After retiring my Apple Mac Pro 5,1 from its role as my main workstation, I tried using a retired gaming PC instead. After experiments with various Linux distributions (Arch, Omarchy, Debian, PopOS!) I landed on the latest Fedora KDE distro (44) after reading good reports about its balance of stability and up-to-date software.

This has proved to be a solid and enjoyable system and my distro-hopping has stopped. I have been customising it to my needs and learning about KDE’s latest features.

After a long hiatus — my last proper post was back in 2022 — I’m restarting this blog.

Life got busy (as it always does), and the blog quietly slipped down the priority list. But I’ve decided it’s time to change that.

I’ve been thinking a lot about the value of maintaining a personal blog. A big inspiration for me recently has been Simon Willison .

This post describes how I got the latest build of Hashcat working on a newly installed Ubuntu 20.04.4 LTS.

My previous password cracking rig was a 2009 Mac Pro with an AMD Radeon RX580 and this proved a fast and reliable platform for several years until I upgraded the MacOS version to 10.15 (Catalina) after which hashcat started throwing runtime errors like:

Kiterunner is a context based webscanner that uses common api paths for content discovery of an application’s api paths.

Example usage:

kr scan https://example.com -w ~/kiterunner/routes.kite

kr scan https://example.com -w ~/kiterunner/routes.kite --ignore-length=1234

• Title : Hacking APIs - Breaking Web Application Programming Interfaces
• Author : Corey Ball
• Date : April 2022
• ISBN-13: 9781718502444
• Link: https://nostarch.com/hacking-apis

Our penetration testing engagements web applications increasingly involve URLs with /api/ in their path. Of course these can be tested just like any other URL but it became obvious that there are subtleties to testing APIs that required a new set of testing methods.

This book promises to provide a thorough grounding in API testing. I purchased this book for our pen test team bookshelf with the hope that it would fill in any knowledge gaps that our team may have.

On 3 May 2022, @Jhaddix tweeted about his Bug Hunter’s Methodology Application Analysis v1.

This led me to his original guide titled "(4.02) to The Bug Hunter’s Methodology" which can be downloaded from Google Docs. A great overview of tools and techniques.

CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks’ BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system through bypassing F5’s iControl REST authentication. The vulnerability was disclosed publicly on 4 May 2022.

• https://arstechnica.com/information-technology/2022/05/hackers-are-actively-exploiting-big-ip-vulnerability-with-a-9-8-severity-rating/.

A bash script to test for CVE-2022-1388 was published at https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/. I modified the sample script to accept a target IP or FQDN as a command line argument, as follows: