<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en"><generator uri="https://jekyllrb.com/" version="3.10.0">Jekyll</generator><link href="https://5odead.github.io/feed.xml" rel="self" type="application/atom+xml" /><link href="https://5odead.github.io/" rel="alternate" type="text/html" hreflang="en" /><updated>2026-07-12T11:09:45+00:00</updated><id>https://5odead.github.io/feed.xml</id><title type="html">5odead // CTF Writeups</title><subtitle>CTF writeups, exploit walkthroughs, and security research by 5odead — web, pwn, reversing, and more.</subtitle><author><name>5odead</name></author><entry><title type="html">How I Solved THM: Thompson</title><link href="https://5odead.github.io/thm-thompson-walkthrough/" rel="alternate" type="text/html" title="How I Solved THM: Thompson" /><published>2026-07-12T00:00:00+00:00</published><updated>2026-07-12T00:00:00+00:00</updated><id>https://5odead.github.io/thm-thompson-walkthrough</id><content type="html" xml:base="https://5odead.github.io/thm-thompson-walkthrough/"><![CDATA[<p><img width="1498" height="322" alt="Screenshot_20260712_143021" src="https://github.com/user-attachments/assets/ed97e304-78bb-4370-97b5-71d0aa99a21c" /></p>

<h2 id="disclaimer">Disclaimer</h2>

<p>This walkthrough is for educational purposes only. All activities were performed on legally authorised TryHackMe systems.</p>

<h2 id="initial-reconnaissance">Initial Reconnaissance</h2>

<p>I scanned the IP with Nmap using this command:</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>nmap <span class="nt">--top-ports</span> 500 <span class="nt">-sV</span> 10.81.173.106
</code></pre></div></div>

<p><strong>Command explained:</strong></p>

<ul>
  <li><code class="language-plaintext highlighter-rouge">--top-ports 500</code> — scan the 500 most common ports</li>
  <li><code class="language-plaintext highlighter-rouge">-sV</code> — service version detection</li>
</ul>

<p>While the scan was running, I decided to check if there was a website running. There was.</p>

<p><img width="1621" height="663" alt="Screenshot_20260712_145704" src="https://github.com/user-attachments/assets/16b165b4-4e68-41cb-814e-fe92940480f1" /></p>

<p>I started exploring the site and found a page called <strong>Host Manager</strong>, which had a login on it. Interesting. I looked around more but found nothing else, so I went back to check my Nmap results.</p>

<p><img width="1224" height="395" alt="Nmap_Scan" src="https://github.com/user-attachments/assets/747aca00-d5c2-4dab-84c7-03d26c6dc43b" /></p>

<h2 id="digging-into-open-ports">Digging Into Open Ports</h2>

<p><strong>Port 22</strong> is running SSH version OpenSSH 7.2p2, so I looked for known vulnerabilities and found <strong>CVE-2018-15473</strong>, a race-condition-based username enumeration bug. I’ve had a bad experience with this one before, and it didn’t seem useful here either, so I moved on.</p>

<p>The next thing I had was <strong>Apache JServ</strong> running on port 8009. I had no idea what it was, and this was also my first time dealing with Apache Tomcat, so I decided to read up on it:</p>

<p><strong>Apache Tomcat</strong> is a Java application server that executes Java code like JSP files and servlets to generate responses for HTTP requests. It has a Manager panel used to manage applications deployed on the server.</p>

<p><strong>Apache JServ Protocol (AJP13)</strong> is a protocol Tomcat uses to listen for requests from services like web servers and load balancers. It’s typically not meant to be exposed directly to the internet.</p>

<p>So port 8009, running AJP, was a security misconfiguration by itself. I researched further and found it was vulnerable to <strong>CVE-2020-1938: Ghostcat</strong>. This vulnerability lets attackers read hidden files, and sometimes take full control of a server, by abusing Tomcat’s AJP connector.</p>

<h2 id="chasing-ghostcat-cve-2020-1938">Chasing Ghostcat (CVE-2020-1938)</h2>

<p>I picked an exploit off GitHub to test it out:</p>

<p><strong>GitHub:</strong> <a href="https://github.com/Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat">Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat</a></p>

<p><img width="1920" height="426" alt="CVE2020-1938" src="https://github.com/user-attachments/assets/9aeda3fb-2696-4629-a733-a97620d30034" /></p>

<p>After a few tweaks, I got it running, and it confirmed the vulnerability was real — I was able to read a protected file over Ghostcat/AJP. It returned actual file contents: the XML from <code class="language-plaintext highlighter-rouge">WEB-INF/web.xml</code>, including the Apache license and web app configuration. Time to look for juicier files.</p>

<p>Since <code class="language-plaintext highlighter-rouge">WEB-INF/web.xml</code> was readable, I figured other configuration files might be too. I made a list and went through them one by one:</p>

<ul>
  <li><code class="language-plaintext highlighter-rouge">WEB-INF/application.properties</code> — Spring Boot application configuration</li>
  <li><code class="language-plaintext highlighter-rouge">WEB-INF/context.xml</code> — Tomcat context configuration</li>
  <li><code class="language-plaintext highlighter-rouge">META-INF/context.xml</code> — application metadata configuration</li>
  <li><code class="language-plaintext highlighter-rouge">WEB-INF/spring-security.xml</code> — Spring Security configuration (authentication)</li>
  <li><code class="language-plaintext highlighter-rouge">WEB-INF/faces-config.xml</code> — JSF (Java web framework) configuration</li>
  <li><code class="language-plaintext highlighter-rouge">WEB-INF/application.yml</code> — Spring Boot YAML configuration</li>
  <li><code class="language-plaintext highlighter-rouge">WEB-INF/db.properties</code> — database connection properties</li>
  <li><code class="language-plaintext highlighter-rouge">WEB-INF/database.properties</code> — database credentials/config</li>
  <li><code class="language-plaintext highlighter-rouge">conf/tomcat-users.xml</code> — Tomcat Manager credentials (logical guess, but AJP couldn’t reach it)</li>
</ul>

<p>Guess how many I found. If you guessed zero, you’re right. Every single one came back <strong>HTTP 500 — FileNotFoundException</strong>. Was I hallucinating this whole vulnerability? What if the tool wasn’t working right? Metasploit has a module for Ghostcat too, so I ran that to sanity-check myself:</p>

<p><img width="900" height="722" alt="Ghostcat_Metasploit" src="https://github.com/user-attachments/assets/e5760b3e-b719-4beb-a379-4899bff987ae" /></p>

<p>The Metasploit scan confirmed the tool was working fine. It was me screwing something up, and I couldn’t figure out what.</p>

<p>While I was at it, I also tried the Metasploit Tomcat Manager brute-force module:</p>

<p><img width="1055" height="786" alt="Tomcat_Login_Bruteforce" src="https://github.com/user-attachments/assets/ecf9478a-6547-4133-954c-cabc2626c06b" /></p>

<p>It ran through a list of default and weak passwords for Tomcat Manager, but every single one was wrong. Dead end.</p>

<h2 id="backtracking-tomcat-managers-default-creds">Backtracking: Tomcat Manager’s Default Creds</h2>

<p>I went back and reopened the site, and remembered the <strong>Host Manager</strong> login page from earlier. I tried a few passwords, failed, and got a <strong>401 — Unauthorised</strong> message.</p>

<p><img width="1269" height="544" alt="Screenshot_20260712_160037" src="https://github.com/user-attachments/assets/86ba6edf-8b62-4f33-8199-3bfac1f10b4f" /></p>

<p>Very odd error message for a login page. On a whim, I tried the exact username and password shown on the page itself, and it worked.</p>

<p><img width="1606" height="708" alt="Screenshot_20260712_160346" src="https://github.com/user-attachments/assets/a9643d70-13f3-4bcc-93f8-fd3d67385188" /></p>

<p><strong>I WAS IN.</strong> I sat there a little dumbfounded — I had a demo-looking username and password staring at me the whole time, and instead I went and brute-forced Tomcat Manager and chased Ghostcat down a hole. But that’s cybersecurity for you.</p>

<blockquote>
  <p>A dead end on path X isn’t a failure; it’s just the map telling you it’s time to unlock path Y.
— me</p>
</blockquote>

<h2 id="getting-a-shell-war-file-upload">Getting a Shell: WAR File Upload</h2>

<p>Now that I was in, the way forward was simple: drop a reverse shell as a <code class="language-plaintext highlighter-rouge">.WAR</code> (Web Application Resource), set up a listener, trigger the payload, and get a shell.</p>

<p>I first generated a Java web-based reverse shell with <a href="https://www.revshells.com/">revshells.com</a> and uploaded it:</p>

<p><img width="1650" height="327" alt="shellin" src="https://github.com/user-attachments/assets/a244ae35-7fb7-4adc-855b-a04ff3a6ddcb" /></p>

<p>Deployed it, triggered it…</p>

<p><img width="1857" height="830" alt="shellnotworking" src="https://github.com/user-attachments/assets/44a2ffec-6ecd-4d03-952a-edc445bca205" /></p>

<p>Nothing. No time to debug it. I deleted the file from the server and generated a fresh payload with <code class="language-plaintext highlighter-rouge">msfvenom</code> instead:</p>

<p><img width="1906" height="123" alt="Screenshot_20260712_141407" src="https://github.com/user-attachments/assets/92248936-0ff4-4770-912f-a62b50fdb7c1" /></p>

