Day 9 — 14Day Cybersecurity Challenge
Today I learned about basic backdoor concepts and connection handling using Metasploit, and I conducted a real-life test on my personal Windows lab systems (Windows 10 & Windows 11).
This wasn’t just theory. I was able to successfully gain access to my own Windows machines using a basic backdoor payload in a fully authorized environment, which helped me understand how real world compromises happen and how they should be prevented.
What I learned:
• How basic backdoors work and how they establish connections
• How listeners handle incoming sessions
• How access is gained when endpoint protections are weak or misconfigured
• Why endpoint security, AV/EDR, and system hardening are critical
Tools used:
• Metasploit Framework
• Msfvenom
• Windows 10 & Windows 11 (personal systems only)
Real world takeaway:
There are many types of backdoors, but understanding even a basic one makes it clear how attackers gain access in real environments and more importantly, how defenders can detect, block, and respond to them.
This hands-on test reinforced the importance of:
• Endpoint monitoring
• Application control
• Least privilege
• Proper security configurations
All testing was done on systems I own and have explicit permission to test.
This learning is focused on defensive security through real understanding, not misuse.
Day 9 complete ✅
Learning by doing. Defending by understanding. 🚀
@thatboringbro@adeolatemi_@Ifepresh001@AyomideAdams13@Short_Whiteside@RedHunterFavour
#7DayCyberChallenge #CyberSecurity #Infosec #BlueTeam #Metasploit #EthicalHacking #LearningInPublic
One week ago today, the @cowrywise Ambassadors at @mivauniversity had their first Physical Hangout.
It was an honour to be able to drag each of them who attended because these Cool Kids don’t like touching grass 😂😂😂.
Anyways, here’s a brief backstory that led up to this
I did a full recon + vulnerability assessment on a live web application as part of learning ethical hacking. No exploiting, no unauthorized access just passive recon and scanning tools.
@h4ruk7@thatboringbro@zoecyber001
Here's everything I found, every tool I used, and what it all means. 👇
2/ Step 1: Subdomain Enumeration
First thing I did was brute-force subdomains using Nmap's dns-brute script.
Found: www, api, mail, webmail, ftp, cpanel, whm
The API subdomain resolved to a live production server. That became my main target.
Tool: Nmap (dns-brute)
3/ Step 2: Full Port Scan
Ran a full -p- scan with service and version detection.
Open ports:
→ 22 — SSH (OpenSSH 9.6p1)
→ 80/443 — nginx (Laravel app)
→ 3306 — MySQL 8.0.32 👀
→ 5000 — Apache / phpMyAdmin 👀
→ 6379 — Redis 8.2.0 💀
→ 8004, 8005, 8006 — Laravel/Swoole instances
→ 8080 — Dozzle Docker log viewer
→ 9000, 9009 — Swagger API docs
Tool: Nmap -sV -sC -A -p-
4/ Step 3: Web Server Scanning
Scanned both port 5000 and 443 with Nikto.
Found:
→ /composer.json, /composer.lock, /package.json all publicly readable
→ /vendor/composer/installed.json exposed
→ Cookies missing Secure and HttpOnly flags
→ DEBUG HTTP verb enabled
→ Missing headers: CSP, HSTS, Permissions-Policy, Referrer-Policy, X-Content-Type-Options
Tool: Nikto
5/ Step 4: CVE Scanning with Nuclei
Nuclei matched the Redis version (8.2.0) against its template database.
CVEs found:
→ CVE-2025-46817 🔴 CRITICAL
→ CVE-2025-49844 🔴 CRITICAL
→ CVE-2025-46819 🟠 HIGH
→ CVE-2025-46818 🟠 HIGH
It also tested default credentials and got in with: blank password, "admin", "password", "root", "iamadmin"
Zero effort to access.
Tool: Nuclei
🚨 6/ CRITICAL FINDING #1 Unauthenticated Redis (Port 6379)
Redis was publicly accessible with NO authentication whatsoever.
