCL6D-qPGQ.png" /></figure><p>Ans : 8bd7992fbe8a6ad22a63361004cfcedb</p><p>5. <strong>Privilege Escalation</strong></p><p>This part is the most interesting and challenging part of this entire room. I’ll try to explain it as clearly as I can.</p><p>Q1. On the system, search for all SUID files. 
What file stands out?</p><p>To find this, run “find / -user root -perm -4000 -exec ls -ldb {} \;”</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*-SI4acAXOz4QbJtImnmgaA.png" /></figure><p>Upon executing the above command, you’ll be able to see /bin/mount, /bin/ping … etc. as SUID files; however, /bin/systemctl is the one that looks worth checking, and that’s the answer for this question.</p><p>Ans : /bin/systemctl</p><p>Q2. Become root and get the last flag (/root/root.txt)</p><p>Now this is going to be quite a long run.</p><p>First, what is systemctl?</p><blockquote>The systemctl command is a utility which is responsible for examining and controlling the systemd system and service manager — www.liquidweb.com</blockquote><p>Knowing that /bin/systemctl is a SUID file, the first place to check for a potential escalation is gtfobins. So I ended up visiting <a href="https://gtfobins.github.io/gtfobins/systemctl/">https://gtfobins.github.io/gtfobins/systemctl/</a></p><p>By default systemctl will search for unit files in <strong>/etc/system/systemd, </strong>but since we don’t have access to the paths that are owned by root, we’ll try to create our own.</p><p>This can be done by creating an environment variable, then creating a service (unit) file and assigning it to the environment variable we created.</p><p>First, creating an environment variable,</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/281/1*Z1iBBSaNTFKYeLLrMckvdA.png" /><figcaption>Create environment variable named prvesc</figcaption></figure><p>The above command basically creates an environment variable called prvesc (you can give it whatever name you want) and calls the mktemp command to create a temporary file to be used as a systemd service unit file.</p><p>Next, we need to create a service which reads the root.txt file and redirects it to /tmp, from where we can read it.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*6Viu2awV9Y7wx_pTLH53bw.png" /><figcaption>Create service 
which reads /root/root.txt and redirects it to /tmp/output</figcaption></figure><p>The above command does the following:</p><ul><li>echo ‘[Service]<br>&gt; ExecStart=/bin/sh -c “cat /root/root.txt &gt; /tmp/output”</li></ul><p>This tells the service that when it starts, it should read the contents of /root/root.txt and redirect the output to /tmp/output</p><ul><li>[Install]<br>&gt; WantedBy=multi-user.target’ &gt; $prvesc</li></ul><p>This sets the run level and redirects the whole unit file into the file named by the environment variable we created.</p><p>Now we need to link the unit file to systemctl in such a way that it is available to systemctl commands no matter what path it is in.</p><p>That can be done by executing,</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/767/1*U2_yyZTjhPC2iYgPwsz81Q.png" /></figure><p>Once the symlink is created, we need to enable this service and the required output will be available at /tmp/output. That can be done by executing the below command.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/996/1*UaQXCErREBawIx8Pr17Xhg.png" /></figure><p>Now we need to read /tmp/output to retrieve the flag.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*eNjLXb3FF22yEQalCR1f6A.png" /></figure><p>Ans : a58ff8579f0a9270368d33a9966c7fd5</p><p>Overall, this is everything I did.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*QTe_Y1pxlE_W8C7u_HXiQw.png" /><figcaption>Privilege Escalation</figcaption></figure><p>Feel free to contact me at @thebinarybot on Twitter if you feel there’s any correction(s) to be made in this article or for help to solve this room. Cheers :)</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[TryHackMe — Pickle Rick | CTF | Beginner friendly Walkthrough]]></title>