<p>New payload, new listener. Deployed it, and boom — got a reverse shell.</p>

<p><img width="1679" height="861" alt="image" src="https://github.com/user-attachments/assets/9ebe2af2-25a6-4bb6-b645-3a51adee8285" /></p>

<p>Found the user flag. Now it’s time for root.</p>

<h2 id="privilege-escalation-writable-cronjob-script">Privilege Escalation: Writable Cronjob Script</h2>

<p>I checked the user’s home directory and looked at file permissions:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ls -la
total 48
drwxr-xr-x 4 jack jack 4096 Aug 23  2019 .
drwxr-xr-x 3 root root 4096 Aug 14  2019 ..
-rw------- 1 root root 1476 Aug 14  2019 .bash_history
-rw-r--r-- 1 jack jack  220 Aug 14  2019 .bash_logout
-rw-r--r-- 1 jack jack 3771 Aug 14  2019 .bashrc
drwx------ 2 jack jack 4096 Aug 14  2019 .cache
-rwxrwxrwx 1 jack jack   26 Aug 14  2019 id.sh
drwxrwxr-x 2 jack jack 4096 Aug 14  2019 .nano
-rw-r--r-- 1 jack jack  655 Aug 14  2019 .profile
-rw-r--r-- 1 jack jack    0 Aug 14  2019 .sudo_as_admin_successful
-rw-r--r-- 1 root root   39 Jul 12 01:47 test.txt
-rw-rw-r-- 1 jack jack   33 Aug 14  2019 user.txt
-rw-r--r-- 1 root root  183 Aug 14  2019 .wget-hsts
</code></pre></div></div>

<p>Two things jumped out: <code class="language-plaintext highlighter-rouge">id.sh</code> is world-writable (<code class="language-plaintext highlighter-rouge">rwxrwxrwx</code>), and <code class="language-plaintext highlighter-rouge">test.txt</code> is owned by root with a timestamp from just a few hours ago, not 2019 like everything else. That combination screamed cronjob to me — something running as root, on a schedule, was touching this directory, and <code class="language-plaintext highlighter-rouge">id.sh</code> was fair game to overwrite.</p>

<p>I tested the theory with something simple:</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">echo</span> <span class="s2">"cat /root/root.txt &gt; /home/jack/root_flag.txt"</span> <span class="o">&gt;</span> id.sh
</code></pre></div></div>

<p>I waited for the next run.</p>

<p><img width="718" height="530" alt="image" src="https://github.com/user-attachments/assets/bb235399-eaba-4706-a9b4-cc58e649f3e5" /></p>

<p>Root flag found.</p>

<h2 id="key-takeaways">Key Takeaways</h2>

<table>
  <thead>
    <tr>
      <th>Takeaway</th>
      <th>Explanation</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td><strong>A working exploit isn’t a guaranteed path</strong></td>
      <td>Ghostcat was real and confirmed by Metasploit, but the box just wasn’t giving up files through it. Verify the tool works, then know when to stop forcing it</td>
    </tr>
    <tr>
      <td><strong>Read every message on the page</strong></td>
      <td>A 401 error that displays the exact credentials to use is not subtle. Don’t overlook what’s already handed to you while chasing harder exploits</td>
    </tr>
    <tr>
      <td><strong>Timestamps are a signal</strong></td>
      <td>A file owned by root that was modified minutes ago, sitting next to files from 2019, is a strong hint something is running on a schedule</td>
    </tr>
    <tr>
      <td><strong>World-writable files near root-owned ones = cronjob privesc</strong></td>
      <td><code class="language-plaintext highlighter-rouge">id.sh</code> being <code class="language-plaintext highlighter-rouge">rwxrwxrwx</code> while sitting next to a freshly-touched root file was the giveaway. Always check permissions and timestamps together</td>
    </tr>
  </tbody>
</table>

<p>Thanks for reading. Happy hacking.</p>]]></content><author><name>5odead</name></author><category term="tryhackme" /><category term="thm" /><category term="thompson" /><category term="ghostcat" /><category term="cve-2020-1938" /><category term="apache-tomcat" /><category term="ajp" /><category term="war-shell" /><category term="privilege-escalation" /><category term="cronjob" /><summary type="html"><![CDATA[Step-by-step walkthrough of TryHackMe's Thompson machine: chasing Ghostcat (CVE-2020-1938) down a dead end, stumbling into Tomcat Manager's default credentials, deploying a WAR reverse shell, and exploiting a writable cronjob script for root.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://5odead.github.io/assets/images/og-image.png" /><media:content medium="image" url="https://5odead.github.io/assets/images/og-image.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">How I Solved THM: Startup</title><link href="https://5odead.github.io/thm-startup-walkthrough/" rel="alternate" type="text/html" title="How I Solved THM: Startup" /><published>2026-06-24T00:00:00+00:00</published><updated>2026-06-24T00:00:00+00:00</updated><id>https://5odead.github.io/thm-startup-walkthrough</id><content type="html" xml:base="https://5odead.github.io/thm-startup-walkthrough/"><![CDATA[<p><img width="1626" height="296" alt="TryHackMe Startup machine banner" src="https://github.com/user-attachments/assets/fcbaf3a9-eab2-43a1-8b2e-0fe353f0e9c0" /></p>

<h2 id="disclaimer">Disclaimer</h2>

<p>This walkthrough is for educational purposes only. All activities were performed on legally authorised TryHackMe systems.</p>

<h2 id="initial-reconnaissance">Initial Reconnaissance</h2>

<p>I started with a basic Nmap scan to identify open ports and services:</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-p-</span> <span class="nt">-v</span> &lt;IP&gt;
</code></pre></div></div>

<p>While the scan was running, I decided to check if there was a website running. There was. I checked the source code (Ctrl+U) but found nothing useful, so I moved on to directory enumeration.</p>

<h2 id="directory-enumeration-with-ffuf">Directory Enumeration with ffuf</h2>

<p>I copied the URL and ran <a href="https://github.com/ffuf/ffuf">ffuf</a> against it. You can use dirbuster or gobuster too. I just prefer ffuf because it’s fast.</p>

<blockquote>
  <p><strong>Advice</strong> — Tools don’t matter. What matters is whether you understand what you’re doing. Tools come and go; logic and skill stay.</p>
</blockquote>

<p>The wordlist I used is from <a href="https://github.com/danielmiessler/SecLists">SecLists</a>, specifically <code class="language-plaintext highlighter-rouge">common.txt</code>.</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ffuf <span class="nt">-u</span> http://&lt;IP&gt;/FUZZ <span class="nt">-w</span> common.txt <span class="nt">-t</span> 100
</code></pre></div></div>

<p>Here are the results:</p>

<p><img width="1143" height="645" alt="ffuf results showing /files directory" src="https://github.com/user-attachments/assets/d4ddbcf1-2956-4eb7-bc3c-11646be86333" /></p>

<h2 id="exploring-files">Exploring /files</h2>

<p>There is a <code class="language-plaintext highlighter-rouge">/files</code> directory. I copied the URL and opened it in my browser:</p>

<p><img width="941" height="603" alt="/files directory listing in browser" src="https://github.com/user-attachments/assets/d4d1b88d-9ad1-4933-8565-fc449e68ffa3" /></p>

<p>I opened <code class="language-plaintext highlighter-rouge">notice.txt</code> and spotted a name: <strong>Maya</strong>. Interesting. I checked the other files and directories but nothing stood out. Meanwhile, my Nmap scan finished:</p>

<p><img width="1730" height="216" alt="Nmap scan results" src="https://github.com/user-attachments/assets/5b6ebebd-9427-41e1-bceb-7e769cb24a30" /></p>

<h2 id="digging-into-open-ports">Digging Into Open Ports</h2>

<p><strong>Port 21</strong> is running FTP with anonymous login enabled. I logged in and poked around, but found the same files we already saw in the browser. Nothing new. Time to switch.</p>

<p><strong>Port 22</strong> is running OpenSSH 7.2p2. I went online to look for known vulnerabilities and found <strong>CVE-2016-6210</strong>, an information disclosure vulnerability that lets you check whether a username exists on the target system.</p>

<p><img width="1403" height="700" alt="CVE-2016-6210 exploit details" src="https://github.com/user-attachments/assets/6933e417-b0e7-4a71-8bcd-416759239fa8" /></p>

<p><strong>Exploit:</strong> <a href="https://www.exploit-db.com/exploits/40136">exploit-db.com/exploits/40136</a></p>

<h2 id="cve-2016-6210-rabbit-hole">CVE-2016-6210 Rabbit Hole</h2>

<p>Remember the name we found in <code class="language-plaintext highlighter-rouge">notice.txt</code>? Maya. I thought it could lead somewhere. The plan was simple: confirm the username with this vulnerability, then brute-force my way in.</p>

<p>I fired up Metasploit and found the SSH username enumerator at <code class="language-plaintext highlighter-rouge">scanners/ssh/ssh_enumusers</code>. I set <code class="language-plaintext highlighter-rouge">RHOST</code> as the machine IP and hit run, but got an error straight away. I forgot to set <code class="language-plaintext highlighter-rouge">USERNAME</code>. I set it to Maya, hit run again, and got a false positive error. I then set <code class="language-plaintext highlighter-rouge">CHECK_FALSE</code> to false, hit run again, and it said <strong>USER MAYA FOUND</strong>.</p>

