├── CODE-OF-CONDUCT.md
├── README.md
├── images
├── daena-key-purplestorm.png
├── daena-key-purplestorm2.png
├── dominik-mayer-purplestorm.png
├── htb-purplestorm.png
├── htb_logo.png
├── thm_logo.png
└── vulnlab_logo.png
└── scripts
└── rdp
/CODE-OF-CONDUCT.md:
--------------------------------------------------------------------------------
1 |
2 | # Contributor Covenant Code of Conduct
3 |
4 | ## Our Pledge
5 |
6 | In the interest of fostering an open and welcoming environment, we as
7 | contributors and maintainers pledge to make participation in our project and
8 | our community a harassment-free experience for everyone, regardless of age, body
9 | size, disability, ethnicity, sex characteristics, gender identity and expression,
10 | level of experience, education, socio-economic status, nationality, personal
11 | appearance, race, religion, or sexual identity and orientation.
12 |
13 | ## Our Standards
14 |
15 | Examples of behavior that contributes to creating a positive environment
16 | include:
17 |
18 | * Using welcoming and inclusive language
19 | * Being respectful of differing viewpoints and experiences
20 | * Gracefully accepting constructive criticism
21 | * Focusing on what is best for the community
22 | * Showing empathy towards other community members
23 |
24 | Examples of unacceptable behavior by participants include:
25 |
26 | * The use of sexualized language or imagery and unwelcome sexual attention or
27 | advances
28 | * Trolling, insulting/derogatory comments, and personal or political attacks
29 | * Public or private harassment
30 | * Publishing others' private information, such as a physical or electronic
31 | address, without explicit permission
32 | * Other conduct which could reasonably be considered inappropriate in a
33 | professional setting
34 |
35 | ## Our Responsibilities
36 |
37 | Project maintainers are responsible for clarifying the standards of acceptable
38 | behavior and are expected to take appropriate and fair corrective action in
39 | response to any instances of unacceptable behavior.
40 |
41 | Project maintainers have the right and responsibility to remove, edit, or
42 | reject comments, commits, code, wiki edits, issues, and other contributions
43 | that are not aligned to this Code of Conduct, or to ban temporarily or
44 | permanently any contributor for other behaviors that they deem inappropriate,
45 | threatening, offensive, or harmful.
46 |
47 | ## Scope
48 |
49 | This Code of Conduct applies within all project spaces, and it also applies when
50 | an individual is representing the project or its community in public spaces.
51 | Examples of representing a project or community include using an official
52 | project e-mail address, posting via an official social media account, or acting
53 | as an appointed representative at an online or offline event. Representation of
54 | a project may be further defined and clarified by project maintainers.
55 |
56 | ## Enforcement
57 |
58 | Instances of abusive, harassing, or otherwise unacceptable behavior may be
59 | reported by contacting the project team at syr0@protonmail.com. All
60 | complaints will be reviewed and investigated and will result in a response that
61 | is deemed necessary and appropriate to the circumstances. The project team is
62 | obligated to maintain confidentiality with regard to the reporter of an incident.
63 | Further details of specific enforcement policies may be posted separately.
64 |
65 | Project maintainers who do not follow or enforce the Code of Conduct in good
66 | faith may face temporary or permanent repercussions as determined by other
67 | members of the project's leadership.
68 |
69 | ## Attribution
70 |
71 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
72 | available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
73 |
74 | [homepage]: https://www.contributor-covenant.org
75 |
76 | For answers to common questions about this code of conduct, see
77 | https://www.contributor-covenant.org/faq
78 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 | 
3 |
4 |
5 | # CTF-Notes
6 |
7 | ### From Zero To Hero
8 |
9 | #### About this repository
10 |
11 | This repository will contain various notes, code snippets, hints and different sources related to all kinds of cybersecurity topics, dropped by our team members.
12 |
13 | ### Table of Contents
14 |
15 | - [Where to start](#where-to-start)
16 | - [Basic Knowledge](#basic-knowledge)
17 | - [First Steps](#first-steps)
18 | - [Checklist](#checklist)
19 | - [Tool Recommendations](#tool-recommendations)
20 | - [Trainings](#trainings)
21 | - [Hacking Resources & Tutorials](#hacking-resources--tutorials)
22 | - [Purplestorm Wallpapers](#purplestorm-wallpapers)
23 |
24 | ### Where to Start
25 |
26 | #### Basic Knowledge
27 |
28 | - It is recommended to work in a virtual environment like an `Kali Linux` instance running on `VirtualBox` or `VMware Player`.