            <link>https://thebinarybot.medium.com/tryhackme-pickle-rick-ctf-beginner-friendly-walkthrough-7f6033c03aec?source=rss-b28e3e1c3f63------2</link>
            <guid isPermaLink="false">https://medium.com/p/7f6033c03aec</guid>
            <category><![CDATA[tryhackme-writeup]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[capture-the-flag]]></category>
            <dc:creator><![CDATA[Nithin R]]></dc:creator>
            <pubDate>Tue, 27 Jul 2021 18:51:03 GMT</pubDate>
            <atom:updated>2021-07-30T09:59:29.759Z</atom:updated>
            <content:encoded><![CDATA[<h3>TryHackMe — Pickle Rick | CTF | Beginner Friendly Walkthrough</h3><p>Hello, this is Nithin here. I’m a security researcher / enthusiast and I go by the handle @thebinarybot at most of the places online.</p><p>Pickle Rick is quite an easy and beginner friendly CTF at TryHackMe. Here’s my write-up on how I solved this room.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/512/0*MaOPzXn-S8XNA8-l.jpeg" /></figure><ol><li><strong>Port Scan</strong></li></ol><p>A port scan is the first thing you should do to gain information about the attack surface. I use Nmap for this purpose.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*GH88YKIF867B-LwUY3oacQ.png" /></figure><p>I just did a basic nmap scan using “nmap -A -sV --top-ports 1000 TARGET_IP”</p><p>Upon running this scan, I was able to find that ports 22 and 80 were open, i.e. SSH and HTTP.</p><p>2. <strong>Web Server Check</strong></p><p>Since I knew HTTP was open, I visited <a href="http://TARGET_IP">http://TARGET_IP</a> and found this.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*FBe8czcRkmbkvmYRwsjwSg.png" /></figure><p>Checking the source code (Right Click -&gt; View Page Source), I found this.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*KHyafIYqusFuOv7EC03jBA.png" /></figure><p>At this point, I have another piece of information with me, which is the username.</p><p>3. 
<strong>Content Discovery</strong></p><p>After finding the username, I was looking for some password.txt or some file that has the password stored.</p><p>Hence, I ran gobuster for directories and files using the dirbuster-medium word-list that I use pretty much everywhere for content discovery.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*R-b3FduKj84e8Psw5Ti2bg.png" /><figcaption>The -x flag is used to provide extensions which will get appended at the end of each word in the wordlist.</figcaption></figure><p>I was able to find juicy information from the scan, and I first checked robots.txt, as robots.txt usually contains locations that aren’t supposed to be indexed.</p><p>Upon visiting <a href="http://TARGET_IP/robots.txt">http://TARGET_IP/robots.txt</a> I was able to find the below information.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*d0CkwCeRQmpUVDJnSBDfeA.png" /></figure><p>My instinct said this is the password and I quickly visited <a href="http://TARGET_IP/login.php">http://TARGET_IP/login.php</a> to test it out.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*rg8E_lFXA8fWsvluscLR2A.png" /></figure><p>And voilà, I got logged in.</p><p>Now since there’s something called Command Panel, I wanted to test various commands and see if I could pull off something.</p><p>4. <strong>Flag 1</strong></p><p>First, I ran ls to see what files are listed.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*mmzFlY66PsK-NS8vLTHBEA.png" /></figure><p>Ran “cat Sup3rS3cretPickl3Ingred.txt”, and I got this.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*QIrDEutkkhsME0UvJWWKiA.png" /></figure><p>Tried running head and tail, but they didn’t work either. At last, I tried running “less Sup3rS3cretPickl3Ingred.txt” and I got the first flag.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*oZIEl1l6-DhZjOPGgAr3kw.png" /></figure><p>Flag 1 : mr. 
