How A Pentester Gets Root

Have you ever wanted to be a fly on the wall, watching a penetration tester attack a new machine — working their way through the layers of security, ultimately leveraging what they learned into a login? What tools are used, what do they reveal, and how is the information applied? Well, good news, because [Phani] has documented a step-by-step of every action taken to eventually obtain root access on a machine — amusingly named DevOops — which was set up specifically for testing.

[Phani] explains every command used (even the dead-end ones that reveal nothing useful in this particular case) and discusses the results in a way that is clear and concise. He starts from a basic port scan and eventually ends up with root privileges. The overall process on display begins with obtaining general information; from there, [Phani] methodically moves towards more and more specific elements. It’s a fantastic demonstration of privilege escalation in action, and an easy read as well.

For some, this will give a bit of added insight into what goes on behind the scenes in some of the stuff covered by our regular feature, This Week in Security.

Make Your Own Tabletop Game Organizers With Online Tool

There is a vibrant cottage industry built around selling accessories to improve the storage and organization of tabletop games, but the more DIY-minded will definitely appreciate [Steve Genoud]’s deckinabox tool, which can create either 3D-printable designs, or ones more suited to folded paper or cardstock. Making your own organizer can be as satisfying as it is economical, and [Steve]’s tool aims to make customization simple and easy.

The tool can also generate models for folded paper or cardstock.

The interface for customizing the 3D-printable token tray, for example, begins with a simple filleted receptacle which one can split into additional regions by adding horizontal or vertical separators. The default is to split a given region down the middle, but every dimension can of course be specified. Things like filleting of edges (for easier token scooping) and other details are all handled automatically. A handy 3D view gives a live render of the design after every change.

[Steve] has a blog post that goes into some added detail about how the tool was made, and it makes heavy use of replicad, [Steve]’s own library for generating browser-based 3D models in code. Intrigued by the idea of generating 3D models programmatically, and want to use it to make your own models? Don’t forget to also check out OpenSCAD; chances are it’s both easier to use and more capable than one might think.

DIY Float Valve For Passive Hydroponics Leverages 3D Printing

[Billy] has a special interest in passive hydroponics (also known as the Kratky method), which is a way of growing plants in nutrient-rich water that does not circulate. As the plant grows and liquid level drops, only the tips of the roots remain submerged while more and more of the root surface is exposed to oxygen in a harmonious balance. However, “thirsty” plant types (tomatoes, for example) throw off this balance, and the system needs to be modified. To address this, [Billy] designed and printed a passive float valve system that takes care of topping up the reservoir only when needed, without using pumps or any other electrical equipment.

Commercial or industrial float valves are too big to use in his small tanks, which led [Billy] to test dozens of DIY designs. He used everything from plastic water bottles to pipe ends, but nothing quite measured up. With 3D printing, [Billy] was able to create a sealed, lightweight float that exactly matched the housing and tube locations.

A strip of silicone works as a sealing agent.

The way [Billy]’s float valve works is by using a hollow object as a kind of buoyant plug inside a housing. When the water level is high, the buoyant object rises up and presses a strip of silicone against an outlet, preventing water from flowing. If the water level is low, the buoyant plug drops and water is free to flow. With a reservoir of fresh nutrient-rich water placed above the grow tank, gravity takes care of pushing a fresh supply down a tube, so no active pump is needed. Combined with a passive float valve, the system pretty much runs itself.

Watch [Billy] give a tour of his system and valve design in the video embedded below. He’s got a lot of experience when it comes to working with projects involving liquids. Only someone as comfortable as he is would make his own DIY dishwasher.

Commodore 64 Monitor Traces I/O Calls, Eases Debugging

Developing for the Commodore 64 can be a rewarding retrocomputing experience, and thanks to [Dave Van Wagner], things are easier with his C64 IO_Monitor project, which opens the door to logging and tracing Kernal I/O calls for closer inspection. That’s not a typo, by the way. Kernal is what handles the C64’s low-level OS routines. Amusingly, as the story goes, it did in fact originate as a misspelling of kernel, but the name stuck.

What [Dave]’s program does is trace and log all input and output calls going through Kernal, which includes just about any function one might imagine. Things like keyboard input, screen output, and disk or tape I/O are all dutifully counted and logged, allowing one to really peek under the hood at a low level when doing any kind of development work. This kind of tool has turned out to be pretty handy given [Dave]’s penchant for porting Commodore emulators to a variety of (sometimes unusual) platforms.

