Have you ever wanted to be able to interact with an API endpoint from some web application whether it is yours or somebody elses?

Its rhetorical. I don’t care whether you have or not. You’re gonna learn today.

Playing with web applications you likely remember atleast 2 operations of interfacing with a web application.

Those being:

GET and POST methods. Well there are 2 more that are important called PUT and DELETE.

As a quick refresher we will go through what the first two mean and add the last two to catch everyone up to speed.

GET - This is when you are reading the information from the web application and requesting the page.

POST - This is when you are sending data to the web application.

• example being when you login on some page or are adding something to a database.

PUT - This operation is utilized when making a change on the server such as an update to your username.

DELETE - This obviously means delete but much like when you’re using the GET request you can point the DELETE operation at the path you wish to delete and like magic it’s gone.

There are two bonus operators that can be used in a web application as well but they are not frequently used. Those are: OPTIONS and PATCH.

OPTIONS - Gives the user the possible options available to him when communicating with the web application

PATCH - Works just like PUT the only difference being that it is used to change some part of an entry not the entire thing.

• example being when you want to change your first name to a nick name but leave your last name the same you can use PATCH

Now that we have talked about it I’ll give some snippets of a command line to show you how to write them.

We will be using cURL as a resource to retrieve and change information. Get used to it.

Curl by default uses the GET request so I will not be showing a screenshot of the first operation but will give you the example in text.

curl https://google.com

When you are dealing with an API of some kind it will still return the information to you much like any other time you have used it except it may look jumbled or in another format such as json.

If we want to take the json text and make it look exceptionally better and in the correct format we can add a pipe and the command “jq” to the command line.

Awesome. So we understand the GET operation with an API. Lets check out the POST.

When posting we want to use the switch “-X” POST followed by the URL and some data. To post the data we need the “-d” switch. Lastly, we need to change the end of the content type to json since we already know that is what we will be receiving back for information.

We created a new entry. Now you can do a GET to request the information and see your entry provided in the json format.

Lets see PUT in action. Remember, this changes entries. Let’s grab another entry and show the change.

PUT much like POST requires “-X”, “-d” and “-H” and the data that is being changed. The differences is that you need to change POST to PUT and specify in the URL which entry you wish to change. Just like before we will check to see if it worked by a GET request to the API page.

Then finally the simplest one to understand. Deleting entries from a database on an endpoint.

When you do a GET request on the deleted information you are presented the result of an empty array. That empty array is proof of a deleted entry.

I hope you learned something, and if you didn’t I hope it was a decent refresher and you enjoyed my presentation on the subject. If not, no worries I’ll keep pushing out content and there’s bound to be something you enjoy.

As always, stay curious my friends.

Let’s do something a tad different. Instead of talking about the nitty gritty straight forward I want to try to make everything memorable.

I will be relating the status codes to my dysfunctional family. We all have a little messed up family… Don’t pretend you don’t. This is SUPER relatable.

First and foremost, lets talk about what status codes are. Every time you communicate with a website you are interfacing with status codes. Whether you realize it not its happening. Some of you may be aware of “404” errors and that itself is a status code.

There are 5 unique identifiers for our status codes: (this is where we relate to our families to make it easier to remember)

1xx - Informational Status Code

These would be the family members who always come up and tell you too much information. Sure a lot of it can be important but they tend to overshare just a bit too much

2xx - Successful Status Code

2xx family members could easily be the family that is always doing well or atleast appears to be doing well

3xx - Redirection Status Codes

Best example I can provide to these family members are the ones that avoid things and put it on others

4xx - Client Error Status Codes

These individuals do not accept responsibility for their actions. Always anothers fault, internet isnt working and that’s on you, kinda guy.

5xx - Server Error Status Codes

This can go one of two ways. The family member that accepts responsibility and says “hey, my fault I messed up”, or the ones that always have something happening to them for some reason.

You may not find this funny. But my lame and dry sense of humor actually finds the title hilarious. As funny as it is, we are not curling in the gym we are using a well known command today called: cURL.

The command cURL stands for - client URL. In case you’re weird like me and need to know what URL stands for it means - uniform resource locator.

cURL allows us to transfer data from a server using different kinds of protocols such as http, https, ftp, sftp and more. That being said you can also send data using cURL as well so it is a great tool to sit and become familiar with.

Now that I have introduced the command and tool along with what it does, lets dive into some of the most useful commands available to you.

If you curl a website with no switches:

curl google.com

• you can receive simple information, is the site still up? Is it redirected?

curl -v google.com

• this command will provide you with much more information such as the headers, body of the document and IPv4 and IPv6 information.

curl -vvv google.com

• this essentially does everything the above command does but now you can get the response info back from the server you are communicating with.

curl -O google.com

• this I find to be one of the most useful commands. You can use it to download the file at the specified path you have set.

curl -d google.com

• this command allows you to post data with the curl command. This can be username/password, json data and more.

Lastly, always check the “-h” or “—help” options or man pages if possible. This wasn’t meant to teach absolutely everything but just scratch the surface. If you’re interested there are tons of books and online resources too keep learning about the topic.

Unfortunately, I am not sure how to post photo on the regular blogs on the site so bear with me. If I figure it out I’ll update with screenshots so it is much more enjoyable of a read.

Coming soon. This box has been rooted.

This is my 3rd attempt at writing this because I lost all my progress the other times, so if it’s not perfect please excuse me. I have been extremely frustrated with it, but I refuse to not put it out.