meeseek hair</p><p>5. <strong>Flag 2</strong></p><p>I had quite a lot of information in hand. I had the /assets folder which I wanted to check, and I had clue.txt which I wanted to check as well. I first checked clue.txt using the same less command and got this.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*rTyA5D54adAZBW9CSFlRQw.png" /></figure><p>Now I knew I had to check the file system. I first ran ls /home, to which I got this below.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*WP3nBmVSM9B6qw3wANkSig.png" /></figure><p>Navigating inside rick, I was able to find an entry named “second ingredients”. Inside that folder, there was a file named “/home/rick/second ingredients” without any extension.</p><p>So I ran file FILENAME to see what the file type was.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*FJ7M0TVq2zavTHinU22BFQ.png" /></figure><p>Knowing that it is a text file, I ran “less FILENAME” and got the second flag.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*JhGh5ZwbT7IW7SLKu4-y5A.png" /></figure><p>Flag 2 : 1 jerry tear</p><p>6. <strong>Flag 3</strong></p><p>I checked the /assets directory, but couldn’t find anything interesting there.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*9UM7lNVw2iHc7KY6OmaTWA.png" /></figure><p>I tried checking ls /home/ubuntu instead of ls /home/rick but that didn’t result in anything. Moving a step back I checked “ls /”, to which I got this.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*rWMsy_5wbHmxahtx74E04w.png" /></figure><p>There obviously is a root directory and I wanted to check it, but “ls /root” didn’t work. 
So I tried running it with escalated privileges using “sudo ls /root”, to which I got this.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*W3r5NoqiFqILbDHgRWrkwg.png" /></figure><p>Now running “sudo less /root/3rd.txt”, I got the final flag and solved this challenge.</p><p>Flag 3 : fleeb juice</p><p>Feel free to contact me at @thebinarybot on Twitter if you feel there’s any correction(s) to be made in this article or for help to solve this room. Cheers :)</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Understanding Docker with Pentester Academy for FREE]]></title>
            <link>https://thebinarybot.medium.com/understanding-docker-with-pentester-academy-for-free-7441c3f5b80c?source=rss-b28e3e1c3f63------2</link>
            <guid isPermaLink="false">https://medium.com/p/7441c3f5b80c</guid>
            <category><![CDATA[containers]]></category>
            <category><![CDATA[docker]]></category>
            <category><![CDATA[infosec]]></category>
            <category><![CDATA[application-development]]></category>
            <dc:creator><![CDATA[Nithin R]]></dc:creator>
            <pubDate>Sun, 25 Jul 2021 20:06:28 GMT</pubDate>
            <atom:updated>2021-07-25T20:06:28.638Z</atom:updated>
            <content:encoded><![CDATA[<p>Hello, this is Nithin here. I’m a security researcher / enthusiast and I go by the handle @thebinarybot at most of the places online.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/336/0*TLTOGGWfAt3sEruG.png" /></figure><p>“Docker” is a word that we all have come across and is quite a buzzword at the moment. But what exactly is Docker, and how do I test what it does?</p><p>I’ll help you answer the first part, but go register at Pentester Academy (<a href="https://www.pentesteracademy.com/">https://www.pentesteracademy.com/</a>) and continue reading this article to get the second part answered.</p><p><strong>What is Docker ?</strong></p><p>Before trying to understand what Docker is, let’s have a look at what issue Docker is trying to solve. Once you know what problem a particular software package is trying to solve, you’ll get a wider understanding of the package as well.</p><p>Whenever we try to create software applications, there are instances where the program I create works absolutely fine on my machine but wouldn’t work as expected when it’s uploaded to a server or tested on my friend’s machine. If you’re a developer you’d have come across this situation as well.</p><p>One of the reasons why this issue pops up is the difference in dependencies. Most software applications depend upon other packages to work. Simply put, those packages are called dependencies. You might have installed all the required dependencies on your machine but your friend wouldn’t have, and that most likely is why it doesn’t work on their computer.</p><p>Docker is a software application that solves the above-mentioned issue by creating containers. So essentially, once you create a container it stores your code, your dependencies, your configuration, the processes you’re running and many more necessary details. 