29 | - Make sure you downloaded the correct `.ovpn` file to connect to the network and access your box.
30 |
31 | ```console
32 | $ sudo openvpn /PATH/TO/OVPNFILE/.ovpn
33 | ```
34 |
35 | - Wordlists are usually located in `/usr/share/wordlists/`. The mostly used ones are:
36 | - rockyou.txt (sudo gunzip /usr/share/wordlists/rockyou.txt.gz)
37 | - /usr/share/wordlists/seclists (https://github.com/danielmiessler/SecLists)
38 | - If you are missing some tools, try to install them from the `Kali Linux repository`.
39 |
40 | ```console
41 | $ sudo apt-get install kali-linux-everything
42 | ```
43 |
44 | - If a website is not reachable via `IP address` and redirects you, try to add it to the `/etc/hosts` file.
45 | - Always familiarize yourself with the tools you use and checkout their documentation as well as the parameter `-h`.
46 | - Don't run exploits from the internet without understanding what they are doing.
47 |
48 | #### First Steps
49 |
50 | There are some basic things you should be aware about when you approaching a new box.
51 |
52 | - Make sure to take proper `notes`. Probably you want to concider to write them in `Markdown` and `Obsidian` for example. Here are a few alternatives:
53 | - [cherrytree](https://github.com/giuspen/cherrytree)
54 | - [Sublime Text](https://www.sublimetext.com)
55 | - [Notion](https://www.notion.com)
56 | - [Capacities](https://capacities.io)
57 | - Always keep some sort of `reconnaissance` running in the background like `directory busting` with `Gobuster`, which can take some time.
58 | - Make sure to `enumerate` every service and every endpoint properly. On a website for example, check for `usernames`, `email address schemes`, check the `source` of the website `click` or `hover over` every `link` you can find to see if they lead to something.
59 | - Check for already known `vulnerabilities` and `exploits`. Therefore you can just use `Google`. Here are a few examples:
60 | - ` vulnerability`
61 | - ` vulnerability`
62 | - ` exploit`
63 | - ` poc`
64 | - ` github`
65 | - ` github poc`
66 | Alternatively check [Exploit Database](https://www.exploit-db.com), [Sploitus](https://sploitus.com) or use `searchsploit` from the command line.
67 |
68 | ```console
69 | $ searchsploit
70 | ```
71 |
72 | - Try `default credentials` (https://github.com/ihebski/DefaultCreds-cheat-sheet) or `admin:admin`. Especially on `web applications`.
73 | - If you find credentials or just a password, always go for `credential reuse` and try if they work for another user as well.
74 |
75 | #### Checklist
76 |
77 | Depending on what a box offers to you, you can go through the following checklist.
78 |
79 | 1. Run nmap!
80 |
81 | ```console
82 | $ sudo nmap -sC -sV -p-
83 | $ sudo nmap -sC -sV -Pn -p-
84 | $ sudo nmap -sV -sU
85 | ```
86 |
87 | 2. If a webserver is available, check `robots.txt`.
88 |
89 | > http://RHOST/robots.txt
90 |
91 | 3. Also, give `whatweb` a try.
92 |
93 | ```console
94 | $ whatweb http://
95 | ```
96 |
97 | 4. Ob websites, try `directory busting` with different wordlists.
98 |
99 | ```console
100 | $ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
101 | ```
102 |
103 | 5. Checking for `subdomains`. If a box offers you a `vhost` entry like `http://openadmin.htb/` for example, it is always worth it to see if there are more `vhosts` configured.
104 |
105 | ```console
106 | $ gobuster vhost -u -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
107 | $ gobuster vhost -u -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
108 | ```
109 |
110 | ```console
111 | $ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.openadmin.htb" -u http://openadmin.htb --mc all --fs
112 | ```
113 |
114 | 6. Intercept `web requests` with `Burp Suite`. Without getting to deep into the usage of `Burp Suite`, here are the steps to configure it in your browser.
115 | - Start `Burp Suite` and open your browser on `http://burp`.
116 | - Then download the `CA Certificate`.
117 | - Depending on your browser, switch to `settings` and then to `certificates`.
118 | - Import the `certificate`.
119 | - We recommend to use [FoxyProxy](https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard) and configure it there but you can also go with the `proxy settings` of your browser.
