Skip to main content

67 posts tagged with "cybersecurity"

View All Tags

The Watchtower: Anatomy of an Alert

Shubham
Cybersecurity Enthusiast

0x01: The Watchtower (SIEM Architecture)

Switching to the Blue Team, I spent time analyzing the SIEM (Security Information and Event Management).

There is a common misconception that a SIEM dashboard is an external tool or a third-party website we simply "check." In reality, a SIEM is the heartbeat of an organization's internal infrastructure. It acts as a massive funnel for data, operating in three distinct phases:

  1. Ingestion (The Collection): This is the raw feed. Every firewall, server, workstation, and even the ID card scanners at the front door send their logs to a central point. Without this centralization, you would have to manually log into 5,000 different computers to see what is happening.

  2. Normalization (The Translation): Logs are messy. A Windows server might say EventID: 4625, while a Linux server says Failed password for root. The SIEM’s job is to translate these different languages into a standard format (e.g., Authentication_Failure). This structure turns chaos into queryable data.

  3. Detection (The Logic): Once the data is structured, we apply logic rules. These aren't just simple keyword searches; they are correlations.
    Simple: "Alert if a user fails login 50 times."
    Complex: "Alert if a user logs in from New York, and then logs in from London 10 minutes later."

The Art of Triage

When one of these alerts fires, the job isn't just to "close the ticket." It triggers an Incident Response (IR) cycle. We have to become investigators immediately:

  • True vs. False Positive: Is this actually a hacker running nmap, or is it just a junior sysadmin who misconfigured a network scanner? Context is everything.
  • Contextual Analysis: We look at the metadata. Who is the Process User? If it's SYSTEM, that's bad. Which Host is affected? If it's LPT-HR-009 (Human Resources), they probably shouldn't be running PowerShell scripts at 2:00 AM.
  • Containment: If the threat is verified, we move to containment. We don't wait; we isolate the machine from the network to prevent lateral movement.

0x02: File Identity (Windows vs. Linux)

One of the most interesting alerts I analyzed involved a deceptive file named cats2025.mp4.exe. This highlights a fundamental difference in how operating systems establish "identity."

The Windows Deception

Windows relies heavily on file extensions to decide how to treat a file. It trusts the name, not the data.

  • The Trick: Attackers exploit the default Windows setting: "Hide extensions for known file types."
  • The Execution: An attacker names a virus cats2025.mp4.exe. Because Windows sees .exe as a "known" type, it hides it. The user only sees cats2025.mp4 and thinks it is a video.
  • The Reality: The icon might look like a video player, but the Operating System sees an executable. One double-click, and the payload runs.

The Linux Architecture

Linux (and by extension, ELF binaries) operates on a "trust but verify" model. It generally ignores extensions entirely.

  • Magic Bytes: Instead of reading the name, Linux reads the file header—the specific hexadecimal signature at the very start of the file.
    • An ELF binary (Linux program) always starts with the bytes 0x7F 45 4C 46.
    • If you name a file image.jpg but it starts with those bytes, Linux knows it is not an image. It is a program.
  • The Permission Gate: This is the most critical safety feature. Even if you download a Linux virus, it cannot run by default. A user must explicitly grant the "Executable Bit" (chmod +x) permission.

Because the "Double Extension" trick fails on Linux, malware authors use a different camouflage technique called Masquerading.

Instead of trying to look like a generic PDF, Linux malware tries to look like a boring system process. They name their malicious files kworker, systemd-daemon, or journal-service so that when an admin runs a process list (ps aux), the malware blends perfectly into the background noise of the operating system.

EOF

The deeper you go, the more you realize that "hacking" is rarely about smashing keys in a terminal. It is about understanding the architecture. It is knowing how the OS trusts files, how databases store passwords, and how to filter through millions of logs to find the single line that reveals the anomaly.