Once created, you can easily share this Docker image with your friend, who upon installing it need not go through any hassle of installing custom dependencies, modifying config files etc.</p><p><strong>Quick shout-out to Pentester Academy</strong></p><p>Pentester Academy is a company that teaches you pentesting practically. One of the best things about Pentester Academy is their browser-based laboratories. I’ve always liked learning things practically and testing them, and the labs in Pentester Academy provided a very hassle-free experience for exploring and maneuvering. Most of the labs are paid, but there are a couple of community (free) labs you can try out as well.</p><p><strong>Docker Lab at Pentester Academy</strong></p><p>The Docker Lab at Pentester Academy is completely free of cost and you can visit it at <a href="https://attackdefense.pentesteracademy.com/challengedetails?cid=1342">https://attackdefense.pentesteracademy.com/challengedetails?cid=1342</a>. The instructions for this laboratory are very straightforward. What’s even better is the availability of a detailed Lab Manual that can be downloaded free of cost. As the cherry on top of the cake, they also have a detailed video walkthrough for every lab session, which you can refer to if you get stuck at some point.</p><p>This particular Docker lab doesn’t have any task to complete as such; it is there to practise the commands.</p><p>Here are some of the basic things that you might want to try:</p><ol><li>Checking version using docker version</li></ol><p>The above command displays detailed version information for the application. Alternatively, you can also run another command to just display the version number.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*X518rN5eH520-YhOkfsclw.png" /></figure><p>2. Downloading image using docker pull</p><p>This command is used to pull a Docker image. 
Since Docker also provides a public registry (Docker Hub) from which images can be downloaded, this is easy.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/933/1*biadGHwFyt7B38eWSNKQzA.png" /></figure><p>Once you’ve pulled a couple of images, to list all the images, you can use “docker images”</p><p>3. Running in different modes</p><p>You can run Docker containers basically in two modes, the background mode and the interactive mode.</p><p>To run in background mode, use “docker run -dt name_of_the_image”</p><p>To run in interactive mode, use “docker run -it name_of_the_image”</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*wFjfo0NygFQO2kb3eJBh1g.png" /></figure><p>4. Inspecting a container</p><p>To inspect a running container, you need to know the container ID. To get the container ID you can run “docker ps”, which basically lists all running containers.</p><p>Once you have the container ID, you can run “docker inspect ID” to inspect the container</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*a5-GvC29C8xtR7tG6G2NNg.png" /></figure><p>5. Stopping a container</p><p>To start or stop a container, you need the container ID. Once you have the ID, you can run “docker stop ID”.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*KqWBu-XL_LqDTxw0pPDd5g.png" /></figure><p>These are some of the very basic commands you can test with Docker. The detailed walkthrough and Lab Manual provided by Pentester Academy will definitely teach you a lot about Docker. Do check them out.</p><p>If there’s any correction to be made in this article or to discuss anything security-related, feel free to contact me at @thebinarybot on Twitter. Have a great day !</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[The ultimate “ how to get started in cybersecurity ” question answered with TryHackMe]]></title>
            <link>https://thebinarybot.medium.com/the-ultimate-how-to-get-started-in-cybersecurity-question-answered-with-tryhackme-6c9d189e5f3c?source=rss-b28e3e1c3f63------2</link>
            <guid isPermaLink="false">https://medium.com/p/6c9d189e5f3c</guid>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[information-security]]></category>
            <category><![CDATA[capture-the-flag]]></category>
            <category><![CDATA[bug-bounty]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[Nithin R]]></dc:creator>
            <pubDate>Fri, 09 Jul 2021 17:30:44 GMT</pubDate>
            <atom:updated>2021-07-25T20:08:15.795Z</atom:updated>
            <content:encoded><![CDATA[<h3>The ultimate “ how to get started in cybersecurity ” answered with TryHackMe</h3><p>Hello, this is Nithin here. I’m an independent security researcher and I go by the handle of @thebinarybot in most of the places online.</p><p>I vaguely started my cybersecurity journey about a couple of months back and hoped to find myself a way to becoming something. The “something” wasn’t defined, nor the path. Although I never felt short of resources, I always asked myself if this is the correct path or what is the correct path to learn cybersecurity. When I started, I did what any beginner would do. I enrolled myself in numerous paid and free courses, installed Kali Linux in hopes of magically becoming a hacker overnight, started looking out for more courses in udemy, cybrary etc. I was intimidated by the amount of resources available online, started learning things here and there and ultimately ended up at a point where I had no clue of what I was doing and what I wanted to become.</p><p>If you’re a cybersecurity enthusiast and looking for a learning path, don’t worry, I’ve got you covered. I wish I knew this when I initially got started and I don’t want you to feel the same.</p><p>In this article, I’m going to talk about TryHackMe (THM), an online platform for learning cybersecurity, and how it helped me get started. Also, I’m not an ambassador of THM who’s trying to promote this platform but merely a student / learner who benefited from THM. Read the article completely to know how to win vouchers, which include OSCP exam vouchers worth $1000 and THM premium vouchers etc.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/824/0*D1z4MJwPDzD0K4kJ.png" /><figcaption>Check out TryHackMe at : <a href="https://tryhackme.com/signup?referrer=86748defa411">www.tryhackme.com</a></figcaption></figure><p><strong>What is TryHackMe ?</strong></p><p>TryHackMe, as I mentioned earlier, is an online platform to learn cybersecurity. 