<p><img width="1337" height="603" alt="Metasploit SSH username enumeration result" src="https://github.com/user-attachments/assets/50a3928d-f379-4408-a59a-8aa2e454fcf8" /></p>

<p>Something felt off, so I tried the username <code class="language-plaintext highlighter-rouge">rfvewbfibk</code>. It also came back as <strong>FOUND</strong>. Now I knew something was wrong.</p>

<p>I went online and tried every CVE-2016-6210 exploit I could find. Nothing worked because of a bug in Python’s <code class="language-plaintext highlighter-rouge">paramiko</code> library. I tried Python virtual environments, forcefully installing requirements on main Python, everything. Still nothing.</p>

<p><img width="1689" height="910" alt="CVE-2016-6210 exploit errors in terminal" src="https://github.com/user-attachments/assets/208f47b0-e909-41d7-affc-72a6e4bd1ccb" /></p>

<p>At this point I let Gemini generate a custom exploit for it. I was confident. Hit enter. <strong>MAYA FOUND</strong>. Let’s go.</p>

<p><img width="1450" height="914" alt="AI generated exploit result showing Maya found" src="https://github.com/user-attachments/assets/8de15e1d-3076-47aa-b51a-5210b90096cd" /></p>

<p>I cross-checked it with a random string as the username. Found again. False positives across the board. This time I chose not to fall into the same rabbit hole I did last time, debugging broken code I found online. I stepped back completely. No more SSH. Back to FTP.</p>

<h2 id="the-real-way-in-ftp-write-access">The Real Way In: FTP Write Access</h2>

<p>I started retracing my steps. How did I reach FTP? Did I miss anything? Any bug on the website? Any port I ignored? I read through the Nmap results again and saw it. Here are the results again. Do you see it?</p>

<p><img width="1403" height="575" alt="Nmap scan showing FTP directory is writable" src="https://github.com/user-attachments/assets/f25f7207-4e23-4841-bcdd-354a781fae5b" /></p>

<p><strong>The FTP directory is writable.</strong></p>

<p>I logged back into FTP and uploaded two files to the <code class="language-plaintext highlighter-rouge">/files/ftp</code> directory:</p>

<ul>
  <li><code class="language-plaintext highlighter-rouge">linpeas.sh</code></li>
  <li>A <a href="https://github.com/pentestmonkey/php-reverse-shell">Pentest Monkey PHP reverse shell</a></li>
</ul>

<p>I was confident PHP was installed since this was a web server. I started a Netcat listener, opened the browser, and clicked <code class="language-plaintext highlighter-rouge">payload.php</code>.</p>

<p><img width="1362" height="659" alt="Successful reverse shell connection in terminal" src="https://github.com/user-attachments/assets/2009792e-eeff-47ee-9e79-569e006f0bd8" /></p>

<p><strong>And I was in.</strong> Successful reverse shell. I navigated to the FTP directory and ran LinPEAS.</p>

<p><img width="1061" height="401" alt="LinPEAS output highlighting /incidents directory" src="https://github.com/user-attachments/assets/1fa62f3d-80ac-4053-a6d1-fb455ca18843" /></p>

<h2 id="finding-credentials-in-a-pcap">Finding Credentials in a PCAP</h2>

<p>If you know what a Linux file system normally looks like, you will spot it immediately. There is an <code class="language-plaintext highlighter-rouge">/incidents</code> directory. That is not standard. I checked it and found a file called <code class="language-plaintext highlighter-rouge">suspicious.pcapng</code>. I downloaded it to my machine and opened it in Wireshark.</p>

<p><img width="1919" height="1060" alt="suspicious.pcapng opened in Wireshark" src="https://github.com/user-attachments/assets/74a50856-a35d-4e8a-8cd9-f2c2f255535b" /></p>

<p>Lots going on. I tried filtering HTTP packets first but found nothing useful. I tried searching for passwords as strings but still nothing. Finally, I followed the TCP stream and that is where it all was.</p>

<p><img width="1920" height="1040" alt="TCP stream in Wireshark showing plaintext credentials" src="https://github.com/user-attachments/assets/7a2e3b6f-f26f-4c96-a896-931207fa09be" /></p>

<p>There is a user named <strong>Lennie</strong>, and her password was captured in plaintext. I copied it and SSHed in immediately. User flag found.</p>

<p><img width="1740" height="747" alt="SSH login as Lennie and user flag" src="https://github.com/user-attachments/assets/66791986-0eb8-4e47-ad9f-20ef9e4dd19c" /></p>

<h2 id="privilege-escalation-writable-cronjob-script">Privilege Escalation: Writable Cronjob Script</h2>

<p>Time to get the root flag. I explored Lennie’s files and a <code class="language-plaintext highlighter-rouge">scripts</code> folder caught my eye. Inside it was a script called <code class="language-plaintext highlighter-rouge">planner.sh</code>. I opened it and saw it executes another script at an unusual path: <code class="language-plaintext highlighter-rouge">/etc/print.sh</code>. That screamed cronjob to me.</p>

<p><img width="541" height="270" alt="planner.sh script contents showing /etc/print.sh" src="https://github.com/user-attachments/assets/6a218c9b-4c8e-4993-897f-7bd65639d1b0" /></p>

<p>I added a Bash reverse shell line to <code class="language-plaintext highlighter-rouge">/etc/print.sh</code>, saved it, and started a Netcat listener. About a minute later, the shell came back. Root flag found.</p>

<p><img width="1886" height="1012" alt="Root shell and root flag" src="https://github.com/user-attachments/assets/dabc91b9-4091-4ac7-904f-88caf4e086b2" /></p>

<h2 id="key-takeaways">Key Takeaways</h2>

<table>
  <thead>
    <tr>
      <th>Takeaway</th>
      <th>Explanation</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td><strong>Check FTP write permissions</strong></td>
      <td>Anonymous FTP login is suspicious on its own. Writable FTP plus a web server is a direct path to a reverse shell</td>
    </tr>
    <tr>
      <td><strong>Know when to move on</strong></td>
      <td>I wasted time on CVE-2016-6210 when every result was a false positive. If the tool is giving nonsense output, the tool is broken</td>
    </tr>
    <tr>
      <td><strong>Non-standard directories are a signal</strong></td>
      <td><code class="language-plaintext highlighter-rouge">/incidents</code> does not belong in a normal Linux file system. When something looks out of place, check it</td>
    </tr>
    <tr>
      <td><strong>Cronjobs run as root</strong></td>
      <td>A script executed by root that a low-privilege user can write to is game over. Always check scripts being called by other scripts</td>
    </tr>
  </tbody>
</table>

<p>Thanks for reading. Happy hacking.</p>]]></content><author><name>5odead</name></author><category term="tryhackme" /><category term="thm" /><category term="startup" /><category term="ffuf" /><category term="directory-enumeration" /><category term="ftp" /><category term="reverse-shell" /><category term="privilege-escalation" /><category term="cronjob" /><summary type="html"><![CDATA[Step-by-step walkthrough of TryHackMe's Startup machine: directory enumeration with ffuf, uploading a PHP reverse shell via FTP, extracting SSH credentials from a pcap file, and exploiting a writable cronjob script for root access.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://5odead.github.io/assets/images/thmstartup.png" /><media:content medium="image" url="https://5odead.github.io/assets/images/thmstartup.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">How I Solved HTB: Cap Machine</title><link href="https://5odead.github.io/htb-cap-machine-walkthrough/" rel="alternate" type="text/html" title="How I Solved HTB: Cap Machine" /><published>2026-06-14T00:00:00+00:00</published><updated>2026-06-15T00:00:00+00:00</updated><id>https://5odead.github.io/htb-cap-machine-walkthrough</id><content type="html" xml:base="https://5odead.github.io/htb-cap-machine-walkthrough/"><![CDATA[<p><img src="/assets/images/htbcap.png" alt="Hack The Box Cap machine dashboard" /></p>

<h2 id="disclaimer">Disclaimer</h2>

<p>This walkthrough is for educational purposes only. All activities were performed on legally authorised Hack The Box systems.</p>

<h2 id="initial-reconnaissance">Initial Reconnaissance</h2>

<p>I started with a basic Nmap scan to identify open ports and services:</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap <span class="nt">-sC</span> <span class="nt">-p-</span> 10.129.3.175
</code></pre></div></div>

<p>While the scan was running, I checked if there was a website. Yes—there was a security dashboard running. I explored the site, read source code from different pages, tried logging out, but found nothing useful.</p>

<p>The most interesting page let users download a <code class="language-plaintext highlighter-rouge">.pcap</code> capture file.</p>

<p><img width="1640" height="701" alt="Screenshot_20260614_094248" src="https://github.com/user-attachments/assets/e69adf3f-bb31-429b-b96f-07b8d37065d6" /></p>

<h2 id="pcap-download-page--idor-vulnerability">.pcap Download Page → IDOR Vulnerability</h2>

<p>I downloaded the file and checked for something valuable, but found nothing. Then I noticed the URL and experimented with it:</p>

<ul>
  <li>Changing the value to <code class="language-plaintext highlighter-rouge">10</code> → nothing changed</li>
  <li>Changing it to <code class="language-plaintext highlighter-rouge">0</code> → <strong>access to another user’s capture data</strong></li>
</ul>