Leviathan 0 to 1

Shubham
Cybersecurity Enthusiast

Leviathan 0 to 1

we already know password for leviathan0 so we will login using ssh
ssh leviathan0@leviathan.labs.overthewire.org -p 2223 then type the password leviathan0

now if you see there are no files that means files are hidden
use ls -la command to list the files that are hidden also

leviathan0@leviathan:~$ ls -la
total 24
drwxr-xr-x 3 root root 4096 Oct 14 09:27 .
drwxr-xr-x 150 root root 4096 Oct 14 09:29 ..
drwxr-x--- 2 leviathan1 leviathan0 4096 Oct 14 09:27 .backup
-rw-r--r-- 1 root root 220 Mar 31 2024 .bash_logout
-rw-r--r-- 1 root root 3851 Oct 14 09:19 .bashrc
-rw-r--r-- 1 root root 807 Mar 31 2024 .profile

here we can clearly see leviathan1 in .backup directory
now change directory to .backup then we have one html file named bookmarks.html, now if you do cat bookmarks.html
thats so long output

leviathan0@leviathan:~/.backup$ cat bookmarks.html | grep leviathan
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is 3QJ3TgzHDq" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>

so we used grep to filter

and yeah we got the password to leviathan 1 this was just practice or you say warm up type question, there was no such reverse engineering stuff as such.

`

Leviathan 1 to 2

Shubham
Cybersecurity Enthusiast

Leviathan 1 to 2

login

ssh leviathan1@leviathan.labs.overthewire.org -p 2223 password : 3QJ3TgzHDq

now use ls to look for the files

leviathan1@leviathan:~$ ls
check
leviathan1@leviathan:~$ file check
check: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=990fa9b7d511205601669835610d587780d0195e, for GNU/Linux 3.2.0, not stripped

we also used file check to find out the type of file it is, we found out its elf 32 bit lsb executable

leviathan1@leviathan:~$ strings check | grep leviathan
leviathan1@leviathan:~$ strings check
td8
/lib/ld-linux.so.2
_IO_stdin_used
puts
__stack_chk_fail
system
getchar
__libc_start_main
printf
setreuid
strcmp
geteuid
libc.so.6
GLIBC_2.4
GLIBC_2.34
GLIBC_2.0
__gmon_start__
secr
love
password:
/bin/sh
Wrong password, Good Bye ...
;*2$"0
GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
crt1.o
__abi_tag
__wrap_main
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
check.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
strcmp@GLIBC_2.0
__libc_start_main@GLIBC_2.34
__x86.get_pc_thunk.bx
printf@GLIBC_2.0
getchar@GLIBC_2.0
_edata
_fini
__stack_chk_fail@GLIBC_2.4
geteuid@GLIBC_2.0
__data_start
puts@GLIBC_2.0
system@GLIBC_2.0
__gmon_start__
__dso_handle
_IO_stdin_used
setreuid@GLIBC_2.0
_end
_dl_relocate_static_pie
_fp_hw
__bss_start
__TMC_END__
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got
.got.plt
.data
.bss
.comment

tried piping the output of strings check into grep leviathan but didnt got anything ... then did string check only without piping ... look there carefully

love
password:
/bin/sh
Wrong password, Good Bye ...

run the file

leviathan1@leviathan:~$ ./check
password: test
Wrong password, Good Bye ...

this means its simple strcmp that is comparing the password you typed with the correct password. so we can simply use ltrace to trace library calls ... ltrace is used to see what library calls are made during binary execution ... library calls are, when a program calls a function from a file that is shared by multiple programs ... for example checking if input is the correct password is done with library function called strcmp .. it will show function and its input parameters, which then include the password

leviathan1@leviathan:~$ ltrace ./check
__libc_start_main(0x80490ed, 1, 0xffffd474, 0 <unfinished ...>
printf("password: ") = 10
getchar(0, 0, 0x786573, 0x646f67password: hello
) = 104
getchar(0, 104, 0x786573, 0x646f67) = 101
getchar(0, 0x6568, 0x786573, 0x646f67) = 108
strcmp("hel", "sex") = -1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
) = 29
+++ exited (status 0) +++

so clearly visible its comparing our input "hello" with "sex" so correct password is sex.
lets try by running the binary again and checking the password.

leviathan1@leviathan:~$ ./check
password: sex
$

and indeed yes, we got access to the leviathan 2 shell ... as it was written already above in strings ... /bin/sh

now you can simple find the password from:

$ cat /etc/leviathan_pass/leviathan2
NsN1HwFoyN

here we go another leiathan done!

