In this blog post, we will discuss how to fine-tune a pre-trained deep learning model using PyTorch. Fine-tuning is a powerful technique that allows us to leverage the knowledge learned by a pre-trained model on a large dataset and apply it to a new task. This can save a significant amount of time and resources compared to training a model from scratch. The fine-tuned model achieved 92.34% accuracy on the test set.
Machine Name: Interface
IP: 10.10.11.200
Difficulty: Medium
Summary
Interface is a medium machine that requires some “curling” skills to form requests and interpret their response codes. The machine involves a lot of fuzzing for API endpoints and parameters, which leads to an exploit for DomPDF. The vulnerability deals with how DomPDF caches the font file and allows remote files to be read. The privilege escalation teaches a new technique that abuses Arithmetic Expression Injection in bash scripts.
In a world teeming with distractions where the internet unlocks an extraordinary wealth of educational resources that transcend ancient dreams, it emerges as a powerful tool, adept at ensnaring our minds and seizing control of our attention. We consume so much information that the only time we think at peace is in the bathroom while we bathe, the only time when boredom doesn’t irk us to get hold of our mobile phone. It’s when we ponder upon inane ideas that otherwise wouldn’t occur. Our generation has been lucky to see the advent of technology raise the bar for productivity, and stupidity too. Since the time power cuts were used as an excuse to tell stories or dreams and let our imagination run wild, to the present time where a power cut wouldn’t matter in our inverter resourceful homes and gadgets that keep us occupied, we have witnessed a shift in the way we engage our creative minds.
When do we think at peace? When do we enjoy our boredom?
MetaTwo is an easy machine that requires exploiting a SQLi, which leads us to hashes that need to be cracked. The cracked credentials provide access to a WordPress dashboard. This WordPress version is vulnerable to Blind XXE via WAVE file format metadata. The XXE gives us access to the “wp-config.php” file, which contains a cleartext password for FTP. Enumerating the FTP server reveals SSH credentials for a user. Privilege escalation requires an understanding of private and public keys and the different methods used to encrypt them. Passpie is the application that was used to encrypt the private keys that are found. We can crack the GPG-format keys using John and gain the credentials for root.
Machine Name: Investigation
IP: 10.10.10.197
Difficulty: Medium
Summary
Investigation is a medium machine that has a web server vulnerable to command injection. With enough enumeration, the command injection is easy to exploit. However, it only leads to a shell as www-data. Getting a user shell requires some log file analysis and common sense. Privilege escalation deals with binary analysis and code review.
Precious is an easy machine that requires basic enumeration to find and exploit outdated software running on a web server. To escalate privileges, the machine makes you look at Ruby scripts and understand how one can identify and exploit Insecure Deserialization vulnerabilities.
If you have ever wanted to copy an error to debug and search on Stack Overflow, or copy a piece of text in a terminal from a tmux session, and failed, this post will guide you through the process of setting up the Tmux Plugin Manager and installing Tmux-Yank to copy directly to the Linux system clipboard. I also demonstrate how to use mouse mode to scroll and copy using the mouse in Tmux.
Machine Name: Red Panda
IP: 10.10.11.170
Difficulty: Easy
Summary
Red Panda is an easy machine (not really) that exploits SSTI in Java Spring Boot to get an RCE. To escalate privileges to root, enumeration of directories, permissions, identities, groups, processes, and files needs to be chained together to exploit a file that runs as a cronjob as root. The main attack involves performing an XXE attack to gain access to the private key of root.