girlfriend knows me so well fr!! ( i totally didnt accidentally flood her blogfeed)

i'm just trying to find a goddamn poll to show my wife and i can't search the term "fuckable" this is bullshit it's my own goddamn blogfeed i'm not a child

straight up, do they not let you have your own page for your tumblr blog anymore? I enter my url.tumblr.com and it takes me to tumblr's shitty phone app configuration of my blog without any functionality.... url.tumblr.com/archive does the same

fucking help how do i search my blog for shit without this? the search function in the app is broken too im going to die

I don't claim to make you happier or wiser. But definitely promise that while you stay here, you can be you. Be you- when you comment, when you reply in the polls, when you DM to share your troubles or triumphs and at all times. This space is not a race to look good or oblige eachother through comments and likes. This is just a virtual diary shared between two strangers. You and Me. Until time allows it to exist :) आपकी (Yours) Stranger @travelwithmestranger . . . . . #travelwithmestranger #blogpost #hearttoheart #travelersnotebook #beyou #newpost #textgram #instadiary #todaysthought #thoughtshake #pennedthoughts #feelingsquotes #tumblrpost #thesincerestoryteller #fromstreetswithlove #mentalhealthblogger #strangerthings #blogfeed #readitagain #readingcommunity #writers #bloggergirl #myblog #journalspread #journaling #journalwriting #writinginspiration #healingwords #inspiringwords (at India) https://www.instagram.com/p/CnPGIopJ-Ab/?igshid=NGJjMDIxMWI=

PINK SAGE I've been missing yesterday But what if there's a better place? Even if it's far away I know I will get there someday. So cover me in sunshine, Shower me with good times. We know the world's been spinning Since the beginning. And everything will be alright. Mostly lines from "Cover me in sunshine" Hence the name I give this picture is the pink sage, for the pink sky and sage as in thinker which is me. Still thinking back to incredible moments #blogfeed #exploremore #paragliding #sunsets #longingforfaraway #blogmode #birbilling #aroundtheworld #travelanywhere #traveltagged #indiatravelgram #readcaption #poetryisalive #picturepoetry #mightypen #writergram #theskyofmusing #wordsonpaper #penandpaper #travelblog #travellinggirl #traveller #poetrycommunity #wordsandpictures #instagood #explore #thehosteller #himachalpradesh #astheticfeed (at Billing , Himachal , Worlds Second Highest Paragliding Spot !!) https://www.instagram.com/p/CON-uiQLh05/?utm_medium=tumblr

After only 5 months of hard and dedicated work MB4Y has been selected in the top 10 Mercedes Blogs in the world this year by the famous blog.feedspot website.

We have regular trending articles and wedding tips on our blog! Be sure to follow our social feeds to never miss a post! 😉 . . . #socialmediamarketing #socialmedia #facebookblog #tumblrblog #pinterestblog #socialmediafollow #autumnleaves #blogpost #blogfeed #weddingblog #weddingtips #weddingarticles #saffronweddings (at Australia) https://www.instagram.com/p/Bv6ap5JnMMa/?utm_source=ig_tumblr_share&igshid=1hnf18j2813w4

https://www.lmentsofstyle.com/blogfeed/blogfeed/2014/11/23

it occurs to me that the jwz.org blogfeed is just a Tumblr that isn't on Tumblr.

HTB - DevOops

DevOops is allegedly more difficult than OSCP but good practice; i actually found it quite easy. Probably because the vulnerabilities to exploit are pointed out.

An nmap scan reveals Gunicorn to be listening on port 5000- this is already a hint at the second attack required for the user flag as this was the same type of server I had to target for root access to Symfonos 4. Basic directory brute force further reveals the presence of three files- upload, the root of the server (index.html) and feed.

Index hints that the server uses Python at the back-end: apparently the root is feed.py while feed simply loads a png image and upload reveals a simple upload file form with reference to XML elements.

With so little to explore, it was quickly obvious that the upload form is probably vulnerable to some form of attack. I started by uploading txt and png files to observe the results- the page is simply reloaded.

This is when I thought to try uploading an XML file to the server- particularly with the hint towards what XML elements to use. 10 minutes research later and I’d put together a simple test.xml file.

I didn’t immediately jump to trying the above file: I firstly confirmed this was a vulnerability by trying to view /etc/passwd which was returned in the content element upon upload of the file.

After this, I spent half an hour or so seeing if RCE was possible through external entity attack; while it could have been if PHP was in use, it isn’t obviously so in the case of Python. This is when I remembered feed.py.

Feed.py revealed the insecure use of pickle on user supplied POST data to /newpost. After facing similar with JSON pickles in the past, I was aware that RCE was possible through this vulnerability and began working towards a reverse shell.