<p>This is a classic <strong>IDOR (Insecure Direct Object Reference)</strong> vulnerability.</p>

<p>I downloaded the other user’s <code class="language-plaintext highlighter-rouge">.pcap</code> file and analysed it in Wireshark. After scrolling through the traffic, I found the username and password transmitted in plaintext.</p>

<p><img width="1912" height="963" alt="image" src="https://github.com/user-attachments/assets/2031eb0f-263f-49d2-9ba8-764b0af61c65" /></p>

<h2 id="credentials-extracted-from-pcap">Credentials Extracted from PCAP</h2>

<p>The protocol used was <strong>FTP</strong>. I checked my Nmap results (better image attached since I lost the original screenshot):</p>

<p><img width="719" height="142" alt="Screenshot_20260614_124343" src="https://github.com/user-attachments/assets/b0ab3f48-de97-41a0-bb25-52bdb3ab3e6c" /></p>

<p><strong>Open Ports:</strong> (FTP was one of them)</p>

<p>I logged in using the FTP credentials from Wireshark, and <strong>YEAH I WAS IN</strong>. I checked the user file and found the flag.</p>

<p><img width="1325" height="645" alt="image" src="https://github.com/user-attachments/assets/99ea3b13-c445-44e7-ba89-ac3008f31400" /></p>

<h2 id="privilege-escalation">Privilege Escalation</h2>

<p>Now I needed the root flag. I used <strong>Linpeas</strong>, a privilege escalation script:</p>

<ul>
  <li><strong>GitHub:</strong> <a href="https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS">PEASS-ng/linPEAS</a></li>
  <li><strong>Official Website:</strong> <a href="https://linpeas.org/">linpeas.org</a> — tons of free resources</li>
</ul>

<p>I tried uploading it via FTP, but it failed due to a permission error.</p>

<p><img width="1395" height="499" alt="Screenshot_20260614_095146" src="https://github.com/user-attachments/assets/23b6d696-e876-43f0-880e-ab63626d31ea" /></p>

<p>Instead, I transferred the script over <strong>SSH</strong> and ran it from there. LinPEAS ran successfully and returned its findings.</p>

<p><img width="1908" height="823" alt="Screenshot_20260614_105002" src="https://github.com/user-attachments/assets/2708a769-cb83-4b14-964f-dc1e1f165e70" /></p>

<h2 id="linpeas-output--cve-20213156">LinPEAS Output → CVE-2021–3156</h2>

<p>LinPEAS flagged <strong>CVE-2021–3156</strong>. I started reading about it and was confident it would work (I was so wrong).</p>

<h3 id="what-is-cve-20213156">What is CVE-2021–3156?</h3>

<p>Also known as <strong>Baron Samedit</strong>, it’s a heap-based buffer overflow in <code class="language-plaintext highlighter-rouge">sudo</code>:</p>

<ul>
  <li>Privilege-escalation bug in sudo</li>
  <li>Once you have local access, you can compromise the entire system</li>
  <li>Particularly serious since it’s in sudo</li>
</ul>

<p><strong>How it works:</strong></p>
<ol>
  <li>When you run <code class="language-plaintext highlighter-rouge">sudo</code> in shell mode, it allocates memory to process your command</li>
  <li>You give input ending with a single backslash (<code class="language-plaintext highlighter-rouge">\</code>)</li>
  <li><code class="language-plaintext highlighter-rouge">sudo</code> reads the backslash and skips to the next character, jumping over the “null terminator” (stop sign for text end)</li>
  <li>Missing the stop sign, <code class="language-plaintext highlighter-rouge">sudo</code> blindly copies data past its boundaries into neighbouring memory blocks</li>
  <li>This overwrites sudo’s internal settings, tricking the system into running malicious code with root privileges</li>
</ol>

<p>I found an exploit online offering <strong>C</strong> and <strong>Python</strong> versions (in case C fails):</p>

<p><strong>GitHub:</strong> <a href="https://github.com/worawit/CVE-2021-3156/">worawit/CVE-2021-3156</a></p>

<p>I ran the C version first since the system met the requirements:</p>

<p><img width="1330" height="224" alt="image" src="https://github.com/user-attachments/assets/888a6920-a714-40ee-a674-1f9fb2580739" /></p>

<p>File successfully compiled. Let’s go. Now let’s run it.</p>

<p><img width="1470" height="411" alt="Screenshot_20260614_111129" src="https://github.com/user-attachments/assets/18e77b2e-e5b3-44a5-af60-2aa3a33769d9" /></p>

<p><strong>It failed.</strong> Why? This exploit needs to write to <code class="language-plaintext highlighter-rouge">/etc/passwd</code> in a tiny window (milliseconds). The default timing (4000ms) wasn’t right. I tried:</p>

<ul>
  <li><code class="language-plaintext highlighter-rouge">2000</code> (faster) → failed</li>
  <li><code class="language-plaintext highlighter-rouge">5000</code> (slower) → failed</li>
</ul>

<p>All timings failed.</p>

<p><img width="1100" height="221" alt="1_jHysF6j-md4JYGYeKOwAUQ" src="https://github.com/user-attachments/assets/686471cc-e0cc-462e-8449-c5d934824a62" /></p>

<p>I switched to the Python version &amp; Here’s what happened</p>

<p><img width="1330" height="190" alt="image" src="https://github.com/user-attachments/assets/e2b1609d-91f9-44fd-82b8-080034f00d94" /></p>

<p>The exploit says the vulnerability is patched. Now I had a choice:
Either I debug further why the exploits aren’t working, or I look for another vulnerability because</p>

<ul>
  <li><b> C exploit (race condition) </b> — compiled fine, but race timing failed</li>
  <li><b> Python exploit (heap manipulation) </b> — says target is patched</li>
</ul>

<p>I decided not to waste time going deeper into the rabbit hole and started looking for another vulnerability.</p>

<h2 id="the-real-vulnerability-python-cap_setuid-misconfiguration">The Real Vulnerability: Python cap_setuid Misconfiguration</h2>

<p>Five minutes of re-reading the LinPEAS output, I spotted what I missed the first time
Python had the <code class="language-plaintext highlighter-rouge">cap_setuid</code> capability set.
This is a Linux capability to change your User ID to 0 (System ID / Root).</p>

<h3 id="the-exploit-code">The Exploit Code</h3>

<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">os</span>
<span class="n">os</span><span class="p">.</span><span class="n">setuid</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
<span class="n">os</span><span class="p">.</span><span class="n">system</span><span class="p">(</span><span class="s">'/bin/bash'</span><span class="p">)</span>
</code></pre></div></div>

<p>Running this gave me a <strong>root shell</strong>, and I found the root flag.</p>

<p><img width="1607" height="536" alt="image" src="https://github.com/user-attachments/assets/7be978d4-b49f-49c5-af14-002d1e8931f8" /></p>

<h2 id="key-takeaways">Key Takeaways</h2>

<table>
  <thead>
    <tr>
      <th>Takeaway</th>
      <th>Explanation</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td><strong>IDOR via URL manipulation</strong></td>
      <td>Always test numeric parameters at boundaries (0, -1, sequential IDs)</td>
    </tr>
    <tr>
      <td><strong>Know when to move on</strong></td>
      <td>Spending too long on a failed CVE exploit is a common time sink. If it’s patched, it’s patched</td>
    </tr>
    <tr>
      <td><strong>Linux capabilities = dangerous as SUID</strong></td>
      <td><code class="language-plaintext highlighter-rouge">cap_setuid</code> on Python = instant root shell. Read your LinPEAS output carefully</td>
    </tr>
  </tbody>
</table>

<p>Thanks for reading. Happy hacking.</p>]]></content><author><name>5odead</name></author><category term="hackingthebox" /><category term="htb" /><category term="cap" /><category term="idor" /><category term="privilege-escalation" /><category term="python-capsetuid" /><summary type="html"><![CDATA[Step-by-step walkthrough of Hack The Box's Cap machine: discovering IDOR via pcap download, extracting FTP credentials from Wireshark, attempting CVE-2021-3156 (Baron Samedit), and exploiting Python's cap_setuid capability for root access.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://5odead.github.io/assets/images/htbcap.png" /><media:content medium="image" url="https://5odead.github.io/assets/images/htbcap.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">OverTheWire Natas: Levels 0–10 Walkthrough</title><link href="https://5odead.github.io/overthewire-natas-0-10-walkthrough/" rel="alternate" type="text/html" title="OverTheWire Natas: Levels 0–10 Walkthrough" /><published>2026-05-26T00:00:00+00:00</published><updated>2026-06-15T00:00:00+00:00</updated><id>https://5odead.github.io/overthewire-natas-0-10-walkthrough</id><content type="html" xml:base="https://5odead.github.io/overthewire-natas-0-10-walkthrough/"><![CDATA[<h1 id="overthewire-natas-levels-010-walkthrough">OverTheWire Natas: Levels 0–10 Walkthrough</h1>

<p>OverTheWire’s Natas wargame is a series of web security challenges that teach server-side vulnerabilities.</p>

<h2 id="prerequisites">Prerequisites</h2>

<p>What you should know:</p>

<ul>
  <li>Basic HTML/CSS structure</li>
  <li>How to use browser developer tools</li>
  <li>Basic command line usage</li>
  <li>Understanding of HTTP requests (helpful but not required)</li>
</ul>