`

Tcpdump: The Basics

Shubham
Cybersecurity Enthusiast

What is Tcpdump

okay let me go through it straightforward

tcpdump is a command-line packet analyzer. it captures packets directly from a network interface or reads them from a saved pcap file, then prints packet details.

lame language definition:
tcpdump is like a tiny network spy that listens to all traffic on an interface

formal definition:
tcpdump is a libpcap-based command-line tool that intercepts, filters, and displays packets for diagnostics, forensics, and network monitoring purposes.


Why Tcpdump Matters

  • runs on servers without GUI
  • extremely lightweight, ideal for quick captures
  • can save captures to .pcap and analyze later in Wireshark
  • useful for debugging network connectivity
  • helps detect suspicious/malicious traffic
  • allows automated/scripted packet captures

lame language definition:
when something weird happens on your network, tcpdump shows what’s actually flowing over the wire

formal definition:
tcpdump provides packet-level visibility for troubleshooting, auditing, and security monitoring by capturing and filtering traffic directly from network interfaces.


Basic Usage & Important Options

common options you’ll use:

  • **-i <interface>** → choose interface (eth0, wlan0, lo, any)
  • **-n / -nn** → show numeric IPs/ports (no DNS or service-name resolution)
  • **-c <count>** → stop after N packets
  • **-w <file>** → write packets to a pcap for later analysis
  • **-r <file>** → read a saved pcap file

general syntax:
tcpdump [options] [filter expression]


Filtering Packets

tcpdump filters are extremely powerful and help cut noise.

examples:

  • capture only ICMP
    icmp

  • capture HTTP port 80
    port 80

  • capture packets from a specific IP
    src 192.168.1.10

  • capture packets to a specific IP
    dst 10.0.0.5

  • combine filters
    tcp and port 443 and src 10.10.10.50

filters let you focus on exactly what matters.


Reading vs Capturing

tcpdump can:

  • capture live packets
  • save packets to a file
  • read files created earlier
  • monitor remote servers via SSH
  • create captures you later open in Wireshark

this makes it versatile for both live debugging and offline analysis.


What Tcpdump Output Usually Looks Like

each printed line typically includes:

  • timestamp
  • protocol (IP, TCP, UDP, ICMP)
  • src_ip:src_port → dst_ip:dst_port
  • tcp flags (if applicable)
  • packet length or other metadata

this gives quick insight into what traffic is flowing without needing a full GUI analyzer.


When to Use Tcpdump vs Wireshark

use tcpdump when you need:

  • fast text-based packet capture
  • minimal system footprint
  • SSH-based remote analysis
  • automated or scripted packet recording
  • only basic header/payload visibility

use wireshark when you need UI-level detail, protocol trees, reassembly, or file extraction.


Security Use Cases

  • capture suspicious outbound connections
  • inspect DNS or ARP traffic during enumeration
  • detect plaintext credentials in unencrypted protocols
  • gather evidence during incident response
  • perform reconnaissance on unknown networks
  • analyze malware communications on isolated machines

tcpdump is extremely useful in cybersecurity because it provides raw, unfiltered network truth.


Conclusion

tcpdump is simple, powerful, and essential.
it lets you capture, filter, analyze, and save network packets — even on systems with no graphical environment.

if you understand tcpdump basics, filters, interface selection, and capture options,
you already have one of the strongest command-line packet analysis tools in your toolkit.

`

Wireshark Basics & Packet Analysis

Shubham
Cybersecurity Enthusiast

What is Wireshark

okay let me go through it straight forward

wireshark is a free and open-source packet analyzer used to capture and inspect network traffic. you can either sniff live packets or load pcap files for analysis.

lame language definition:
wireshark is basically a microscope for network traffic — you can zoom into every packet and see all details

formal definition:
wireshark is a cross-platform network protocol analyzer that captures, decodes, and displays packets across OSI layers, enabling low-level inspection, filtering, and traffic analysis.


Why Wireshark Matters

  • troubleshoot network issues
  • inspect protocol behavior (dns, http, tcp, udp, tls, etc.)
  • analyze suspicious or malicious traffic
  • understand real packet structures
  • extract files or data from captures
  • essential tool for both networking and cybersecurity

lame language definition:
if you want to see exactly what your computer is “saying”, wireshark is the tool

formal definition:
wireshark provides detailed packet-level visibility for diagnostics, protocol research, security auditing, and digital forensics.