I learned my lesson. Hit save often so you don’t go to sleep in tears from wasted time.

Reconnaissance:

So first lets start with our scan. I like to use -vvv for a nice fast scan and then gather more information with what I get.

Foothold:

Exploitation:

Privilege Escalation:

Post Exploitation:

As always, stay curious my friends.

I am going to preface this with the fact that I rooted it using metasploit…but that takes no skill and I am studying for OSCP and need to manually do it so I went back and it again the right way.

(There is no right way though, if you break into a box you broke in. Be proud.)

CVE-2007-2447

our finding leads us to the exploit listed above.

Port Scan:

Lets scan the machine first like always

First start with your scan (soon I’ll likely starting off like Ippsec because hes got some neat tips and tricks)

As always. Stay curious my friends.

In our last post we talked about the 5 phases of ethical hacking. Today we are going to go over a reconnaissance tool called Nmap. Now we could go into OSINT but if you want to learn about that go to Heath Adam’s PNPT and you can get a solid understanding from his course.

For us we will go over a practical application of Nmap using the platform Hack The Box.

Don’t worry we won’t do something too difficult (not like I have the skills to do anything crazy anyway) so you will be fine. We will be using the meow machine to play with nmap.

Now, Lets run an Nmap scan against the target machine. First launch your terminal… duh.

We use the command nmap -vvv <target machine> see below.

I like to use -vvv for the highest levels of verbosity and increased speed.

we can use another switch “-p” to designate specific ports but for now we don’t need that.

Now as a reward of our nmap scan we have port 23 open which runs telnet. Telnet is an application protocol that operates in plain text and allows users to remotely log into other computers.

Now we can run another nmap scan with the switch “-A” and specify the port we received like so.

nmap -A -p23 <target machine> -T4

-A = OS and version detection, script scanning and traceroute

-T4 = is for timing and faster execution

We run a second scan to see if we can get any more information from the port
Below is the output from our scan. Interestingly, we now know the host we are targeting is a linux machine.

I was going to stop here and show only the nmap scan but since it is a super easy box to break into I may as well finish it with you. Not gonna lie I’d rather stop doing this at the moment and finish my movie.

since the scan came back as Telnet we can use the command “telnet -l root <target machine>

when we run this command we get logged in directly to the host and can list the files. listing the files provides the following. You need to read the file yourself.

Hope you learned something. If you didn’t that’s cool. Thanks for giving this a read.

As always. Stay Curious.

As always start with a scan. I skipped posting the initial scan and just posted me using a version and script scan on port 21.

(Good idea to post common ports to know while working in the field)

Whether you read it in this crappy blog or another one, the phases of ethical hacking are always the same. I want to try writing it in a more fun manner for a blog post. If you hate it lemme know on Twitter @__ The __ Giver __ (No Spaces)

Phase 1: Reconnaissance - The Spy Game Begins:
Picture yourself, a secret agent, equipped with a magnifying glass and a Sherlock Holmes hat. You're on a mission to gather information about your target. But instead of sneaking around in the shadows, you're sitting at your computer, Googling like hell. It's like being a spy, but with more caffeine and fewer explosions and a crap ton of 1’s and 0’s.

Phase 2: Scanning - Finding Your Entry Point:
Now that you have some juicy information, it's time to go on a virtual treasure hunt. Armed with your trusty scanning tools, you're like a modern-day Nathan Drake (he’s cooler than Indiana Jones don’t @ me), searching for open ports and vulnerabilities. But instead of dodging bullets, you're dodging firewalls and antivirus software. Who knew hacking could be so wild?

Phase 3: Gaining Access - Ocean’s 11 Heist:
Imagine yourself as a master lockpicker like LockPicking Laywer, trying to crack the code and gain access to the target system; instead of using fancy lockpicking tools, you're mashing away furiously on your keyboard, to finally get in and say the words “I’m in” to the imaginary camera (you’re not that guy… yet). It's like being a hacking ninja, silently infiltrating the system without leaving a trace. Well, except for the sound of your fingers tapping on the keys, and your deep sighs and swears as nothing has worked for the past hour.

Phase 4: Maintaining Access - Persistence - The Herpes of the Hacking World:
Pat yourself on the back, you’re in. Now it's time to play the role of the friend who overstays their welcome and does not know when to leave. You're like a creepy vampire, lurking in the shadows and leaving no trace of your presence. You install backdoors and rootkits, ensuring that you can come back whenever you please. It's like being a virtual squatter, but instead of living in an abandoned house, you're living rent-free in someone's computer, maybe even spying on them via their camera (wow you’re a creep).

Phase 5: Clearing Tracks - The Disappearing Act:
As they say, all good things must come to an end. But before you leave the system, you need to cover your tracks like a pro. You're like a master illusionist or Danny Phantom (do you remember that show or am I just old?), erasing all evidence of your presence. Deleting log files, modifying system files - making your modifications vanish.

And that’s all there is to it.

As always. Stay curious my friends.

I’ll preface this with, I dont have a set schedule. I post when I post. I am a full time doctoral student, employed full time, studying for OSCP and trying to still make time for the wife so you get a post when you get one.

In this blog I plan on doing the more practical side of red teaming and maybe blue teaming as well. I would like to use Hack The Box (HTB) and Tryhackme for solid platforms.

In the “Web App blog” I will be going over theory and understanding the subject matter with a little bit of practicality mixed in. Can’t exploit anything if you don’t understand it right? For the most part I will be using the lovely portswigger labs to guide the fundamentals. It goes much deeper but you get the idea.