<p>Tools you’ll need:</p>

<ul>
  <li>A web browser (I used Chrome/Firefox)</li>
  <li><a href="https://portswigger.net/burp/communitydownload">Burp Suite Community Edition</a> (for intercepting HTTP requests)</li>
  <li>Python 3 (for decoding in Level 8)</li>
  <li>A text editor or terminal for running quick scripts</li>
</ul>

<h2 id="natas-level-0">Natas Level 0</h2>

<p>Authentication Credentials:<br />
Username: natas0<br />
Password: natas0<br />
URL: http://natas0.natas.labs.overthewire.org</p>

<p>Upon visiting the website, we are asked for a username &amp; password, which we already have, so we enter them as given.</p>

<p><img width="1918" height="911" alt="Screenshot_20260523_120931" src="https://github.com/user-attachments/assets/6e6a94ed-0fea-4601-a71c-0dde428148f3" /></p>

<p>After logging in, we see this page. There’s nothing here except a ‘Submit token’ button, which takes us outside the scope, so let’s check the source. On hitting Ctrl + U (View Source), we can see the password in line 16.</p>

<p><img width="800" height="380" alt="0_o7CA7kPQeXyq9rdE" src="https://github.com/user-attachments/assets/f8841fdf-1572-4b37-a262-ea2b6e2787b2" /></p>

<h2 id="natas-level-0--level-1">Natas Level 0 → Level 1</h2>

<p>Authentication Credentials:<br />
Username: natas1<br />
URL: http://natas1.natas.labs.overthewire.org</p>

<p>Upon visiting the website, we are asked for Username &amp; Password. We use the provided username and the password we got from the previous level. After logging in, we see this page.</p>

<p><img width="1918" height="905" alt="Screenshot_20260523_122135" src="https://github.com/user-attachments/assets/a98f4a73-e77f-4bf0-87af-4e780ea3fa30" /></p>

<p>Right-click is blocked on this page, but since we know shortcuts, we don’t need to worry. You can use any of the following:</p>

<p>Alternative methods to access developer tools:</p>

<ul>
  <li>Ctrl + Shift + I : Opens the browser’s Inspect Element panel</li>
  <li>Ctrl + U : Displays the page source in a new tab</li>
</ul>

<p><img width="3840" height="1814" alt="Screenshot_20260523_122635" src="https://github.com/user-attachments/assets/60fc3262-49cc-4f92-95ce-a893fce82292" /></p>

<p>I used Inspect Element, and on Line 17, we can see the password.</p>

<p>Pro tip: For complex websites with extensive code, use Ctrl + Shift + I rather than Ctrl + U. The Inspect Element panel allows you to collapse and expand code blocks, making navigation much easier.</p>

<h2 id="natas-level-1--level-2">Natas Level 1 → Level 2</h2>

<p>Authentication Credentials:<br />
Username: natas2<br />
URL: http://natas2.natas.labs.overthewire.org</p>

<p>Upon visiting the website, we are asked for username &amp; password. We use the provided username and the password we got from the previous level. After logging in, we see this page.</p>

<p><img width="1920" height="391" alt="Screenshot_20260523_123504" src="https://github.com/user-attachments/assets/ddbd09a5-aa05-42bb-a921-82d350b37828" /></p>

<p>Nothing again, so I view the source.</p>

<p><img width="1920" height="541" alt="Screenshot_20260523_123640" src="https://github.com/user-attachments/assets/15969e5a-67c6-4f00-bee2-b42610648f6a" /></p>

<p>On Line 15, there’s a PNG image attached, so I clicked the image, and it was just a blank image. I thought this might have to do with image steganography, so I downloaded the image and decided to check for Exif information (metadata), but found nothing until I realized this entire challenge is related to web security, not image steganography. I went a step back and decided to see the source of the image, but found nothing. Then I went back one more step, and something caught my eye.</p>

<p>Can you see it? Take a guess.</p>

<p>We have the full file path of the image. I quickly reopened the image and removed the image portion from the link.</p>

<p>From:<br />
http://natas2.natas.labs.overthewire.org/files/pixel.png</p>

<p>To:<br />
http://natas2.natas.labs.overthewire.org/files/</p>

<p><img width="1031" height="498" alt="Screenshot_20260523_125444" src="https://github.com/user-attachments/assets/4d7650cf-89f0-4ae3-a0c3-b53192996436" /></p>

<p>I clicked the users.txt (http://natas2.natas.labs.overthewire.org/files/users.txt) and got the password.</p>

<p><img width="1774" height="644" alt="Screenshot_20260523_125619" src="https://github.com/user-attachments/assets/68dc6216-c4df-4693-9248-06149b24cccf" /></p>

<h2 id="natas-level-2--level-3">Natas Level 2 → Level 3</h2>

<p>Authentication Credentials:<br />
Username: natas3<br />
URL: http://natas3.natas.labs.overthewire.org</p>

<p>Nothing on the page, no password or image in the source code, but there’s a hint. Line 3 says:</p>

<p><i> This stuff in the header has nothing to do with the level </i></p>

<p>I fired up Burp Suite, checked the headers, and found nothing. I was confused. I went a step back and read the source code, and read Line 15, which I had ignored previously.</p>

<p><i> No more information leaks!! Not even Google will find it this time… </i></p>

<p>“Not even Google will find it this time” Hmmm, why can’t Google find it? What could it be? What is something on a website that Google can’t find?</p>

<p>Thought about it for a minute, then it clicked in my mind: robots.txt. That’s something Google can’t index. I fixed the link:</p>

<p>From:<br />
http://natas3.natas.labs.overthewire.org/</p>

<p>To:<br />
http://natas3.natas.labs.overthewire.org/robots.txt</p>

<p><img width="926" height="265" alt="Screenshot_20260523_132713" src="https://github.com/user-attachments/assets/fcc81a91-788c-44fc-8686-002dfa9464a5" /></p>

<p>We got it. The robots.txt is disallowing the /s3cr3t folder. Time to check it out, I changed the link again.</p>

<p>From:<br />
http://natas3.natas.labs.overthewire.org/robots.txt</p>

<p>To:<br />
http://natas3.natas.labs.overthewire.org/s3cr3t/</p>

<p><img width="787" height="465" alt="Screenshot_20260523_132848" src="https://github.com/user-attachments/assets/56681542-4d15-4b05-a92c-608cf276919b" /></p>

<p>I clicked the users.txt (http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt) and got the password.</p>

<p><img width="1856" height="544" alt="Screenshot_20260523_133115" src="https://github.com/user-attachments/assets/87904430-1692-4964-aa2c-9f766734e47d" /></p>

<h2 id="natas-level-3--level-4">Natas Level 3 → Level 4</h2>

<p>Authentication Credentials:<br />
Username: natas4<br />
URL: http://natas4.natas.labs.overthewire.org</p>

<p><img width="1912" height="686" alt="Screenshot_20260525_125516" src="https://github.com/user-attachments/assets/772041e5-af3c-468c-ac85-9bdbcd82290c" /></p>

<p>The website says Access Disallowed and gives us a hint. I load up Burp Suite and see the request over there, but I see nothing. Then I click the Refresh Page button provided on the site, and I see it.</p>

<p><img width="983" height="481" alt="Screenshot_20260525_125928" src="https://github.com/user-attachments/assets/120bb46d-3713-4450-9511-a0ac6f9313dc" /></p>

<p>This is an example of Referer-based access control. The site is checking if the request came from http://natas5.natas.labs.overthewire.org/ or not. We change the Referer part in the request.</p>

<p>From:<br />
http://natas4.natas.labs.overthewire.org/</p>

<p>To:<br />
http://natas5.natas.labs.overthewire.org/</p>

<p>Then we get the response we wanted. Check Line 24.</p>

<p><img width="3160" height="942" alt="Screenshot_20260525_130356" src="https://github.com/user-attachments/assets/dbd1d9eb-bb57-42ea-b1ea-f4b62988db33" /></p>

<h2 id="natas-level-4--level-5">Natas Level 4 → Level 5</h2>

<p>Authentication Credentials:<br />
Username: natas5<br />
URL: http://natas5.natas.labs.overthewire.org</p>

<p>Upon entering the username and password, we are greeted with this page. I checked the source code, and I see nothing.</p>

<p><img width="1920" height="906" alt="Screenshot_20260525_130825" src="https://github.com/user-attachments/assets/1c3e95aa-e3f3-432b-9581-4f00d6a80da1" /></p>

<p>I open Burp Suite, send the Request to the repeater and take a look at it, then I see it.</p>

<p><img width="973" height="476" alt="Screenshot_20260525_132819" src="https://github.com/user-attachments/assets/ade6204e-c96b-4ef4-be0d-dfb4dbe8e121" /></p>

<p>Line 12 gives away the answer:</p>

<p><i> Cookie: loggedin=0 </i></p>

<p>Cookie here means the login status, and it is set to 0, which means False, so I changed it.</p>

<p>From:<br />
<i> Cookie: loggedin=0 </i></p>

<p>To:<br />
<i> Cookie: loggedin=1 </i></p>

<p>Then I sent the request and got the password in response.</p>

<p><img width="3094" height="1744" alt="Screenshot_20260525_133455" src="https://github.com/user-attachments/assets/79cc609e-0a9f-4677-8659-708b1b0056bd" /></p>

<h2 id="natas-level-5--level-6">Natas Level 5 → Level 6</h2>

<p>Authentication Credentials:<br />
Username: natas6<br />
URL: https://natas6.natas.labs.overthewire.org</p>