I listed the keyspace 762+ live cache keys containing:
→ Customer profile records
→ Financial transaction history
→ KYC / identity verification results
→ Monnify direct debit mandate data
→ Live API session tokens
→ Business verification data
→ SMS message records
No data was read or extracted. Listing keys alone confirms the full exposure.
Fix: bind to 127.0.0.1, set requirepass, block port 6379 at the firewall.
🚨 7/ CRITICAL FINDING #2 phpMyAdmin Publicly Exposed (Port 5000)
A full database admin panel open to the internet. No IP restriction. No 2FA. No rate limiting.
AND MySQL itself (port 3306) was also publicly exposed.
That is TWO separate direct attack paths into a live production database holding real customer financial data.
Fix: IP whitelist phpMyAdmin, put it behind a VPN, bind MySQL to localhost.
🚨 8/ CRITICAL FINDING #3 Unauthenticated Docker Log Viewer (Port 8080)
Dozzle was running with authProvider set to none.
The real-time Docker log viewer was fully open to the internet. From the logs I could see:
→ Live production app logs
→ SMS API responses with real phone numbers
→ User IDs tied to financial transactions
→ Internal service responses and job events
No credentials needed. Logs were streaming live.
Fix: enable Dozzle auth or block port 8080 from external access immediately.
9/ HIGH FINDINGS
#4 Swagger API docs exposed on ports 9000 & 9009. Every endpoint, parameter and response format enumerated publicly. Makes attacking the API layer trivial.
#5 Laravel/Swoole instances on 8004–8006 leak internal Docker network IPs (172.18.x.x) in response headers. Full container topology exposed.
#6 A second domain I scanned was fully behind Cloudflare. No open services, no direct server access. Cloudflare was doing exactly what it should.
Tool: Gobuster
10/ Full Tools Used
→ Nmap port scan, service detection, subdomain brute-force
→ Nikto web server misconfiguration scanning
→ Nuclei CVE template matching and automated vuln detection
→ Gobuster directory and endpoint brute-forcing
→ Redis-cli keyspace enumeration (keys listed only, zero data read)
Total findings: 🔴
4 Critical 🟠 4 High 🟡 4+ Medium / Info
All findings reported responsibly. No data was accessed, extracted or modified.
11/ 5 lessons from this:
Use Cloudflare or a CDN it hides your real server and kills most recon
Never bind Redis or MySQL to 0.0.0.0 in production. Ever.
Admin panels (phpMyAdmin, Dozzle) should NEVER face the public internet
Blank or default passwords on Redis is a P0 misconfiguration it's your front door left wide open
Leaving composer.json, package.json and vendor files in your webroot tells attackers exactly what CVEs to target
If you're running a startup on a VPS, scan yourself. You might not like what you find.
Questions? Drop them below 👇
#CyberSecurity #BugBounty #Infosec #100DaysOfHacking
#LearnInPublic #EthicalHacking
I had the opportunity to work on a live server for security testing. Here's everything I learned tools, methodology, and findings. Thread 👇
1/ RECON FIRST
Before touching anything, I started with passive recon:
• crt .sh for subdomain enumeration via SSL cert transparency
• dig for DNS records (MX, TXT, SPF)
• SPF records can leak real server IPs even when Cloudflare is protecting the domain
2/ TOOLS I USED
• Nmap port scanning, OS detection, service versions
• ffuf directory and API endpoint fuzzing
• Gobuster directory brute forcing
• Nuclei automated CVE and misconfiguration scanning
• curl manual header and response inspection
3/ CLOUDFLARE BYPASS
Cloudflare hides your real IP but several methods can reveal it:
• SPF records often contain the real hosting IP
• Subdomains not proxied through Cloudflare resolve directly
• MX records may point to the origin server
• Historical DNS records via SecurityTrails
4/ PORT SCANNING
Nmap revealed what was actually running on the server:
• Open ports with service versions
• OS fingerprinting
• Default script results (http-title, ssl-cert, ssh-hostkey)
Always scan the REAL IP not the Cloudflare IP you'll only see CF's edge otherwise
5/ WEB APP RECON
ffuf with an API wordlist found endpoints returning 405 meaning they EXIST but reject GET requests. That's still valuable info.
