Cool! I'll see what I can do

same lol

this is the definition of a horror movie to a web dev

I'm out here sweating too😅😅 New subscriber gained

Could be wrong but I believe laravel, *when properly installed*, is more secure than Drupal. Just my opinion of course and nothing is ever truly secure. I've seen plenty of people installing laravel the wrong way with env public and accessible or all files in www folder etc etc. Still would love to see where the more advanced vulnerabilities are... Of course if the video is simply "look a freely accessible env file", I will be truly disappointed teehee

Sure you didn’t come in the back door?

@@user-vk2cd9qw7i🤡

At first I did not know about anything, but with time and experience I developed my skills. I vividly remember my first app I hacked! I was hooked, and I'm still learning to this day

@@thehackerish could you name some resources you found helpful along the way to learn

@@vneem3758 I have shared videos about this yes, watch this one for instance kzbin.info/www/bejne/p5LRfoB3asuDors, you can also watch my web hacking playlist which is a step-by-step course for web hacking

@@thehackerishthe first thing I hacked was when I was 15 and changed the index.html to read PWNED !! via a web shell. I was so damn happy but I quit hacking to focus on other things. Today I feel guilty for not following the path to become a cybersecurity expert. If only did I knew how much money cybersecurity researchers would have been making.

Experience whit huge amount of repetition a sprinke of writeDown-em-all and googling skill ..... p.s. if u start doing 2-3 times the same box u are on the right way p.p.s it can be frustrating a lot , specially pen-testing /red-teaming it's one of those things that u love or hate

Welcome aboard!

Enjoy! I am glad you found what you were looking for :)

Well that's a comment that made my day! Thanks a lot for watching

I decided 10 years ago and I am not disappointed, apart from sitting on desk for hours ;)

@@thehackerish is it too late for someone between ages 23 and 25 to start learning?

@@MRJMXHD Absolutely not! You're still young! Go for it if that's something you want to pursue

@@MRJMXHDI’m 26 and I started a bachelors of Cyber sec this month

​@@thehackerishwhat if im 15

Glad you enjoyed it!

No it's not random, I never hack something I don't own or have permission to.

Thank you so much 😀

That's what I thought to. Just nuking the logs is proof in and of itself of a hack. From my genealogy experience we call it negative evidence.

Awesome! Thank you! I will post new ones, but similar videos are ready for you in the same playlist "penetration testing"

Thanks for the kind words

Thanks a lot!

Thank you! Cheers!

Good point!

are you a hacker

are you learning from port swigger by any chance? if not please advice me im new to this, i started learning and reading like 2 weeks ago

hey, easy satan.

@Sarahmilverton bro what are ya talkin bout

Wow, I love your questions. 1. my alias already included the url, with a placeholder for the room number I played in. 2. the app returns the first line only 3. With head, I need to use it as many as the lines of the file. Takes time. 4. /opt/s is the vulnerable executable we're trying to exploit for root access

Welcome to the family! Lots of similar content already in the pentesting playlist, let me know what you think of them!

Thank you! Are you a developer?

Hi,how can I message you? I need help

Thanks! Enjoy

Thanks for the kind message

Share the love!

If I could upload arbitrary files, like PHP, I could have taken control on the server by running arbitrary commands (Remote Code Execution), Here is a concrete example from on of my previous videos: kzbin.info/www/bejne/hmWXmqCsgbZpmaM

@@thehackerish thanks! So when you open that file it runs the code and you just made a php file that takes the arg x as a command to run on the server? Also dont most server block access to files via the url?

That's right, and no they don't block it from url because that's how php app works, unless you use routes, frameworks like laravel use them and so you can't directly access the php files

Glad you asked. Here it is: nmap --top-ports 200 ctf"$1".root-me.org -Pn -v --open -sV 2>/dev/null. I hacked many challenges on root-me, hence the target hostname

Thanks for the sub!

Welcome to the club! Many similar videos on the pentesting playlist are available

Web dev will definitely help you become a great hacker. The first part of hacking is to understand the system, and what better way to understand an app than to code one. Go go go! You got this. Python is great to write quick scripts, although you can do it in any high level language really, but it's widely used among security professionals.

Same. I noticed at the end that outright deleting log files is not a good idea though. The lack of those files will cause suspicion and cause further investigation.

Yeah, it might be better to just replace any of the traces you had left behind with something else that wouldn't look suspicious.@@lightyagami3492

Hmm...interesting, but the & would add a new parameter

wsl with ubuntu

Yeah sure, head over to my playlist about web hacking, it takes your by hand from the start. Also check out Academy.thehackerish.com

@@thehackerish thanks!!

yeah, I should have set HISTSIZE and HISTFILESIZE :)

@@thehackerish What about auth log for ssh connection? Or some "afterscript" which will delete trace of your ssh access after you'll log out?

@@skuge- You are the man! Good point

Degree in software engineering, self taught cybersecurity

If you own a web app you want me to test, you know where to find me 😉

Much appreciated!

Glad you enjoyed it

BurpSuite, a web proxy. Have a look at this video to see how cool it is kzbin.info/www/bejne/pl7EdIiVeJadgc0

This channel has many similar videos to learn from. But you can start with the owasp top 10 in the web hacking playlist

@@thehackerish alright thank you!

Burpsuite, there is also zap proxy. They are web proxies to play with the http requests

Enjoy magic 🎩

Indeed, good point

are there any client-side filters that can be bypassed?

@@xt355 Since the server was vulnerable, the impact is much higher than any other potential client-side vuln, but that's also good to test for.

Well, invest time and effort to learn how the system works, to the point of finding a way to abuse something. In short, be a hacker, an ethical hacker of course.

@@thehackerish Thanks Man

Go for it! I have so many techniques with hands-on examples in this channel, go watch the pentesting playlist

Yes, I occasionally use chatgpt to assist me in some tedious tasks. Otherwise nothing else

thats crazy, how do you even use it?? is it for like brainstorming@@thehackerish

I write like I am chatting with someone, like please take this csv and extract only the ABC column. These kind of things

A laptop

Next time!

Welcome on board!

An update is a great start but honestly I wouldn't use Drupal or wordpress to host anything.

This video shows you to must use latest versions of softwares :)

@@bariscodefx Indeed!

Welcome aboard! Start with the web hacking and penetration testing playlists. Good luck!

@@thehackerish thank you .

I'd say yes, since you at least need to open the port for the web application. It will be harder, but not impossible. But you can make the hacker's life harder with a WAF as a secondary security measure, and implement detections to spot suspicious activity early. And of course, the most important thing: develop secure code and have a proper SDLC lifecycle that takes security into consideration

The app is developed in a PHP framework, and the OS commands are just bash

Here is a video for a Wordpress example: kzbin.info/www/bejne/mKm4e6iPgrikgtU

With a reduced attack surface, you can't do much really. I'd look at other assets owned by the customer I'm hacking

@@thehackerish but someone else has defaced it and im trying to help them figure out how

@@en_ry I see, well you need access to logs, and support from the hosting provider if it's shared. It's possible that the website got defaced because of another hacked website on the same hosting server.

@@thehackerish so i would have to get into a port still no? also the only thing they have linked is another website

There is no password for burpsuite

I believe I tried but I don't recall why it didn't work.

It's not kali, it's Ubuntu running using WSL

Enjoy and have a great weekend 😀