<p>The page asks for a secret and includes a View Source Code button.</p>

<p><img width="1452" height="445" alt="Screenshot_20260526_144001" src="https://github.com/user-attachments/assets/a86ef2b5-14c3-4842-9d09-504580eeb6d9" /></p>

<p>I click the View Source Code button, and we can see the following code.</p>

<p><img width="1470" height="917" alt="Screenshot_20260526_144300" src="https://github.com/user-attachments/assets/c721a588-2b39-4f38-9523-764ac0e97fd6" /></p>

<p>Here we can see the PHP code of how authentication works. The script is importing an external file called secret.inc, so I quickly copied the path of the file and pasted it in the URL.</p>

<p>From:<br />
http://natas6.natas.labs.overthewire.org/index-source.html</p>

<p>To:<br />
http://natas6.natas.labs.overthewire.org/includes/secret.inc</p>

<p>Here we can see the secret.</p>

<p><img width="1826" height="490" alt="Screenshot_20260526_144716" src="https://github.com/user-attachments/assets/2ce82bae-8cc3-424f-bf74-0d4e3fe8d616" /></p>

<p>Now, upon entering this secret in the input field, we will get the password.</p>

<p><img width="1548" height="427" alt="image" src="https://github.com/user-attachments/assets/6baff176-767e-4268-bb24-efa71c2ad030" /></p>

<h2 id="natas-level-6--level-7">Natas Level 6 → Level 7</h2>

<p>Authentication Credentials:<br />
Username: natas7<br />
URL: http://natas7.natas.labs.overthewire.org</p>

<p>After logging in, I see this.</p>

<p><img width="1412" height="323" alt="Screenshot_20260526_150638" src="https://github.com/user-attachments/assets/4c6957e6-d533-4281-9c6a-2fbbff1bb91f" /></p>

<p>I click the Home Button and see its source (Ctrl + U). Line 21 gives us a clear hint:</p>

<p><img width="1538" height="627" alt="Screenshot_20260526_150745" src="https://github.com/user-attachments/assets/9189e87a-3df6-41d0-ba4c-718ce203c902" /></p>

<p><i> – hint: password for webuser natas8 is in /etc/natas_webpass/natas8 –&gt; </i></p>

<p>I changed the URL</p>

<p>From:<br />
<i> view-source:http://natas7.natas.labs.overthewire.org/index.php?page=home </i></p>

<p>To:<br />
<i> view-source:http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8 </i></p>

<p><img width="1501" height="736" alt="image" src="https://github.com/user-attachments/assets/5c87a751-f185-4728-ac12-215f12199f84" /></p>

<p>Now, we have the password to move further.</p>

<h2 id="natas-level-7--level-8">Natas Level 7 → Level 8</h2>

<p>Authentication Credentials:<br />
Username: natas9<br />
URL: http://natas9.natas.labs.overthewire.org</p>

<p>We see this when logging in, I quickly press the View source code button given on the site.
<img width="1437" height="680" alt="Screenshot_20260526_152018" src="https://github.com/user-attachments/assets/a43bd7fc-7bac-4be6-8fd3-578aafcae861" /></p>

<p>The site’s source code looks like this. We can see a PHP script embedded in it. Let’s understand it.</p>

<p><img width="1498" height="951" alt="Screenshot_20260526_151955" src="https://github.com/user-attachments/assets/7051a6bd-44d0-428b-adb6-4418a2d8e65f" /></p>

<p>Code Explanation:</p>

<ul>
  <li>There’s a variable called encodedSecret that stores some value.</li>
  <li>There’s a function called encodeSecret() which takes the value of a variable called secret (not encodedSecret, don’t confuse it with the previous step’s variable). The secret value gets encoded in Base64, then it gets reversed, and at last it gets converted to Hexadecimal. This function just exists; it’s not being executed yet.</li>
  <li>The script checks if the user has clicked the submit button.</li>
  <li>If not clicked, then do nothing.</li>
  <li>If clicked, then take the value entered by the user, then pass it to the encodeSecret() function (STEP 2), where it gets converted.</li>
  <li>Compare the final converted output to the encodedSecret variable (STEP 1). If they match, then print Access Granted.</li>
</ul>

<p>Now that we have understood the code, let’s reverse it. To reverse it, we have to do the following:</p>

<ol>
  <li>Convert the hex back to a string.</li>
  <li>Reverse the string.</li>
  <li>Decode the string from Base64 to its original value.</li>
</ol>

<p>Instead of manually decoding all these strings online, I have written a small code for it in Python:</p>

<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">python3</span> <span class="o">-</span><span class="n">c</span> <span class="s">'import base64, binascii; print(base64.b64decode(binascii.unhexlify("3d3d516343746d4d6d6c315669563362")[::-1]).decode())'</span>
</code></pre></div></div>

<p>This will give us the decoded secret, which is <i>oubWYf2kBq</i>. Now enter it as the secret and hit the submit button. You will get the password.</p>

<p><img width="1472" height="595" alt="image" src="https://github.com/user-attachments/assets/de64dc1e-2501-4d4c-9af1-11aa7cf456c4" /></p>

<h2 id="natas-level-8--level-9">Natas Level 8 → Level 9</h2>

<p>Authentication Credentials:<br />
Username: natas9<br />
URL: http://natas9.natas.labs.overthewire.org</p>

<p>After authenticating, we see this input field on the site. I decide to click the View source code button on the page.</p>

<p><img width="1430" height="420" alt="Screenshot_20260526_172632" src="https://github.com/user-attachments/assets/5309c38d-4ba6-4aa1-9d67-2a0b199fbec0" /></p>

<p>An embedded PHP script that makes a query via passthru. Interesting!</p>

<p><img width="1482" height="888" alt="Screenshot_20260526_172759" src="https://github.com/user-attachments/assets/1c379d08-4f64-4483-86ab-62415b028fbc" /></p>

<p>Passthru is used to execute system commands. This script takes input from the user and directly gets it executed through passthru; there’s no input sanitisation, so let’s test if we can chain commands in it.</p>

<p><img width="1401" height="557" alt="Screenshot_20260526_173146" src="https://github.com/user-attachments/assets/c3cb8c53-777e-4f23-82d5-ed75be8ca915" /></p>

<p>Command chaining means executing multiple commands in a single line using special operators. Here I used a semicolon to chain and put pwd to check if it’s working — and it worked. The command pwd prints the working directory, so now we can see where we are at right now. Let’s exploit this vulnerability now.</p>

<p>In level 7, the password was stored in /etc/natas_webpass/natas8, so I decided to check if the same folder exists or not.</p>

<p><img width="1668" height="882" alt="Screenshot_20260526_173623" src="https://github.com/user-attachments/assets/da671162-3e7f-4f4f-bc72-47b8d55bc475" /></p>

<p>Found it. Now we know where our password can be, so I tried this:</p>

<div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>;cat /etc/natas_webpass/natas10
</code></pre></div></div>

<p>and got the password.</p>

<p><img width="1596" height="962" alt="image" src="https://github.com/user-attachments/assets/6f3a451b-e827-4e4f-9e57-5d0b135923b9" /></p>

<h2 id="natas-level-9--level-10">Natas Level 9 → Level 10</h2>

<p>Authentication Credentials:<br />
Username: natas10<br />
URL: http://natas10.natas.labs.overthewire.org</p>

<p>Enter the username provided &amp; password from the previous level. 
<img width="1406" height="501" alt="Screenshot_20260526_173951" src="https://github.com/user-attachments/assets/7917e339-a00a-4dec-8bfd-2f197c9f0607" /></p>

<p>Click View Source Code.</p>

<p><img width="1355" height="932" alt="Screenshot_20260526_174042" src="https://github.com/user-attachments/assets/76280246-a161-4173-ab61-a942f7c4c57e" /></p>

<p>Hmm, they seem to have added input sanitisation now, but they missed one thing — they still use passthru. We can’t chain commands, but we can manipulate grep to do the work for us. We can do this by putting:</p>

<div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.* /etc/natas_webpass/natas11
</code></pre></div></div>

<p>as input, what this does is tell grep to read everything.</p>

<p><img width="1640" height="842" alt="image" src="https://github.com/user-attachments/assets/5ea9c373-cb91-4b55-ba86-c5ad6634f564" /></p>

<p>We got the password.</p>

<p>That is it for this walkthrough, I will upload the walkthrough of the next levels in the next write-up. Till then. Keep Hacking</p>]]></content><author><name>5odead</name></author><category term="web" /><category term="sqli" /><category term="natas" /><category term="overthewire" /><summary type="html"><![CDATA[Step-by-step walkthrough of OverTheWire's Natas wargame levels 0–10: source code disclosure, file inclusion, referer manipulation, cookie tampering, file path traversal, base64 reversal, command injection, and grep manipulation.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://5odead.github.io/assets/images/Overthewire.png" /><media:content medium="image" url="https://5odead.github.io/assets/images/Overthewire.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">Keylogging: A Practical Approach</title><link href="https://5odead.github.io/trevent-keylogger-stealth/" rel="alternate" type="text/html" title="Keylogging: A Practical Approach" /><published>2025-04-14T00:00:00+00:00</published><updated>2026-06-15T00:00:00+00:00</updated><id>https://5odead.github.io/trevent-keylogger-stealth</id><content type="html" xml:base="https://5odead.github.io/trevent-keylogger-stealth/"><![CDATA[<p>A practical walkthrough of building a keylogger on Linux that actually works—switching from pynput to evdev, exfiltrating via Telegram Bot API, storing logs in volatile /dev/shm, and naming files to mimic system processes.</p>