Interested in giving it a spin? Head to the project’s GitHub repository for all the necessary files as well as some usage details, and enjoy making debugging and development a little less opaque than it otherwise would be.

Backpack Board For OLEDs Boasts Fancy Features

Back when LCD character displays based on the HD44780 controller were the bee’s knees, a way to make them easier to work with came in the form of “backpack” PCBs, which provided an accessible serial interface and superior display handling at the same time. [Barbouri] has updated that idea with a backpack board that mounts to OLED displays using the US2066 display driver, and provides an I2C interface with powerful and convenient high-level functions that make the display simple to use.

On the software side, the backpack uses this I2cCharDisplay driver project which provides functions like cursor control, fading, display shifting, and of course writing characters or strings. While [Barbouri] designed the board specifically to accommodate Newhaven Slim Character OLED displays, it should in theory work with any US2066-based OLED character display. [Barbouri]’s design files for the Slim-OLED Display backpack board are available for download directly from the project page (link is near the bottom), or boards can be purchased directly from OSH Park.

OLED technology is nifty as heck; we’ve seen some neat tricks done by stacking transparent OLED displays, and even seen OLEDs made in the home lab.

Invisible 3D Printed Codes Make Objects Interactive

An interesting research project out of MIT shows that it’s possible to embed machine-readable labels into 3D printed objects using nothing more than an FDM printer and filament that is transparent to IR. The method is being called InfraredTags; by embedding something like a QR code or ArUco markers into an object’s structure, that label can be detected by a camera and interactive possibilities open up.

One simple proof of concept is a wireless router with its SSID embedded into the side of the device, and the password embedded into a different code on the bottom to ensure that physical access is required to obtain the password. Mundane objects can have metadata embedded into them, or provide markers for augmented reality functionality, like tracking the object in 3D.

How are the codes actually embedded? The process is straightforward with the right tools. The team used a specialty filament from vendor 3dk.berlin that looks nearly opaque in the visible spectrum, but transmits roughly 45% in IR. The machine-readable label gets embedded within the walls of a printed object either by using a combination of IR PLA and air gaps to represent the geometry of the code, or by making a multi-material print using IR PLA and regular (non-IR transmitting) PLA. Both provide enough contrast for an IR-sensitive camera to detect the label, although the multi-material version works a little better overall. Sadly, the average mobile phone camera by itself isn’t sufficiently IR-sensitive to passively read these embedded tags, so the research used easily available cameras with no IR-blocking filters, like the Raspberry Pi NoIR.

The PDF has deeper details of the implementation for those of you who want to know more, and you can see a demonstration of a few different applications in the video, embedded below. Determining the provenance of 3D printed objects is a topic of some debate in the industry, and it’s not hard to see how technology like this could be used to covertly identify objects without compromising their appearance.

“Lazier” Web Scraping Is Better Web Scraping

Ever needed to get data from a web page? Parsing the content for data is called web scraping, and [Doug Guthrie] has a few tips for making the process of digging data out of a web page simpler and more efficient, complete with code examples in Python. He uses getting data from Yahoo Finance as an example, because it’s apparently a pretty common use case judging by how often questions about it pop up on Stack Overflow. The general concepts are pretty widely applicable, however.

[Doug] shows that while parsing a web page for a specific piece of data (for example, a stock price) is not difficult, there are sometimes easier and faster ways to go about it. In the case of Yahoo Finance, the web page most of us look at isn’t really the actual source of the data being displayed; it’s just a front end.

One way to more efficiently scrape data is to get to the data’s source. In the case of Yahoo Finance, the data displayed on a web page comes from a JavaScript variable that is perfectly accessible to the end user, and much easier to parse and work with. Another way is to go one level lower, and retrieve JSON-formatted data from the same place that the front-end web page does, ignoring the front end altogether and essentially treating it as an unofficial API. Either way is not only easier than parsing the end result, but faster and more reliable, to boot.

How does one find these resources? [Doug] gives some great tips on how exactly to do so, including how to use a web browser’s developer tools to ferret out XHR requests. These methods won’t work for everything, but they are definitely worth looking into to see if they are an option. Another resource to keep in mind is woob (web outside of browsers), which has an impressive list of back ends available for reading and interacting with web content. So if you need data for your program, but it’s on a web page? Don’t let that stop you!