It’s freemium, meaning you get to learn a lot of things for free but you have to subscribe monthly / annually to unlock certain premium content.</p><p><strong>What’s so compelling about TryHackMe ?</strong></p><p>The quality and the labs. Yes, the quality of content that TryHackMe produces is truly wonderful and, most importantly, they have hands-on practice laboratory sessions, which is exactly what I wanted.</p><p>TryHackMe has clear-cut learning paths such as the recently launched “Pre Security”, which teaches you the prerequisites of cybersecurity in order. The Pre Security learning path also tells you what paths you can explore once it is completed. These include the likes of “Cyber Defense” and “Offensive Pentesting”. Every learning path has study guides and labs which are together called Rooms. They are Capture-The-Flag themed simulated machines, where one’s task is to dig into the machine provided and obtain the flag (solution). Trust me, it’s so interesting. You can find further information about machines and their access at the website once you’ve signed up for free.</p><p><strong>What should I do now to get started ?</strong></p><p>All you have to do to get started is visit <a href="https://tryhackme.com/signup?referrer=86748defa411">www.tryhackme.com</a>. Once done, enroll yourself in the Pre Security path and start learning. 
It’s completely free, so why not give it a shot?</p><p>The Pre Security path covers a lot of topics such as “What is Networking”, “Intro to LAN”, “DNS in detail”, “Linux Fundamentals”, “Windows Fundamentals”, etc.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*5ORRqVzvDPAMvnHrbeE18w.png" /><figcaption>Check out the Pre Security learning path at: <a href="https://tryhackme.com/path/outline/presecurity">https://tryhackme.com/path/outline/presecurity</a></figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*xM7qSpEGlxIAW9LYc5zvcg.png" /><figcaption>On the left side, you have the learning material, and on the right side you have an attack box which can be deployed with a single mouse click</figcaption></figure><p>Upon completion of all the paths, you’ll also earn a certificate. But certain rooms in the learning path, such as “OSI Model”, are only available to those who have subscribed. You can enroll for free and check out the free content initially, and if you find it interesting and useful you can go ahead and subscribe.</p><p><strong>Pre Security learning path and tickets</strong></p><p>If you’re reading this before July 15, then you’re absolutely lucky. This is because, since the Pre Security path has been recently launched, THM is giving away prizes worth $5000+ which you can claim by collecting tickets. Upon grabbing 3 tickets of the same kind, you can redeem them. Some interesting tickets which you might not want to miss are OSCP exam vouchers worth up to $1000, 3-month THM premium vouchers, etc.</p><p>And to collect tickets, all you need to do is complete the Pre Security learning path. Yes, you get gifts for learning. 
Upon the completion of a task in the Pre Security learning path, you’ll be awarded a ticket.</p><p>— — — — — — — — — — — — — — — — — — — — — —</p><p>Thank you for reading this article.</p><p>Check out TryHackMe at: <a href="https://tryhackme.com/signup?referrer=86748defa411">www.tryhackme.com</a><br>Check out the Pre Security learning path at: <a href="https://tryhackme.com/path/outline/presecurity">https://tryhackme.com/path/outline/presecurity</a></p><p>Feel free to connect with me @thebinarybot on Twitter. Have a great day ahead and stay safe :)</p>]]></content:encoded>
        </item>
    </channel>
</rss>