<p><img src="/assets/images/keylogger-linux-cover.png" alt="Diagram of keylogger flow: evdev → /dev/shm log → Telegram Bot API" /></p>

<h2 id="what-is-a-keylogger">What is a Keylogger?</h2>

<p>A keylogger is a software or hardware tool that records your keystrokes as you type. It’s often used for malicious purposes. There are two main types:</p>

<table>
  <thead>
    <tr>
      <th>Type</th>
      <th>Description</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Software Keylogger</td>
      <td>Runs as a program or process on a system</td>
    </tr>
    <tr>
      <td>Hardware Keylogger</td>
      <td>Physical device installed on a motherboard or between keyboard and computer</td>
    </tr>
  </tbody>
</table>

<blockquote>
  <p>⚠️ <strong>Disclaimer</strong>: This post is intended for educational and cybersecurity research purposes only. The techniques and code discussed are designed for controlled testing on systems you own or have explicit permission to work on. Unauthorized use of keyloggers is illegal and unethical. The author does not take responsibility for any misuse.</p>
</blockquote>

<h2 id="initial-attempts">Initial Attempts</h2>

<p>Recently, I wanted to test a keylogger on my own device to understand how it works, so I convinced ChatGPT to help me write one in Python. I ran the script, but it didn’t record any keystrokes.</p>

<p>After digging, I discovered the problem: the <strong>pynput</strong> library—a popular Python module for capturing keyboard events—doesn’t work properly with the <strong>Wayland</strong> display server. I tried debugging, but ran into another issue related to my desktop environment. I use <strong>KDE Plasma</strong>, and I wasn’t switching DEs just because of one error.</p>

<p>Looking for alternatives, I searched “keylogger linux download” on Google and found GitHub repositories. I picked one, cloned the repo, followed the README—and it failed again. I checked the code and spotted <strong>pynput</strong> being used there too. I made tweaks, still no luck. Frustrated, I <code class="language-plaintext highlighter-rouge">sudo rm -rf</code>ed it.</p>

<blockquote>
  <p>(<code class="language-plaintext highlighter-rouge">sudo rm -rf</code>: Forcefully delete a directory and its content)</p>
</blockquote>

<p>Cloned a new repo with new code and libraries—but the same compatibility issue. The project hadn’t been maintained for years. I gave up on others’ solutions and decided to write my own keylogger from scratch.</p>

<h2 id="design-overview">Design Overview</h2>

<p>I outlined the basic features I wanted, focusing on core elements for an intermediate-level keylogger:</p>

<h3 id="keystroke-logging">Keystroke Logging</h3>
<p>I decided to use <strong>pynput</strong> because I was determined to get it running—and it’s the easiest to use.</p>

<h3 id="remote-access--exfiltration">Remote Access &amp; Exfiltration</h3>
<p>This was the most challenging part. Thinking from a <strong>SOC Team</strong> perspective, I wanted to exfiltrate data without triggering an <strong>IPS (Intrusion Prevention System)</strong>. Some of the worst methods include:</p>

<ul>
  <li>Email</li>
  <li>FTP</li>
  <li>SMB</li>
  <li>DNS Tunneling</li>
</ul>

<h3 id="anti-detection-mechanism">Anti-Detection Mechanism</h3>
<p>No interactive terminals or obvious signs of activity. Everything runs in the background in the least detectable way possible.</p>

<h3 id="self-destruction--persistence">Self-Destruction &amp; Persistence</h3>
<p>Keystroke logs wouldn’t be saved permanently—they could grow and trigger alerts. The keylogger needed to function autonomously without leaving easily detectable traces.</p>

<h2 id="first-attempt">First Attempt</h2>

<p>After reading 2–3 tutorials and some documentation, my first keylogger was ready. It worked—but did it behave like malware or a rootkit from sketchy game/movie download sites? Not even close.</p>

<p><strong>Problems:</strong></p>
<ul>
  <li>Pynput couldn’t capture keystrokes across multiple virtual desktops</li>
  <li>Keylogs stored directly in the home directory</li>
  <li>Exfiltration: plain text sent over HTTP to a random site</li>
</ul>

<p>Yeah—this would get flagged and blocked in less than a second. I realized I needed to think like an actual malware developer, from coding style down to file naming.</p>

<p>I spent a day researching keyloggers properly: YouTube videos, GitHub code, blog posts, and ChatGPT for ideas. Now I knew what a keylogger is.</p>

<h2 id="the-keylogger">The Keylogger</h2>

<p>I switched from <strong>pynput</strong> to <strong>evdev</strong> since evdev reads events directly from <code class="language-plaintext highlighter-rouge">/dev/input</code> and captures system-wide input, completely solving the virtual desktop capturing issue.</p>

<p>For exfiltration, I used the <strong>Telegram Bot API</strong>—it blends in with normal web traffic and uses encrypted HTTP requests. Captured data is sent directly to a Telegram channel. I got the idea from phishing pages; many use Telegram API to exfiltrate stolen data, so I knew it would be reliable.</p>

<p>The keylogger now stores keystrokes in <code class="language-plaintext highlighter-rouge">/dev/shm/</code>, a volatile directory (automatically cleared on reboot), and deletes the log file after sending it to Telegram.</p>

<p><strong>Result:</strong></p>
<ul>
  <li>Runs quietly in the background</li>
  <li>Uses less CPU</li>
  <li>Avoids repeated requests that could trigger detection</li>
</ul>

<h2 id="project-link">PROJECT LINK</h2>

<p><a href="https://github.com/5odead/Trevent"><strong>GitHub - 5odead/Trevent</strong></a> — A keyboard input monitoring and logging tool for cybersecurity research. Designed for Ethical Testing ⌨️</p>

<h2 id="file-structure-and-names-for-full-stealth">File Structure and Names for Full Stealth</h2>

<p>Create a folder called <code class="language-plaintext highlighter-rouge">networkd-helper</code> in <code class="language-plaintext highlighter-rouge">/usr/lib/systemd/</code>:</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">mkdir</span> <span class="nt">-p</span> /usr/lib/systemd/networkd-helper
</code></pre></div></div>

<p><strong>Installation Path</strong>: <code class="language-plaintext highlighter-rouge">/usr/lib/systemd/networkd-helper/</code></p>

<blockquote>
  <p>Names that mimic actual system files people won’t find suspicious.</p>
</blockquote>

<table>
  <thead>
    <tr>
      <th>File</th>
      <th>Purpose</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">systemd-timed.py</code></td>
      <td>Keylogger file name</td>
    </tr>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">telemetry-sync.py</code></td>
      <td>Exfiltration file name (mimics system log files)</td>
    </tr>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">/dev/shm/.cache-netlog</code></td>
      <td>Temporary keylog storage</td>
    </tr>
  </tbody>
</table>

<p><strong>Run Command</strong> (nohup to run in the background):</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">nohup sudo </span>python3 FILENAME.py &amp;
</code></pre></div></div>

<h2 id="notes">Notes</h2>

<ol>
  <li>Set <strong><code class="language-plaintext highlighter-rouge">KEYBOARD_DEVICE</code></strong> to your actual event number—or the logger won’t capture anything.</li>
  <li>Update <strong><code class="language-plaintext highlighter-rouge">CHAT_ID</code></strong> and <strong><code class="language-plaintext highlighter-rouge">BOT_TOKEN</code></strong> in your exfiltration script—or data won’t get sent.</li>
</ol>

<h2 id="conclusion">Conclusion</h2>

<p>The keylogger now uses some of the best tricks and strategies I’m aware of, but it still has flaws a blue team professional could easily detect.</p>

<p>For example, the process can be spotted effortlessly using <code class="language-plaintext highlighter-rouge">ps aux</code>. I’ll continue refining and improving it over time.</p>

<p>If you have questions, feel free to reach out or leave a comment.</p>]]></content><author><name>5odead</name></author><category term="keylogging" /><category term="linux" /><category term="evdev" /><category term="cybersecurity" /><summary type="html"><![CDATA[Building a Linux keylogger from scratch: switching from pynput to evdev for system-wide capture, Telegram Bot exfiltration, volatile storage in /dev/shm, and stealth-oriented file naming.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://5odead.github.io/assets/images/keylogger-linux-cover.png" /><media:content medium="image" url="https://5odead.github.io/assets/images/keylogger-linux-cover.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">A Beginner’s Guide to Tor Exit Nodes</title><link href="https://5odead.github.io/tor-exit-nodes/" rel="alternate" type="text/html" title="A Beginner’s Guide to Tor Exit Nodes" /><published>2024-10-19T00:00:00+00:00</published><updated>2026-06-15T00:00:00+00:00</updated><id>https://5odead.github.io/tor-exit-nodes</id><content type="html" xml:base="https://5odead.github.io/tor-exit-nodes/"><![CDATA[<p>Tor routes traffic through multiple relays to hide your IP. The exit node is the last relay—where your traffic leaves Tor and hits the public internet. You can force Tor to use exits in a specific country (or block certain countries) by editing the <code class="language-plaintext highlighter-rouge">torrc</code> file.</p>