120 |
121 | | Setting | Value |
122 | | --- | --- |
123 | | Proxy Type | HTTP |
124 | | Proxy IP address or DNS name | 127.0.0.1 |
125 | | Port | 8080 |
126 |
127 | - In `Burp Suite` switch to `Target` > `Proxy settings` and select `Use advanced scope control`.
128 | - Add the `IP address` of the box you are approaching.
129 | - Switch to the `Proxy` tab, move to `Intercept` and click on `Intercept is off` to enable it.
130 | - At last switch the proxy in `FoxyProxy` to the `Burp Suite configuration` and access the website. Now you can intercept the web traffic coming from and going to the box and modify as you want.
131 |
132 | #### Tool Recommendations
133 |
134 | Below you find just a few tools to start with. Of course this is not a complete list and there are always better tools for the job out there. Take small steps and get comfy with tools and techniques to develop and at last improve your unique approach on a system.
135 |
136 | ###### Information Gathering
137 |
138 | - [Nmap](https://github.com/nmap/nmap)
139 | - [masscan](https://github.com/robertdavidgraham/masscan)
140 | - [RustScan](https://github.com/RustScan/RustScan)
141 |
142 | ###### Vulnerability Analysis
143 |
144 | - [nikto](https://github.com/sullo/nikto)
145 |
146 | ###### Web Application Analysis
147 |
148 | - [WhatWeb](https://github.com/urbanadventurer/WhatWeb)
149 | - [Burp Suite](https://portswigger.net/burp/communitydownload)
150 | - [Gobuster](https://github.com/OJ/gobuster)
151 | - [dirsearch](https://github.com/maurosoria/dirsearch)
152 | - [ffuf](https://github.com/ffuf/ffuf)
153 | - [wfuzz](https://github.com/asciimoo/wuzz)
154 | - [WPScan](https://github.com/wpscanteam/wpscan)
155 |
156 | ###### Database Assessment
157 |
158 | - [sqlmap](https://github.com/sqlmapproject/sqlmap)
159 |
160 | ###### Password Attacks
161 |
162 | - [thc-hydra](https://github.com/vanhauser-thc/thc-hydra)
163 | - [hashcat](https://hashcat.net/hashcat)
164 | - [NetExec](https://github.com/Pennyw0rth/NetExec)
165 |
166 | ###### Exploitation / Post Exploitation Tools
167 |
168 | - [Metasploit](https://github.com/rapid7/metasploit-framework)
169 | - [BloodHound](https://github.com/SpecterOps/BloodHound)
170 | - [Impacket](https://github.com/fortra/impacket)
171 | - [enum4Linux-ng](https://github.com/cddmp/enum4linux-ng)
172 | - [PEASS-ng](https://github.com/carlospolop/PEASS-ng)
173 | - [PSPY](https://github.com/DominicBreuker/pspy)
174 | - [Evil-WinRM](https://github.com/Hackplayers/evil-winrm)
175 |
176 | #### Trainings
177 |
178 | If you feel you need to learn fundamentals of a new topic or to improve you knowledge in specific areas, I would recommend checking out [TryHackMe](https://tryhackme.com) which provides valuable learning paths to various topics.
179 |
180 | Here are a few room recommendations for beginners.
181 |
182 | - [Learning Cyber Security](https://tryhackme.com/room/beginnerpathintro)
183 | - [Introductory Networking](https://tryhackme.com/room/introtonetworking)
184 | - [Intro to Offensive Security](https://tryhackme.com/room/introtooffensivesecurity)
185 | - [Linux Fundamentals Part 1](https://tryhackme.com/room/linuxfundamentalspart1)
186 | - [Linux Fundamentals Part 2](https://tryhackme.com/room/linuxfundamentalspart2)
187 | - [Linux Fundamentals Part 3](https://tryhackme.com/room/linuxfundamentalspart3)
188 | - [Windows Fundamentals 1](https://tryhackme.com/room/windowsfundamentals1xbx)
189 | - [Windows Fundamentals 2](https://tryhackme.com/room/windowsfundamentals2x0x)
190 | - [Windows Fundamentals 3](https://tryhackme.com/room/windowsfundamentals3xzx)
191 | - [Pentesting Fundamentals](https://tryhackme.com/room/pentestingfundamentals)
192 | - [Active Reconnaissance](https://tryhackme.com/room/activerecon)
193 | - [Nmap](https://tryhackme.com/room/furthernmap)
194 | - [Burp Suite: The Basics](https://tryhackme.com/room/burpsuitebasics)
195 | - [Web Application Security](https://tryhackme.com/room/introwebapplicationsecurity)
196 | - [OWASP Top 10](https://tryhackme.com/room/owasptop10)
197 | - [SQL Injection](https://tryhackme.com/room/sqlinjectionlm)
198 | - [Hydra](https://tryhackme.com/room/hydra)
199 | - [Metasploit: Introduction](https://tryhackme.com/room/metasploitintro)
200 |
201 | #### Hacking Resources & Tutorials
202 |
203 | Here are a few resources and knowledgebases to cover various topics. Starting with writeup videos of `IppSec` is always a good call.