Basic Wireshark Interface

when you open a capture, you mainly work with:

  • packet list pane → shows all packets
  • packet details pane → shows protocol breakdown for selected packet
  • packet bytes pane → raw hex/ASCII data
  • display filter bar → to narrow down what you want to see

you can load .pcap or .pcapng files or capture live traffic.


Packet Dissection

every packet is shown layer by layer:

  • ethernet (source/dest MAC)
  • ip header (source/dest IP, TTL, protocol)
  • tcp/udp (ports, flags, seq numbers)
  • application data (http, dns, ftp, tls, etc.)

the details pane lets you drill down into any header field.

example things you might inspect:

  • TTL value
  • source/destination ports
  • HTTP host or user-agent
  • DNS query name
  • TCP handshake flags
  • payload bytes

Filtering Packets

wireshark supports two kinds of filters:

capture filters

applied before capturing, restrict what gets recorded.
example: only capture traffic on port 80 → tcp port 80

display filters

applied to shown packets after loading a capture.
these are more powerful and commonly used.

examples:
dns
http
tcp.flags.syn == 1
ip.addr == 192.168.1.10
udp.port == 53

you can also right-click any field → “Apply as Filter” to generate syntax automatically.


Searching Inside Packets

you can search for:

  • strings inside packet bytes
  • hostnames
  • ip addresses
  • http headers
  • filenames
  • hidden text in payload

useful for CTFs and malware pcaps.


Statistics Tools

wireshark provides high-level summaries:

protocol hierarchy

breakdown of all protocols in the capture → useful for spotting dominant traffic

endpoints

shows all communicating IPs, MACs, ports

conversations

shows who talked to whom and how much data was exchanged

capture file properties

metadata about the pcap, sometimes includes hidden notes or flags

these tools let you get insights without reading every packet manually.


Common Use Cases

identifying suspicious traffic

filter by http, dns, unknown ports, large payloads, repeated requests, etc.

extracting files

some http/ftp/unencrypted streams let you reconstruct transmitted files.

analyzing tcp handshakes

useful for diagnosing connectivity issues.

spotting DNS exfiltration

check unusually long TXT records or frequent DNS queries.

reading HTTP requests

see urls, methods, cookies, headers (if unencrypted).

following a TCP stream

reconstruct entire conversations (http pages, ftp sessions, etc.)


Conclusion

wireshark is one of the most important tools for anyone learning networking or cybersecurity.
it shows you real traffic, real protocols, and real packet structures — no abstractions.

if you understand how to filter, dissect, and interpret packets in wireshark,
you basically understand how data truly moves across networks.

`

Networking Core Protocols

Shubham
Cybersecurity Enthusiast

Introduction

okay let me go through it straight forward

this room covers the core application-layer protocols the internet uses everyday: DNS, WHOIS, HTTP, FTP, SMTP/POP3/IMAP.
these protocols help resolve names, fetch web pages, transfer files, and send/receive emails.

lame language definition:
these are the official "languages" computers speak for websites, files, emails, and domain lookup

formal definition:
Core network protocols are standardized application-layer communication rules that define how data is requested, transferred, and interpreted across the internet, enabling services like DNS resolution, HTTP browsing, FTP file transfer, and email transmission.


DNS (Domain Name System)

dns converts names → ip addresses.
your browser can't understand domain names, only numbers.

lame language definition:
dns is the internet’s phonebook

formal definition:
DNS is a hierarchical, distributed naming system that resolves human-readable domain names into IP addresses and provides additional record types like MX, CNAME, PTR, etc.

DNS Example

nslookup example.com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: example.com
Address: 93.184.216.34

browser now knows where to send HTTP request.


WHOIS

whois gives info about who owns a domain, when it was registered, etc.

lame language definition:
whois is “who owns this address on the internet?”

formal definition:
WHOIS is a query/response protocol used to look up registration data for domain names and IP address blocks.

WHOIS Example

whois example.com
Domain Name: EXAMPLE.COM
Creation Date: 1995-08-13
Registrar: ...
Registrant Organization: IANA

used in reconnaissance.


HTTP (Hypertext Transfer Protocol)

http is how browsers fetch web pages, APIs, json, images, etc.

lame language definition:
http is “give me this webpage”

formal definition:
HTTP is an application-layer protocol defining how clients and servers request and deliver web resources, using methods like GET, POST, PUT, DELETE, etc.