<h2 id="what-tor-actually-does">What Tor Actually Does</h2>

<p>Tor (The Onion Router) is a decentralized network of volunteer relays. Each relay encrypts your traffic and peels off a layer like an onion before forwarding it. The final relay—the <strong>exit node</strong>—delivers your request to the destination site.</p>

<p>Tor Browser is the ready-to-use package: it automatically sends all traffic through Tor, hides your IP, and blocks many tracking methods.</p>

<h2 id="why-exit-nodes-matter">Why Exit Nodes Matter</h2>

<p>Exit nodes don’t see your real IP, but they <strong>can see the destination site</strong> and the unencrypted contents of your traffic (unless the site uses HTTPS). Tor picks exits randomly by default, but you may want to control them for:</p>

<ul>
  <li><strong>Testing</strong>: Check how a site behaves from a specific country</li>
  <li><strong>Research</strong>: Access region-restricted content</li>
  <li><strong>Content access</strong>: Ensure traffic exits in a certain location</li>
</ul>

<h2 id="edit-torrc-to-control-exits">Edit torrc to Control Exits</h2>

<p>Find your <code class="language-plaintext highlighter-rouge">torrc</code> file:</p>

<ul>
  <li><strong>Windows</strong>: <code class="language-plaintext highlighter-rouge">C:\Users\&lt;YourUsername&gt;\AppData\Roaming\Tor\torrc</code></li>
  <li><strong>macOS/Linux</strong>: <code class="language-plaintext highlighter-rouge">/etc/tor/torrc</code> or <code class="language-plaintext highlighter-rouge">~/.tor/torrc</code></li>
</ul>

<p>Open it and add the lines below.</p>

<h3 id="pick-a-country">Pick a country</h3>

<div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ExitNodes ua
StrictNodes 1
</code></pre></div></div>

<ul>
  <li>Replace <code class="language-plaintext highlighter-rouge">ua</code> with a country code: <code class="language-plaintext highlighter-rouge">us</code> (USA), <code class="language-plaintext highlighter-rouge">fr</code> (France), <code class="language-plaintext highlighter-rouge">de</code> (Germany), etc.</li>
  <li><code class="language-plaintext highlighter-rouge">StrictNodes 1</code> forces Tor to <strong>only</strong> use exits in that country.</li>
  <li>Set <code class="language-plaintext highlighter-rouge">StrictNodes 0</code> if you want Tor to prefer that country but allow others if needed.</li>
</ul>

<h3 id="use-multiple-countries">Use multiple countries</h3>

<div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ExitNodes us,de,fr
StrictNodes 0
</code></pre></div></div>

<p>Tor will prioritize exits in the US, Germany, and France, but can fall back to others.</p>

<h3 id="pin-by-ip-address-optional">Pin by IP address (optional)</h3>

<div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ExitNodes 192.168.1.1
StrictNodes 1
</code></pre></div></div>

<p>Replace with the actual exit node IP you want.</p>

<h2 id="blacklist-countries-or-nodes">Blacklist countries or nodes</h2>

<h3 id="block-as-exit-nodes-only">Block as exit nodes only</h3>

<div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ExcludeExitNodes ru,cn
</code></pre></div></div>

<p>Tor won’t use Russia or China as exits, but can still use them as entry/middle relays.</p>

<h3 id="block-from-the-entire-circuit">Block from the entire circuit</h3>

<div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ExcludeNodes ru,cn
</code></pre></div></div>

<p>This prevents Tor from using those countries at any position (entry, middle, or exit).</p>

<h2 id="quick-reference">Quick reference</h2>

<table>
  <thead>
    <tr>
      <th>Setting</th>
      <th>Effect</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">ExitNodes us</code></td>
      <td>Prefer US exits</td>
    </tr>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">StrictNodes 1</code></td>
      <td>Only use specified exits/countries</td>
    </tr>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">StrictNodes 0</code></td>
      <td>Prefer specified exits, but allow others</td>
    </tr>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">ExcludeExitNodes ru,cn</code></td>
      <td>Do not use Russia/China as exits</td>
    </tr>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">ExcludeNodes ru,cn</code></td>
      <td>Do not use Russia/China anywhere in the circuit</td>
    </tr>
  </tbody>
</table>

<h2 id="references">References</h2>
<ol>
  <li><strong>Tor Project Documentation</strong> - Official guide for configuring and using Tor.
    <ul>
      <li><a href="https://www.torproject.org/docs/tor-manual.html.en">Tor Project Documentation</a></li>
    </ul>
  </li>
  <li><strong>Tor Network Overview</strong> - Overview of how the Tor network operates.
    <ul>
      <li><a href="https://www.torproject.org/about/overview.html.en">Tor Network Overview</a></li>
    </ul>
  </li>
  <li><strong>Country Codes</strong> - Snippets and codes available at:
    <ul>
      <li><a href="https://sccmrookie.blogspot.com/2016/03/tor-country-codes-list.html">Country List</a></li>
      <li><a href="https://communitydocs.accessnow.org/147-Tor_force_exit_nodes.html#problem">Snippets</a></li>
    </ul>
  </li>
</ol>]]></content><author><name>5odead</name></author><category term="tor" /><category term="privacy" /><category term="networking" /><summary type="html"><![CDATA[How Tor exit nodes work, why you might pick a specific country, and exact torrc config snippets for ExitNodes, StrictNodes, and ExcludeExitNodes.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://5odead.github.io/assets/images/og-image.png" /><media:content medium="image" url="https://5odead.github.io/assets/images/og-image.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">Anti-Detect Browsers</title><link href="https://5odead.github.io/anti-detect-browsers/" rel="alternate" type="text/html" title="Anti-Detect Browsers" /><published>2024-10-03T00:00:00+00:00</published><updated>2026-06-15T00:00:00+00:00</updated><id>https://5odead.github.io/anti-detect-browsers</id><content type="html" xml:base="https://5odead.github.io/anti-detect-browsers/"><![CDATA[<p>Anti-detect browsers let users erase their digital fingerprint and pretend to be someone else online. They’re built on Chrome and Firefox code but twist every detectable detail—user agent, OS, screen resolution, even installed fonts—to mask who you really are.</p>

<h2 id="what-they-actually-do">What They Actually Do</h2>

<p>These tools don’t just hide your IP. They let you spoof metadata down to the font list on your device. Think of it like walking into a crowded market wearing a mask—and a fake name tag, a fake outfit, and a fake voice.</p>

<p>You can configure what the outside world sees:</p>
<ul>
  <li>User agent string</li>
  <li>Operating system</li>
  <li>Screen resolution</li>
  <li>Installed fonts</li>
  <li>IP address (when paired with a proxy)</li>
</ul>

<h2 id="notorious-tools-in-the-scene">Notorious Tools in the Scene</h2>

<table>
  <thead>
    <tr>
      <th>Browser</th>
      <th>Origin / Reputation</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Genesium</td>
      <td>Spawned from Genesis Market; strong anonymity</td>
    </tr>
    <tr>
      <td>Linken Sphere</td>
      <td>Hacker favorite; deep fingerprint customization</td>
    </tr>
    <tr>
      <td>Fraud Fox</td>
      <td>Older but still used; simple interface</td>
    </tr>
  </tbody>
</table>

<p><strong>Others worth noting:</strong> Nstbrowser, MoreLogin, Multilogin, GeeLark</p>

<h2 id="how-hackers-use-them">How Hackers Use Them</h2>

<h3 id="credential-stuffing">Credential Stuffing</h3>
<p>Attackers feed stolen username/password pairs into accounts while shifting fingerprints to avoid security flags. One batch of credentials can hit thousands of accounts without tripping detection.</p>

<h3 id="fraudulent-transactions">Fraudulent Transactions</h3>
<p>Stolen credit cards, identity theft, and fake purchases all happen behind a changed digital mask. The real identity stays hidden while the transaction goes through.</p>

<h3 id="scamming-and-phishing">Scamming and Phishing</h3>
<p>Fake websites imitate legitimate ones—bank portals, login pages, payment gateways. Anti-detect browsers let attackers host these sites and dodge law enforcement tracking.</p>

<h3 id="botting-and-mass-account-creation">Botting and Mass Account Creation</h3>
<p>Social media, e-commerce, and gaming platforms get flooded with fake accounts. Reviews are manipulated, spam explodes, and markets get disrupted.</p>

<h3 id="data-harvesting">Data Harvesting</h3>
<p>Websites get scraped for client lists, prices, emails, or private data without triggering anti-bot systems. The scraped data often ends up on the dark web or fuels targeted attacks.</p>

<h2 id="the-bottom-line">The Bottom Line</h2>

<p>Anti-detect browsers aren’t just privacy tools—they’re deception engines. They enable anonymity, but they also power fraud, phishing, botnets, and large-scale account abuse. As security systems tighten, these browsers evolve too, keeping the fight between protection and exploitation locked in a constant cycle.</p>]]></content><author><name>5odead</name></author><category term="cybersecurity" /><category term="anonymity" /><category term="fraud" /><summary type="html"><![CDATA[How anti-detect browsers hide digital fingerprints, the tools hackers use, and the illicit activities they enable—from credential stuffing to botting.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://5odead.github.io/assets/images/og-image.png" /><media:content medium="image" url="https://5odead.github.io/assets/images/og-image.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry></feed>