Evading IDS, Firewalls, and Honeypots Course — Watch Ethical Hacking:
She connected to a "Linux server" provided in the lab. It looked perfect—Ubuntu banner, bash prompt. She typed the test command. Then she tried to ls /tmp/. No directory. Honeypot. She disconnected immediately.
Next, she needed a foothold. A public web server sat on the DMZ. Instead of brute-forcing or vulnerability scanning (both IDS triggers), she browsed it like a normal user, then used HTTP parameter pollution—adding duplicate id parameters to a login form. The web server's backend merged them in a way that bypassed authentication. The IDS saw only id=123 and id=456. Normal traffic.
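The bypass above works because the inspection layer and the application disagree about what a repeated query parameter means. The following added example (not code from the course or the story) shows that disagreement with Python's own standard-library parsers, which already give two different answers for the same query string, and a strict parser a defender can put in front of an authentication handler so that a request carrying any duplicated key is refused instead of silently merged. The query strings and the function names are constructed for illustration.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed sample: the same duplicated parameter the story describes.
POLLUTED_QUERY = "id=123&id=456"


def first_value_wins(query: str) -> dict:
    """One common backend convention: keep the first value of each key.

    parse_qs() groups repeated keys into lists, so [0] picks the first."""
    return {key: values[0] for key, values in parse_qs(query).items()}


def last_value_wins(query: str) -> dict:
    """Another common convention: the last occurrence overwrites earlier ones.

    parse_qsl() returns ordered pairs; dict() keeps the final pair per key."""
    return dict(parse_qsl(query))


def parse_strict(query: str):
    """Defensive parser: refuse any key that appears more than once.

    Returns (params, duplicates). params is None whenever duplicates is
    non-empty, so a caller cannot accidentally use a merged value."""
    parsed = parse_qs(query, keep_blank_values=True)
    duplicates = sorted(key for key, values in parsed.items() if len(values) > 1)
    if duplicates:
        return None, duplicates
    return {key: values[0] for key, values in parsed.items()}, []


if __name__ == "__main__":
    # Two parsers, two different "id" values for the identical request:
    print("first wins:", first_value_wins(POLLUTED_QUERY))
    print("last wins: ", last_value_wins(POLLUTED_QUERY))
    # The strict parser rejects the request outright:
    print("strict:    ", parse_strict(POLLUTED_QUERY))
```

A proxy or WAF that normalises to "first wins" while the application uses "last wins" (or concatenates) will pass exactly the traffic described here as normal; rejecting duplicates at the application boundary removes the ambiguity rather than trying to guess which convention the upstream inspector used.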
She was in. User-level access on the DMZ box.
Maya’s heart hammered. This was no simulation. This was a live-fire exercise against Syphon’s own red-team infrastructure.
Finally, she reached the HR server. The flag was a text file: FLAG{ghost_in_the_wire}.
Most firewalls allow outbound SSH (port 22) and DNS (port 53). He showed her how to tunnel a reverse shell over DNS requests. "Firewalls trust DNS," he said. "After all, how else will users resolve google.com?"
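Because DNS is trusted, the practical defence against the tunnelling described above is to look at what the queries themselves look like. The added example below (not code from the course) runs a simple detector over a constructed resolver log: data smuggled in DNS shows up as long, high-entropy subdomain labels, many unique names under one base domain, and record types such as TXT that carry arbitrary payloads. The log format, the client addresses, the domain c2-example.net and all thresholds are assumptions made for this illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line:
# "<timestamp> <client-ip> <query-name> <query-type>"
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 www.google.com A",
    "2024-05-01T10:00:02Z 10.0.0.5 mail.example.org MX",
    "2024-05-01T10:00:03Z 10.0.0.5 cdn.example.org A",
    "2024-05-01T10:00:04Z 10.0.0.9 0123456789abcdefghij.c2-example.net TXT",
    "2024-05-01T10:00:05Z 10.0.0.9 klmnopqrstuvwxyz0123.c2-example.net TXT",
    "2024-05-01T10:00:06Z 10.0.0.9 a1b2c3d4e5f6g7h8i9j0.c2-example.net TXT",
    "2024-05-01T10:00:07Z 10.0.0.9 www.google.com A",
]

# Assumed thresholds; tune against your own baseline traffic.
MAX_LABEL_LEN = 20          # benign labels are rarely this long
PAYLOAD_LABEL_LEN = 12      # shorter labels count when the type carries data
ENTROPY_THRESHOLD = 4.0     # bits per character of the subdomain part
TUNNEL_QTYPES = {"TXT", "NULL"}
MIN_UNIQUE_SUBDOMAINS = 3   # unique names per (client, base) before alerting


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-character text."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split a query name into (subdomain, base). Assumption: the base is the
    last two labels; a public-suffix list would be more accurate."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def is_suspicious_query(qname: str, qtype: str = "A") -> bool:
    """Flag a single query that looks like it carries encoded data."""
    sub, _ = split_name(qname)
    if not sub:
        return False
    longest = max(len(label) for label in sub.split("."))
    if longest >= MAX_LABEL_LEN:
        return True
    if qtype in TUNNEL_QTYPES and longest >= PAYLOAD_LABEL_LEN:
        return True
    return shannon_entropy(sub.replace(".", "")) >= ENTROPY_THRESHOLD


def find_suspects(lines):
    """Aggregate flagged queries per (client, base domain) and report those
    with enough distinct subdomains to look like a channel, not a one-off."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed log lines rather than crash
        _, client, qname, qtype = parts
        if is_suspicious_query(qname, qtype):
            sub, base = split_name(qname)
            hits[(client, base)].add(sub)
    return sorted(
        (client, base, len(subs))
        for (client, base), subs in hits.items()
        if len(subs) >= MIN_UNIQUE_SUBDOMAINS
    )


if __name__ == "__main__":
    for client, base, count in find_suspects(SAMPLE_LOG):
        print(f"possible DNS tunnel: {client} -> *.{base} ({count} unique subdomains)")
```

Per-query scoring alone is noisy (CDNs and anti-spam services also use long labels), which is why the aggregation step keys on the client and base domain: a tunnel needs many unique names under one zone to move data, and that volume is what separates it from legitimate long names.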
The instructor loaded up a tool called HTTPtunnel. "If a firewall allows HTTP outbound, tunnel everything inside HTTP. But not normal HTTP—weird HTTP. Headers out of order. Chunked encoding with false lengths. The firewall's protocol decoder will give up and pass the raw stream to the web server. And the web server? It's yours."
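The weakness the instructor describes is a decoder that fails open: when it meets chunked encoding it cannot make sense of, it stops decoding and forwards the bytes. The added example below (not code from the course or from HTTPtunnel) is a strict HTTP/1.1 chunked-body decoder that does the opposite, raising on any mismatch between a declared chunk size and the bytes that follow, so an inspection point can reject the message instead of passing it through. The sample bodies are constructed; the decoder deliberately does not accept trailer fields, which is a simplification rather than a statement about the protocol.

```python
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


class ChunkedDecodeError(ValueError):
    """Raised for any malformed chunked body; the caller should fail closed."""


def decode_chunked_strict(body: bytes) -> bytes:
    """Decode a chunked transfer-coding body, refusing anything irregular.

    Each chunk is "<hex size>[;extension]CRLF <size bytes> CRLF", terminated
    by a zero-size chunk and a final CRLF. Unlike a lenient decoder, this one
    never guesses: a declared length that does not match the data is an error."""
    out = bytearray()
    pos = 0
    while True:
        line_end = body.find(b"\r\n", pos)
        if line_end == -1:
            raise ChunkedDecodeError("missing chunk-size line")
        # Chunk extensions (after ';') are permitted but ignored.
        size_field = body[pos:line_end].split(b";", 1)[0].strip()
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ChunkedDecodeError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        pos = line_end + 2
        if size == 0:
            # Last chunk: strict mode allows no trailers, only the final CRLF.
            if body[pos:pos + 2] != b"\r\n":
                raise ChunkedDecodeError("missing final CRLF after last chunk")
            if pos + 2 != len(body):
                raise ChunkedDecodeError("data after last chunk")
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedDecodeError("chunk shorter than declared size")
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            # More bytes than declared: the "false length" case in the text.
            raise ChunkedDecodeError("chunk data does not end where declared")
        pos += 2
        out += chunk


def is_well_formed(body: bytes) -> bool:
    """Convenience wrapper for filtering: True only if strict decoding succeeds."""
    try:
        decode_chunked_strict(body)
        return True
    except ChunkedDecodeError:
        return False


# Constructed samples: a valid body and one whose declared length is false.
VALID_BODY = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
FALSE_LENGTH_BODY = b"5\r\nhelloworld\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(decode_chunked_strict(VALID_BODY))
    print("false-length body accepted:", is_well_formed(FALSE_LENGTH_BODY))
```

The design choice is the error policy: every branch either advances exactly as far as the declared size says or raises. A filtering device built on this decoder can only ever forward a body it fully understood, which removes the "give up and pass the raw stream" behaviour the story relies on.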
He showed her how to spot the lie.