During a debugging session of one of our NodeJS microservices misbehaving on a Windows Server 2019 instances, I opened the microservice log to begin investigating the faulty behavior.
Hack The Box is a website offering vulnerable machines for practising hacking skills. The goal of the ‘Labs’ are to hack into the system and capture the flag (CTF) which can be found in a text file in the desktop of a regular and an administrator user. On my pursuit to get some practical exercise in the field, I decided to sign up and attempt one of the beginner exercises. This post describes how I managed to get remote code execution (RCE) in the one of the boxes and access the flags.
Recently, I became interested in understanding a bit more about web application exploitation. This interest evolved with my daily work with web applications over the last few years, reviewing already developed web application source code, modifying it at times in order to resolve a customer issue and needing to dive deep and debug customer problems in production. But I always felt that my daily work was only focusing on how to resolve an issue for a customer. I never branched out to actually understanding the security behind the web applications and services I’m debug and the code I was reviewing and modifying. Moreover, I felt that I was not able to identify any security vulnerabilities in the applications I was working with. So I challenged to take this next step in learning more about web application security vulnerabilities by signing up to ångstromCTF 2021, an annual capture-the-flag competition hosted by Montgomery Blair High School (ironically located very near to the high school I attended in Maryland). This post describes the process by which I was able to finish one of the challenges called Jar under the Web category.
The other day when visiting my family, under a large pile of torn up binders and laminated documents, I found my sibling’s old 2013 MacBook Air. I thought it would be wasteful to just leave it there so I picked it up and took it to the lab, AKA home. I discovered that the laptop was password locked with my sibling’s user and password. Since it must’ve been laying at my family’s house for a few years at least, and we as human’s have a tendency to forget our credentials, I decided to save the attempts and just format it and start with a clean OS.
A few months ago, I received a highly-anticipated 2020 32GB, 2.3 GHz Quad-Core Intel Core i7 MacBook Pro. Highly-anticipated because I already had one stolen (a 2019 version) earlier last year in a robbery in an AirBnB apartment I was renting while I was staying in Barcelona. It was quite a dramatic story but I won’t get into the details. This is a tech blog after all.
The Wikipedia definition should be sufficient in explaining what the software does:
Pi-hole or Pihole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network
I wanted to deploy it for a few reasons:
This post is here to explain how was able to deploy PiHole on Kubernetes and how I resolved some of the problems that occurred during the deployment process.
One of our largest customer recently had a problem loading a list of resources from our web application. The problem was a blocker for the customer and required to identify the problem and provide a workaround, if possible. I was assigned the task as I was the SME in this area (NodeJS microservices, infrastructure such as storage, microservice messaging and configuration).
This week, I needed to debug a production issue where one of the critical ReactJS applications happened to load exactly after 60 seconds.