HTTP Example

GET / HTTP/1.1
Host: example.com
User-Agent: curl/7.79.1
Accept: /

HTTP/1.1 200 OK
Content-Type: text/html
<html>...</html> ```
FTP (File Transfer Protocol)

ftp is used to upload/download files between client and server.

lame language definition: ftp is a courier service for files.

formal definition: FTP is a standard network protocol for transferring files over a reliable TCP connection, usually using port 21 for control and additional ports for data.

FTP Example

ftp example.com
Name: anonymous
Password: guest

ftp> ls
ftp> get secrets.txt
ftp> bye

Email Protocols (SMTP, POP3, IMAP)

SMTP

used for sending emails.

lame language definition: smtp sends your mail to the post office.

formal definition: SMTP is a protocol for transferring outgoing email between clients and mail servers, and between mail servers.

POP3

used for retrieving emails, usually downloads + deletes.

lame language definition: pop3 pulls emails down to your device.

formal definition: POP3 is a simple email retrieval protocol where the client downloads messages from server and optionally deletes them from the mailbox.

IMAP

used for retrieving emails but keeps them synced across devices.

lame language definition: imap keeps your emails on the server so all devices see same inbox.

formal definition: IMAP is an email protocol allowing clients to view, organize, and synchronize mail stored on the server without deleting it.

Email Example (POP3 via telnet)

telnet mail.example.com 110
+OK POP3 server ready
USER student
+OK
PASS password123
+OK Logged in
LIST
+OK 2 messages
RETR 1
Subject: Welcome
From: admin@example.com
QUIT

Why These Protocols Matter

dns → resolves names
whois → reveals domain ownership
http → loads websites
ftp → transfers files
smtp/pop/imap → email communication

lame language definition: without these, the internet would be a pile of raw IP addresses and bytes

formal definition: Core protocols make internet services usable by providing standardized mechanisms for name resolution, content delivery, file transfer, and email exchange. Conclusion

networking core protocols explain how websites load, how domains resolve, how files are transferred, and how emails flow across servers.

if you understand dns, whois, http, ftp, smtp/pop3/imap — you understand how humans communicate over the internet at protocol-level.

`

Networking Concepts

Shubham
Cybersecurity Enthusiast

OSI Model

okay let me go through it straight forward

so networking has this 7 layer model called OSI model
it’s basically a structured way to understand “how data moves” from your device to another device

lame language definition:
it is a 7-step pipeline through which data passes. each layer has a job, adds some info, and sends it to the next one

formal definition:
the OSI model (Open Systems Interconnection) standardizes communication functions into 7 abstraction layers to ensure different systems can communicate reliably

the 7 layers (in simple and useful language)

Layer 7 — Application
the apps you actually use (browser, ssh, discord)

Layer 6 — Presentation
formats and translates data (encryption, compression, encoding)

Layer 5 — Session
creates and maintains the connection (opening, closing, maintaining sessions)

Layer 4 — Transport
splits data into segments, handles ports, and ensures delivery (tcp/udp)

Layer 3 — Network
handles IP addresses and routing (deciding the best path)

Layer 2 — Data Link
mac addressing, local network delivery, error detection

Layer 1 — Physical
actual electrical/optical signals, cables, wifi waves

basically:
7 → what users see
1 → how bits physically travel


TCP/IP Model

it’s like OSI but the one that the internet actually uses.
more practical, fewer layers.

lame language definition:
TCP/IP is OSI model but compressed into 4 layers so engineers don’t cry

formal definition:
TCP/IP (Transmission Control Protocol / Internet Protocol) is a suite of communication protocols used to interconnect network devices on the internet

layers

Application Layer
combines OSI’s layers 5,6,7
your apps, formats, protocols like http, dns, ftp

Transport Layer
manages port numbers + segmentation + reliability
(TCP/UDP live here)

Internet Layer
IP addressing + routing

Network Access Layer
equals OSI layer 1+2
MAC, frames, physical transmission


IP Addresses & Subnets

ip = internet address of a device
A.B.C.D basically

now every IP address has two parts:

Network part → which network you belong to
Host part → your unique device inside that network

so how do we know which part is which?
using subnet mask

lame language definition:
subnet mask draws a line between “network” and “host” portion of the IP address

formal definition:
a subnet mask is a 32-bit number that divides an IP address into network and host identifiers

example:
255.255.255.0 → first 3 octets = network, last = host

so valid hosts become .1 to .254


TCP and UDP

TCP

the reliable guy
does handshake, ensures packet delivery, checks order
it’s slow but trustworthy

use cases: https, ssh, ftp, email

UDP

the fast guy
no handshake, no guarantee, no ordering
works when speed matters

use cases: video calls, gaming, streaming

lame language definition:
TCP cares, UDP doesn’t


Encapsulation

when data moves through layers, each layer wraps it with its own piece of information
like putting a gift into multiple wrapping papers

formal definition:
encapsulation is the process where each networking layer adds its own header (and sometimes trailer) to the data from the layer above

example flow:
application data → transport segment → IP packet → frame → bits

receiver does the reverse (decapsulation)


Telnet

telnet is an old protocol to remotely access systems

lame language definition:
it is SSH but without encryption … like shouting your password in public

formal definition:
telnet is an application protocol used to provide a bidirectional text-based communication using a virtual terminal connection over TCP (typically port 23)

not used anymore because everything is plaintext, so attackers can sniff credentials easily


Conclusion

all networking concepts here boil down to one idea:

data doesn’t just travel; it passes through layers, gets wrapped with info, uses protocols to move, and gets delivered safely using IP + TCP/UDP.

this is the backbone of how the internet works. `

Natas Level 8

Shubham
Cybersecurity Enthusiast

Natas 8

Solution

okay so the first thing that will come to our mind while visiting the page will be clicking that View sourcecode button.
when you will visit that page you will find an encoded secret, you have to decode it
but we are given a function in php to encode secret ... so to decode it we will implement that in reverse order

function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
}

bin2hex(strrev(base64_encode($secret)) produced 3d3d516343746d4d6d6c315669563362
reverse these steps to get the secret

make sure you have php installed on your pc/laptop ... then execute following commands.

shubhamdchhatbar@shubhams-MacBook-Air ~ % php -a
Interactive shell

php > echo base64_decode(strrev(hex2bin('3d3d516343746d4d6d6c315669563362')));
oubWYf2kBq
php >

submit this oubWYf2kBq and you will get password for natas 9

`

Natas Level 9

Shubham
Cybersecurity Enthusiast

Natas 9

Solution

first thing you are likely to click here is View sourcecode

there you will see something like this

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}

if($key != "") {
passthru("grep -i $key dictionary.txt");
}
?>

here passthru() function is used ... read more about it on https://www.php.net/manual/en/function.passthru.php#127699

since passthru is there we can use command injection ...
basically it is an attack which executes the arbitrary commands on the host operating system via a vulnerable application ... read OWASP Command Injection for more information.

in Find words containing search box
write ;ls -a you will see the files now on the official website it is given that password can be found on etc/natas_webpass/natas*

so we will execute the command ; cat /etc/natas_webpass/natas10; and will get the password for natas 10
`

Web Basics

Shubham
Cybersecurity Enthusiast

HTTP header

okay let me go through it straight forward

GET /home.html HTTP/1.1
Host: developer.mozilla.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://developer.mozilla.org/testpage.html
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-Modified-Since: Mon, 18 Jul 2016 02:36:04 GMT
If-None-Match: "c561c68d0ba92bbeb8b0fff2a9199f722e3a621a"
Cache-Control: max-age=0

you might have seen this type of thing in burp suite, if not no problem.
all these things such as User-Agent, Host, Accept etc are called as HTTP header

lame language definition:
they are key-value pair that gives you additional information about the request or the response

now formal definition:
HTTP headers let the client and the server pass additional information with a message in a request or response. [source: mdn]

Request header

it is a header that can used in HTTP request to provide information about the request context, so that server can tailor the response. for example Accept header tells us which is preferred or allowed format of the response

CORS

short for cross-origin resource sharing is a system consisting of transferring http header which tells whether the browser blocks frontend javascript code from accessing responses from cross origin requests

some CORS headers are Access-Control-Allow-Origin, Access-Control-Allow-Credentials, etc

Cookies

these are small pieces of data that web server stores on your browser to remember information between requests .. so question arises why cookies exists? http is stateless .. every request is independent ... server doesnt remember you ... cookies fix that by storing small data on your device so that server can recognize you whenever you revisit
cookies are stored in browsers in small text files and server sends them as Set-Cookie http header.
`