204 |
205 | - [ippsec.rocks](https://ippsec.rocks/)
206 | - [Hacking Articles](https://www.hackingarticles.in/)
207 | - [HackTricks](https://book.hacktricks.xyz/welcome/readme)
208 | - [netbiosX/checklists](https://github.com/netbiosX/Checklists)
209 | - [The Penetration Testing Grimoire](https://github.com/RackunSec/Penetration-Testing-Grimoire)
210 | - [pentestmonkey](https://pentestmonkey.net/)
211 | - [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)
212 | - [GTFOBins](https://gtfobins.github.io/)
213 |
214 | ### Purplestorm Wallpapers
215 |
216 | With a little modifications to gorgeus Daena Key and Dominik Mayer art, we present you to use and download `Purplestorm Wallpapers`.
217 |
218 |
219 | 
220 |
221 |
222 | 
223 |
224 |
225 | 
226 |
227 |
228 | 
229 |
230 |
231 | Also feel free to get in touch with us on our [Discord](https://discord.gg/JbGr5gA3KY), we are all willing to help!
232 |
--------------------------------------------------------------------------------
/images/daena-key-purplestorm.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xsyr0/CTF-Notes/028afd7157cfa49dc8042876e58e48a8fedab659/images/daena-key-purplestorm.png
--------------------------------------------------------------------------------
/images/daena-key-purplestorm2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xsyr0/CTF-Notes/028afd7157cfa49dc8042876e58e48a8fedab659/images/daena-key-purplestorm2.png
--------------------------------------------------------------------------------
/images/dominik-mayer-purplestorm.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xsyr0/CTF-Notes/028afd7157cfa49dc8042876e58e48a8fedab659/images/dominik-mayer-purplestorm.png
--------------------------------------------------------------------------------
/images/htb-purplestorm.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xsyr0/CTF-Notes/028afd7157cfa49dc8042876e58e48a8fedab659/images/htb-purplestorm.png
--------------------------------------------------------------------------------
/images/htb_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xsyr0/CTF-Notes/028afd7157cfa49dc8042876e58e48a8fedab659/images/htb_logo.png
--------------------------------------------------------------------------------
/images/thm_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xsyr0/CTF-Notes/028afd7157cfa49dc8042876e58e48a8fedab659/images/thm_logo.png
--------------------------------------------------------------------------------
/images/vulnlab_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xsyr0/CTF-Notes/028afd7157cfa49dc8042876e58e48a8fedab659/images/vulnlab_logo.png
--------------------------------------------------------------------------------
/scripts/rdp:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # simple rdp wrapper for xfreerdp to switch to evil-winrm faster (yes i am that lazy)
4 |
5 | usage() {
6 | echo "usage: $(basename $0) -i '10.129.16.128' -u 'Administrator' -p 'P@s\$w0rd!' [-H 'NTLMHash']" >&2
7 | }
8 |
9 | if [ $# -eq 0 ]
10 | then
11 | usage
12 | exit 0
13 | fi
14 |
15 | while getopts ':i:u:p:H:' OPTION; do
16 | case "$OPTION" in
17 | i) host="$OPTARG" ;;
18 | u) user="$OPTARG" ;;
19 | p)
20 | pass="$OPTARG"
21 | xfreerdp /v:"$host" /u:"$user" /p:"$pass" /cert:ignore /dynamic-resolution +clipboard
22 | ;;
23 | H)
24 | hash="$OPTARG"
25 | xfreerdp /v:"$host" /u:"$user" /pth:"$hash" /cert:ignore /dynamic-resolution +clipboard
26 | ;;
27 | ?)
28 | usage
29 | ;;
30 | esac
31 | done
32 | shift "$(($OPTIND -1))"
33 |
--------------------------------------------------------------------------------