I learned here that things should always be tested locally first before testing them remotely: I was fiddling around with the reverse shell for an hour or two and constantly receiving error 500s. When I tried ti loally and it worked, i knew it was likely that there was something else wrong with my payload.

After 10-20 minutes, I discovered that adding the Content-Type header and setting it to text/html resulted in successful delivery of the payload (I confirmed this with a simple ping at first.)

Now I just needed to get a working payload- netcat was on the victim but a nc reverse shell resulted in immediate disconnection meaning the process was being terminated for some reason on their end. After some trial and error, I uncovered the following working payload:

I created this script from a few I found on Google. The pickle vulnerability arises form the manner in which pickle deserializes data (translating a byte stream to an object in the case of Python, an object being a list or dictionary etc.)

Objects with pickle are serialized using dumps or dump while they are deserialized using load/loads.

To achieve RCE through pickle, however, we must use the __reduce__function:  it requires a callable object and an optional tuple of arguments for the called object, thus providing this to the Pickle process will executable the mentioned callable object along with the provided arguments.

The above revere shell succeeded and I had a foothold on the system as Roosa. I could have probably read the user flag back in the external entity attack; I thought I’d save it for when I had achieved RCE.

The root flag is very easy- simple enumeration of Roosa’s home directory reveals a GitHub project called ‘blogfeed’ and the presence of an RSA private key used for the project’s integration. I had my suspicions this key may be relevant and thus saved it for further use later.

Further basic enumeraton (specifically of .bash_history) shows us that Roosa screwed up at one point and accidentally submitted a relevant private key to the GitHub project. Although not an expert, I use GitHub myself and thus am aware that previous commits can be viewed.

Some research showed that it is possible to view patches (I simply refer to it as changes but hey ho) to a GitHub repo via the git log -p command. Executing this reveals the original key submitted to the repo.

From here I discovered that an RSA private key can be used in place of a password for SSH access... Perhaps we have root’s private key here? I tried this with ssh -i old-key [email protected] and sure enough we have root access.

I enjoyed this machine but I don’t feel it should be of medium difficulty- it actually took me longer on the user flag.

Also reminded myself of the importance of trying exploit payloads locally first if doable to discover the source of an error when delivering the exploit remotely.

ADVENT

You are here now.

Don’t worry, the songs, the humming The strumming and the ukulele notes Rising into the dreamy sky above Into the blue ridge mountains.

The fairylights twinkle

The bonfire fading, calling harmony Rising with flint as the paper swan past it There’s a spark, advent of the notable eve So Stop the worrying

You are here now.

By Komal Bhowsinka

the impulse to post every weird little thought in your head versus the self-restraint to not wordblast your blogfeed? this struggle too is yuri

Due to some sort of error on my part, my blogpost didn't post today and was instead backdated to May of this year... so here's a picture of a juvenile Bald Eagle (Haliaeetus leucocephalus) to compensate and to tell you that my new post about my Long Point observations in March is now at the top of my blogfeed at norfolknaturalist.ca. Check it out! . . . . . . #nature #ontarionature #baldeagle #juvenilebaldeagle #haliaeetusleucocephalus #blognorfolk #norfolknature #norfolkcounty #norfolkcountyontario #longpointontario (at Long Point, Ontario) https://www.instagram.com/p/Ch5vuzvpQcJ/?igshid=NGJjMDIxMWI=

this is super weird, but can you tag pics of female celebrities with something? I have [50pics] blocked already, but stuff has started slipping through.

So, I have been thinking about this request and how to address it for six hours since you sent it, and I’m going to give a stupidly long answer, and then a few potential solutions. If I come across gruff or angry or frustrated or ANYTHING like that, it’s not the tone I “mean” at all, I’m just trying to think this through and answer the best I can.

First: I have never said no to anyone’s request for a tag in the past, no questions asked.

But.

My answer is… no, because it feels fundamentally wrong to me to make it possible to consume any kind of content I either create or curate in a way that would erase the presence of women.

Because I don’t have any context for this request other than “I don’t want to see women,” I am going to say no. I’ve been thinking and thinking about it since you sent this, truly and really considering, and the idea of making it possible to view content that I curate or create – whether that’s my doofy pointless blog, my fanfiction, or anything I write that isn’t fic – in a way where it’s easy for anyone to ignore or erase the presence of women and the influence of women on the lens through which I’m creating and curating content… it makes my stomach hurt.