Nuclei with 2900+ templates ran in 2 minutes and checked for CVEs, misconfigs, and exposed files
6/ WHAT I FOUND
• Real server IP leaked via SPF record
• Swagger UI publicly accessible full API surface exposed
• Internal Docker network IPs leaking in HTTP response headers
• Open CORS (access-control-allow-origin: *) on API endpoints
• Database and admin tools exposed on non-standard ports
7/ KEY LESSONS
✅ Cloudflare protects port 80/443 but not every port
✅ SPF records are often overlooked and leak real IPs
✅ Swagger/docs should never be publicly accessible in production
✅ Docker binds to 0.0.0.0 by default firewall your ports
✅ Always scan your real IP, not just your domain
8/ TOOLS TO LEARN
→ nmap (port scanning)
→ ffuf (fuzzing)
→ nuclei (vulnerability scanning)
→ subfinder + httpx (subdomain recon)
→ testssl .sh (TLS audit)
→ trivy (Docker image scanning)
All free. All on Kali Linux.
#CyberSecurity #EthicalHacking #Infosec #PenTesting #KaliLinux #LearningInPublic
The wait is now over!! 🔥
First episode is out on Spotify!!🎙️
Many cybersecurity enthusiasts don’t understand the reality in the filed, this episode begins the journey to a shift in paradigm of what cybersecurity actually means in the corporate world.
https://t.co/E1DXtx5Rr8
Just hit our first 100 users on SMSgang 🚀
Real people. Real usage. Real momentum.
We’re building:
• WhatsApp notifications (OTP, alerts, updates)
• Virtual numbers
• Dev-friendly APIs
This is just the start.
https://t.co/n01r2dtWuw
Just hit our first 100 users on SMSgang 🚀
Real people. Real usage. Real momentum.
We’re building:
• WhatsApp notifications (OTP, alerts, updates)
• Virtual numbers
• Dev-friendly APIs
This is just the start.
https://t.co/n01r2dtWuw
Keyloggers are old but they’re still actively used.
And assuming they’re outdated malware is a dangerous mistake.
I know this because I built a keylogger myself for research not to attack, but to understand how endpoint compromise really works.
Keyloggers don’t need to break encryption.
They don’t need to bypass servers.
They collect data before protection even applies.
Once malware runs on your laptop, it can quietly capture:
1.Keystrokes (passwords, messages, OTPs)
2. Clipboard data (API keys, secrets)
3.Screenshots (banking apps, dashboards, emails)
4. Camera & microphone access
5. Browser sessions and local data
The goal isn’t speed.
It’s silent, continuowus access.
This is why keyloggers still work in 2026.
They exploit trust, not vulnerabilities.
Security tools protect networks, APIs, and encryption.
Keyloggers operate below all of that.
If malware runs with user-level access:
1. HTTPS doesn’t matter
2. MFA doesn’t matter
3. Strong passwords don’t matter
The data is captured before security applies.
Most infections don’t come from hacking.
They come from cracked software, fake installers, browser extensions, email attachments, USB devices, and outdated systems.
Older laptops are especially vulnerable because:
1.They stop receiving security updates
2.Protections get disabled for performance
3.Legacy drivers run with higher privileges
Data is usually exfiltrated quietly to a remote server, blended into normal traffic which is why the system often looks finewhile everything is being watched.
Defense is simple, but strict
1.Treat your laptop as a security boundary
2.Keep your OS fully updated
Audit camera, mic, and screen permissions
3.Avoid untrusted software and cracked tools
4. Use real endpoint protection
If compromise is suspected: reinstall, then rotate credentials
Keyloggers aren’t advanced hacking tools.
They’re patient surveillance tools.
If you care about fintech security, bug bounty, developer safety, or privacy
endpoint security matters just as much as APIs and servers.