I am really enjoying been part of the Cyber Security community, but if you make a game that resembles the Crystal Maze and Cyber Security … I am going to flip out !!!!!

The lovely people at TryHackMe.com have done just that!

Now I am going to be straight with you …. pappy needz hiz fix, I am writing this blog to try and win more gold tickets…

… But I have writern and used TryHackMe.com in the past and the platform, I can honestly credit the site as a major reason I moved into Cyber Security as a career.

It started last year when searching for Security training…


These are my notes from this excellent course …

Postman Beginner’s Course — API Testing

It is not a replacement for this course, it is just my notes, more written information can be found here:-

https://github.com/vdespa/introduction-to-postman-course

I have used some of the notes from git hub and I used Postman web –

Postman Web link — https://web.postman.co/home

My Notes …

First API request via Postman …

Workspace > Open a new Tab > Past in the API URL > Add “/status” at the end of the URL

Click the “send” button and it will return the status


I am working through some of the rooms to help develop my skills on TryHackMe, below is a walk through for this room https://tryhackme.com/room/basicpentestingjt

Find open services

Use NMAP to find open ports

sudo nmap IP ADDRESS

Look for Hidden directories

To look for hidden directories, we will be using OWASP DirBuster, to start the application in a terminal type: –

sudo dirbuster

/usr/share/dirbuster/wordlist


To find out when a Linux account’s password was last changed, you can view the shadow file in the terminal as root: -

sudo cat /etc/shadow

This will bring up the accounts and hashed passwords in the terminal, the third value is the date the password was changed.

NAME : $6$.n. : 18611

To work out the date the password was changed you need to find out how many days since the epoch date (‘epoch’ is often used as a synonym for Unix time) January 1, 1970.

So the the above (18611) is Tuesday, December 15, 2020.

There is a…


Nessus Essentials is a free vulnerability assessment tool for upto 16 IP address. The free version comes with some excellent and free tools:-

Windows Install

STEP 1 — https://www.tenable.com/downloads/nessus?loginAttempted=true

STEP 2 — You then need to “get activation Code”

STEP 3 — Installed as default, once the installation has been completed, your default browser will bring up the following web page:- http://localhost:8834/WelcomeToNessus-Install/welcome

STEP 4 — It will ask you connect via SSL but there is no cert install by default, so go to “advanced” > “accept the risk and continue”

STEP 5 — Select a product > Nessus Essentials

STEP 6 —…


Introduction

Appsheets allows users to create “no-code” applications to collect and/or connect to data. It is very similar to PowerApps from Microsoft and allows users to create mobile, tablet and web apps. AppSheets has been purchased by Google but can use data sources like DropBox, Office 365, Salesforce and more.

How to Create an application

Create a new … login to AppSheets via a browser.

Info — in this example I have used a template …


The below script can be run against a single or multiple websites…


As a total Noob to Python, it may seem a pretty simple to add date to the end of a file name … but it took me an hour to work it out *facepalm inserted here*

First in my script, I imported the “date” portion of the from the “datetime” libary,

from datetime import date                   
today = date.today()
print("Today's date:", today)

When creating the file (and this is the bit that took me an hour to find), you will need to set a verable which uses “today”

Date = (today)

Once you have set the date you can add this…


Below are some notes I made to help prepare me for the SY0–501 exam which I passed on the 30th December 2020 …

RC4 — is a streaming cipher algorithm that encodes plain text bit by bit.

Bycrypt Algorithm — is based on the blowfish cipher and is a key stretching tech that helps strenghten the password by using a password hashing function and then salting the password.

CASB (Cloud Access Secuirty Broker) — can be deployed in three different ways –

  • Forward proxy model, the user needs to install self-signed certs to access the cloud resources via the proxy.

When using iFrame in a web page it is important to configure it as a sandbox and set only the attributes need to run.

The below infromation and sandbox attributes can be found here … https://www.w3schools.com/tags/att_iframe_sandbox.asp

“The sandbox attribute enables an extra set of restrictions for the content in the iframe.

When the sandbox attribute is present, and it will:

  • treat the content as being from a unique origin
  • block form submission
  • block script execution
  • disable APIs
  • prevent links from targeting other browsing contexts
  • prevent content from using plugins (through <embed>, <object>, <applet>, or other)
  • prevent the content to navigate…

Mark Spencer IT

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store