I post women – including “female celebrities,” I guess? – in pretty much every context of my blog. I prefer female characters. I prefer woman-fronted music groups, and women musical artists. I prefer female book characters, and I try to consume 95%+ books written by female authors. My undergraduate thesis was on female sexuality in marketing and fandom and the reclamation of female sexual desire by teenage girls, and my masters’ thesis was about women’s language and the subversive linguistic creation of teenage girls and how adults, even adult women, too often end up objectifying girls and women through the inherent patriarchal quality of prescriptivist English. Like. Women and girls are what I care about in this world. They’re the main focus of everything I do, even when not posting them specifically.

The idea of making it possible to follow anything I create, or curate, in a way that even superficially erases their image or presence just… is not okay with me? My gut reaction is the same as whenever people complain about how 99.6% of the time when I write slash, it’s with an assumption of bi- or pansexuality of the male main characters, and I include significant relationships (sexual or romantic or platonic or familial, but always significant portions of the text) between the male mcs and women. It’s the same as whenever Slash Fandom, as a construct, devalues or diminishes the role of female characters to the point where including them in fannish content or meta or readings of canon is a bad thing. It’s stupid-important to me that women, real and fictional, exist in everything I do and consume.

And part of that is: yes, because I’m a lesbian, and yes, many of the female celebrities I post are ones that I find attractive. But I also consciously and doggedly try to promote and support women artists’ work, whether they’re visual artists, actors, writers, models, singers, musicians, illustrators – whatever. I post their pretty faces, but I also put my money where my mouth is and try to keep up with promoting and posting and showing off and squeeing over their work content, too. It’s important to me, and it’s a key feature of what I try to blog.

If a day goes by where I’m not posting about ANY work done by women, assume I am dead, tbh.

BUT SOLUTIONS FOR YOU:

First, if that ISN’T what you meant with this request, PLEASE write back (it can be on anon still! Totally fine!) and just be like “I meant I don’t want to see leotards or midriffs or cleavage” or something, and that’s totally workable. I know that since I don’t have to go into an office or school since I work from home, I’m probably lax on making sure I tag n/s/f/w or “not safe for Ramadan” or whatever the case there is.

Also, I DO tag obsessively, and my tags page includes everyone and everything that I have posted at least 3 times in the 7 years since I’ve started my blog, because I DO want people to be able to blacklist content that they don’t want to see. I’m in the process of reorganizing and correcting some older tags on my blog, so I’m about ~four months behind, so the Black Panther stars are not on my tags page yet, but otherwise: feel free, I guess, to blacklist all of the individual women and girl groups that I have listed. But no, I’m not going to make it easier to strike “women” as a whole, as a crucially important feature of my viewpoint on the world, from my blogfeed.

My blog, minus “women,” would just be… it would be something I would never intentionally put out into the world?

Additionally, for why stuff may seem like it’s slipping through tags: [50pics] was never a tag for “this is the only time women appear on my blog,” it’s just the tag for the specific graphics/edits that I do for that edit series – fifty photos of [whichever woman it is]. But that’s never been the only time or series in which I’ve posted women, and it isn’t meant to be a substitute for it. (But definitely keep blacklisting it if you want to! I DO tag obsessively and with an intense amount of tag organization, so FOR the 50 Pics edits series, that is the finalized tag and will be on all of those posts.)

Otherwise… like, I’m… fine with losing followers? I post my blog content 80% for me and 30% for the idea that other people want to see it, with like, a 10% assumption of overlap between “stuff I like” and “stuff other people would like,” honestly. I don’t put emotional energy into the idea of “mutuals culture,” either, so even if we’ve been mutuals for years and years, if you don’t like my content and don’t want to just blacklist my username: PLEASE feel free to unfollow me, because I don’t want to make YOUR self-curated experience WORSE because I’m curating my own experience my way, you know?

Summer season demands drinks and juices.. What better than MANGO MILKSHAKE 🤩🤩 . . 🔥🔥 Do subscribe K4B in youtube and dm me for shoutout 🔥🔥 . . #kitchen4bachelor #summerdrink #fruitjuice #fruitjuices #mangomilkshake #milkshakes #mangojuice🍹 #mangoseason #summerjuice #summerdrinks🍹 #foodphotography #pictureoffood #pictureoftheday📷 #bloggersofindia #foodbloggerindia🇮🇳 #bangalorefoodblogger #silcharfoodies #silcharblogger #assamfoodblogger #foodblogeats #foodblogfeed #blogfeed #youtuber #youtubevloggers #yummyjuice #mykitchenstories #foodtravelstories #foodhunt #followmypage💛 #newpost📸 (at Bangalore, India) https://www.instagram.com/p/CBHvhFRF2X1/?igshid=1qtxc2l21u5lq

If you are planning to visit the Virgin Australia Fashion Festival from 4 th to 14 th March 2020, hiring Maxi Taxi Melbourne Airport service is the best option of getting to the Royal Exhibition Building on time.